Azure Container Security with ACI and AKS

Microsoft Azure provides Azure Container Instances (ACI) for serverless containers and Azure Kubernetes Service (AKS) for managed Kubernetes. Identity and access management integrates through managed identities and Azure Active Directory (now branded Microsoft Entra ID). Network security uses Azure Virtual Networks and Network Security Groups. None of these features is secure by default: a private API server, Entra ID authentication with Azure RBAC, a registry and vault that reject public traffic, and control-plane audit logging each have to be enabled explicitly, and only together do they form a defensible baseline.

ACI security focuses on isolation and simplified deployment. Container groups provide co-located containers with shared networking and storage. Virtual network integration enables private deployments. Managed identities eliminate credential management. However, ACI's serverless nature removes some controls that are available when you own the node: there is no host to harden, no place to run a host-level agent, and no admission controller of your own, so network isolation, image provenance and least-privilege identities carry more of the load. Organizations must understand these trade-offs when choosing ACI.

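# Example: Secure AKS deployment with Azure security features
# PowerShell script for secure AKS cluster deployment
#
# Prerequisites: Azure CLI (`az`) logged in to the target subscription with
# rights to create resource groups, networking, Key Vault, ACR, Log Analytics
# and AKS. Every step shells out to `az`; re-running the script is only as
# idempotent as the individual CLI commands are.

param(
    # Resource group that will hold every resource created by this script.
    [Parameter(Mandatory=$true)]
    [string]$ResourceGroupName,

    # AKS cluster name. Also the prefix for the VNet, NSG, Key Vault, ACR and
    # Log Analytics names derived below, so keep it short: Key Vault names are
    # capped at 24 characters and must be alphanumeric plus hyphens.
    [Parameter(Mandatory=$true)]
    [string]$ClusterName,

    # Azure region for all resources.
    [Parameter(Mandatory=$true)]
    [string]$Location,

    # Only used as a tag value on the cluster.
    [string]$Environment = "production"
)

# Set strict error handling for cmdlets. On its own, $ErrorActionPreference does
# NOT stop the script when a native command such as `az` exits non-zero, so a
# failed step would otherwise be silently skipped and the next one would run
# against missing resources.
$ErrorActionPreference = "Stop"

# Fail early if the CLI is not logged in, rather than partway through deployment.
az account show --output none
if ($LASTEXITCODE -ne 0) {
    throw "Azure CLI is not logged in (run 'az login') or no subscription is selected."
}

# PowerShell 7.3+: make non-zero exit codes from native commands honour
# $ErrorActionPreference. On older versions this is just an ordinary variable
# assignment with no effect, which is why critical steps below also check
# $LASTEXITCODE explicitly.
$PSNativeCommandUseErrorActionPreference = $true

Write-Host "Deploying secure AKS cluster: $ClusterName" -ForegroundColor Green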

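# Create resource group
Write-Host "Creating resource group..." -ForegroundColor Yellow
az group create --name $ResourceGroupName --location $Location
if ($LASTEXITCODE -ne 0) { throw "Failed to create resource group '$ResourceGroupName'." }

# Create virtual network with the node subnet.
Write-Host "Creating virtual network..." -ForegroundColor Yellow
$vnetName = "$ClusterName-vnet"
az network vnet create `
    --resource-group $ResourceGroupName `
    --name $vnetName `
    --address-prefixes 10.0.0.0/16 `
    --subnet-name aks-subnet `
    --subnet-prefix 10.0.1.0/24
if ($LASTEXITCODE -ne 0) { throw "Failed to create virtual network '$vnetName'." }

# Enable the service endpoints that VNet-scoped firewall rules on the container
# registry and the Key Vault depend on. `az acr network-rule add --subnet` and
# `az keyvault network-rule add --subnet` are rejected for a subnet that does
# not have the matching service endpoint, so without this the "lock the
# registry/vault to the node subnet" steps cannot succeed.
az network vnet subnet update `
    --resource-group $ResourceGroupName `
    --vnet-name $vnetName `
    --name aks-subnet `
    --service-endpoints Microsoft.ContainerRegistry Microsoft.KeyVault
if ($LASTEXITCODE -ne 0) { throw "Failed to enable service endpoints on aks-subnet." }

# Additional subnets. The ACI subnet is only reserved here; using it for ACI /
# virtual nodes additionally requires a Microsoft.ContainerInstance/containerGroups
# delegation, which is not configured by this script. The agw-subnet is reserved
# for an Application Gateway that is likewise not deployed here.
az network vnet subnet create `
    --resource-group $ResourceGroupName `
    --vnet-name $vnetName `
    --name aci-subnet `
    --address-prefixes 10.0.2.0/24

az network vnet subnet create `
    --resource-group $ResourceGroupName `
    --vnet-name $vnetName `
    --name agw-subnet `
    --address-prefixes 10.0.3.0/24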

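# Create network security group
Write-Host "Creating network security group..." -ForegroundColor Yellow
az network nsg create `
    --resource-group $ResourceGroupName `
    --name "$ClusterName-nsg"
if ($LASTEXITCODE -ne 0) { throw "Failed to create NSG '$ClusterName-nsg'." }

# Add security rules.
# Inbound 443 from inside the VNet only. The built-in AllowVnetInBound (65000)
# rule already permits this, so the explicit rule mainly documents intent and
# keeps the API-server path working if a lower-priority deny is added later.
# Internet-sourced traffic is still dropped by the built-in DenyAllInBound rule.
az network nsg rule create `
    --resource-group $ResourceGroupName `
    --nsg-name "$ClusterName-nsg" `
    --name AllowKubeAPI `
    --priority 100 `
    --direction Inbound `
    --destination-port-ranges 443 `
    --protocol Tcp `
    --source-address-prefixes "10.0.0.0/16" `
    --access Allow `
    --description "Kubernetes API server reachable from inside the VNet only"

# An NSG that is not associated with a subnet or NIC filters nothing. Attach it
# to the node subnet so the rules above actually take effect. AKS also manages
# its own NSG on the node NICs; any custom deny rules added to this NSG must not
# block the cluster's required outbound/load-balancer traffic.
az network vnet subnet update `
    --resource-group $ResourceGroupName `
    --vnet-name "$ClusterName-vnet" `
    --name aks-subnet `
    --network-security-group "$ClusterName-nsg"
if ($LASTEXITCODE -ne 0) { throw "Failed to associate NSG '$ClusterName-nsg' with aks-subnet." }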

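# Create Azure Key Vault
Write-Host "Creating Key Vault..." -ForegroundColor Yellow
# The random suffix only makes the globally-unique name unlikely to collide; it
# is not a secret, so Get-Random is adequate here.
$keyVaultName = "$ClusterName-kv-$(Get-Random -Maximum 9999)"
if ($keyVaultName.Length -gt 24) {
    throw "Key Vault name '$keyVaultName' exceeds the 24-character limit; use a shorter -ClusterName."
}

# --enable-rbac-authorization: data-plane access is granted via Azure RBAC
#   roles (e.g. "Key Vault Secrets User"); nothing, including the AKS
#   secrets-provider addon identity created later, can read secrets until such
#   a role is assigned.
# --enable-soft-delete: soft delete is always on for new vaults; the flag is
#   kept for older CLI versions that still require it.
# --enable-purge-protection: a deleted vault/secret cannot be purged before the
#   retention period ends, which blocks "delete and recreate" attacks on keys.
az keyvault create `
    --name $keyVaultName `
    --resource-group $ResourceGroupName `
    --location $Location `
    --enable-rbac-authorization `
    --enable-soft-delete `
    --enable-purge-protection
if ($LASTEXITCODE -ne 0) { throw "Failed to create Key Vault '$keyVaultName'." }

# Passing empty --network-acls-ips/--network-acls-vnets lists does not restrict
# anything: the vault's default action stays Allow, i.e. reachable from any
# network. Flip the default to Deny, keep the trusted-services bypass, and allow
# only the node subnet (requires the Microsoft.KeyVault service endpoint on it).
# Note that after this step administrative access from outside the VNet (your
# workstation, CI) must come through an allowed IP rule or a private endpoint.
az keyvault update `
    --name $keyVaultName `
    --resource-group $ResourceGroupName `
    --default-action Deny `
    --bypass AzureServices
if ($LASTEXITCODE -ne 0) { throw "Failed to set the Key Vault default network action to Deny." }

$aksSubnetId = $(az network vnet subnet show `
    --resource-group $ResourceGroupName `
    --vnet-name "$ClusterName-vnet" `
    --name aks-subnet `
    --query id -o tsv)
az keyvault network-rule add `
    --name $keyVaultName `
    --resource-group $ResourceGroupName `
    --subnet $aksSubnetId
if ($LASTEXITCODE -ne 0) { throw "Failed to allow aks-subnet on Key Vault '$keyVaultName'." }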

# Create Log Analytics Workspace
# Receives the container-insights data from the monitoring addon and the
# control-plane diagnostic logs configured later. The 90-day value is the
# retention for the whole workspace; audit-log retention requirements may
# call for a longer period.
Write-Host "Creating Log Analytics Workspace..." -ForegroundColor Yellow
$workspaceName = "$ClusterName-logs"
$workspaceArgs = @(
    '--resource-group', $ResourceGroupName,
    '--workspace-name', $workspaceName,
    '--location', $Location,
    '--retention-time', '90'
)
az monitor log-analytics workspace create @workspaceArgs

# Full resource ID of the workspace; consumed by `az aks create
# --workspace-resource-id` and by the diagnostic settings.
$workspaceId = az monitor log-analytics workspace show `
    --resource-group $ResourceGroupName `
    --workspace-name $workspaceName `
    --query id `
    -o tsv

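# Create Azure Container Registry
Write-Host "Creating Container Registry..." -ForegroundColor Yellow
# Registry names must be 5-50 alphanumeric characters, so strip anything else
# (e.g. hyphens in the cluster name) before building the name. The random
# suffix is for uniqueness only, not a secret.
$acrName = "$($ClusterName -replace '[^A-Za-z0-9]', '')acr$(Get-Random -Maximum 9999)"
if ($acrName.Length -lt 5 -or $acrName.Length -gt 50) {
    throw "Container registry name '$acrName' is not 5-50 characters; adjust -ClusterName."
}

# Premium SKU is required for network rules / private access.
# --admin-enabled false: no shared admin username/password; pulls use the
# cluster's kubelet managed identity (granted AcrPull by --attach-acr later).
az acr create `
    --resource-group $ResourceGroupName `
    --name $acrName `
    --sku Premium `
    --location $Location `
    --admin-enabled false
if ($LASTEXITCODE -ne 0) { throw "Failed to create container registry '$acrName'." }

# Enable security features on ACR
az acr update `
    --name $acrName `
    --anonymous-pull-enabled false

# Configure ACR network restrictions.
# Build the subnet ID from the CLI instead of hand-assembling it from a
# $subscriptionId variable that this script never defines (the original
# produced an invalid resource path). Requires the Microsoft.ContainerRegistry
# service endpoint on aks-subnet.
$aksSubnetId = $(az network vnet subnet show `
    --resource-group $ResourceGroupName `
    --vnet-name "$ClusterName-vnet" `
    --name aks-subnet `
    --query id -o tsv)
az acr network-rule add `
    --name $acrName `
    --subnet $aksSubnetId
if ($LASTEXITCODE -ne 0) { throw "Failed to add aks-subnet network rule to '$acrName'." }

# A network rule only has effect once the default action is Deny; otherwise the
# registry remains reachable from any network. After this, pushes from outside
# the VNet (e.g. a CI runner) need their own IP/subnet rule or a private endpoint.
az acr update `
    --name $acrName `
    --default-action Deny
if ($LASTEXITCODE -ne 0) { throw "Failed to set default network action to Deny on '$acrName'." }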

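# Create AKS cluster with security features
Write-Host "Creating AKS cluster with security features..." -ForegroundColor Yellow

# Resolve the node subnet ID via the CLI; the original interpolated a
# $subscriptionId variable that is never set, yielding a broken resource path.
$aksSubnetId = $(az network vnet subnet show `
    --resource-group $ResourceGroupName `
    --vnet-name "$ClusterName-vnet" `
    --name aks-subnet `
    --query id -o tsv)
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($aksSubnetId)) {
    throw "Could not resolve the resource ID of aks-subnet."
}

# Flag notes:
# --network-plugin/--network-policy azure: Azure CNI with NetworkPolicy
#   enforcement, needed for the default-deny policy applied later.
# --enable-aad --enable-azure-rbac: Entra ID authentication and Azure RBAC for
#   Kubernetes authorization. Consider also --disable-local-accounts once no
#   post-deployment step relies on `az aks get-credentials --admin`; the admin
#   kubeconfig is a long-lived certificate credential that bypasses both.
# --enable-private-cluster: the API server gets a private endpoint only, so
#   kubectl from outside the VNet will not reach it (use `az aks command
#   invoke`, a jump host, or VPN/ExpressRoute).
# --enable-defender: Defender for Containers runtime sensor on the nodes.
# --enable-workload-identity/--enable-oidc-issuer: pod-level federated identity
#   instead of shared node credentials.
# --kubernetes-version: a pinned patch version falls out of support over time;
#   check `az aks get-versions --location $Location` before relying on it.
# --docker-bridge-address: deprecated and ignored by current AKS; kept for
#   older CLI compatibility but it can be dropped.
az aks create `
    --resource-group $ResourceGroupName `
    --name $ClusterName `
    --location $Location `
    --node-count 3 `
    --node-vm-size Standard_D4s_v3 `
    --network-plugin azure `
    --network-policy azure `
    --vnet-subnet-id $aksSubnetId `
    --docker-bridge-address 172.17.0.1/16 `
    --dns-service-ip 10.2.0.10 `
    --service-cidr 10.2.0.0/16 `
    --enable-cluster-autoscaler `
    --min-count 3 `
    --max-count 10 `
    --enable-managed-identity `
    --enable-aad `
    --enable-azure-rbac `
    --enable-private-cluster `
    --enable-addons monitoring,azure-policy,azure-keyvault-secrets-provider `
    --workspace-resource-id $workspaceId `
    --attach-acr $acrName `
    --kubernetes-version 1.27.3 `
    --enable-defender `
    --enable-workload-identity `
    --enable-oidc-issuer `
    --tags "Environment=$Environment" "SecurityLevel=High"
if ($LASTEXITCODE -ne 0) { throw "Failed to create AKS cluster '$ClusterName'." }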

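# Configure Azure Policy for AKS
Write-Host "Configuring Azure Policy..." -ForegroundColor Yellow
$aksResourceId = $(az aks show --resource-group $ResourceGroupName --name $ClusterName --query id -o tsv)
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($aksResourceId)) {
    throw "Could not resolve the resource ID of cluster '$ClusterName'."
}

# Assign built-in security policies.
# The policy set referenced by GUID is a built-in pod-security initiative;
# confirm its display name with `az policy set-definition show --name <guid>`
# before relying on it. Enforcement requires the azure-policy addon enabled at
# cluster creation. With effect=Deny, non-compliant pods are rejected at
# admission; the initiative's default namespace exclusions are expected to
# cover kube-system and the other AKS system namespaces - verify that before
# enabling Deny on a cluster that already runs workloads.
#
# The parameters are written to a file rather than passed as an inline JSON
# string: PowerShell's quoting of JSON for native commands differs between
# Windows PowerShell, PowerShell 7.3+ and non-Windows hosts, and the original
# `'{\"effect\": ...}'` form only works on some of them.
$policyParamsFile = Join-Path ([System.IO.Path]::GetTempPath()) "aks-policy-params-$([guid]::NewGuid()).json"
@{ effect = @{ value = "Deny" } } | ConvertTo-Json -Compress | Set-Content -Path $policyParamsFile -Encoding ascii
try {
    az policy assignment create `
        --name "AKS-Security-Baseline" `
        --display-name "AKS Security Baseline" `
        --policy-set-definition "/providers/Microsoft.Authorization/policySetDefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d" `
        --scope $aksResourceId `
        --params $policyParamsFile
    if ($LASTEXITCODE -ne 0) { throw "Failed to assign the AKS security baseline policy." }
}
finally {
    Remove-Item -Path $policyParamsFile -Force -ErrorAction SilentlyContinue
}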

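# Create diagnostic settings
Write-Host "Configuring diagnostics..." -ForegroundColor Yellow

# Control-plane log categories to ship to the workspace.
# - kube-audit holds every API request; kube-audit-admin is the subset that
#   excludes GET/LIST. Enabling both, as the original did, ingests the admin
#   events twice; keep both only if separate retention/alerting is wanted.
# - guard is the Entra ID / Azure RBAC authentication log, which is what an
#   investigator needs to attribute an API call to a principal; added here.
# retentionPolicy is honoured for storage-account destinations only; for a
# workspace destination retention is governed by the workspace setting.
$logCategories = @(
    'kube-apiserver',
    'kube-controller-manager',
    'kube-scheduler',
    'kube-audit',
    'kube-audit-admin',
    'guard'
)
$logSettings = foreach ($category in $logCategories) {
    @{ category = $category; enabled = $true; retentionPolicy = @{ days = 90; enabled = $true } }
}
$metricSettings = @(
    @{ category = 'AllMetrics'; enabled = $true; retentionPolicy = @{ days = 90; enabled = $true } }
)

# Passed via @file: PowerShell's quoting of inline JSON for native commands is
# host-version dependent, so the original `'[{\"category\": ...}]'` form breaks
# on some hosts. -InputObject keeps single-element lists as JSON arrays.
$tempDir = [System.IO.Path]::GetTempPath()
$logsFile = Join-Path $tempDir "aks-diag-logs-$([guid]::NewGuid()).json"
$metricsFile = Join-Path $tempDir "aks-diag-metrics-$([guid]::NewGuid()).json"
ConvertTo-Json -InputObject @($logSettings) -Depth 5 -Compress | Set-Content -Path $logsFile -Encoding ascii
ConvertTo-Json -InputObject @($metricSettings) -Depth 5 -Compress | Set-Content -Path $metricsFile -Encoding ascii
try {
    az monitor diagnostic-settings create `
        --name "AKS-Diagnostics" `
        --resource $aksResourceId `
        --workspace $workspaceId `
        --logs ('@' + $logsFile) `
        --metrics ('@' + $metricsFile)
    if ($LASTEXITCODE -ne 0) { throw "Failed to create diagnostic settings for '$ClusterName'." }
}
finally {
    Remove-Item -Path $logsFile, $metricsFile -Force -ErrorAction SilentlyContinue
}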

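# Apply baseline Kubernetes security objects.
#
# Two problems with the original step. First, `kubectl apply -f - <<EOF` is a
# bash heredoc; PowerShell reserves `<` and refuses to parse the script at all.
# Second, `az aks get-credentials --admin` hands out the cluster-admin
# certificate credential, which bypasses the Entra ID + Azure RBAC
# authentication the cluster was just created with, and kubectl from outside
# the VNet cannot reach a private API server anyway.
#
# `az aks command invoke` runs kubectl inside the cluster's VNet and authorizes
# the caller through Azure RBAC (a role such as "Azure Kubernetes Service RBAC
# Cluster Admin" on the cluster is required). The manifest is uploaded with
# --file and referenced by its basename in the command.
Write-Host "Applying Kubernetes security baseline..." -ForegroundColor Yellow
$manifestDir = Join-Path ([System.IO.Path]::GetTempPath()) "aks-baseline-$([guid]::NewGuid())"
New-Item -ItemType Directory -Path $manifestDir | Out-Null
$manifestPath = Join-Path $manifestDir "security-baseline.yaml"

# Single-quoted here-string: nothing inside is interpolated by PowerShell.
@'
# Pod Security Admission at the "restricted" level. These labels apply to the
# security-system namespace only; every other namespace (including default)
# stays at the cluster's default PSA level unless labelled the same way.
apiVersion: v1
kind: Namespace
metadata:
  name: security-system
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# Default-deny for all pods in the default namespace. Denying egress also blocks
# DNS to kube-dns, so any workload placed here needs an explicit egress policy
# allowing UDP/TCP 53 to kube-system before it can resolve names.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# NOTE(review): on AKS the control plane is managed and does not run as pods in
# kube-system, so this selector most likely matches nothing; confirm with
# `kubectl get pods -n kube-system -l tier=control-plane` and retarget it to a
# real system workload (e.g. coredns) if a PDB is wanted.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: system-pdb
  namespace: kube-system
spec:
  minAvailable: 1
  selector:
    matchLabels:
      tier: control-plane
'@ | Set-Content -Path $manifestPath -Encoding ascii

try {
    az aks command invoke `
        --resource-group $ResourceGroupName `
        --name $ClusterName `
        --command "kubectl apply -f security-baseline.yaml" `
        --file $manifestPath
    if ($LASTEXITCODE -ne 0) { throw "Applying the Kubernetes security baseline failed." }
}
finally {
    Remove-Item -Path $manifestDir -Recurse -Force -ErrorAction SilentlyContinue
}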

Write-Host "AKS cluster deployment complete!" -ForegroundColor Green
Write-Host "Cluster name: $ClusterName" -ForegroundColor Cyan
Write-Host "Container Registry: $acrName.azurecr.io" -ForegroundColor Cyan
Write-Host "Key Vault: $keyVaultName" -ForegroundColor Cyan