Blog Post

Apps on Azure Blog
4 MIN READ

Enhancing Security and Control: Bring Your Own NSG to Microsoft Azure Red Hat OpenShift Clusters

Melanie_Kraintz's avatar
Aug 07, 2024

Microsoft Azure Red Hat OpenShift (ARO) has taken a significant step forward in empowering organizations with greater control over their cluster security. The "bring your own" Network Security Group (NSG) feature offers a flexible approach to managing network security for ARO clusters. Let us explore this feature and see how it can benefit your organization.

 

What is an NSG?

Network Security Groups (NSGs) are crucial for maintaining robust security and efficient traffic management within cloud environments. They provide essential control over network traffic by defining rules that determine which IP addresses, ports, and protocols are allowed or denied, thereby safeguarding resources from unauthorized access and cyber threats. By segmenting security policies according to specific network segments or resources, NSGs enable tailored and precise protection, ensuring sensitive data and systems are shielded while allowing necessary traffic to flow seamlessly. Additionally, NSGs support compliance with regulatory standards by enforcing strict access controls and facilitating effective monitoring and auditing of network activity. Overall, NSGs play a vital role in securing cloud infrastructure, making network management more streamlined and responsive to evolving security needs.

 

Understanding the NSG Challenge

Traditionally, when creating an ARO cluster, the ARO Resource Provider (RP) would generate a dedicated resource group containing cluster-specific resources, including Network Security Groups (NSGs).

 

While this approach ensured a baseline level of security, organizations often sought more flexibility and control over their network security configurations. The new "bring your own" Network Security Group (NSG) feature addresses these needs by offering:

  • Enhanced Control: Customers can now configure NSGs to meet their specific security requirements.
  • Organizational Alignment: The ability to customize NSGs allows for better alignment between security, networking, and cluster operations teams.
  • Improved Compliance: Organizations can now more easily implement specific network rules to meet strict security policies and regulatory requirements.
  • Flexibility for Networking Teams: Network administrators can implement their own rules and adapt the NSGs to fit within broader network security strategies.
  • Customized Approach: The new feature accounts for the diverse security needs of different industries and organizational structures.

These enhancements provide customers with greater control over their network security in ARO environments. Organizations needed a way to maintain the benefits of a fully managed OpenShift service while still having the flexibility to implement their own security policies and network rules.

 

The "Bring Your Own NSG" Solution

In response to these customer demands, ARO now offers the ability to attach your own preconfigured NSG to the ARO cluster subnets. This NSG resides in your base or VNET resource group, giving you full control over its rules throughout the cluster's lifecycle.

 

Key Benefits:

  1. Customization: Tailor your network security rules to match your organization's specific requirements.
  2. Flexibility: Add or remove rules as needed, even after the cluster is created.
  3. Compliance: Ensure your ARO clusters align with your company's security policies and regulatory requirements.

 

Use Case: Financial Services Company

Let us consider a financial services company, FinSecure, that wants to deploy an ARO cluster for their trading platform. They have strict security policies that require:

  1. Limiting API (Application Programming Interfaces) server access to specific IP ranges
  2. Controlling inbound traffic to their OpenShift router
  3. Implementing custom rules for their Kubernetes services

 

Implementation:

  1. Create a VNET with master and worker subnets.
  2. Create rule specific preconfigured NSGs and attach them to the subnets. See documentation for rule requirements for your preconfigured NSG.
  3. Deploy the ARO cluster using the new feature:

  1. Update the NSGs with FinSecure's custom rules:

   - Allow inbound traffic to port 6443 only from FinSecure's office IP range

   - Restrict access to ports 80 and 443 on the OpenShift router

   - Implement specific rules for their Kubernetes services

By leveraging this new feature, FinSecure can maintain a robust security posture while enjoying the benefits of Azure Red Hat OpenShift.

 

Considerations and Limitations

While this feature offers great flexibility, it is important to note a few key points:

- NSGs must be attached to both master and worker subnets before cluster creation.

- The feature can only be enabled during cluster creation, not for existing clusters.

- Manual updates to NSG rules are required when creating new Kubernetes LoadBalancer services or OpenShift routes.

- Certain rules must be added to ensure the service can run its operations. Please see the documentation for these rules.

 

Conclusion

The "bring your own NSG" feature for Azure Red Hat OpenShift clusters represents a significant step forward in cloud-native security customization. By offering greater control over network security, Microsoft and Red Hat are empowering organizations to confidently deploy and manage OpenShift clusters in Azure while adhering to their unique security requirements.

 

As you explore this capability, remember to carefully plan your NSG rules and keep them updated as your cluster evolves. With the right approach, you can create a secure, compliant, and flexible OpenShift environment in Azure that meets your organization's specific needs.

 

Availability and Getting Started

ARO customers can start using this feature immediately when creating new clusters. To enable the feature, simply use the --enable-preconfigured-nsg flag when creating a new ARO cluster using the Azure CLI (command-line interfaces), as demonstrated in the use case above. This feature is available for all ARO clusters running OpenShift version 4.12 and onwards.

 

New customers can get started by following these steps:

  1. Set up an Azure subscription if you do not already have one.
  2. Install the Azure CLI and log in to your account.
  3. Create a resource group, VNET, and subnets for your ARO cluster.
  4. Create and configure your custom NSGs.
  5. Use the az aro create command with the --enable-preconfigured-nsg flag to create your cluster.

For more detailed information and best practices, visit the official Azure Red Hat OpenShift documentation at https://docs.microsoft.com/en-us/azure/openshift/ and the Red Hat OpenShift documentation at https://docs.openshift.com/.

 

For technical support and troubleshooting, please refer to the Azure support channels or contact Red Hat support if you have an OpenShift subscription

 

Resources:

Bring your own Network Security Group to Azure Red Hat OpenShift - Azure Red Hat OpenShift | Microsoft Learn

 

Getting started with ARO:

Red Hat OpenShift Kubernetes

OpenShift vs Kubernetes: What’s the Difference?

eBook, Getting started with Azure Red Hat OpenShift

Azure Red Hat OpenShift Workshop

 

Updated Aug 07, 2024
Version 3.0
No CommentsBe the first to comment