Cookbook

Azure Kubernetes (AKS) SDN connector

Azure SDN connectors support dynamic firewall addresses whose members are selected by Azure Kubernetes (AKS) filters.

To select Kubernetes IP addresses, the following address filters are available:

k8s_cluster: Kubernetes cluster name.
k8s_namespace: Namespace of a Kubernetes service or pod.
k8s_svcname: Kubernetes service name.
k8s_nodename: Kubernetes node name.
k8s_region: Region of the Kubernetes node.
k8s_podname: Kubernetes pod name.
k8s_label.xxx: Value of the label named xxx on a Kubernetes resource (cluster, service, node, or pod).

To enable an Azure SDN connector to fetch IP addresses from Azure Kubernetes:
  1. Configure the Azure SDN connector:
    1. Go to Security Fabric > Fabric Connectors.
    2. Click Create New, and select Azure.
    3. Configure as shown, substituting the region, tenant ID, client ID, and client secret for your deployment. The update interval is in seconds.

      Screenshot of SDN connector configuration for Azure AKS

  2. Create a dynamic firewall address for the configured K8S SDN connector:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New, then select Address.
    3. Configure the address as shown, selecting the desired filter in the Filter dropdown list. In this example, the Azure SDN connector will automatically populate and update IP addresses only for instances that belong to the zhmKC cluster:

      Screenshot of Azure Kubernetes setup displaying the creation of dynamic firewall address

  3. Verify that the K8S SDN connector resolves the dynamic firewall address:
    1. Go to Policy & Objects > Addresses.
    2. Hover over the address created in step 2 to see the list of IP addresses of the instances that belong to the zhmKC cluster, as configured in step 2.

To configure an Azure Kubernetes SDN connector through the CLI:
  1. Configure an SDN connector for Kubernetes. The client secret is stored in the FortiGate configuration, so use a dedicated service principal for this connector and grant it only read access (for example the built-in Reader role), which is all that resource enumeration needs:

    config system sdn-connector
        edit "azure1"
            set type azure
            set tenant-id "942b80cd-1b14-42a1-8dcf-4b21dece61ba"
            set client-id "14dbd5c5-307e-4ea4-8133-68738141feb1"
            set client-secret xxxxx
            set update-interval 30
        next
    end

  2. Create a dynamic firewall address for the SDN connector with a supported Kubernetes filter. In this example, the Azure SDN connector automatically populates and updates the address with the IP addresses of only those instances that belong to the zhmKC cluster:

    config firewall address
        edit "az-k8s-cluster"
            set type dynamic
            set sdn "azure1"
            set filter "K8S_Cluster=zhmKC"
        next
    end

  3. Confirm that the Azure SDN connector resolves the dynamic firewall address using the configured filter. The resolved IP addresses appear under config list when the address object is displayed. Members change only when the connector polls, so a pod or node created after the last poll appears only after the next update interval (30 seconds in this example):

    config firewall address
        edit "az-k8s-cluster"
            set uuid c3859270-1919-51e9-4a99-47d8caf97a01
            set type dynamic
            set sdn "azure1"
            set filter "K8S_Cluster=zhmKC"
            config list
                edit "10.240.0.4"
                next
                edit "10.240.0.5"
                next
                edit "10.244.0.10"
                next
            end
        next
    end
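The filter keys listed at the top of the page and the verification in step 3 can be cross-checked from the cluster side. The following Python script is an added example, not code from the Cookbook page or from Fortinet's connector: it evaluates a filter such as K8S_Cluster=zhmKC or k8s_label.app=web over pod and node objects in the shape returned by kubectl, parses the FortiGate listing from step 3, and reports members that are missing from or stale on the FortiGate. Assumptions not stated on the page: the cluster name is supplied by the caller (Kubernetes objects do not carry it), k8s_region is read from the node label topology.kubernetes.io/region, filter keys are compared case-insensitively because the page writes both k8s_cluster and K8S_Cluster, Service objects (k8s_svcname) are not modelled, and all inventory is constructed sample data.

```python
"""Cross-check a FortiGate dynamic address against the AKS inventory it should mirror."""
import ipaddress
import json
import re
from typing import Iterator

# Constructed sample inventory (not real cluster data) in the shape of
# `kubectl get nodes -o json` and `kubectl get pods -A -o json`. Node IPs
# 10.240.0.4/.5 and pod IP 10.244.0.10 match the page's listing; the db pod
# 10.244.1.7 and a pending pod with no IP yet are extra.
SAMPLE_NODES = json.loads("""{"items": [
 {"metadata": {"name": "aks-nodepool1-0", "labels": {"topology.kubernetes.io/region": "westeurope"}},
  "status": {"addresses": [{"type": "InternalIP", "address": "10.240.0.4"}, {"type": "Hostname", "address": "aks-nodepool1-0"}]}},
 {"metadata": {"name": "aks-nodepool1-1", "labels": {"topology.kubernetes.io/region": "westeurope"}},
  "status": {"addresses": [{"type": "InternalIP", "address": "10.240.0.5"}]}}]}""")
SAMPLE_PODS = json.loads("""{"items": [
 {"metadata": {"name": "web-7d9f", "namespace": "shop", "labels": {"app": "web"}}, "spec": {"nodeName": "aks-nodepool1-0"}, "status": {"podIP": "10.244.0.10"}},
 {"metadata": {"name": "db-1", "namespace": "shop", "labels": {"app": "db"}}, "spec": {"nodeName": "aks-nodepool1-1"}, "status": {"podIP": "10.244.1.7"}},
 {"metadata": {"name": "web-pending", "namespace": "shop", "labels": {"app": "web"}}, "spec": {"nodeName": "aks-nodepool1-1"}, "status": {}}]}""")

# The page's `config firewall address` listing for az-k8s-cluster, entered here
# as constructed input. 10.244.1.7 is absent, as it would be if db-1 had been
# scheduled after the connector's last poll.
SAMPLE_SHOW_OUTPUT = """config firewall address
    edit "az-k8s-cluster"
        set type dynamic
        set sdn "azure1"
        set filter "K8S_Cluster=zhmKC"
        config list
            edit "10.240.0.4"
            next
            edit "10.240.0.5"
            next
            edit "10.244.0.10"
            next
        end
    next
end
"""
LABEL_PREFIX = "k8s_label."


def _records(cluster: str, nodes: dict, pods: dict) -> Iterator[tuple[str, dict]]:
    """Yield (ip, attributes) for every node InternalIP and every pod IP.

    Attribute names are the page's filter keys. The cluster name is an assumption
    supplied by the caller; Kubernetes objects do not carry it.
    """
    region_by_node = {}
    for node in nodes["items"]:
        md = node["metadata"]
        labels = md.get("labels", {})
        region = labels.get("topology.kubernetes.io/region", "")  # assumed source of k8s_region
        region_by_node[md["name"]] = region
        for addr in node.get("status", {}).get("addresses", []):
            if addr["type"] == "InternalIP":
                yield addr["address"], {"k8s_cluster": cluster, "k8s_nodename": md["name"],
                                        "k8s_region": region, "labels": labels}
    for pod in pods["items"]:
        md = pod["metadata"]
        ip = pod.get("status", {}).get("podIP")
        if not ip:
            continue  # a pending pod has no address for a firewall to match yet
        node_name = pod.get("spec", {}).get("nodeName", "")
        yield ip, {"k8s_cluster": cluster, "k8s_namespace": md["namespace"],
                   "k8s_podname": md["name"], "k8s_nodename": node_name,
                   "k8s_region": region_by_node.get(node_name, ""), "labels": md.get("labels", {})}


def matches(attrs: dict, filter_expr: str) -> bool:
    """Evaluate one key=value filter; keys are case-insensitive, label names are not."""
    key, sep, value = filter_expr.partition("=")
    key, value = key.strip(), value.strip()
    if not sep or not key:
        raise ValueError(f"filter must be key=value, got {filter_expr!r}")
    if key.lower().startswith(LABEL_PREFIX):
        return attrs["labels"].get(key[len(LABEL_PREFIX):]) == value
    return attrs.get(key.lower()) == value


def _by_ip(ips) -> list[str]:
    return sorted(set(ips), key=ipaddress.ip_address)


def resolve(filter_expr: str, cluster: str, nodes: dict = SAMPLE_NODES, pods: dict = SAMPLE_PODS) -> list[str]:
    """IPs the connector should publish for this filter, from the cluster's own view."""
    return _by_ip(ip for ip, attrs in _records(cluster, nodes, pods) if matches(attrs, filter_expr))


def parse_address_object(show_output: str) -> tuple[str, list[str]]:
    """Pull the filter string and the `config list` members out of a FortiGate listing."""
    filter_expr, members, in_list = "", [], False
    for line in show_output.splitlines():
        stripped = line.strip()
        if m := re.match(r'set filter "(.*)"$', stripped):
            filter_expr = m.group(1)
        elif stripped == "config list":
            in_list = True
        elif in_list and (m := re.match(r'edit "([^"]+)"$', stripped)):
            members.append(m.group(1))
        elif in_list and stripped == "end":
            in_list = False
    return filter_expr, _by_ip(members)


def drift(show_output: str, cluster: str, nodes: dict = SAMPLE_NODES, pods: dict = SAMPLE_PODS) -> dict:
    """Members the FortiGate lacks (policy gaps) and members it still holds (stale)."""
    filter_expr, on_fortigate = parse_address_object(show_output)
    expected = resolve(filter_expr, cluster, nodes, pods)
    return {"missing_on_fortigate": _by_ip(set(expected) - set(on_fortigate)),
            "stale_on_fortigate": _by_ip(set(on_fortigate) - set(expected))}
```

To run this against a live cluster, replace the two samples with json.load of the kubectl output and the listing with the output of show firewall address for the address object. A non-empty missing_on_fortigate list that persists beyond one update interval means traffic from those pods is not matched by any policy that references the address, which is the failure mode to watch for with any polled dynamic address; a non-empty stale_on_fortigate list means the address still matches IPs the cluster may have reassigned.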
