Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

Udemy

Advanced Kubernetes/AKS Network & Infrastructure

via Udemy

Go to class Write review

Overview

Learn how to secure network communication in AKS/Kubernetes cluster

What you'll learn:
  • Learn AKS and Kubernetes network best practices
  • Learn how to securely expose services in Kubernetes
  • Learn how to secure pod to pod communication
  • Learn to setup TLS certificates for pods and ingress

You started your journey learning Kubernetes ?

You have been learning the fundamentals of a Kubernetes cluster ?

And now you want to make sure your cluster is production ready in terms of security ?


If you are looking for how to secure your Kubernetes cluster then this course is for you.


Let us face it, security is not an easy task. And Kubernetes is not an exception.

Securing a Kubernetes cluster requires thinking about all these aspects:

  1. Network security: through private cluster access to API Server with Private Endpoint.

  2. Secure egress traffic: all egress traffic should be filtered using Firewall.

  3. Secure ingress traffic: using TLS and HTTPS on the ingress controller.

  4. Secure inter-pod communication: secure traffic between pods using TLS or mTLS.

  5. Controlling traffic between pods: using Network Policy tools like Calico.

  6. Securing access to Managed Identities: by restricting access to IMDS endpoint (169.254.169.254).

  7. Implementing a Landing Zone: with integration into the Hub an Spoke model

  8. Customize logging and metrics collection

  9. Reduce the cost of the cluster infrastructure


Microsoft provides the following recommendations to secure an AKS cluster and this course will try to go deeper with demonstration.

Recommendation 1: To distribute HTTP or HTTPS traffic to your applications, use ingress resources and controllers. Compared to an Azure load balancer, ingress controllers provide extra features and can be managed as native Kubernetes resources.

Recommendation 2: To scan incoming traffic for potential attacks, use a web application firewall (WAF) such as Barracuda WAF for Azure or Azure Application Gateway. These more advanced network resources can also route traffic beyond just HTTP and HTTPS connections or basic TLS termination.

Recommendation 3: Use network policies to allow or deny traffic to pods. By default, all traffic is allowed between pods within a cluster. For improved security, define rules that limit pod communication.

Recommendation 4: Don't expose remote connectivity to your AKS nodes. Create a bastion host, or jump box, in a management virtual network. Use the bastion host to securely route traffic into your AKS cluster to remote management tasks.


Disclaimer: This course uses Azure Kubernetes Service (AKS) for demonstrations. But most of the content is applicable to any Kubernetes cluster on any environment.

Syllabus

  • Course introduction
  • Kubernetes and AKS architecture
  • Introduction to Kubernetes fundamentals
  • Comparing AKS public and private clusters
  • Network isolated AKS cluster
  • Accessing a private AKS cluster using Bastion
  • Networking plugins for AKS: Kubenet & Azure CNI
  • AKS Private DNS resolution at scale
  • Kubernetes External-DNS
  • Kubernetes CoreDNS
  • Gateway API with Application Gateway for Containers
  • Gateway API with Envoy Gateway
  • AKS Application Routing (Managed Ingress)
  • App Gateway and Ingress Controller instead of AGIC
  • AKS Egress Traffic and Outbound Types (LB, NAT Gateway, UDR)
  • HTTP Proxy with AKS
  • Filtering egress traffic using Network Policies
  • Assigning static IP addresses using Kube Static Egress Gateway
  • Preserving client IP for Pods
  • Working with Kubernetes StatefulSet for data persistence
  • Persist AKS data using Azure Disk
  • Persist AKS data using Azure Storage Blob
  • Creating a Snapshot for a Persistent Volume
  • Copying Disks and File shares in Kubernetes
  • Creating an AKS Backup using Azure Backup Vault
  • Creating Kubernetes Backup using Velero
  • Securing cluster Secrets using Secret Store CSI Volume
  • Scheduling Pods on Nodepools
  • Securing Traffic in Kubernetes
  • Securing Ingress using TLS/HTTPS
  • Securing inter Pod communication using TLS certificates
  • Implementing network policy using Calico
  • Securing access to IMDS (169.254.169.254)
  • Exposing AKS apps using API Management
  • Exposing AKS apps using Front Door
  • AKS versioning and upgrade
  • Creating custom Azure RBAC roles for AKS
  • Logging with Log Analytics
  • Karpenter for AKS
  • AKS monitoring with Prometheus, Grafana and Log Analytics
  • Creating Grafana dashboard to view logs from AKS
  • Azure Monitor Agent (AMA) for AKS
  • Application deployment using GitOps and ArgoCD
  • Running LLM models in AKS
  • AKS Cost Analysis
  • Introduction to AKS Automatic
  • ACR RBAC roles with ABAC
  • Setting up AKS, ACR and VM in a private virtual network
  • About the author

Taught by

Houssem Dellai

Reviews

4.6 rating at Udemy based on 457 ratings

Start your review of Advanced Kubernetes/AKS Network & Infrastructure

Go to class

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Sign up for free
Someone learning on their laptop while sitting on the floor.