AKS – Ensure public load balancer creation is audited or denied on Azure Kubernetes

Many use cases of Azure Kubernetes Service are based on running a private AKS cluster that exposes services only via a Web Application Firewall (such as Azure Application Gateway), or exposes services only internally.

Auditing and/or denying the creation of public load balancers ensures that the governance principle for the particular AKS instance is followed.

ControlId: Ensure public load balancer creation is audited or denied


Example of Public Load Balancer resource
Prevent creation of load balancer with Public IP with Azure Policy
Audit successful creations of public load balancers with public IP

Check the control from log analytics

// Kube-audit diagnostic logs land in the AzureDiagnostics table (table name added here; the original query omitted it)
AzureDiagnostics
// adjust the time window if needed
| where TimeGenerated > now() - 240m
| where Category == "kube-audit"
| extend l = parse_json(log_s)
| where l.responseObject contains "loadBalancer"
| extend ingress = parse_json(l.responseObject.status).loadBalancer.ingress
| where isnotempty(ingress)
// for each ingress entry, count private (RFC 1918) IPs; a Service whose ingress has none is a public load balancer
| mv-apply ingress.ip on (
    summarize countif(ipv4_is_private(tostring(ingress_ip)))
    | where countif_ == 0
    | extend isPublicIP = "True"
)
| project-away countif_, log_s
| distinct tostring(ingress), isPublicIP, tostring(l.responseObject.spec)
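The same detection logic as the KQL query above, expressed in Python so it can be run offline against a few constructed kube-audit entries. This is an added example, not code from the original post: it parses the `responseObject` of Service writes, extracts `status.loadBalancer.ingress` IPs, and flags a Service only when none of its ingress IPs fall in an RFC 1918 range (the `countif_ == 0` condition of the query). The sample log entries, Service names and IP addresses are constructed for illustration; the internal-load-balancer annotation shown is the standard AKS one.

```python
import json
import ipaddress

# RFC 1918 ranges, the same set that KQL's ipv4_is_private() tests.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed kube-audit entries shaped like the log_s payload the KQL query parses.
# Names and addresses are made up; 203.0.113.0/24 is a documentation range, not a real LB IP.
SAMPLE_KUBE_AUDIT_LOGS = [
    json.dumps({  # LoadBalancer Service that received a public IP: should be flagged
        "verb": "update",
        "responseObject": {
            "kind": "Service",
            "metadata": {"name": "web-public", "namespace": "shop"},
            "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]},
            "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}},
        },
    }),
    json.dumps({  # Internal load balancer (annotation + private IP): compliant, not flagged
        "verb": "update",
        "responseObject": {
            "kind": "Service",
            "metadata": {
                "name": "api-internal",
                "namespace": "shop",
                "annotations": {"service.beta.kubernetes.io/azure-load-balancer-internal": "true"},
            },
            "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]},
            "status": {"loadBalancer": {"ingress": [{"ip": "10.240.0.7"}]}},
        },
    }),
    json.dumps({  # ClusterIP Service: empty loadBalancer status, ignored by the isnotempty() filter
        "verb": "create",
        "responseObject": {
            "kind": "Service",
            "metadata": {"name": "cache", "namespace": "shop"},
            "spec": {"type": "ClusterIP"},
            "status": {"loadBalancer": {}},
        },
    }),
    json.dumps({  # LoadBalancer Service whose IP is still pending: nothing to decide yet
        "verb": "create",
        "responseObject": {
            "kind": "Service",
            "metadata": {"name": "pending", "namespace": "shop"},
            "spec": {"type": "LoadBalancer"},
            "status": {"loadBalancer": {"ingress": []}},
        },
    }),
]


def is_private_ipv4(ip):
    """Equivalent of KQL ipv4_is_private(): True only for RFC 1918 IPv4 addresses."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918_NETS)


def ingress_ips(entry):
    """Mirror of: extend ingress = parse_json(l.responseObject.status).loadBalancer.ingress"""
    status = entry.get("responseObject", {}).get("status", {})
    ingress = status.get("loadBalancer", {}).get("ingress") or []
    return [item["ip"] for item in ingress if "ip" in item]


def find_public_load_balancers(log_lines):
    """Return one finding per audit entry whose load balancer ingress has no private IP."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        ips = ingress_ips(entry)
        if not ips:
            continue  # where isnotempty(ingress)
        # mv-apply ... summarize countif(ipv4_is_private(...)) | where countif_ == 0
        if sum(is_private_ipv4(ip) for ip in ips) == 0:
            md = entry["responseObject"].get("metadata", {})
            findings.append({
                "namespace": md.get("namespace"),
                "name": md.get("name"),
                "ingress": ips,
                "spec": entry["responseObject"].get("spec"),
                "isPublicIP": "True",
            })
    return findings


if __name__ == "__main__":
    for finding in find_public_load_balancers(SAMPLE_KUBE_AUDIT_LOGS):
        print(json.dumps(finding))
```

Note the design choice carried over from the query: a Service is flagged only when none of its ingress IPs is private, so an internal load balancer with a 10.x address passes even though it is of type LoadBalancer. If Azure Policy is set to Deny rather than Audit, a public Service never reaches the "ingress assigned" state and this detection sees nothing, which is the expected outcome.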


Source: https://aka.ms/kubepolicydoc.

Kubernetes clusters should use internal load balancers: Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.

Blog related to Azure Policy


KQL example

