Hey everyone! I've recently shifted our monolithic .NET applications to a microservices architecture and deployed them on EKS. We're using an Application Load Balancer (ALB) set up for path-based routing since our apps are stateless APIs. Our traffic flow looks something like this: Internet Traffic -> ALB (with SSL certs from ACM) -> app pods (all listening on port 80).
We configured this using the ALB controller and deployed through FluxCD for CI/CD. I'm curious if this setup is secure. We also have Palo Alto Inspection Firewalls installed that scrutinize incoming traffic and block any malicious IPs with specific security policies.
Do you think I should add more certificates or Kubernetes resources to bolster security on our EKS environment? I'm quite new to Kubernetes, so I'd really appreciate any insights or suggestions! Thanks in advance!
3 Answers
If I understand correctly, your security team is insisting on the use of Palo Alto firewalls, which isn't really up for debate. However, I'd recommend exploring options like CloudFront combined with WAF and ALB. Also, consider getting your organization AWS Shield Advanced for added protection; it's manageable and cost-effective at scale. Personally, I usually opt for Envoy or Istio for end-to-end mTLS to keep traffic encrypted across the board, especially if handling sensitive data is involved.
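The mTLS suggestion above, as an added illustration that is not part of this answer: with Istio installed, a single PeerAuthentication resource makes every sidecar-injected workload in the mesh refuse plaintext. One caveat worth knowing before applying it in the setup from the question: the ALB is not a mesh member, so it must forward to the Istio ingress gateway (which terminates the ALB's connection and originates mTLS to the app pods) rather than directly to sidecar-injected pods, or the STRICT policy will break the ALB's health checks. The namespace name `istio-system` is Istio's default; the `prod-apis` namespace and the `checkout` workload are assumed names.

```yaml
# Added example, not from the original thread. Requires Istio with sidecar
# injection enabled on the application namespaces.
#
# 1) Mesh-wide default: every sidecar accepts only mutual TLS.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system      # a PeerAuthentication in the root namespace applies mesh-wide
spec:
  mtls:
    mode: STRICT
---
# 2) A narrower policy scoped to one workload, useful while migrating:
#    it keeps STRICT for the app ports but allows plaintext on a metrics
#    port that a non-mesh scraper still reaches. Names here are assumed.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: checkout-mtls
  namespace: prod-apis
spec:
  selector:
    matchLabels:
      app: checkout
  mtls:
    mode: STRICT
  portLevelMtls:
    9090:
      mode: PERMISSIVE          # PERMISSIVE accepts both mTLS and plaintext
```

To confirm the policy is in effect, `istioctl x describe pod <pod-name>` reports the mTLS mode that applies to each port; traffic from a pod without a sidecar to a STRICT workload is reset at the TCP layer, which is the symptom to look for if the ALB targets the wrong pods.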
Consider adding a Web Application Firewall (WAF) on the ALB and enabling ALB access logs unless your Palo Alto setup already covers that. If your threat model includes potential risks like VPC snooping, you might want to establish TLS from the ALB to the pods for extra security, but keep in mind that ACM can't be used for that directly. The level of security you go for really depends on your specific needs, like if you're facing high DDoS risk, and budget constraints play a significant role too.
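The three controls in this answer (a WAF attached to the ALB, ALB access logs, and TLS from the ALB to the pods) can all be expressed as annotations on the Ingress that the AWS Load Balancer Controller reconciles. The manifest below is an added example, not from the original thread; the ACM certificate ARN, WAFv2 web ACL ARN, S3 bucket name, hostnames and service names are placeholders to replace. The annotation keys themselves are the controller's real ones.

```yaml
# Added example, not from the original thread. Assumes the AWS Load Balancer
# Controller is installed and the IngressClass "alb" exists.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: public-apis
  namespace: prod-apis                      # assumed namespace
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip

    # --- Edge TLS (what the question already has) ---
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'         # 80 only redirects, never serves the API
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06

    # --- WAF on the ALB ---
    alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:REGION:ACCOUNT_ID:regional/webacl/PLACEHOLDER/PLACEHOLDER

    # --- Access logs to S3 (bucket policy must allow the regional ELB account) ---
    alb.ingress.kubernetes.io/load-balancer-attributes: >-
      access_logs.s3.enabled=true,
      access_logs.s3.bucket=PLACEHOLDER-alb-logs,
      access_logs.s3.prefix=prod-apis

    # --- TLS from the ALB to the pods ---
    # The ALB encrypts to the target but does not validate the target's
    # certificate, so the pod cert need not come from ACM or a public CA.
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTPS
    alb.ingress.kubernetes.io/healthcheck-path: /healthz
spec:
  ingressClassName: alb
  rules:
    - host: api.example.test                  # placeholder hostname
      http:
        paths:
          - path: /orders
            pathType: Prefix
            backend:
              service:
                name: orders                  # assumed service, must expose port 443
                port:
                  number: 443
          - path: /customers
            pathType: Prefix
            backend:
              service:
                name: customers               # assumed service, must expose port 443
                port:
                  number: 443
```

Two things to check after applying it: the target group health should turn healthy only once the pods actually serve HTTPS on the service port (a pod still listening on plain port 80 fails the HTTPS health check, which is the intended safety net), and the S3 bucket should start receiving gzip'd log objects within a few minutes; if it does not, the bucket policy for the ELB log-delivery principal is the usual cause.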
You should think about issuing certificates for your pods to secure the connection between the ALB and your backend services with TLS. Right now, the traffic within your network is passing unencrypted. The assumption that all VPC traffic is encrypted at the network layer only holds if you're using supported EC2 instance types, so it might be worth checking your environment.
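Issuing certificates for the pods, as this answer suggests, is usually easiest with cert-manager. Because the ALB does not validate the backend certificate, a cluster-local self-signed issuer is sufficient to get the ALB-to-pod hop encrypted; the example below is added here and is not from the original thread. It assumes cert-manager is installed, that the application is an ASP.NET Core service using Kestrel (the question mentions .NET), and uses assumed names for the namespace, service and image. The Kestrel configuration keys shown are the standard `Kestrel:Certificates:Default:Path` and `KeyPath` settings mapped to environment variables.

```yaml
# Added example, not from the original thread. Requires cert-manager.
#
# 1) A namespace-scoped self-signed issuer: the ALB does not check the
#    backend cert chain, so no CA or ACM integration is needed for this hop.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned
  namespace: prod-apis                        # assumed namespace
spec:
  selfSigned: {}
---
# 2) The certificate cert-manager keeps renewed in a TLS Secret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: orders-backend-tls
  namespace: prod-apis
spec:
  secretName: orders-backend-tls              # Secret with tls.crt / tls.key
  duration: 2160h                             # 90 days
  renewBefore: 360h                           # renew 15 days before expiry
  dnsNames:
    - orders.prod-apis.svc.cluster.local      # assumed service DNS name
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned
    kind: Issuer
---
# 3) The pod mounts the Secret and Kestrel serves HTTPS on 443 instead of HTTP on 80.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders
  namespace: prod-apis
spec:
  replicas: 2
  selector:
    matchLabels:
      app: orders
  template:
    metadata:
      labels:
        app: orders
    spec:
      containers:
        - name: orders
          image: PLACEHOLDER_REGISTRY/orders:PLACEHOLDER_TAG   # assumed image
          ports:
            - containerPort: 443
          env:
            - name: ASPNETCORE_URLS
              value: https://+:443
            - name: ASPNETCORE_Kestrel__Certificates__Default__Path
              value: /certs/tls.crt
            - name: ASPNETCORE_Kestrel__Certificates__Default__KeyPath
              value: /certs/tls.key
          volumeMounts:
            - name: backend-tls
              mountPath: /certs
              readOnly: true
      volumes:
        - name: backend-tls
          secret:
            secretName: orders-backend-tls
---
# 4) The Service the Ingress points at, on 443 so the ALB target group uses HTTPS.
apiVersion: v1
kind: Service
metadata:
  name: orders
  namespace: prod-apis
spec:
  selector:
    app: orders
  ports:
    - port: 443
      targetPort: 443
```

Pods pick up a renewed certificate only when Kestrel reloads it; the simplest approach is to restart the Deployment on renewal (for instance with a short `kubectl rollout restart` triggered from a cert-manager event), and `kubectl get certificate -n prod-apis` shows `READY True` once the Secret exists.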