Prevent AKS Responding on External IP

Kieron Lanning 1 Reputation point
2021-06-09T11:28:49.647+00:00

Given an AKS cluster with public DNS, nginx ingress and a public IP - is it possible to prevent nginx from responding on the public IP and only on the DNS?

The goal here is that the DNS is the only addressable access point into the cluster. Currently the IP address responds to http with a 404 - not terrible, but if you attempt to access the IP using https then it gives a fake certificate, which is failing a PEN test.

In much the same way as CloudFlare support with using their network...



1 answer

  1. SRIJIT-BOSE-MSFT 4,336 Reputation points Microsoft Employee
    2021-06-10T06:59:26.32+00:00

    @Kieron Lanning , Thank you for the question. You can use Azure Front Door Service and associate the Kubernetes ingress-controller Service External IP as a backend to it. You can find an example here. On the AKS cluster NSG(s) modify the Allow Inbound rule with destination as your application's External IP and Port with Source Service Tag as AzureFrontDoor.Backend. Thus, Azure Front Door will act as a proxy and only the FQDN specified on the Azure Front Door can be used to connect to the backend service (due to the NSG rule). If you try to access the External IP of the service directly over the Internet then it will fail as NSG rule allows only Azure Front Door backend to access the External IP on the specified Port. For more information please refer to this article.

    Hope this helps!

    Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.

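The answer above relies on the NSG rule to guarantee that only traffic proxied by Azure Front Door reaches the ingress. One caveat a practitioner should keep in mind: the AzureFrontDoor.Backend service tag admits traffic from any Front Door profile, not just yours, so Microsoft's own guidance is to also verify the X-Azure-FDID header (the ID of your Front Door profile) at the origin. The following is an added example, not code from the question, the answer or Microsoft: a minimal WSGI middleware that enforces both checks at the application layer, as defence in depth behind the NSG rule. Rejecting requests whose Host is the bare IP also covers the "IP responds directly" symptom from the question for plain HTTP. EXPECTED_FDID, ALLOWED_HOSTS, the hello app and the sample requests are all hypothetical values constructed for the demonstration.

```python
"""Added example: enforce 'only via our Azure Front Door profile' at the
application layer. Not part of the original Q&A; values below are hypothetical."""
import hmac
from typing import Callable, Dict, Iterable, Tuple

# Hypothetical: the ID of *your* Front Door profile. Front Door sends it in
# the X-Azure-FDID request header on every proxied request.
EXPECTED_FDID = "3f1c2a9e-7b44-4a1f-9d2e-5c6b8e0f1a23"
# Hypothetical: the public FQDN(s) the cluster is allowed to answer for.
ALLOWED_HOSTS = {"app.example.com"}


def request_allowed(environ: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a WSGI environ.

    Check 1: Host must be one of our FQDNs, so a request addressed to the
             raw public IP (or any unknown name) is refused.
    Check 2: X-Azure-FDID must equal our profile ID. The NSG rule from the
             answer only proves the packet came from *some* Front Door POP;
             this header ties it to our profile specifically.
    """
    host = environ.get("HTTP_HOST", "").split(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        return False, "host is not an allowed FQDN (direct IP or unknown name)"
    fdid = environ.get("HTTP_X_AZURE_FDID", "")
    # Constant-time comparison; an attacker who can reach the origin directly
    # could try to spoof this header, which is why the NSG rule still matters.
    if not hmac.compare_digest(fdid, EXPECTED_FDID):
        return False, "missing or foreign X-Azure-FDID (other Front Door profile or spoof)"
    return True, "ok"


class FrontDoorOnly:
    """WSGI middleware: 403 unless request_allowed() says otherwise."""

    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ: Dict[str, str], start_response: Callable) -> Iterable[bytes]:
        ok, reason = request_allowed(environ)
        if not ok:
            body = ("403 Forbidden: " + reason + "\n").encode()
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def hello(environ: Dict[str, str], start_response: Callable) -> Iterable[bytes]:
    """Hypothetical backend app that should only be reachable via Front Door."""
    body = b"hello from the cluster\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


app = FrontDoorOnly(hello)


def call(wsgi_app: Callable, headers: Dict[str, str]) -> Tuple[str, bytes]:
    """Invoke a WSGI app offline with constructed request headers.

    Returns (status line, body) so the behaviour can be checked without a server.
    """
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "SERVER_NAME": "localhost",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status: str, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Constructed requests: direct-to-IP, right host but no/foreign FDID, legitimate.
    samples = [
        {"Host": "20.0.0.1"},
        {"Host": "app.example.com"},
        {"Host": "app.example.com", "X-Azure-FDID": "11111111-2222-3333-4444-555555555555"},
        {"Host": "app.example.com", "X-Azure-FDID": EXPECTED_FDID},
    ]
    for hdrs in samples:
        status, body = call(app, hdrs)
        print(hdrs, "->", status, body.decode().strip())
```

In production this check would normally live in the ingress (nginx can compare the header in a server snippet) rather than in every application, but the logic is the same: the NSG rule stops direct Internet access to the public IP, and the header check stops requests relayed through someone else's Front Door profile. Neither check fixes the "fake certificate" symptom by itself; that goes away because, once the NSG rule is in place, nobody outside Front Door can complete a TLS handshake with the ingress at all.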
