01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run aks list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Kubernetes Service (AKS) cluster available in the selected Azure subscription:
az aks list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'
05 The command output should return the requested AKS cluster names:
Name                             ResourceGroup
-------------------------------  ------------------------------
cc-project5-private-aks-cluster  cloud-shell-storage-westeurope
cc-private-data-mining-cluster   cloud-shell-storage-westeurope
06 Run aks show command (Windows/macOS/Linux) with the name of the AKS cluster that you want to examine (and the associated resource group) as identifier parameters, to determine if the selected Azure AKS cluster is private:
az aks show --name cc-project5-private-aks-cluster --resource-group cloud-shell-storage-westeurope --query '{enablePrivateCluster:apiServerAccessProfile.enablePrivateCluster}'
07 The command output should return the requested configuration information:
{
  "enablePrivateCluster": true
}
If the command output returns true for the "enablePrivateCluster" configuration attribute, as shown in the example above, the selected Azure Kubernetes Service (AKS) cluster is private and you can continue the Audit process with the next step. Otherwise, the Audit process ends here.
08 Run the aks show command (Windows/macOS/Linux) again to describe the configuration status of the Public FQDN feature, available for the selected private AKS cluster:
az aks show --name cc-project5-private-aks-cluster --resource-group cloud-shell-storage-westeurope --query 'apiServerAccessProfile.enablePrivateClusterPublicFqdn'
09 The command output should return the requested configuration status:
true
If the aks show command output returns true, as shown in the example above, the Public FQDN feature is not disabled for the selected private Azure Kubernetes Service (AKS) cluster.
10 Repeat steps no. 6 – 9 for each AKS cluster available within the selected Azure subscription.
11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.
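
The audit steps above combined into one script, added here as an example and not part of the original page: it walks every subscription and AKS cluster and classifies each cluster by the two apiServerAccessProfile attributes. The function names, the status labels (SKIP/FLAG/PASS/UNKNOWN), the `run` argument and the use of `--output tsv` with a list-style query are assumptions of this example; the az subcommands and attribute names are the ones used in the steps.

```shell
#!/bin/sh
# Added example: automates audit steps 1-11. Only the az subcommands and the
# two apiServerAccessProfile attributes come from the page; function names,
# status labels and the "run" argument are assumptions made for this example.

# One TSV row per cluster: name, resourceGroup, enablePrivateCluster,
# enablePrivateClusterPublicFqdn (a list query keeps the column order fixed).
AKS_QUERY='[].[name, resourceGroup, apiServerAccessProfile.enablePrivateCluster, apiServerAccessProfile.enablePrivateClusterPublicFqdn]'

# classify_clusters SUBSCRIPTION_ID   (reads TSV rows on stdin)
# Prints: STATUS <tab> subscription <tab> resourceGroup <tab> name
#   SKIP    = cluster is not private, so the audit ends at step 7
#   FLAG    = private cluster whose Public FQDN attribute is true (step 9)
#   PASS    = private cluster whose Public FQDN attribute is false
#   UNKNOWN = attribute missing or unexpected; check the cluster by hand
classify_clusters() {
  # awk with an explicit tab separator keeps empty fields, unlike shell `read`
  awk -F'\t' -v sub_id="$1" '{
    private = tolower($3); fqdn = tolower($4)   # tolerate True/true
    if (private != "true")    status = "SKIP"
    else if (fqdn == "true")  status = "FLAG"
    else if (fqdn == "false") status = "PASS"
    else                      status = "UNKNOWN"
    printf "%s\t%s\t%s\t%s\n", status, sub_id, $2, $1
  }'
}

# Steps 1-11: loop over subscriptions, then over the clusters in each one.
audit_public_fqdn() {
  for sub_id in $(az account list --query '[*].id' --output tsv); do
    az account set --subscription "$sub_id"
    az aks list --output tsv --query "$AKS_QUERY" | classify_clusters "$sub_id"
  done
}

# Only touch the Azure account when explicitly asked to.
if [ "${1:-}" = "run" ]; then
  audit_public_fqdn
fi
```

Run the script with the `run` argument from an authenticated Azure CLI session; rows beginning with FLAG are the private clusters that step 09 identifies as having the Public FQDN feature not disabled.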