Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/tigera-solutions/azure-hub-spoke-aks-egress-gateways

[Azure AKS Blueprint] Learn how to deploy Azure Hub-Spoke VNETs with AKS and Calico Egress Gateways
https://github.com/tigera-solutions/azure-hub-spoke-aks-egress-gateways

aks azure calico egress egress-gateway microsoft-azure security tigera

Last synced: 2 months ago
JSON representation

[Azure AKS Blueprint] Learn how to deploy Azure Hub-Spoke VNETs with AKS and Calico Egress Gateways

Host: GitHub
URL: https://github.com/tigera-solutions/azure-hub-spoke-aks-egress-gateways
Owner: tigera-solutions
License: gpl-3.0
Created: 2023-08-10T11:46:00.000Z (over 1 year ago)
Default Branch: main
Last Pushed: 2023-12-11T22:17:07.000Z (about 1 year ago)
Last Synced: 2023-12-11T23:28:04.429Z (about 1 year ago)
Topics: aks, azure, calico, egress, egress-gateway, microsoft-azure, security, tigera
Language: HCL
Homepage:
Size: 22.1 MB
Stars: 4
Watchers: 2
Forks: 2
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# Enabling Workload-Level Security for AKS with Azure Firewall and Calico Egress Gateway

## Solution Overview

In this repo, we'll develop a foundational reference architecture that aligns with the Azure Well-Architected Framework's [best practices](https://learn.microsoft.com/en-us/azure/architecture/guide/aks/aks-firewall) for network design, with a special emphasis on the [hub-spoke network topology](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/hub-spoke-network-topology). Our goal is to address challenges in pinpointing the source of traffic as it exits the cluster and traverses an external firewall, using [Egress Gateways for Calico](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-azure).

![infra](images/hubspoke.png)

This diagram illustrates our hub-spoke network design and the specific Azure resources used in our reference architecture. Each Spoke VNET shares its Egress Gateway address prefixes with the Azure Route Server located in the Hub VNET, ensuring seamless integration with the Azure network.

![infra](images/egw-routing.png)

Egress traffic from Kubernetes workloads can be directed through specific Egress Gateways (or none at all), guided by advanced [Egress Gateway Policy](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-azure#configure-a-namespace-or-pod-to-use-an-egress-gateway-egress-gateway-policy-method) settings. This configuration creates a distinct network identity suitable for Azure firewall rule settings.

## Walk Through

We'll use Terraform, an infrastructure-as-code tool, to deploy this reference architecture automatically. We'll walk you through the deployment process and then demonstrate how to utilize Egress Gateways with Calico.

### Prerequisites

First, ensure that you have installed the following tools locally.

1. [azure cli](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli)
2. [kubectl](https://Kubernetes.io/docs/tasks/tools/)
3. [terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli)

### Step 1: Checkout and deploy the Terraform blueprint

Make sure that you completed the prerequisites above and cloned the Terraform blueprint by running the following command in a local directory:

```sh
git clone [email protected]:tigera-solutions/azure-hub-spoke-aks-egress-gateways.git
```

Navigate to the `azure` subdirectory and then deploy the infrastructure.

If the names `demo-hub-network` and `demo-spoke-networks` are already taken, you will want to edit the [variables.tf](azure/variables.tf) file in Terraform to use custom names for your Hub and Spoke Azure Resource Groups.

```sh
cd azure
terraform init
terraform apply
```

Update your kubeconfig with the AKS cluster credentials

```sh
az aks get-credentials --name spoke1-aks --resource-group demo-spoke-networks --context spoke1-aks
```

Verify that Calico is up and running in your AKS cluster

```sh
kubectl get tigerastatus
```

```sh
NAME AVAILABLE PROGRESSING DEGRADED SINCE
apiserver True False False 9m30s
calico True False False 9m45s
```

### Step 2: Link your AKS Cluster to Calico Cloud

Join your AKS cluster to [Calico Cloud](https://www.calicocloud.io/home) as illustrated:

![infra](images/cc-join.gif)

Verify your AKS cluster is linked to Calico Cloud

```sh
kubectl get tigerastatus
```

```sh
NAME AVAILABLE PROGRESSING DEGRADED SINCE
apiserver True False False 50m
calico True False False 49m
cloud-core True False False 50m
compliance True False False 49m
image-assurance True False False 49m
intrusion-detection True False False 49m
log-collector True False False 50m
management-cluster-connection True False False 49m
monitor True False False 49m
```

### Step 3: Enterprise-grade Egress Gateways for the Azure Kubernetes Service

Connect your AKS cluster to the Azure Route Server. Use the first two nodes in the AKS cluster as BGP route reflectors to manage and limit the number of peer connections effectively.
```sh
kubectl apply -f - < GET / HTTP/1.1
> Host: www.tigera.io
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 470 status code 470
< Date: Sun, 03 Sep 2023 12:27:41 GMT
< Content-Length: 70
< Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host www.tigera.io left intact
Action: Deny. Reason: No rule matched. Proceeding with default action.
```

Let's go ahead and activate the Calico Egress Gateways for the cluster. We'll also specify that pods in the default namespace should use the tenant0-egw Egress Gateway.

```
kubectl patch felixconfiguration default --type='merge' -p '{
"spec": {
"egressIPSupport": "EnabledPerNamespaceOrPerPod",
"flowLogsFlushInterval": "15s",
"flowLogsFileAggregationKindForAllowed": 1
}
}'
```

Set up the `default` namespace to utilize the Egress Gateway located in the `tenant0-egw` namespace.

```
kubectl annotate ns default \
egress.projectcalico.org/namespaceSelector="projectcalico.org/name == 'tenant0-egw'"
```

Traffic is now allowed through the Azure Firewall because the incoming requests originate from a specific, recognized CIDR range assigned to the `tenant0` Calico Egress Gateways.

```
kubectl exec -it -n default netshoot -- curl -v http://www.tigera.io
```

You should now be able to get requests through the Azure Firewall. To verify, go to the Azure Firewall located in the hub resource group and select "Logs" under the Monitoring settings. Filter the Application log data to display the last 30 minutes. Look for entries showing that traffic originating from the 10.99.0.0/29 IP range has been successfully allowed to pass outbound through the Azure Firewall to [www.tigera.io](http://www.tigera.io).

![infra](images/azure-fw.gif)

### Cleanup

To teardown and remove the resources created in this example:

```sh
cd azure
terraform destroy --auto-approve
```

or delete the Azure Resource Groups

```sh
az group delete --resource-group demo-hub-network --no-wait
az group delete --resource-group demo-spoke-networks --no-wait
```