AKS deny OutBound Internet

Question

I have an AKS cluster with a web application.
The web app is secured via an Azure application gateway.
Accordingly, my AKS cluster and the posds do not need a connection to the internet.
The default NSG has an AllowInternetOutBound rule.

Can I restrict access to the internet?

Or can I redirect Internet access to a proxy server in order to at least control it?

Thanks and best regards

Guido

Answer 1

@Guido Jeuken Apologies for the delay in response and all the inconvenience caused because of the issue.

The principle of least privilege should be applied to how traffic can flow between pods in an Azure Kubernetes Service (AKS) cluster. Let's say you likely want to block traffic directly to back-end applications. The Network Policy feature in Kubernetes lets you define rules for ingress and egress traffic between pods in a cluster.

All pods in an AKS cluster can send and receive traffic without limitations, by default. To improve security, you can define rules that control the flow of traffic. Back-end applications are often only exposed to required front-end services, for example. Or, database components are only accessible to the application tiers that connect to them.

Network Policy is a Kubernetes specification that defines access policies for communication between Pods. Using Network Policies, you define an ordered set of rules to send and receive traffic and apply them to a collection of pods that match one or more label selectors.

These network policy rules are defined as YAML manifests. Network policies can be included as part of a wider manifest that also creates a deployment or service.

You can refer to this for more information.

You can give a read to this article as well.

Hope it helps!!!

Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics