0

I am currently working on the topic AKS behind a WAF. We already have an AKS running. The requests are already secured by the WAF. Now I would like to encrypt the connection from WAF to AKS and the services in AKS via TLS. How can I achieve this?

Simon
  • 101
  • You can take a look at [Create an HTTPS ingress controller on Azure Kubernetes Service (AKS)](https://docs.microsoft.com/en-us/azure/aks/ingress-tls). – Charles Xu Feb 13 '19 at 08:14

1 Answer

0

When you want to intercept the connection from Azure Application Gateway to the underlying AKS services, it might be possible to achieve this using an Ingress controller, which will then work as an Ingress service by exposing Kubernetes services. Generally, an Ingress controller runs as a pod within the AKS cluster and distributes network traffic to Kubernetes Pods.

There are a few most known Ingress controllers:

  • NGINX Ingress Controller, as @Charles Xu - MSFT mentioned in the comments. Provides flexible methods for configuration via annotations, ConfigMaps and custom templates. Supports TLS termination with your own managed TLS certificates or third-party issuers like Let's Encrypt.

  • Traefik can be used as an Ingress controller for a Kubernetes cluster and therefore can be deployed on AKS; you can look at this guide and use it as the tutorial for installation. Traefik is designed with a similar approach to managing configuration as the NGINX Ingress Controller, and also supports TLS termination.

  • Istio presents itself as a product for traffic management, load balancing, service-to-service authentication, monitoring, etc.; it brings most of these advantages to services residing on cloud platforms. Istio has the concept of a service mesh to describe the microservices network and the connections between the different services inside it. Besides the basic Ingress Controller resource, Istio offers its own component, the Istio Gateway, for network traffic and routing purposes. Istio supports TLS termination as well as mutual TLS authentication between sidecars.

Nick_Kh
  • 568
  • 4
  • 7
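Added example (not from the answer above): what the TLS-termination setup described for the NGINX Ingress Controller looks like as Kubernetes manifests. The namespace `demo`, the hostname `demo.internal.example.com`, the Secret name `aks-ingress-tls` and the backend port `8443` are placeholders chosen for this illustration; the annotations are real NGINX ingress annotations. The second annotation also covers the follow-up question in the comments, since it makes the ingress controller re-encrypt the hop to the pod instead of forwarding plain HTTP inside the cluster.

```yaml
# Added example: TLS-terminating NGINX Ingress in front of an AKS service.
# Namespace, hostname, Secret name and port are placeholders, not values
# from the original question.
#
# 1. Put the server certificate and private key into a TLS Secret.
#    The certificate's CN/SAN must match the host the WAF sends, and the
#    WAF must trust its issuer (self-signed certs will fail WAF backend
#    health probes unless their chain is uploaded to the gateway).
#
#    kubectl create secret tls aks-ingress-tls \
#      --cert=tls.crt --key=tls.key -n demo
#
# 2. Expose the service over HTTPS and re-encrypt towards the pod.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-app
  namespace: demo
  annotations:
    # Any plain-HTTP request reaching the controller is redirected to HTTPS,
    # so a misconfigured WAF backend setting cannot silently downgrade.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Speak HTTPS to the backend pod as well, so the in-cluster hop from the
    # ingress controller to the service is encrypted too.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - demo.internal.example.com
      secretName: aks-ingress-tls   # created in step 1
  rules:
    - host: demo.internal.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: demo-app
                port:
                  number: 8443      # the pod's own TLS listener
```

On the Application Gateway side, switch the backend HTTP setting from HTTP to HTTPS, make the host name it sends match the `host` in the Ingress rule, and upload the chain the ingress presents so the gateway validates the backend (a trusted root certificate on the v2 SKU, an authentication certificate on v1). A quick check from a machine that can reach the ingress controller is `openssl s_client -connect <ingress-ip>:443 -servername demo.internal.example.com`, which should show the certificate from `aks-ingress-tls` and a successful handshake before the WAF is pointed at it.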
  • Hello mk_sta, first I want to thank you for your answer. I have already looked at some background information about the implementation with Ingress. The question that comes to my mind is the following: Do I also have to secure the communication between individual services on a node, or the communication of services across nodes, via TLS? Because ingress only encrypts external communication. – Simon Feb 13 '19 at 15:46
  • Actually, it depends on how you provision your application services. If you consider distributing the application across worker Nodes which reside on a separate network segment, then you can add an appropriate TLS certificate validated by the K8s root CA to make a more secure connection to the nested service. However, Istio is equipped with mutual TLS authentication between sidecars, and it can be enabled during installation. – Nick_Kh Feb 14 '19 at 10:10
  • Hello, I have to say I'm pretty new to this field. I learned that we already use Istio as the load balancer in the cluster. I now want to secure the connection from the WAF to the Istio load balancer. For this I can deposit a second certificate in the WAF. Do I now have to deposit this certificate in the Istio load balancer again? – Simon Feb 15 '19 at 09:52
  • I would recommend that you open a new question on Stack, because this topic is outside the scope of this thread. – Nick_Kh Feb 18 '19 at 09:15