Disable Public FQDN for Private AKS Clusters

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Public FQDN feature is disabled for your private Azure Kubernetes Service (AKS) clusters. A Fully Qualified Domain Name (FQDN) is the complete DNS name of a specific resource, such as a server or service. When a private AKS cluster is provisioned, Azure by default also registers a public FQDN for the cluster's Kubernetes API server in public DNS. For a private cluster this name resolves to the private IP address of the API server, so it does not by itself open the API server to the Internet, but it does publish the cluster's existence and its internal API server address to anyone who can query public DNS, and it allows the API server to be named without going through the cluster's private DNS zone. Private clusters should therefore rely on their private DNS zone alone and have the public FQDN disabled.

Security

For private Azure Kubernetes Service (AKS) clusters, disabling the public FQDN removes the public DNS record for the Kubernetes API server. The API server then has no publicly resolvable name and is reachable only through its private endpoint, using the cluster's private DNS zone, which reduces the information exposed to the Internet and the surface available to an external attacker. Note that a private cluster created with the private DNS zone option set to "none" relies on the public FQDN for API server name resolution, so it must be given a private DNS zone (system or custom) before the public FQDN can be disabled.


Audit

To determine if your private Azure AKS clusters are configured with a public FQDN, perform the following operations:

Checking the Public FQDN feature status for private Azure AKS clusters using Microsoft Azure Portal (Azure Console) is not currently supported.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run aks list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Kubernetes Service (AKS) cluster available in the selected Azure subscription:

az aks list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AKS cluster names and their resource groups:

Name                             ResourceGroup
-------------------------------  ------------------------------
cc-project5-private-aks-cluster  cloud-shell-storage-westeurope
cc-private-data-mining-cluster   cloud-shell-storage-westeurope

06 Run aks show command (Windows/macOS/Linux) with the name of the AKS cluster that you want to examine (and the associated resource group) as identifier parameters, to determine if the selected Azure AKS cluster is private:

az aks show
  --name cc-project5-private-aks-cluster
  --resource-group cloud-shell-storage-westeurope
  --query '{enablePrivateCluster:apiServerAccessProfile.enablePrivateCluster}'

07 The command output should return the requested configuration information:

{
	"enablePrivateCluster": true
}

If the command output returns true for the "enablePrivateCluster" configuration attribute, as shown in the example above, the selected Azure Kubernetes Service (AKS) cluster is private and you can continue the Audit process with the next step. Otherwise, the Audit process ends here.

08 Run the aks show command (Windows/macOS/Linux) again to describe the configuration status of the Public FQDN feature, available for the selected private AKS cluster:

az aks show
  --name cc-project5-private-aks-cluster
  --resource-group cloud-shell-storage-westeurope
  --query 'apiServerAccessProfile.enablePrivateClusterPublicFqdn'

09 The command output should return the requested configuration status:

true

If the aks show command output returns true, as shown in the example above, the Public FQDN feature is not disabled for the selected private Azure Kubernetes Service (AKS) cluster and the cluster's API server still has a publicly resolvable name. If the command returns false, the feature is disabled and the cluster is compliant with this rule.

10 Repeat steps no. 6 - 9 for each AKS cluster available within the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your private Azure Kubernetes Service (AKS) clusters are not configured with a public FQDN, perform the following operations:

Disabling the Public FQDN feature for private Azure AKS clusters using Microsoft Azure Portal (Azure Console) is not currently supported.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run aks update command (Windows/macOS/Linux) with the name of the private AKS cluster that you want to configure (and the associated resource group) as the identifier parameters, to disable the Public FQDN feature for the selected Azure AKS cluster:

az aks update
  --name cc-project5-private-aks-cluster
  --resource-group cloud-shell-storage-westeurope
  --disable-public-fqdn

05 The command output should return the configuration information available for the modified AKS cluster. Confirm that the "enablePrivateClusterPublicFqdn" attribute is now false:

{
	"aadProfile": {
		"adminGroupObjectIDs": [
			"abcdabcd-1234-abcd-1234-abcdabcdabcd"
		],
		"enableAzureRbac": true,
		"managed": true,
		"tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd"
	},

	...

	"apiServerAccessProfile": {
		"authorizedIpRanges": null,
		"disableRunCommand": null,
		"enablePrivateCluster": true,
		"enablePrivateClusterPublicFqdn": false,
		"privateDnsZone": "system"
	}
}

06 Repeat steps no. 4 and 5 for each AKS cluster that you want to configure, available in the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.
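
Putting Audit steps 4 to 9 and Remediation step 4 above together for a whole subscription, the following Python script is an added example; it is not part of the original Conformity article or of the Azure CLI. It reads the JSON that `az aks list --output json` prints (after `az account set` has selected a subscription), applies the same two-attribute test as the Audit, and for each finding emits the `az aks update ... --disable-public-fqdn` command from the Remediation, or a warning when the cluster's privateDnsZone is "none" and a private DNS zone must be assigned first. The embedded cluster records are constructed sample data, trimmed to the fields the check reads; the first two names and the resource group are the ones used in the steps above, the other two cluster names are invented for the example, and the file name check_public_fqdn.py is assumed.

```python
"""Flag private AKS clusters that still have a public API-server FQDN.

Input: the JSON array printed by `az aks list --output json` for the
currently selected subscription (Audit steps 3 and 4). A cluster is a
finding when apiServerAccessProfile.enablePrivateCluster is true AND
apiServerAccessProfile.enablePrivateClusterPublicFqdn is true (steps 6-9).
"""
import json
import shlex
import sys

# Constructed sample of `az aks list --output json`, reduced to the fields this
# check reads. The cluster and resource group names are example values.
SAMPLE_AKS_LIST = [
    {"name": "cc-project5-private-aks-cluster",
     "resourceGroup": "cloud-shell-storage-westeurope",
     "apiServerAccessProfile": {"enablePrivateCluster": True,
                                "enablePrivateClusterPublicFqdn": True,
                                "privateDnsZone": "system"}},
    {"name": "cc-private-data-mining-cluster",
     "resourceGroup": "cloud-shell-storage-westeurope",
     "apiServerAccessProfile": {"enablePrivateCluster": True,
                                "enablePrivateClusterPublicFqdn": True,
                                "privateDnsZone": "none"}},
    {"name": "cc-hardened-cluster",
     "resourceGroup": "cloud-shell-storage-westeurope",
     "apiServerAccessProfile": {"enablePrivateCluster": True,
                                "enablePrivateClusterPublicFqdn": False,
                                "privateDnsZone": "system"}},
    {"name": "cc-public-dev-cluster",
     "resourceGroup": "cloud-shell-storage-westeurope",
     # Non-private clusters commonly carry a null access profile.
     "apiServerAccessProfile": None},
]


def classify(cluster: dict) -> str:
    """Apply Audit steps 6-9 to one cluster record from `az aks list`."""
    profile = cluster.get("apiServerAccessProfile") or {}
    if profile.get("enablePrivateCluster") is not True:
        return "not-private"      # rule applies to private clusters only
    public_fqdn = profile.get("enablePrivateClusterPublicFqdn")
    if public_fqdn is True:
        return "finding"
    if public_fqdn is False:
        return "compliant"
    return "unknown"              # attribute absent/null: confirm with `az aks show`


def remediation(cluster: dict) -> str:
    """Return the fix for a finding, or say why it cannot be applied as-is."""
    profile = cluster["apiServerAccessProfile"]
    name, rg = cluster["name"], cluster["resourceGroup"]
    zone = (profile.get("privateDnsZone") or "").lower()
    if zone == "none":
        # A cluster created with --private-dns-zone none has no private DNS
        # zone, so the public FQDN is its only API-server name. It needs a
        # system or custom private zone before the public FQDN can go away.
        return (f"cannot disable public FQDN for {name}: privateDnsZone is "
                "'none'; assign a private DNS zone (system or custom) first")
    # Remediation step 4 from the article.
    return ("az aks update "
            f"--name {shlex.quote(name)} --resource-group {shlex.quote(rg)} "
            "--disable-public-fqdn")


def evaluate(clusters: list[dict]) -> list[dict]:
    """One result row per cluster: name, resourceGroup, status, action."""
    rows = []
    for c in clusters:
        status = classify(c)
        rows.append({
            "name": c["name"],
            "resourceGroup": c["resourceGroup"],
            "status": status,
            "action": remediation(c) if status == "finding" else None,
        })
    return rows


def findings(clusters: list[dict]) -> list[dict]:
    """Only the rows that violate the rule."""
    return [r for r in evaluate(clusters) if r["status"] == "finding"]


if __name__ == "__main__":
    # Piped input wins; with no pipe, run over the constructed sample.
    source = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_AKS_LIST
    for row in evaluate(source):
        print(f"{row['status']:12} {row['resourceGroup']}/{row['name']}")
        if row["action"]:
            print(f"{'':12} -> {row['action']}")
    # Non-zero exit when any private cluster still has a public FQDN.
    sys.exit(1 if findings(source) else 0)
```

Run it as `az aks list --output json | python3 check_public_fqdn.py` once per subscription; the non-zero exit status on findings lets it gate a pipeline. Audit steps 4 to 9 can also be collapsed into one Azure CLI call with a JMESPath filter, `az aks list --output table --query "[?apiServerAccessProfile.enablePrivateCluster && apiServerAccessProfile.enablePrivateClusterPublicFqdn].{name:name, resourceGroup:resourceGroup}"`, which lists only the private clusters whose public FQDN is still enabled.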

Publication date Oct 21, 2024