Azure / AKS

Azure Kubernetes Service
https://azure.github.io/AKS/

[Feature] AKS Public API Service Tag #4294

Open shbakesas opened 4 months ago

shbakesas commented 4 months ago

I support an MSP where we deploy hundreds of AKS clusters at scale. These AKS clusters run analytics software, often with sensitive/protected data. Having a default egress of anything is not acceptable, and our governance requires our outbound connectivity go through a firewall where it is inspected and logged.

We are having issues with routing AKS through an Azure Firewall. Due to the well-known SNI issue, we've had to put a network rule in place for the AzurePublic service tag. This poses an unacceptable data exfiltration risk for solutions hosting protected data. The alternative of adding FQDN-based rules is not scalable, and some of our AKS clusters are spun up on demand and destroyed, so there would be some significant overhead to tracking those clusters and getting the firewall updated as they try to come online and start their deployments. Additionally, our analytics software is comprised of 150+ containers, and using an FQDN annotation is not practical. The most obvious solution is a service tag on the firewall that only permits AKS public IP ranges, preferably limited by region.

miwithro commented 3 months ago

@chasewilson