AKS Azure Container Registry

Restricting Access to Azure Container Registry from AKS while allowing Azure Defender Access

Since releasing the ”Firewall exception” for trusted Microsoft services, you can now allow Azure Defender to access the container registry for image scanning, while also restricting access to Azure Container registry via firewall

  • Allowing Defender for ACR to scan container images via ’Trusted service’ setting on firewall
  • Allowing AKS to Pull images from ACR using load balancer public IP
    • This is not the only config option, there is also version using private endpoints. I personally prefer using public endpoints, as there is less to configure and maintain (not that would not have it’s use cases)

Background

https://docs.microsoft.com/en-us/azure/security-center/defender-for-container-registries-introduction

https://docs.microsoft.com/en-us/azure/container-registry/allow-access-trusted-services#trusted-services

Config for AKS cluster with Azure CNI and Azure Standard Load Balancer

TaskStatusLocation
Allow access from Azure Security Center for Image Scanning ACR Networking – Firewall
Allow access from AKS outbound Loadbalancer ACR Networking – Firewall

MS Docs References

SourceTaskInfostatus
MS Docs Azure PolicyConfigure container registries to disable local authentication.Disable local authentication so that your container registries exclusively require Azure Active Directory identities for authentication. Learn more about at: https://aka.ms/acr/authentication.
MS Docs Azure PolicyContainer registries should not allow unrestricted network accessAzure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn’t have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet.

Verifying configuration

On successful configuration you should see that the AKS loadbalancer IP, and Azure Security Center both can access the ACR.

// Show registry events reported over the last hour 
// A list of registry event logs, sorted by time (earliest logs shown first). 
ContainerRegistryRepositoryEvents
| where TimeGenerated > ago(24h)
| sort by TimeGenerated asc
| distinct CallerIpAddress, ArtifactType, OperationName, Identity

0 comments on “Restricting Access to Azure Container Registry from AKS while allowing Azure Defender Access

Vastaa

Täytä tietosi alle tai klikkaa kuvaketta kirjautuaksesi sisään:

WordPress.com-logo

Olet kommentoimassa WordPress.com -tilin nimissä. Log Out /  Muuta )

Google photo

Olet kommentoimassa Google -tilin nimissä. Log Out /  Muuta )

Twitter-kuva

Olet kommentoimassa Twitter -tilin nimissä. Log Out /  Muuta )

Facebook-kuva

Olet kommentoimassa Facebook -tilin nimissä. Log Out /  Muuta )

Muodostetaan yhteyttä palveluun %s

%d bloggaajaa tykkää tästä: