
Managed Network Security Groups

Azure Kubernetes Service is used to run workloads and expose services (a Human-Machine Interface / User Interface and/or an Application Programming Interface). When interfaces are published to the internet, it is very common for attackers to scan the exposed services looking for vulnerabilities. To reduce the risk of a breach, the Trustnest platform security policy recommends limiting exposure to TCP/443, fronting it with a control that inspects the content of requests (such as a WAF, Web Application Firewall), and blocking malicious IPs from a blacklist provided by the Trustnest threat intelligence service.

To make the developer journey easier, k8saas provides a pre-configured firewall that follows cloud security best practices.

The firewall is implemented with Azure Network Security Groups (NSG).


Synthesis of the rules:

Inbound (from the internet):

  • HTTP/HTTPS is allowed from anywhere (including the internet)
  • All other ports are blocked from the internet (in particular SSH/RDP/FTP/FTPS)
  • All communication inside the cluster is allowed (pod-to-pod communication)

Outbound (to the internet):

  • All ports are allowed to the internet (except those listed in the next rule)
  • SSH/RDP/FTP/FTPS are blocked to the internet
  • All communication inside the cluster is allowed (pod-to-pod communication)

Use cases

  • Expose a Human-Machine Interface (HMI) to users - TCP:443
  • Expose an Application Programming Interface (API) to a third-party system - TCP:443


How to enable this pre-configured firewall?

By default, only HTTP/HTTPS is reachable from the internet and the malicious IPs from the blacklist are already blocked. No action is required from the customer.

How to request an exception

This section describes the process to request a specific NSG access configuration.

Customer Exception Request Flow

  1. (Requester) Describe the network flow
    • Functional explanation of the flow
    • Source and destination (from/to), with protocol and port, since an NSG rule is defined on them
    • Why the flow is needed
  2. (Requester) Send a request with all the flow information on the TrustNestK8SaaS Service Catalog
  3. (Platform team) Security team approval: the request is reviewed and approved by the security team
  4. (Platform team) Exception deployment: once the security team has approved the network access, the change is applied to the customer cluster

How to restrict access to authorized IPs only

This option restricts HTTPS access (and cluster access) to a list of authorized source IPs only.

Open a ticket on the TrustNestK8SaaS Service Catalog.

Note: you can also enable a lighter form of whitelisting by following the All in one application publication service, section "Configure a whitelist".

Technical description / architecture


The following diagram shows the three levels of firewall rules applied to an AKS cluster.

  • Subscription level: the first level applies to the entire subscription. It blocks inbound and outbound connections from/to malicious IPs, i.e. suspicious IPs reported by the security team.
  • Cluster level: this level is applied per cluster. It configures HTTP/HTTPS and VNet access. These rules are identical across clusters.
  • Customer exception level: contains rule modifications for customer-specific accesses. Any access configured at this level is an exception and requires approval by the security team.

FW Rule Levels

Default NSG rules

| Level        | Priority | Name                                          | Port | Direction | Access | Source          | Destination     |
|--------------|----------|-----------------------------------------------|------|-----------|--------|-----------------|-----------------|
| Cluster      | 100      | k8saas_backlisted_ips_rule_inbound [legacy]   | *    | Inbound   | Deny   | [Malicious IPs] | Any             |
| Subscription | 202      | k8saas_nsg_rule_blacklist_ip_inbound          | *    | Inbound   | Deny   | [Malicious IPs] | Any             |
| Cluster      | 100      | k8saas_backlisted_ips_rule_outbound [legacy]  | *    | Outbound  | Deny   | Any             | [Malicious IPs] |
| Subscription | 202      | k8saas_nsg_rule_blacklist_ip_outbound         | *    | Outbound  | Deny   | Any             | [Malicious IPs] |
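To make the interaction between the three rule levels concrete, here is an added example (not code from the k8saas platform) that models how an Azure NSG evaluates the rule set summarised above: per direction, rules are tried in ascending priority order, the first match decides, and Azure's built-in default rules (AllowVnetInBound/OutBound, AllowInternetOutBound, DenyAllInBound/OutBound at priorities 65000-65500) are evaluated last. Only the blacklist rule names and priority 202 come from this page; the VNet range, the malicious IP list, the names and priorities of the HTTP/HTTPS allow and SSH/RDP/FTP/FTPS deny rules, and the way the "authorized IPs only" exception is built are assumptions of the example.

```python
"""Toy model of the k8saas NSG rule levels and how Azure evaluates them.

Added example, not k8saas code. Azure NSG semantics reproduced: per direction,
rules are tried in ascending priority order, the first match decides, and the
built-in default rules (65000-65500) always come last. The blacklist rule names
and priority 202 are from the page; everything else below is assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

VNET = ip_network("10.0.0.0/16")                         # assumed cluster VNet
MALICIOUS_IPS = ("198.51.100.7/32", "198.51.100.64/29")  # constructed threat feed
BLACKLIST_PRIORITY = 202                                 # documented on the page
HTTP_HTTPS = frozenset({80, 443})
SSH_RDP_FTP_FTPS = frozenset({22, 3389, 21, 990})        # FTPS assumed on 990


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    direction: str              # "Inbound" or "Outbound"
    access: str                 # "Allow" or "Deny"
    ports: Optional[frozenset]  # None: any destination port
    sources: tuple              # "*", "VirtualNetwork", "Internet" or CIDRs
    destinations: tuple


def _prefix_matches(prefix, ip):
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "Internet":            # simplification: anything outside the VNet
        return ip not in VNET
    return ip in ip_network(prefix)


def _matches(rule, direction, src, dst, port):
    return (rule.direction == direction
            and (rule.ports is None or port in rule.ports)
            and any(_prefix_matches(p, src) for p in rule.sources)
            and any(_prefix_matches(p, dst) for p in rule.destinations))


def evaluate(rules, direction, src, dst, port):
    """Return (access, rule name) of the first matching rule, Azure-style."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, direction, src, dst, port):
            return rule.access, rule.name
    raise ValueError("no rule matched: Azure default rules are missing")


# Azure built-in default rules (real names and priorities).
AZURE_DEFAULT_RULES = [
    Rule(65000, "AllowVnetInBound", "Inbound", "Allow", None, ("VirtualNetwork",), ("VirtualNetwork",)),
    Rule(65500, "DenyAllInBound", "Inbound", "Deny", None, ("*",), ("*",)),
    Rule(65000, "AllowVnetOutBound", "Outbound", "Allow", None, ("VirtualNetwork",), ("VirtualNetwork",)),
    Rule(65001, "AllowInternetOutBound", "Outbound", "Allow", None, ("*",), ("Internet",)),
    Rule(65500, "DenyAllOutBound", "Outbound", "Deny", None, ("*",), ("*",)),
]
# Subscription level: blacklist rules, names and priority as documented.
SUBSCRIPTION_RULES = [
    Rule(BLACKLIST_PRIORITY, "k8saas_nsg_rule_blacklist_ip_inbound", "Inbound", "Deny", None, MALICIOUS_IPS, ("*",)),
    Rule(BLACKLIST_PRIORITY, "k8saas_nsg_rule_blacklist_ip_outbound", "Outbound", "Deny", None, ("*",), MALICIOUS_IPS),
]
# Cluster level: HTTP/HTTPS in, no SSH/RDP/FTP/FTPS out (names and priority 300 assumed).
CLUSTER_RULES = [
    Rule(300, "k8saas_allow_http_https_inbound", "Inbound", "Allow", HTTP_HTTPS, ("Internet",), ("VirtualNetwork",)),
    Rule(300, "k8saas_deny_ssh_rdp_ftp_outbound", "Outbound", "Deny", SSH_RDP_FTP_FTPS, ("VirtualNetwork",), ("Internet",)),
]
DEFAULT_RULES = SUBSCRIPTION_RULES + CLUSTER_RULES + AZURE_DEFAULT_RULES


def restrict_https_to(rules, allowed_cidrs, priority=250):
    """Customer exception: HTTP/HTTPS reachable only from allowed_cidrs.

    Modelled by dropping the cluster-wide allow and adding a narrower one
    (one possible implementation, assumed here)."""
    kept = [r for r in rules if r.name != "k8saas_allow_http_https_inbound"]
    kept.append(Rule(priority, "customer_allow_https_from_authorized", "Inbound",
                     "Allow", HTTP_HTTPS, tuple(allowed_cidrs), ("VirtualNetwork",)))
    return kept


def shadows_blacklist(rule):
    """True if an Allow exception would be evaluated before the blacklist deny."""
    return rule.access == "Allow" and rule.priority < BLACKLIST_PRIORITY


def add_exception(rules, rule):
    """Customer exception level: append an approved rule as-is."""
    return list(rules) + [rule]


if __name__ == "__main__":
    for flow in [("Inbound", "203.0.113.10", "10.0.1.5", 443),
                 ("Inbound", "198.51.100.7", "10.0.1.5", 443),
                 ("Inbound", "203.0.113.10", "10.0.1.5", 22),
                 ("Outbound", "10.0.1.5", "1.1.1.1", 22)]:
        print(flow, "->", evaluate(DEFAULT_RULES, *flow))
    risky = Rule(150, "customer_open_443", "Inbound", "Allow", HTTP_HTTPS, ("Internet",), ("VirtualNetwork",))
    print("exception shadows blacklist:", shadows_blacklist(risky))
```

Two points the model makes visible. First, the blacklist only protects HTTP/HTTPS because its priority (202) is numerically lower than the allow rule: an approved customer exception that allows traffic at a priority below 202 would be matched before the deny and let a blacklisted source in, which is what `shadows_blacklist` flags. Second, restricting HTTPS to authorized IPs is not just adding a narrower allow; the cluster-wide allow must also be removed (or denied first), otherwise the broader rule still matches everyone else.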
