Friday, July 10, 2026

Lock Down AKS Finish to Finish with Software Gateway for Containers and Managed Cilium L7


Good day Of us!

In case your AKS cluster seems like most manufacturing clusters I’ve walked by, one among two issues is true. Both no one writes any community insurance policies and each pod can speak to each different pod, so one compromised container blows up your complete blast radius. Or any person wrote a couple of coarse guidelines alongside the strains of “namespace A talks to namespace B over port 80”, which sounds safe proper up till an attacker realizes that port 80 is strictly the place they have been planning to stay anyway. Actual assaults occur at Layer 7, dressed up like strange HTTP site visitors, and L3 / L4 plumbing can’t inform the distinction.

That’s the hole session MAIS09 from the Microsoft Azure Infrastructure Summit 2026 closes. Vyshnavi Namani and Darshil Shah from the Azure Networking product workforce walked by how two AKS-managed add-ons, Software Gateway for Containers (AGC) and Cilium L7 by way of Superior Container Networking Companies (ACNS), can lock down your complete path from the general public web to a single pod. No NGINX. No exterior WAF equipment. No third-party CNI to babysit.

📺 Watch the session:

 

Let me lower to the chase. Should you function AKS clusters right now, this session issues as a result of:

  • You in all probability nonetheless have an ingress controller and an exterior WAF stitched along with annotations and prayers. AGC plus ACNS collapses that stack into first-party add-ons that AKS owns finish to finish.
  • Each Software Gateway for Containers and Superior Container Networking Companies are typically obtainable. This isn’t a preview demo, that is manufacturing.
  • Safety is lastly readable. Each rule is a YAML object. Code assessment, audit, GitOps. No extra “what does this NGINX config map even do anymore” archaeology.
  • It truly works on an actual assault sample. The demo reveals WAF killing a SQL-injection-style GET that Cilium would have fortunately forwarded, as a result of the strategy (GET) was on the enable listing.

You probably have ever needed to clarify to an auditor why a single compromised pod might pivot throughout your entire cluster, that is your exit ramp.

Most clusters are protected by a load balancer on the edge and mainly nothing inside. The cluster door seems like a vault, however the hallways are broad open. Cilium calls this the lateral motion drawback, and it’s precisely how Kubernetes assaults unfold within the wild. Compromise a pod, then cellphone residence, then pivot.

What MAIS09 demonstrates is one thing totally different. AGC is the L7 entrance door (the steel detector on the foyer). ACNS Cilium L7 is the lock on each pod’s workplace door. Each communicate HTTP. Each implement id. Each are managed by AKS itself.

The legacy various, Software Gateway Ingress Controller (AGIC), bolted a full Software Gateway onto your cluster by a translator. Two companies, two lifecycles, two finger-pointing groups when one thing broke. AGC is the successor, constructed from scratch for Kubernetes, talking the Gateway API natively, enabled with a single AKS flag. AKS provisions the controller, wires the id, delegates the subnet, and owns the upgrades. You personal the insurance policies.

Right here is the psychological mannequin from the session. Image 4 concentric layers of protection between the general public web and a pod.

  1. AGC entrance finish. One Azure useful resource, one public DNS title, and (because of the Kubernetes Gateway API) a number of hostnames behind the identical IP. The demo runs Contoso, Fabrikam, and Journey Works on a single AGC public IP utilizing three HTTPRoute objects. One infrastructure, three web sites. Actual price financial savings, actual possession readability (platform owns the Gateway, app groups personal the HTTPRoutes).
  2. Azure WAF on AGC. That is the content material inspector. It runs the OWASP Core Rule Set (DRS 2.1 within the demo) in opposition to each incoming request, seems for SQL injection, cross-site scripting, path traversal, and the remainder of the OWASP Prime 10, and returns a 403 earlier than the packet ever touches your pod. Microsoft maintains the rule set, you bind it to AGC by way of a SecurityPolicy.
  3. ACNS Cilium L7 ingress on each pod. That is the place identity-based coverage lives. Guidelines key off pod labels, not IPs, as a result of IPs change each time the cluster autoscaler does its job. The demo makes use of an allow-agc-l7-get-only CiliumNetworkPolicy that lets the AGC backend attain the tenant pods, however solely with GET or GET /merchandise. Anything, POST, PUT, DELETE, will get a Cilium-synthesized 403 earlier than NGINX ever sees the request.
  4. ACNS east-west and egress coverage. Two extra insurance policies do the heavy lifting inside. client-may-call-contoso-get-only lets the consumer pod attain Contoso with GET, and solely Contoso. A default-deny baseline blocks all the things else (pod-to-pod and pod-to-internet) with a single carve-out for kube-dns on port 53.

The magic is that the identical Cilium engine handles north-south, east-west, and egress with one constant id mannequin. eBPF within the Linux kernel does the enforcement on the identical node because the pod, so the choice occurs earlier than the packet leaves the host. No sidecars, no iptables sprawl, no daemonset you might want to improve by hand.

The demo walks by six exams and the outcomes map instantly onto issues you’re in all probability attempting to unravel proper now:

  • Multi-site internet hosting on one IP. Three hostnames, one AGC, three 200 OKs from three totally different backend pods. If you’re paying for 3 load balancers right now, you may cease.
  • WAF blocks a malicious GET that ACNS would have let by. That is the punch line of why you want each layers. The strategy (GET) is on the Cilium enable listing, however the payload is a SQLi sample. WAF returns 403 on the edge. Protection in depth, working as marketed.
  • Methodology enforcement on the pod door. GET returns 200, POST/PUT/DELETE return 403, GET /admin returns 403, GET /merchandise returns 200. Cilium is doing precise HTTP inspection, not simply dropping packets.
  • East-west enforcement with readable verdicts. Consumer to Contoso GET is 200. Similar consumer, similar vacation spot, POST is 403 (L7 deny, TCP accomplished). Consumer to Fabrikam is 000 (L4 drop, no TCP handshake). Studying the distinction between 403 and 000 is now a debuggable sign, not a thriller.
  • Default-deny egress kills phone-home. A pod tries to succeed in bing.com. DNS resolves (the carve-out works), TCP SYN goes nowhere, wget provides up with exit code 1. If that pod was compromised and attempting to exfiltrate information, that is the place the assault chain dies.
  • Selective enable nonetheless works. Similar pod, similar instruments, however a DNS lookup in opposition to kube-dns contained in the cluster returns immediately. We didn’t unplug the community. We locked it down with a function.

Sincere tradeoffs to name out. The session doesn’t faux all the things is free. AGC introduces a billed subnet affiliation and a managed id you don’t handle in BYO mode. Cilium L7 wants the Cilium information aircraft (ACNS Container Community Safety features are Cilium-only). The Envoy proxy that handles L7 inspection has a value solely once you truly implement L7, which is a good deal in my e-book.

If you wish to do this on a cluster of your individual, three flags do many of the work on az aks create:

  • –network-dataplane cilium (activates the eBPF information aircraft)
  • –enable-acns (permits Superior Container Networking Companies, together with Hubble observability and Cilium L7 coverage)
  • –enable-app-routing or the ALB add-on flag (provisions the AGC controller as an AKS-managed add-on)

From there you write 4 YAML objects: a default-deny CiliumNetworkPolicy, an allow-DNS carve-out, an AGC ingress enable with methodology and path constraints, and your east-west enable guidelines. The session repo consists of the complete set so you may clone and comply with alongside.

One bonus price figuring out about. ACNS ships Hubble out of the field, with pre-built Azure Managed Grafana dashboards. Circulation logs, service maps, coverage hit counts. Even on pods that aren’t but beneath L7 enforcement, you get observability totally free. When one thing breaks at 2 a.m., you may have an audit path as an alternative of a tcpdump.

If MAIS09 hit the spot, there are dozens extra periods in the identical playlist masking AKS networking at scale, Azure Native, AVM, the brand new Deployment Agent, and much more. Seize a espresso and binge.

Microsoft Azure Infrastructure Summit 2026 playlist

Cheers!

Pierre Roman

Related Articles

Latest Articles