How to increase the security of Azure Kubernetes-based microservices architectures

The spread of microservices-based application architectures calls for security tooling that provides a high level of protection and lets you detect and respond to threats. Azure Defender offers targeted protection for resources and workloads both in Azure and in hybrid environments. This article describes how Azure Defender protects Azure Kubernetes Service (AKS) clusters and scans the images stored in Azure Container Registry for known vulnerabilities.

Azure Kubernetes Service (AKS) is the managed Azure service for running Kubernetes clusters, well suited to simplifying the deployment and management of microservices-based architectures. AKS can scale automatically with load, run health checks to verify the integrity of services, apply load-balancing policies and manage secrets. Microservices-based architectures also commonly use Azure Container Registry (ACR), which lets you build, store and manage container images and artifacts in a private registry; this managed service integrates with container development and deployment pipelines.

Figure 1 – Example of an Azure Kubernetes-based microservices architecture

Azure Defender for Kubernetes

Through continuous analysis of the AKS environment, Azure Security Center (ASC) provides real-time threat protection for containerized environments and generates alerts if threats or malicious activity are detected, both at the host level and at the AKS cluster level.

Protection from security threats for Azure Kubernetes Service takes place at different levels:

  • Host level (provided by Azure Defender for servers): the Linux nodes of the AKS cluster are monitored through the Log Analytics agent. This lets the solution detect suspicious activity such as connections from known-malicious IP addresses and the presence of web shells. The agent also monitors container-specific activity, such as the creation of privileged containers, access to the API server from inside a container, and SSH servers running inside a Docker container. The complete list of alerts available with host-level protection can be consulted in this document.
  • AKS cluster level (provided by Azure Defender for Kubernetes): at the cluster level, threat protection is based on the analysis of the Kubernetes audit logs. This monitoring is agentless and generates alerts by observing the AKS managed control plane, for example when a Kubernetes dashboard is exposed or a role with elevated privileges is created. The complete list of alerts generated by this protection is available at this link.
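To make the cluster-level mechanism concrete, the following Python script is an added illustration (not Azure Defender's own rule set, which Microsoft does not publish) of what detection over Kubernetes audit logs looks like for three of the alert types named above: a binding to a high-privilege role, a privileged container, and a dashboard exposed outside the cluster. The audit events are constructed samples in the `audit.k8s.io/v1` Event shape, trimmed to the fields the checks read; the rule names, severities and the `contoso.example` users are assumptions for the example.

```python
"""Toy detections over Kubernetes audit events, modelled on the alert
types described for Azure Defender for Kubernetes. Added example code,
not Microsoft's rules; the audit events below are constructed samples."""
import json

# Constructed audit events (audit.k8s.io/v1 Event shape, trimmed).
# 1: cluster-admin binding, 2: privileged pod, 3: dashboard exposed via
# LoadBalancer, 4: benign pod, 5: denied (403) attempt to bind cluster-admin.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"dev@contoso.example"},"objectRef":{"resource":"clusterrolebindings","name":"dev-admin","apiGroup":"rbac.authorization.k8s.io"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"User","name":"dev@contoso.example"}]},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"resource":"pods","namespace":"payments","name":"debug-shell"},"requestObject":{"spec":{"containers":[{"name":"shell","image":"busybox","securityContext":{"privileged":true}}]}},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"patch","user":{"username":"ops@contoso.example"},"objectRef":{"resource":"services","namespace":"kubernetes-dashboard","name":"kubernetes-dashboard"},"requestObject":{"spec":{"type":"LoadBalancer"}},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"resource":"pods","namespace":"payments","name":"api-7c9"},"requestObject":{"spec":{"containers":[{"name":"api","image":"contoso.azurecr.io/api:1.4","securityContext":{"runAsNonRoot":true}}]}},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"intern@contoso.example"},"objectRef":{"resource":"clusterrolebindings","name":"intern-admin","apiGroup":"rbac.authorization.k8s.io"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"cluster-admin"}},"responseStatus":{"code":403}}
"""

HIGH_PRIVILEGE_ROLES = {"cluster-admin"}   # assumption: extend with your own roles
WRITE_VERBS = {"create", "update", "patch"}
EXTERNAL_SERVICE_TYPES = {"LoadBalancer", "NodePort"}


def _iter_events(text):
    """Yield parsed JSON-lines audit events, skipping blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def _succeeded(event):
    # Only completed, successful writes changed cluster state. A denied
    # request (403) is a separate, lower-severity signal not handled here.
    return (event.get("stage") == "ResponseComplete"
            and event.get("verb") in WRITE_VERBS
            and event.get("responseStatus", {}).get("code", 0) < 300)


def _target(event):
    ref = event.get("objectRef", {})
    return f"{ref.get('namespace', 'cluster')}/{ref.get('resource')}/{ref.get('name')}"


def check_high_privilege_binding(event):
    """RoleBinding/ClusterRoleBinding whose roleRef is a high-privilege role."""
    ref = event.get("objectRef", {})
    if ref.get("resource") not in {"clusterrolebindings", "rolebindings"}:
        return None
    role = event.get("requestObject", {}).get("roleRef", {}).get("name")
    if role in HIGH_PRIVILEGE_ROLES:
        return ("High-privilege role binding", "High", f"roleRef={role}")
    return None


def check_privileged_container(event):
    """Pod whose containers or initContainers request privileged mode."""
    ref = event.get("objectRef", {})
    if ref.get("resource") != "pods":
        return None
    spec = event.get("requestObject", {}).get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged") is True:
            return ("Privileged container", "Medium",
                    f"container={c.get('name')} image={c.get('image')}")
    return None


def check_exposed_dashboard(event):
    """kubernetes-dashboard Service changed to a type reachable from outside."""
    ref = event.get("objectRef", {})
    if ref.get("resource") != "services" or "kubernetes-dashboard" not in ref.get("name", ""):
        return None
    svc_type = event.get("requestObject", {}).get("spec", {}).get("type")
    if svc_type in EXTERNAL_SERVICE_TYPES:
        return ("Exposed Kubernetes dashboard", "High", f"type={svc_type}")
    return None


CHECKS = (check_high_privilege_binding, check_privileged_container, check_exposed_dashboard)


def analyze(audit_log_text):
    """Run every check over every successful write event; return alert dicts."""
    alerts = []
    for event in _iter_events(audit_log_text):
        if not _succeeded(event):
            continue
        for check in CHECKS:
            hit = check(event)
            if hit:
                rule, severity, detail = hit
                alerts.append({"rule": rule, "severity": severity,
                               "user": event.get("user", {}).get("username"),
                               "target": _target(event), "detail": detail})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_AUDIT_LOG):
        print(f"[{a['severity']}] {a['rule']}: {a['target']} by {a['user']} ({a['detail']})")
```

Run against the sample, the script raises three alerts (events 1 to 3) and stays silent on the benign pod and on the denied binding attempt. Two design points carry over to any real audit-log detection: check `stage` and `responseStatus` so you alert on what actually changed, and read `requestObject` rather than the object name, since a `patch` only carries the fields being changed (here, the Service `type`).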

In an AKS environment, best practice is to enable the Azure Policy add-on for Kubernetes alongside the Azure Defender threat protection services. Thanks to the interaction between these platform components, Azure Security Center can then analyze the following:

  • Audit logs from the API server
  • Raw security events collected by the Log Analytics agent
  • Information on AKS cluster configuration
  • Workload configurations

Figure 2 – High-level architecture showing the interaction between ASC, AKS and Azure Policy

Azure Defender for container registry

Azure Defender for container registries evaluates and helps you manage vulnerabilities in the images stored in Azure Container Registry (ACR). The scanner, provided by Qualys, performs an in-depth scan of images at three points:

  • On push: each time an image is pushed to the registry, it is scanned automatically.
  • On recent pull: because new vulnerabilities are discovered every day, any image that has been pulled in the last 30 days is also re-scanned.
  • On import: Azure Container Registry has import tools for bringing images in from Docker Hub, Microsoft Container Registry or another ACR. All imported images are scanned promptly.

During the scan, Qualys pulls the image and runs it in an isolated sandbox to check it for known vulnerabilities.

If vulnerabilities are found, a finding is surfaced as a recommendation in the Security Center dashboard, with a severity classification and practical guidance on how to remediate the specific vulnerabilities found in each image. The list of images supported by the solution is available at this link.

Figure 3 – High-level diagram showing ACR security using ASC

Activation and costs

These Azure Defender threat protection services can be enabled directly from the Azure portal:

Figure 4 – Enabling Kubernetes and ACR Azure Defender Security Services

Azure Defender modules in Azure Security Center have their own costs, which can be estimated with the Azure Pricing calculator. In particular, Azure Defender for Kubernetes is billed on the number of cores of the VMs that make up the AKS cluster nodes, while Azure Defender for container registries is billed per scanned image.

Conclusions

Thanks to the coverage offered by ASC's Azure Defender services, it is possible to achieve a high degree of protection for microservices-based application architectures that use Azure Kubernetes Service (AKS) and Azure Container Registry. Microsoft offers effective services for running containers in the cloud, paired with modern security tools that help both to resolve issues quickly and to improve the security posture of your environment.
