articles/azure-monitor/includes/waf-containers-security.md
6 additions & 2 deletions
@@ -9,7 +9,11 @@ ms.date: 03/30/2023
9
9
### Design checklist
10
10
11
11
> [!div class="checklist"]
12
-
> -
12
+
> - Use managed identity authentication for your cluster to connect to Container insights.
13
+
> - Consider using Azure private link for your cluster to connect to your Azure Monitor workspace using a private endpoint.
14
+
> - Use traffic analytics to monitor network traffic to and from your cluster.
15
+
> - Enable network observability.
16
+
> - Ensure the security of the Log Analytics workspace supporting Container insights.
13
17
14
18
15
19
### Configuration recommendations
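Review bot: the second new checklist item ("connect to your Azure Monitor workspace using a private endpoint") is narrower than it reads: the table row for the same recommendation explains that the Azure Monitor workspace is where Azure Monitor managed service for Prometheus stores its data, while Container insights itself writes to a Log Analytics workspace (last item). Consider qualifying the checklist item so readers know it applies to Managed Prometheus ingestion, for example "Consider using Azure Private Link to connect your cluster to the Azure Monitor workspace used by Managed Prometheus through a private endpoint." Also, "Azure private link" is a product name and should be cased "Azure Private Link" here and in the matching table row; removing the empty `> -` item is otherwise the right fix.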
@@ -19,6 +23,6 @@ ms.date: 03/30/2023
19
23
| Use managed identity authentication for your cluster to connect to Container insights. |[Managed identity authentication](../containers/container-insights-authentication.md) is the default for new clusters. If you're using legacy authentication, you should [migrate to managed identity](../containers/container-insights-authentication.md#how-to-enable) to remove the certificate-based local authentication. |
20
24
| Consider using Azure private link for your cluster to connect to your Azure Monitor workspace using a private endpoint.| Azure managed service for Prometheus stores its data in an Azure Monitor workspace which uses a public endpoint by default. Connections to public endpoints are secured with end-to-end encryption. If you require a private endpoint, you can use [Azure private link](../logs/private-link-security.md) to allow your cluster to connect to the workspace through authorized private networks. Private link can also be used to force workspace data ingestion through ExpressRoute or a VPN.<br><br>See [Private Link for data ingestion for Managed Prometheus and Azure Monitor workspace](../essentials/private-link-data-ingestion.md) for details on configuring your cluster for private link. See [Use private endpoints for Managed Prometheus and Azure Monitor workspace](../essentials/azure-monitor-workspace-private-endpoint.md) for details on querying your data using private link. |
21
25
| Use traffic analytics to monitor network traffic to and from your cluster. |[Traffic analytics](../../network-watcher/traffic-analytics.md) analyzes Azure Network Watcher NSG flow logs to provide insights into traffic flow in your Azure cloud. Use this tool to ensure there's no data exfiltration for your cluster and to detect if any unnecessary public IPs are exposed. |
22
-
| Enable network observability |[Network observability add-on for AKS](https://techcommunity.microsoft.com/t5/azure-observability-blog/comprehensive-network-observability-for-aks-through-azure/ba-p/3825852) provides observability across the multiple layers in the Kubernetes networking stack. monitor and observe access between services in the cluster (east-west traffic). |
26
+
| Enable network observability.|[Network observability add-on for AKS](https://techcommunity.microsoft.com/t5/azure-observability-blog/comprehensive-network-observability-for-aks-through-azure/ba-p/3825852) provides observability across the multiple layers in the Kubernetes networking stack. monitor and observe access between services in the cluster (east-west traffic). |
23
27
| Ensure the security of the Log Analytics workspace supporting Container insights. | Container insights relies on a Log Analytics workspace. See [Best practices for Azure Monitor Logs](../best-practices-logs.md#security) for recommendations to ensure the security of the workspace. |
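Review bot: the edited "Enable network observability." row only gains a trailing period in the first column, but the description still carries the sentence fragment "monitor and observe access between services in the cluster (east-west traffic)." starting in lowercase; since this row is being touched anyway, rewrite it as "Use it to monitor and observe access between services in the cluster (east-west traffic)." Two smaller points in the surrounding context rows: "Azure managed service for Prometheus" should be the full product name "Azure Monitor managed service for Prometheus", and "Use this tool to ensure there's no data exfiltration" in the traffic analytics row overstates what flow-log analysis can do; "to help detect potential data exfiltration" reflects the tool's capability more accurately.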