Microsoft Developer Community Blog

Securing AKS using Palo Alto Networks AI Runtime Security Unified Firewall

aayodeji
May 29, 2025

This blog discusses enhancing the security of Azure Kubernetes Service (AKS) using Palo Alto Networks' AI Runtime Security Unified Firewall. It emphasizes the importance of integrating Next-Generation Firewalls (NGFW) to provide additional content inspection and prevent unauthorized access, particularly in a containerized environment.

Background 

Azure Kubernetes Service 

Azure Kubernetes Service (AKS) is a fully managed container orchestration service provided by Microsoft Azure. It allows you to deploy, manage, and scale containerized applications using Kubernetes (k8s), an open-source container orchestration platform. AKS simplifies the process of managing Kubernetes clusters by automating many tasks like cluster setup, patching, scaling, and monitoring, so you can focus more on developing and deploying applications rather than managing infrastructure. 

AKS networking provides strong segmentation and access controls that form an important foundation of a Zero Trust architecture, but these controls can be further enhanced with additional security tools. Whether using Security Groups, Security Policy, or even separate overlays for each namespace, the enforcement is still based on trust: are these endpoints allowed to connect to each other?  Organizations implementing defense-in-depth strategies may want to consider additional content inspection capabilities to further mitigate the risk of lateral movement. 

While AKS provides robust built-in security features, organizations may want to consider implementing Next-Generation Firewalls (NGFW) as part of a comprehensive security strategy for containerized workloads. Fundamentally, an NGFW augments the identity-based permissions of AKS policies with inline content inspection to prevent unauthorized access, layer 7 attacks, and data breaches. While containers offer flexibility and scalability, they are not immune to the security challenges of VM environments, and software NGFWs can mitigate these risks.

AKS allows you to segment containerized workloads into distinct overlays and namespaces (e.g., “front end”, “ordering”, and “inventory”), restricting access to only those parts of the network that are necessary for each part of the application to function. This reduces the potential attack surface and makes it harder for attackers to move laterally within your environment. However, application-specific attacks at Layer 7 can pass through those Layer 4 restrictions simply by following the east-west traffic to the next target. 

Next-Generation Firewalls can also provide detailed logging and monitoring capabilities for all network traffic going to, from, and between containers. This enables real-time visibility into potential security incidents, helping to identify any compromised containers performing malicious activities such as port scanning, unauthorized access attempts, or suspicious traffic patterns. As attacks have become more sophisticated and evasive, NGFWs have likewise evolved to detect and block those attacks using inline inspection and machine learning (ML).  Advanced security solutions can leverage machine learning and AI capabilities to help detect and block sophisticated attacks, including zero-day threats within Kubernetes environments. Solutions like Palo Alto Networks' Prisma AIRS exemplify this approach, combining AI-powered security with comprehensive runtime protection for containerized workloads. 

In most environments it is operationally easier to deploy a virtual firewall outside of the application cluster. For most firewalls, the downside is that the firewall is no longer able to identify the traffic source. The network namespaces and overlays that provide segmentation in K8s also create a requirement for Network Address Translation (NAT), replacing the pod IP with the node IP address, and potentially with the IP address of the ingress/egress gateway at the edge of the cluster.

This reduces the firewall policy granularity, as it cannot uniquely identify the source and destination applications, effectively treating the entire k8s cluster as a “black box” with unknown internals.  

While it is possible to deploy an orchestrated combination of containerized NGFW running within the cluster and a virtualized NGFW outside of the cluster, the complexity often outweighs the benefit.  

Third-party security solutions such as Palo Alto Networks Prisma AIRS (AI Runtime Security) can be integrated with AKS to provide additional visibility and protection for East-West and North-South traffic.

Design Architecture 

The proposed design follows the AKS landing zone accelerator reference architecture to build a scalable Azure Kubernetes Service (AKS) cluster while following the Cloud Adoption Framework. 

The topology follows the AKS Secure Baseline architecture, including Azure networking, security, identity, management, and monitoring services. It deploys an AKS cluster, an Application Gateway for Ingress, a Container Registry with Private Endpoints, and more. The cluster is then connected to a Hub Virtual Network where the AI Runtime Security is deployed to inspect and secure the traffic. 

This reference architecture integrates a Container Network Interface (CNI) solution from Palo Alto Networks as one example of how third-party security tools can be deployed with AKS. The PAN-CNI redirects the traffic to the Prisma AIRS platform (AI Runtime Security) outside the cluster for inspection and policy enforcement. The traffic is encapsulated inside a VXLAN tunnel, which preserves the original source IPs so that they can be referenced in the policy of the AI Runtime Security instances. This ensures that AI Runtime Security is able to extend the same L7 inline protection to AKS clusters, with source information preserved, as it does for VM-based deployments today.
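As an added illustration (not code from this blog, from AKS, or from Palo Alto Networks' PAN-CNI), the following Python sketch contrasts what a firewall outside the cluster sees after node-level NAT with what it sees after VXLAN encapsulation: NAT overwrites the pod address, whereas VXLAN carries the original packet intact inside the tunnel, so the inner source IP can be recovered for policy. The pod, node and firewall addresses, the VNI and the payload are constructed sample values.

```python
import struct
import ipaddress

VXLAN_UDP_PORT = 4789   # IANA-assigned UDP port for VXLAN (RFC 7348)
IPPROTO_UDP = 17

def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def ipv4_addrs(pkt):  # (src, dst) of an IPv4 packet as dotted strings
    return str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20]))

def snat_to_node(pkt, node_ip):  # what node-level NAT does: pod source overwritten
    return pkt[:12] + ipaddress.IPv4Address(node_ip).packed + pkt[16:]

def vxlan_encapsulate(inner_pkt, vni, node_ip, firewall_ip):
    """Wrap the untouched pod packet: Ethernet frame -> VXLAN -> UDP -> outer IPv4."""
    frame = bytes(12) + b"\x08\x00" + inner_pkt          # zero MACs, ethertype IPv4
    vxlan = struct.pack("!II", 0x08000000, vni << 8)     # I flag set, 24-bit VNI
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + 8 + len(frame), 0)
    return ipv4_packet(node_ip, firewall_ip, IPPROTO_UDP, udp + vxlan + frame)

def vxlan_decapsulate(pkt):
    """Return (vni, inner IPv4 packet), or None if this is not a VXLAN datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_UDP or struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] != VXLAN_UDP_PORT:
        return None
    flags_word, vni_word = struct.unpack("!II", pkt[ihl + 8:ihl + 16])
    if not flags_word & 0x08000000:
        return None                                      # VNI flag unset: not valid VXLAN
    frame = pkt[ihl + 16:]
    if frame[12:14] != b"\x08\x00":
        return None                                      # only inner IPv4 handled here
    return vni_word >> 8, frame[14:]

def source_seen_by_firewall(pkt):
    """Source IP the firewall can reference in policy: inner pod IP if VXLAN, else outer."""
    decap = vxlan_decapsulate(pkt)
    return ipv4_addrs(decap[1])[0] if decap else ipv4_addrs(pkt)[0]

def demo():
    """Constructed sample: pod 10.244.1.23 -> 10.244.2.9, node 10.240.0.4, firewall 10.241.0.10."""
    pod = ipv4_packet("10.244.1.23", "10.244.2.9", 6, b"GET /orders HTTP/1.1\r\n")
    nat_view = source_seen_by_firewall(snat_to_node(pod, "10.240.0.4"))
    tunnelled = vxlan_encapsulate(pod, 1001, "10.240.0.4", "10.241.0.10")
    return nat_view, source_seen_by_firewall(tunnelled)   # ("10.240.0.4", "10.244.1.23")
```

Running `demo()` shows the NAT path collapsing every pod on the node to the node address, while the VXLAN path still yields the pod address (and the VNI) for the firewall to match on.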

Version 1.0