![\"Aporeto](\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2018\/08\/Aporeto_Graphic-1024x463.webp\")
<\/figure>\n\n\n\nHow Aporeto works<\/h4>\n\n\n\n\n- Pick an application and visualize it;<\/li>\n\n\n\n
- Generate and simulate security policy;<\/li>\n\n\n\n
- Enforce the security policy.<\/li>\n<\/ul>\n\n\n\n
You can visualize the application of your choice by deploying Aporeto as an AKS DaemonSet (see #A in diagram above). If you control the virtual machines on which your application component run, you may also deploy Aporeto as a Docker container or a userland process (see #B in diagram above).<\/p>\n\n\n\n
Aporeto auto-generates application security policy by ingesting Kubernetes Network Policies and RBAC. You also have the option of leveraging your application dependency graph that Aporeto creates to describe the application\u2019s behavioral intent as policies. In every case, you may audit and edit auto-generated policies and inject human wisdom when necessary.<\/p>\n\n\n\n
Once you have policies, you may simulate their enforcement at runtime to evaluate the effects of your security policies without interrupting operations. When satisfied that your security policies are solid, you may lockdown your application and protected it with a Zero Trust approach.<\/p>\n\n\n\n
Because Aporeto untethers application security from the network and infrastructure, one key benefit of Aporeto\u2019s approach for protecting your containers, microservices and cloud applications is that you can have a consistent security approach even in a hybrid or multi-cloud setting. As you gain experience with Aporeto in a single cluster setting, you will quickly realize how easy it is to have a consistent security posture in multi-cluster and multi-cloud settings without any infrastructure or operational complexity.<\/p>\n\n\n\n
Five Steps to Enforce Network and Service Layer Access Policies in AKS Clusters<\/h4>\n\n\n\nStep 1: Prepare environment<\/h5>\n\n\n\n
You will need the following binaries installed in your path.<\/p>\n\n\n\n
\n- az (see\u00a0https:\/\/docs.microsoft.com\/en-us\/cli\/azure\/install-azure-cli?view=azure-cli-latest<\/a>)<\/li>\n\n\n\n
- kubectl (see\u00a0https:\/\/kubernetes.io\/docs\/tasks\/tools\/install-kubectl\/<\/a>)<\/li>\n<\/ol>\n\n\n\n
Step 2: Setup Aporeto<\/h5>\n\n\n\n
Using a browser login select the desired namespace where the cluster will be placed. The select and expand \u201cSystem\u201d and then select \u201cKubernetes Clusters\u201d. Click on the \u201c+\u201d icon (top right). Give the cluster the name \u201caks1\u201d and leave all defaults as they are. Click on create. This will create the cluster and cause a file with the name aks1.tar.gz (assuming you named the cluster aks1) to be downloaded to your browser download directory. Take note of this file as we will need it later.<\/p>\n\n\n\n
Step 3: Create AKS (Kubernetes Cluster on AKS)<\/h5>\n\n\n\n
If you have not already done so, log into Azure with the following Powershell or Bash commands:<\/p>\n\n\n
\naz login\n<\/pre><\/div>\n\n\nThen create a working directory with the following Powershell or Bash commands:<\/p>\n\n\n
\nmkdir -p aks; cd aks\n<\/pre><\/div>\n\n\nMove the file downloaded in the previous step into the working directory.<\/p>\n\n\n\n
Create the Kubernetes cluster on AKS with the following Powershell or Bash commands.<\/p>\n\n\n
\naz group create --name aporeto_lab --location eastus\naz aks create --resource-group aporeto_lab --name aks1 --node-count 2 --generate-ssh-keys\naz aks get-credentials --resource-group aporeto_lab --name aks1 -f kube.cfg\n<\/pre><\/div>\n\n\nSet the kubectl config file in the environment.<\/p>\n\n\n\n
With PowerShell<\/em><\/p>\n\n\n\n$loc = Get-Location Set-Variable -Name “KUBECONFIG” -Value “$loc\/kube.cfg”<\/p>\n\n\n\n
With Bash<\/em><\/p>\n\n\n\nexport KUBECONFIG=$PWD\/kube.cfg\n<\/pre><\/div>\n\n\nand then verify that the nodes are operational with the following Powershell or Bash commands:<\/p>\n\n\n
\nkubectl --kubeconfig kube.cfg get nodes\n<\/pre><\/div>\n\n\nyou should see something like this:<\/p>\n\n\n
\n->kubectl get nodes\nNAME STATUS ROLES AGE VERSION\naks-nodepool1-82983338-0 Ready agent 3m v1.9.6\naks-nodepool1-82983338-1 Ready agent 3m v1.9.6\n<\/pre><\/div>\n\n\nStep 4: Join the AKS Cluster to Aporeto<\/h5>\n\n\n\n
Extract the contents of the file aks1.tar.gz and create the kubernetes resources with the bash commands (or Powershell equivalent. This may require a utility such as 7zip).<\/p>\n\n\n
\nmkdir -p kube_aporeto\ntar xfv aks1.tar.gz -C kube_aporeto\nkubectl create -f kube_aporeto\n<\/pre><\/div>\n\n\nthen check the status with the command:<\/p>\n\n\n
\nkubectl get pods -n kube-system\n<\/pre><\/div>\n\n\nyou should see something like:<\/p>\n\n\n
\n->kubectl get pods -n kube-system\nNAME READY STATUS RESTARTS AGE\naporeto-enforcer-fkf46 1\/1 Running 0 23s\naporeto-enforcer-v4k5r 1\/1 Running 0 23s\naporeto-kubesquall-h4m5d 1\/1 Running 0 21s\nazureproxy-79c5db744-t2654 1\/1 Running 2 4m\nheapster-55f855b47-drbb2 2\/2 Running 0 3m\nkube-dns-v20-7c556f89c5-mcg6z 3\/3 Running 0 4m\nkube-dns-v20-7c556f89c5-xhts7 3\/3 Running 0 4m\nkube-proxy-h5rqq 1\/1 Running 0 4m\nkube-proxy-s7rkq 1\/1 Running 0 4m\nkube-svc-redirect-92tvv 1\/1 Running 0 4m\nkube-svc-redirect-h2dmp 1\/1 Running 0 4m\nkubernetes-dashboard-546f987686-7gzln 1\/1 Running 2 4m\ntunnelfront-66fd996c74-dlpdm 1\/1 Running 0 4m\n<\/pre><\/div>\n\n\nStep 5: Roll up your sleeves and dig in with a demo app<\/h5>\n\n\n\n
Clone the github repo https:\/\/github.com\/aporeto-inc\/apowine.git<\/a> and then follow the instructions in the README.md file. By following this tutorial, you will learn how to enforce network and service layer access policies in your AKS cluster.<\/p>\n\n\n\nEnjoy your AKS Cluster with Aporeto Security!<\/h4>\n\n\n\n
Now that you have connected your AKS Kubernetes cluster to Aporeto, you can visualize it in real time and on historical bases using the Aporeto UI. You can also connect your private cloud workload to your Aporeto account and view your distributed application\u2019s end-to-end operations centrally.<\/p>\n\n\n\n
You can find instructions for connecting non-AKS workloads to Aporeto by perusing the document (click on \u201cSwitch to Accounts\u201d (top right corner user icon, immediate right of the \u201c?\u201d mark icon). As always, you can request support directly in Aporeto\u2019s Console or via this link<\/a>.<\/p>\n\n\n\nAporeto\u2019s powerful security capabilities unlock the following use cases, among others:<\/p>\n\n\n\n
You can visualize the application of your choice by deploying Aporeto as an AKS DaemonSet (see #A in diagram above). If you control the virtual machines on which your application component run, you may also deploy Aporeto as a Docker container or a userland process (see #B in diagram above).<\/p>\n\n\n\n
Aporeto auto-generates application security policy by ingesting Kubernetes Network Policies and RBAC. You also have the option of leveraging your application dependency graph that Aporeto creates to describe the application\u2019s behavioral intent as policies. In every case, you may audit and edit auto-generated policies and inject human wisdom when necessary.<\/p>\n\n\n\n
Once you have policies, you may simulate their enforcement at runtime to evaluate the effects of your security policies without interrupting operations. When satisfied that your security policies are solid, you may lockdown your application and protected it with a Zero Trust approach.<\/p>\n\n\n\n
Because Aporeto untethers application security from the network and infrastructure, one key benefit of Aporeto\u2019s approach for protecting your containers, microservices and cloud applications is that you can have a consistent security approach even in a hybrid or multi-cloud setting. As you gain experience with Aporeto in a single cluster setting, you will quickly realize how easy it is to have a consistent security posture in multi-cluster and multi-cloud settings without any infrastructure or operational complexity.<\/p>\n\n\n\n
Five Steps to Enforce Network and Service Layer Access Policies in AKS Clusters<\/h4>\n\n\n\nStep 1: Prepare environment<\/h5>\n\n\n\n
You will need the following binaries installed in your path.<\/p>\n\n\n\n
- \n
- az (see\u00a0https:\/\/docs.microsoft.com\/en-us\/cli\/azure\/install-azure-cli?view=azure-cli-latest<\/a>)<\/li>\n\n\n\n
- kubectl (see\u00a0https:\/\/kubernetes.io\/docs\/tasks\/tools\/install-kubectl\/<\/a>)<\/li>\n<\/ol>\n\n\n\n
Step 2: Setup Aporeto<\/h5>\n\n\n\n
Using a browser login select the desired namespace where the cluster will be placed. The select and expand \u201cSystem\u201d and then select \u201cKubernetes Clusters\u201d. Click on the \u201c+\u201d icon (top right). Give the cluster the name \u201caks1\u201d and leave all defaults as they are. Click on create. This will create the cluster and cause a file with the name aks1.tar.gz (assuming you named the cluster aks1) to be downloaded to your browser download directory. Take note of this file as we will need it later.<\/p>\n\n\n\n
Step 3: Create AKS (Kubernetes Cluster on AKS)<\/h5>\n\n\n\n
If you have not already done so, log into Azure with the following Powershell or Bash commands:<\/p>\n\n\n
\naz login\n<\/pre><\/div>\n\n\n
Then create a working directory with the following Powershell or Bash commands:<\/p>\n\n\n
\nmkdir -p aks; cd aks\n<\/pre><\/div>\n\n\n
Move the file downloaded in the previous step into the working directory.<\/p>\n\n\n\n
Create the Kubernetes cluster on AKS with the following Powershell or Bash commands.<\/p>\n\n\n
\naz group create --name aporeto_lab --location eastus\naz aks create --resource-group aporeto_lab --name aks1 --node-count 2 --generate-ssh-keys\naz aks get-credentials --resource-group aporeto_lab --name aks1 -f kube.cfg\n<\/pre><\/div>\n\n\n
Set the kubectl config file in the environment.<\/p>\n\n\n\n
With PowerShell<\/em><\/p>\n\n\n\n
$loc = Get-Location Set-Variable -Name “KUBECONFIG” -Value “$loc\/kube.cfg”<\/p>\n\n\n\n
With Bash<\/em><\/p>\n\n\n
\nexport KUBECONFIG=$PWD\/kube.cfg\n<\/pre><\/div>\n\n\n
and then verify that the nodes are operational with the following Powershell or Bash commands:<\/p>\n\n\n
\nkubectl --kubeconfig kube.cfg get nodes\n<\/pre><\/div>\n\n\n
you should see something like this:<\/p>\n\n\n
\n->kubectl get nodes\nNAME STATUS ROLES AGE VERSION\naks-nodepool1-82983338-0 Ready agent 3m v1.9.6\naks-nodepool1-82983338-1 Ready agent 3m v1.9.6\n<\/pre><\/div>\n\n\n
Step 4: Join the AKS Cluster to Aporeto<\/h5>\n\n\n\n
Extract the contents of the file aks1.tar.gz and create the kubernetes resources with the bash commands (or Powershell equivalent. This may require a utility such as 7zip).<\/p>\n\n\n
\nmkdir -p kube_aporeto\ntar xfv aks1.tar.gz -C kube_aporeto\nkubectl create -f kube_aporeto\n<\/pre><\/div>\n\n\n
then check the status with the command:<\/p>\n\n\n
\nkubectl get pods -n kube-system\n<\/pre><\/div>\n\n\n
you should see something like:<\/p>\n\n\n
\n->kubectl get pods -n kube-system\nNAME READY STATUS RESTARTS AGE\naporeto-enforcer-fkf46 1\/1 Running 0 23s\naporeto-enforcer-v4k5r 1\/1 Running 0 23s\naporeto-kubesquall-h4m5d 1\/1 Running 0 21s\nazureproxy-79c5db744-t2654 1\/1 Running 2 4m\nheapster-55f855b47-drbb2 2\/2 Running 0 3m\nkube-dns-v20-7c556f89c5-mcg6z 3\/3 Running 0 4m\nkube-dns-v20-7c556f89c5-xhts7 3\/3 Running 0 4m\nkube-proxy-h5rqq 1\/1 Running 0 4m\nkube-proxy-s7rkq 1\/1 Running 0 4m\nkube-svc-redirect-92tvv 1\/1 Running 0 4m\nkube-svc-redirect-h2dmp 1\/1 Running 0 4m\nkubernetes-dashboard-546f987686-7gzln 1\/1 Running 2 4m\ntunnelfront-66fd996c74-dlpdm 1\/1 Running 0 4m\n<\/pre><\/div>\n\n\n
Step 5: Roll up your sleeves and dig in with a demo app<\/h5>\n\n\n\n
Clone the github repo https:\/\/github.com\/aporeto-inc\/apowine.git<\/a> and then follow the instructions in the README.md file. By following this tutorial, you will learn how to enforce network and service layer access policies in your AKS cluster.<\/p>\n\n\n\n
Enjoy your AKS Cluster with Aporeto Security!<\/h4>\n\n\n\n
Now that you have connected your AKS Kubernetes cluster to Aporeto, you can visualize it in real time and on historical bases using the Aporeto UI. You can also connect your private cloud workload to your Aporeto account and view your distributed application\u2019s end-to-end operations centrally.<\/p>\n\n\n\n
You can find instructions for connecting non-AKS workloads to Aporeto by perusing the document (click on \u201cSwitch to Accounts\u201d (top right corner user icon, immediate right of the \u201c?\u201d mark icon). As always, you can request support directly in Aporeto\u2019s Console or via this link<\/a>.<\/p>\n\n\n\n
Aporeto\u2019s powerful security capabilities unlock the following use cases, among others:<\/p>\n\n\n\n
- kubectl (see\u00a0https:\/\/kubernetes.io\/docs\/tasks\/tools\/install-kubectl\/<\/a>)<\/li>\n<\/ol>\n\n\n\n