AKS Node Security Reinvented: Your Guide to SSH via Azure Bastion

This guide walks through setting up SSH access to your Azure Kubernetes Service (AKS) nodes through Azure Bastion, an approach that removes public exposure of the nodes and simplifies the management of your AKS environment.

Azure Bastion's Modern Approach:

Azure Bastion redefines VM access. Say goodbye to public IP addresses, special software, or agents.

Connect using your browser, Azure portal, or native SSH/RDP client.

Platform-Managed PaaS Service:

Azure Bastion leverages a Platform-as-a-Service (PaaS) model. It handles the heavy lifting while ensuring secure and seamless connectivity to your VMs.

Secure RDP and SSH:

Security is a priority. Azure Bastion facilitates RDP/SSH connections over TLS, assuring data integrity and confidentiality. Connect from the Azure portal or native clients.

No Exposed Ports:

VMs don't need public IPs, agents, or special software. Azure Bastion provides secure access without exposing RDP/SSH ports externally.

Simplified VM Management:

Azure Bastion enables secure RDP and SSH for all VMs in a network, streamlining management without compromising security.

Steps for SSH to AKS Linux Nodes via Azure Bastion: Walkthrough

  1. Generating an SSH Key Pair:

    a) As a prerequisite, make sure that the aks-preview extension version 0.5.111 or later is installed. The SSH key update in step 2 relies on this extension.

    Ref: https://learn.microsoft.com/en-us/cli/azure/azure-cli-extensions-overview#how-to-install-extensions

    az extension add --name aks-preview

    b) If you don't already have an SSH key pair, create one using the command below:

    ssh-keygen -m PEM -t rsa -b 4096

  2. Updating the AKS Cluster with SSH Public Key:

    Ref: https://learn.microsoft.com/en-us/azure/aks/node-access#update-ssh-public-key-on-an-existing-aks-cluster-preview

    az aks update --name myAKSCluster --resource-group MyResourceGroup --ssh-key-value ~/.ssh/id_rsa.pub

  3. Creating the AzureBastionSubnet:

    Set up a dedicated subnet, named AzureBastionSubnet, within your AKS cluster's virtual network (VNet) or in any VNet that has connectivity to the AKS VNet.

  4. Deploying the Azure Bastion Resource:

    Create an Azure Bastion resource within the AzureBastionSubnet.

  5. Connecting VMSS Instances via Azure Bastion:

    Open your Virtual Machine Scale Set (VMSS) instances, select the specific instance you want to reach, and initiate a connection through Azure Bastion. Authenticate as the node's default user ("azureuser") with the private key generated in step 1.

    We have successfully established secure and efficient SSH connections to our AKS Linux nodes using Azure Bastion.

  6. Deleting created Resources:

    To ensure cost efficiency, consider deleting all the resources created during this process when they are no longer needed.
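    The six steps above as one Azure CLI script, added here as an example and not code from the original post. It assumes the resource group, cluster, Bastion and public IP names shown (RG, CLUSTER, BASTION_PREFIX and SSH_KEY can be overridden via the environment), that the AKS-managed VNet lives in the node resource group, and that the native-client path ("az network bastion ssh") is used for step 5 rather than the portal.

```shell
#!/usr/bin/env bash
# Added example (not the post's own code): steps 1-6 as Azure CLI commands.
# Assumed/overridable: RG, CLUSTER, BASTION_PREFIX, SSH_KEY; "aks-bastion" and
# "bastion-pip" are placeholder names. Usage: ./aks-bastion.sh setup|connect <n>|cleanup
set -eu
RG="${RG:-MyResourceGroup}"
CLUSTER="${CLUSTER:-myAKSCluster}"
BASTION_PREFIX="${BASTION_PREFIX:-10.224.1.0/26}"      # constructed example prefix
SSH_KEY="${SSH_KEY:-${HOME:-.}/.ssh/id_rsa}"

# Azure requires AzureBastionSubnet to be /26 or larger; returns 0 when the prefix qualifies.
bastion_subnet_ok() {
  bits="${1##*/}"
  [ "$bits" -eq "$bits" ] 2>/dev/null && [ "$bits" -le 26 ]
}
# Resource ID of one VMSS instance (an AKS node): subscription, node RG, VMSS name, instance id.
node_instance_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachineScaleSets/%s/virtualMachines/%s' "$1" "$2" "$3" "$4"
}
node_rg() { az aks show -n "$CLUSTER" -g "$RG" --query nodeResourceGroup -o tsv; }

setup() {   # steps 1-4
  bastion_subnet_ok "$BASTION_PREFIX" || { echo "AzureBastionSubnet must be /26 or larger" >&2; return 1; }
  az extension add --name aks-preview --upgrade
  az extension add --name bastion --upgrade           # provides 'az network bastion ssh'
  [ -f "$SSH_KEY" ] || ssh-keygen -m PEM -t rsa -b 4096 -f "$SSH_KEY"   # prompts for a passphrase
  az aks update -n "$CLUSTER" -g "$RG" --ssh-key-value "$SSH_KEY.pub"
  mc=$(node_rg); vnet=$(az network vnet list -g "$mc" --query '[0].name' -o tsv)
  az network vnet subnet create -g "$mc" --vnet-name "$vnet" -n AzureBastionSubnet --address-prefixes "$BASTION_PREFIX"
  az network public-ip create -g "$mc" -n bastion-pip --sku Standard
  # Standard SKU with tunneling is what the native SSH client needs; the nodes themselves get no public IP.
  az network bastion create -g "$mc" -n aks-bastion --vnet-name "$vnet" --public-ip-address bastion-pip --sku Standard --enable-tunneling true
}
connect() {  # step 5: SSH to VMSS instance $1 (default 0) through Bastion with the private key
  mc=$(node_rg); sub=$(az account show --query id -o tsv)
  vmss=$(az vmss list -g "$mc" --query '[0].name' -o tsv)
  az network bastion ssh -n aks-bastion -g "$mc" --auth-type ssh-key --username azureuser \
    --ssh-key "$SSH_KEY" --target-resource-id "$(node_instance_id "$sub" "$mc" "$vmss" "${1:-0}")"
}
cleanup() {  # step 6: remove the Bastion, its public IP and the dedicated subnet
  mc=$(node_rg); vnet=$(az network vnet list -g "$mc" --query '[0].name' -o tsv)
  az network bastion delete -g "$mc" -n aks-bastion
  az network public-ip delete -g "$mc" -n bastion-pip
  az network vnet subnet delete -g "$mc" --vnet-name "$vnet" -n AzureBastionSubnet
}
case "${1:-}" in setup) setup ;; connect) connect "${2:-0}" ;; cleanup) cleanup ;; esac
```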

Thank You!! 🙌