Hey everyone,
We've transitioned our monolithic .NET applications into microservices and deployed them on Amazon EKS. We're using an Application Load Balancer (ALB) to handle path-based routing since these are stateless APIs. The setup goes like this: traffic from the Internet goes to the ALB with SSL certificates managed by ACM, which then routes to our app pods listening on port 80.
Our architecture includes an ALB controller alongside FluxCD for continuous deployment. I'm curious about how secure this setup is generally. We have Palo Alto Inspection Firewalls in place within our central security account that scan incoming traffic from the Internet and have policies to block any malicious IPs.
Do you all think we should implement additional certificates or Kubernetes resources to enhance security in our EKS environment? I'm pretty new to Kubernetes, so any advice is greatly appreciated!
Thanks in advance!
4 Answers
You might want to consider provisioning certificates on your pods to secure the connection between the ALB and your backend services. Right now, the traffic is passing unencrypted, which isn't ideal. It's an extra layer of security that could really protect your data in transit.
Instead of relying solely on the Palo Alto firewalls, consider adding a Web Application Firewall (WAF) on your ALB. Also, don't forget to enable ALB access logs if Palo Alto isn’t already doing that. If you’re really worried about security and your threat model involves snooping within your VPC, think about implementing TLS from the ALB to your pods. However, you won't be able to use ACM for that addition, so keep that in mind!
Yes, it’s good to have Palo Alto logs, but make sure your VPC infrastructure is as per the guidelines from Palo Alto for optimal configuration.
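To make the advice in the answers above concrete, here is an added example (not posted by anyone in this thread) of an Ingress for the AWS Load Balancer Controller that keeps ACM at the edge, redirects plain HTTP to HTTPS, attaches a WAFv2 web ACL, turns on ALB access logs to S3, and re-encrypts the hop from the ALB to the pods. The namespace, service name, hostname, ARNs, bucket name and the container's TLS port (8443 instead of the original plaintext 80) are all assumed placeholders.

```yaml
# Added example, not from the thread. Assumptions: namespace "apps", app label
# "orders-api", container now serves TLS on 8443; every ARN, bucket and host is a placeholder.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orders-api
  namespace: apps
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    # Edge TLS stays on ACM; only 443 serves traffic, 80 is a redirect.
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
    # WAFv2 web ACL in front of the application, in addition to the upstream firewall.
    alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:REGION:ACCOUNT_ID:regional/webacl/PLACEHOLDER/PLACEHOLDER
    # ALB access logs to S3 (bucket policy must allow the ELB log delivery account).
    alb.ingress.kubernetes.io/load-balancer-attributes: access_logs.s3.enabled=true,access_logs.s3.bucket=PLACEHOLDER-alb-logs,access_logs.s3.prefix=orders-api
    # Re-encrypt ALB -> pod: targets and health checks are contacted over HTTPS.
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTPS
    alb.ingress.kubernetes.io/healthcheck-path: /healthz
spec:
  ingressClassName: alb
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /orders
        pathType: Prefix
        backend:
          service:
            name: orders-api
            port:
              number: 443
---
apiVersion: v1
kind: Service
metadata:
  name: orders-api
  namespace: apps
spec:
  type: ClusterIP
  selector:
    app: orders-api
  ports:
  - name: https
    port: 443
    targetPort: 8443   # the container listens with TLS here, not plaintext :80
```

Two caveats a reviewer would raise. The pod-side certificate cannot come from an ACM public certificate (ACM does not release those private keys), so it has to be issued in-cluster, for example by cert-manager or from a private CA. And the ALB does not validate the certificate its targets present, so this setting protects against passive snooping on the VPC hop but does not authenticate the pod to the load balancer; if the threat model needs that, the mesh mTLS mentioned in the other answer is the tool.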
Your cluster's shared nature will determine how you implement security. Using Network Policies with Istio can help you lock down pod-to-pod communication. It’s a great way to keep the security team satisfied by ensuring only necessary communications are taking place, plus it’s the right security approach.
Regarding your reliance on Palo Alto firewalls, if that’s mandatory from your security team, then definitely consider using CloudFront with WAF and ALB. Implementing AWS Shield Advanced organization-wide is also smart and relatively cost-effective if you’re scaling. In fact, if your app has regulatory data, end-to-end MTLS via tools like Envoy or Istio on EKS may also appeal to security teams that emphasize strict encryption practices.
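As an added example of the pod-to-pod lockdown this answer describes (written for this page, not part of the thread), the manifests below use the standard Kubernetes NetworkPolicy API rather than Istio: a default-deny for the namespace, then an allow rule that admits traffic to the API pods only from the ALB's subnets and from one named client workload. Namespace, labels, port and CIDRs are assumed placeholders, and enforcement requires a CNI that implements NetworkPolicy (the VPC CNI with network policy enabled, or Calico).

```yaml
# Added example, not from the thread. Assumptions: namespace "apps", API pods
# labelled app=orders-api listening on 8443, ALB in two placeholder public subnets.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: apps
spec:
  podSelector: {}          # every pod in the namespace
  policyTypes: [Ingress]   # no ingress rules listed, so all inbound is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-alb-and-checkout-to-orders-api
  namespace: apps
spec:
  podSelector:
    matchLabels:
      app: orders-api
  policyTypes: [Ingress]
  ingress:
  # With target-type: ip the ALB connects from ENI addresses inside the subnets
  # it was placed in, so those subnet CIDRs are what to allow (placeholders).
  - from:
    - ipBlock:
        cidr: 10.0.1.0/24
    - ipBlock:
        cidr: 10.0.2.0/24
    ports:
    - protocol: TCP
      port: 8443
  # One in-cluster caller that legitimately needs the API (placeholder label).
  - from:
    - podSelector:
        matchLabels:
          app: checkout-api
    ports:
    - protocol: TCP
      port: 8443
```

Because the default-deny covers the whole namespace, every other Deployment that receives ALB traffic needs its own allow rule, which is the point: the policy set then documents exactly which communications are expected, and anything else is dropped and visible in the CNI's flow logs.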
Just so you know, Amazon EC2's supported instance types actually encrypt traffic within a VPC and between peered VPCs at the network layer, so it’s not necessarily in the clear.