Use Azure Firewall to protect Azure Kubernetes Service (AKS) deployments

Azure Kubernetes Service (AKS) offers a managed Kubernetes cluster on Azure. It reduces the complexity and operational overhead of managing Kubernetes by offloading much of that responsibility to Azure. AKS handles critical tasks such as health monitoring and maintenance for you, and delivers an enterprise-grade, secure cluster with facilitated governance.

Kubernetes orchestrates clusters of virtual machines and schedules containers to run on those virtual machines based on their available compute resources and the resource requirements of each container. Containers are grouped into pods, the basic operational unit of Kubernetes, and those pods scale to the state that you want.

For management and operational purposes, nodes in an AKS cluster need to reach certain ports and fully qualified domain names (FQDNs): for example, to communicate with the API server, or to download and install core Kubernetes cluster components and node security updates. Azure Firewall can help you lock down the environment and filter that outbound traffic.

Follow the guidelines in this article to provide additional protection for your Azure Kubernetes cluster using Azure Firewall.


Securing AKS

Azure Firewall provides an AKS FQDN tag to simplify the configuration. Use the following steps to allow outbound AKS platform traffic:

  • When you use Azure Firewall to restrict outbound traffic and create a user-defined route (UDR) to send all outbound traffic to the firewall, make sure you also create an appropriate DNAT rule in the firewall so that inbound traffic is still allowed correctly.

    Using Azure Firewall with a UDR breaks the inbound setup because of asymmetric routing. The issue occurs if the AKS subnet has a default route that goes to the firewall's private IP address, but you're using a public load balancer, for example for an ingress controller or a Kubernetes service of type LoadBalancer.

    In this case, the incoming load balancer traffic is received via the load balancer's public IP address, but the return path goes through the firewall's private IP address. Because the firewall is stateful and has no record of an established session for that flow, it drops the returning packet. To learn how to integrate Azure Firewall with your ingress or service load balancer, see Integrate Azure Firewall with Azure Standard Load Balancer.

  • Create an application rule collection and add a rule that enables the AzureKubernetesService FQDN tag. The source IP address range is the host pool (node) virtual network, the protocol is https, and the destination is AzureKubernetesService.

  • The following outbound ports / network rules are required for an AKS cluster:

    • TCP port 443.

    • TCP [IPAddrOfYourAPIServer]:443 is required if you have an app that needs to talk to the API server. This rule can be added after the cluster is created, once the API server IP address is known.

    • TCP port 9000 and UDP port 1194, for the tunnel front pod to communicate with the tunnel end on the API server.

      To be more specific, use *.hcp.<region>.cx.prod.service.azk8s.cn and the addresses in the following table. Each row lists three alternative destinations, from the broadest (the regional service tag) to the narrowest (the API server IP, which is only known after the cluster is created):

      Destination Endpoint                                    Protocol  Port  Use
      ServiceTag - AzureCloud.<Region>:1194                   UDP       1194  Tunneled secure communication between the nodes and the control plane.
      Regional CIDRs - RegionCIDRs:1194
      APIServerIP:1194 (only known after cluster creation)
      ServiceTag - AzureCloud.<Region>:9000                   TCP       9000  Tunneled secure communication between the nodes and the control plane.
      Regional CIDRs - RegionCIDRs:9000
      APIServerIP:9000 (only known after cluster creation)

    • UDP port 123 for Network Time Protocol (NTP) time synchronization (Linux nodes).

    • UDP port 53 for DNS is also required if you have pods directly accessing the API server.

    For more information, see Control egress traffic for cluster nodes in Azure Kubernetes Service (AKS).

  • Configure the AzureMonitor and Storage service tags. Azure Monitor receives the Log Analytics data.

    You can also allow your workspace URLs individually: <workspaceguid>.ods.opinsights.azure.com and <workspaceguid>.oms.opinsights.azure.com. You can address this in one of the following ways:

    • Allow https access from your host pool subnet to *.ods.opinsights.azure.com and *.oms.opinsights.azure.com. These wildcard FQDNs enable the required access but are less restrictive.
    • Run the following Log Analytics query against the firewall's diagnostic logs (after the wildcard rule has been in place long enough to capture real traffic) to list the exact FQDNs that were contacted, then allow those FQDNs explicitly in your firewall application rules and remove the wildcard rule:

      AzureDiagnostics
      | where Category == "AzureFirewallApplicationRule"
      | search "Allow"
      | search "*.ods.opinsights.azure.com" or "*.oms.opinsights.azure.com"
      | parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int " to " FQDN ":" *
      | project TimeGenerated, Protocol, FQDN
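As an added example (not code from the Azure documentation), the following Azure CLI script carries out the steps above in one place: the UDR that sends node traffic to the firewall, the application rule with the AzureKubernetesService FQDN tag, the Azure Monitor FQDN rule, the network rules from the table, and the DNAT rule that keeps inbound traffic symmetric. It also includes a shell equivalent of the Log Analytics query above for firewall logs exported as text. The resource group, firewall and route table names, the region, all address ranges, and the sample log lines are assumptions, and the sample log lines are constructed. With DRY_RUN=1 the script prints the az commands instead of executing them, so the plan can be reviewed before it touches a subscription.

```shell
#!/usr/bin/env bash
# Added example, not part of the Azure documentation. Names, region and address
# ranges are assumptions; adjust them for your environment. Executing the az
# commands for real requires the azure-firewall CLI extension.
set -eu

RG="${RG:-aks-fw-rg}"                               # resource group (assumed)
FW="${FW:-aks-firewall}"                            # Azure Firewall name (assumed)
REGION="${REGION:-chinaeast2}"                      # <Region> of the AzureCloud.<Region> service tag (assumed)
ROUTE_TABLE="${ROUTE_TABLE:-aks-egress-rt}"         # route table associated with the node subnet (assumed)
AKS_SUBNET_CIDR="${AKS_SUBNET_CIDR:-10.240.0.0/16}" # host pool (node) subnet (assumed)
FW_PRIVATE_IP="${FW_PRIVATE_IP:-10.241.0.4}"        # firewall private IP (assumed)
FW_PUBLIC_IP="${FW_PUBLIC_IP:-20.0.0.10}"           # firewall public IP (assumed)
INGRESS_LB_IP="${INGRESS_LB_IP:-10.240.0.100}"      # internal load balancer IP of the ingress service (assumed)

# DRY_RUN=1 prints each az command instead of running it.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# UDR: default route from the node subnet to the firewall's private IP.
create_egress_route() {
  run az network route-table route create -g "$RG" --route-table-name "$ROUTE_TABLE" \
    -n to-firewall --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_PRIVATE_IP"
}

# Application rules: AKS platform traffic via the AzureKubernetesService FQDN tag,
# and the Azure Monitor workspace endpoints in their wildcard (less restrictive) form.
create_app_rules() {
  run az network firewall application-rule create -g "$RG" -f "$FW" \
    --collection-name aks-platform --name allow-aks --priority 100 --action Allow \
    --source-addresses "$AKS_SUBNET_CIDR" --protocols 'https=443' \
    --fqdn-tags AzureKubernetesService
  run az network firewall application-rule create -g "$RG" -f "$FW" \
    --collection-name aks-monitor --name allow-opinsights --priority 110 --action Allow \
    --source-addresses "$AKS_SUBNET_CIDR" --protocols 'https=443' \
    --target-fqdns '*.ods.opinsights.azure.com' '*.oms.opinsights.azure.com'
}

# Network rules: tunnel ports from the table (regional service tag), TCP 443 to the
# same tag (the page names no destination for 443; the tag is an assumption), and NTP.
# Narrow the 1194/9000 rules to the API server IP once the cluster exists.
create_network_rules() {
  run az network firewall network-rule create -g "$RG" -f "$FW" \
    --collection-name aks-tunnel --name tunnel-udp-1194 --priority 200 --action Allow \
    --source-addresses "$AKS_SUBNET_CIDR" --destination-addresses "AzureCloud.$REGION" \
    --destination-ports 1194 --protocols UDP
  run az network firewall network-rule create -g "$RG" -f "$FW" \
    --collection-name aks-tunnel --name tunnel-tcp-9000 \
    --source-addresses "$AKS_SUBNET_CIDR" --destination-addresses "AzureCloud.$REGION" \
    --destination-ports 9000 --protocols TCP
  run az network firewall network-rule create -g "$RG" -f "$FW" \
    --collection-name aks-tunnel --name https-443 \
    --source-addresses "$AKS_SUBNET_CIDR" --destination-addresses "AzureCloud.$REGION" \
    --destination-ports 443 --protocols TCP
  run az network firewall network-rule create -g "$RG" -f "$FW" \
    --collection-name aks-tunnel --name ntp-123 \
    --source-addresses "$AKS_SUBNET_CIDR" --destination-addresses '*' \
    --destination-ports 123 --protocols UDP
}

# DNAT: clients connect to the firewall's public IP, which is translated to the
# ingress service's internal load balancer IP. Both directions now pass through the
# firewall, so the return packets match a known session and are not dropped.
create_ingress_dnat() {
  run az network firewall nat-rule create -g "$RG" -f "$FW" \
    --collection-name aks-ingress --name dnat-http --priority 300 --action Dnat \
    --source-addresses '*' --destination-addresses "$FW_PUBLIC_IP" \
    --destination-ports 80 --translated-address "$INGRESS_LB_IP" --translated-port 80 \
    --protocols TCP
}

apply_all() {
  create_egress_route
  create_app_rules
  create_network_rules
  create_ingress_dnat
}

# Shell counterpart of the Log Analytics query: reads application-rule log messages
# (the msg_s field) on stdin and prints the exact allowed opinsights FQDNs, one per
# line, ready to replace the wildcard rule.
list_allowed_opinsights_fqdns() {
  grep 'Action: Allow' \
    | grep -E ' to [^ :]+\.(ods|oms)\.opinsights\.azure\.com:' \
    | sed -E 's/^.* request from [^ ]+ to ([^ :]+):.*$/\1/' \
    | sort -u
}

# Constructed sample log lines (not real data) in the msg_s format.
SAMPLE_FIREWALL_LOG='HTTPS request from 10.240.0.4:51284 to 1b2c3d4e-5f60-4a7b-8c9d-0e1f2a3b4c5d.ods.opinsights.azure.com:443. Action: Allow. Rule Collection: aks-monitor. Rule: allow-opinsights
HTTPS request from 10.240.0.5:43012 to 1b2c3d4e-5f60-4a7b-8c9d-0e1f2a3b4c5d.oms.opinsights.azure.com:443. Action: Allow. Rule Collection: aks-monitor. Rule: allow-opinsights
HTTPS request from 10.240.0.4:51300 to 1b2c3d4e-5f60-4a7b-8c9d-0e1f2a3b4c5d.ods.opinsights.azure.com:443. Action: Allow. Rule Collection: aks-monitor. Rule: allow-opinsights
HTTPS request from 10.240.0.6:50001 to evil.example.com:443. Action: Deny. No rule matched. Proceeding with default action'

# APPLY=1 executes the plan; DRY_RUN=1 APPLY=1 only prints it.
if [ "${APPLY:-0}" = 1 ]; then apply_all; fi
```

Rule collections are evaluated network rules first, then application rules, so keep the network rules tightly scoped (service tag or API server IP, not `*`) or the FQDN-tag application rule never gets a chance to restrict anything. Once the cluster exists, replace `AzureCloud.<Region>` in the tunnel rules with the API server IP, and replace the wildcard opinsights rule with the exact names that `list_allowed_opinsights_fqdns` (or the Log Analytics query) reports.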

Next steps