- Kubernetes Clusters with Private Nodes
Ensure that your Azure Kubernetes Service (AKS) clusters are deployed with private nodes in order to enhance your Kubernetes workload's security and isolation. AKS cluster private nodes are nodes with no public IP addresses.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
By removing public IP addresses from Azure Kubernetes Service (AKS) cluster nodes, you can limit access to internal networks exclusively. This reduces the attack surface, improves data privacy, and allows for stricter control over network traffic, aligning with security best practices for sensitive workloads.
Audit
To determine if your Azure Kubernetes Service (AKS) clusters were created with private nodes, perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Kubernetes service for Value, then choose Apply to list the AKS clusters available in the selected subscription.
05 Click on the name (link) of the AKS cluster that you want to examine.
06 In the resource navigation panel, under Settings, choose Node pools to list the node pools provisioned for the selected AKS cluster.
07 Click on the name (link) of the node pool that you want to examine.
08 In the left navigation panel, choose Overview, select the Properties tab, and check the Public IPs per node attribute value under Node pool to determine if the node pool's nodes have public IP addresses. If Public IPs per node is set to Enabled, the nodes in the selected node pool were assigned public IPs.
09 Repeat steps no. 7 and 8 for each node pool deployed for the selected AKS cluster. If one or more node pools are configured with public IP addresses, the selected Azure Kubernetes Service (AKS) cluster was not created with private nodes only.
10 Repeat steps no. 5 – 9 for each AKS cluster provisioned in the selected Azure subscription.
11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run aks list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Kubernetes Service (AKS) cluster available in the selected Azure subscription:
az aks list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'
05 The command output should return the requested AKS cluster names:
Name                     ResourceGroup
-----------------------  ------------------------------
cc-project5-aks-cluster  cloud-shell-storage-westeurope
cc-ai-project-cluster    cloud-shell-storage-westeurope
06 Run aks show command (Windows/macOS/Linux) with the name of the AKS cluster that you want to examine (and the associated resource group) as the identifier parameters, to determine if the nodes deployed for the selected AKS cluster have public IP addresses:
az aks show --name cc-project5-aks-cluster --resource-group cloud-shell-storage-westeurope --output table --query='agentPoolProfiles[].{Name:name,enableNodePublicIp:enableNodePublicIp}'
07 The command output should return the Public IP feature status (True for enabled, False for disabled) for each node pool provisioned for the selected cluster:
Name         EnableNodePublicIp
-----------  ------------------
miningpool1  True
miningpool2  True
miningpool3  True
If the aks show command output returns True for one or more node pools, as shown in the example above, the selected Azure Kubernetes Service (AKS) cluster was not created with private nodes only.
08 Repeat steps no. 6 and 7 for each AKS cluster available within the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
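The CLI audit above, automated across every subscription and cluster, as an added example that is not part of the Conformity page: it wraps the same az commands (account list/set, aks list, aks show) and evaluates the agentPoolProfiles array. The sample profiles are constructed to mirror the cc-project5-aks-cluster output shown above.

```python
import json
import subprocess

# Constructed sample mirroring the page's `az aks show` output for
# cc-project5-aks-cluster (three pools with public IPs), plus one
# private pool added here to show the contrast.
SAMPLE_PROFILES = [
    {"name": "miningpool1", "enableNodePublicIp": True},
    {"name": "miningpool2", "enableNodePublicIp": True},
    {"name": "miningpool3", "enableNodePublicIp": True},
    {"name": "privatepool1", "enableNodePublicIp": None},
]


def az(*args):
    """Run an Azure CLI command; return parsed JSON, or None for no output."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def public_ip_pools(agent_pool_profiles):
    """Names of node pools whose nodes receive public IPs.

    Only an explicit true counts; false or null is treated as private.
    """
    return sorted(p["name"] for p in agent_pool_profiles
                  if p.get("enableNodePublicIp") is True)


def cluster_is_compliant(agent_pool_profiles):
    """The rule passes only when no node pool in the cluster has public IPs."""
    return not public_ip_pools(agent_pool_profiles)


def audit_all_subscriptions():
    """Walk every subscription and cluster, as Audit steps 1 to 9 do.

    Returns {subscription_id: {cluster_name: [non-compliant pool names]}}.
    """
    findings = {}
    for sub in az("account", "list", "--query", "[].id") or []:
        az("account", "set", "--subscription", sub)   # prints nothing
        for c in az("aks", "list", "--query",
                    "[].{name:name,rg:resourceGroup}") or []:
            cluster = az("aks", "show", "--name", c["name"],
                         "--resource-group", c["rg"])
            bad = public_ip_pools(cluster["agentPoolProfiles"])
            if bad:
                findings.setdefault(sub, {})[c["name"]] = bad
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_all_subscriptions(), indent=2))
```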
Remediation / Resolution
To ensure that your AKS cluster nodes are private, you must disable public IP addresses for the nodes at the node pool level. To redeploy your AKS cluster node pools without public IPs, perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Kubernetes service for Value, then choose Apply to list the AKS clusters available in the selected subscription.
05 Click on the name (link) of the AKS cluster that you want to configure.
06 In the resource navigation panel, under Settings, choose Node pools to list the node pools provisioned for the selected AKS cluster.
07 Click on the name (link) of the node pool that you want to re-create and copy the necessary configuration details such as mode, Operating System, Kubernetes version, node size, scale method, and so on. This configuration information will be required later, when the new node pool is deployed.
08 Navigate back to the Node pools page, choose Add node pool, and perform the following actions to deploy a new node pool with private nodes:
- For Basics, provide the following information:
- Provide a unique name for the node pool in the Node pool name box.
- For Mode, select the node pool mode (must match the mode of the source pool).
- For OS SKU, select the OS type for the nodes within the node pool (must match the source pool configuration).
- For Kubernetes version, select the latest stable version of Kubernetes supported by AKS (recommended).
- For Availability zones, select at least two Availability Zones. Availability Zones (AZs) are used to protect your applications from datacenter failures.
- For Node size, click on the Choose a size (link), and select the appropriate VM size for the nodes (must match the source pool configuration).
- For Scale method, choose Autoscale - Recommended, and set the minimum and maximum node count required for autoscaling.
- Choose Next: Optional settings > to continue the setup process.
- For Optional settings, provide the following information:
- For Max pods per node, configure the maximum number of pods that can be run on a node (must match the source pool configuration).
- Ensure that the Enable public IP per node checkbox is unchecked, so that nodes within the node pool do not receive public IP addresses.
- For Maximum surge definition, choose Default.
- For Node drain timeout, use the setting slider to configure the drain timeout for the nodes within the node pool.
- For Labels, create the necessary label sets. Labels are key-value pairs that can be used to categorize or add identifying information to AKS resources such as cluster nodes.
- For Taints, create the necessary taints. Taints are tuples used in conjunction with tolerations in order to determine which pods can be scheduled on which nodes.
- Choose Next: Tags > to continue the setup.
- For Tags, create the necessary tag sets (must match the tagging of the source pool), then choose Review + Create to validate the configuration information provided during setup.
- For Review + create, review the node pool configuration details, then choose Create to deploy a new node pool with private nodes.
09 (Optional) Cordon and drain the non-compliant (source) node pool in order to migrate the workload.
10 (Optional) Click on the name (link) of the non-compliant node pool that you want to remove and choose Delete. In the confirmation box, choose Yes to remove the node pool from the selected AKS cluster.
11 Repeat steps no. 7 – 10 for each node pool that you want to redeploy.
12 Repeat steps no. 5 – 11 for each AKS cluster that you want to configure, available in the selected subscription.
13 Repeat steps no. 3 – 12 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run aks nodepool show command (Windows/macOS/Linux) with the name of the AKS cluster node pool that you want to re-create as the identifier parameter, to describe all the configuration information available for the selected node pool. This configuration information will be required later, when the new node pool is deployed:
az aks nodepool show --name miningpool1 --cluster-name cc-project5-aks-cluster --resource-group cloud-shell-storage-westeurope
05 The command output should return the requested configuration information:
{
  "availabilityZones": null,
  "capacityReservationGroupId": null,
  "count": 2,
  "creationData": null,
  "currentOrchestratorVersion": "1.31.7",
  "enableAutoScaling": false,
  "enableEncryptionAtHost": false,
  "enableFips": false,
  "enableNodePublicIp": true,
  "enableUltraSsd": false,
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "scaleDownMode": "Delete",
  ...
  "spotMaxPrice": null,
  "tags": null,
  "type": "Microsoft.ContainerService/managedClusters/agentPools",
  "typePropertiesType": "VirtualMachineScaleSets",
  "upgradeSettings": {
    "drainTimeoutInMinutes": null,
    "maxSurge": "10%",
    "nodeSoakDurationInMinutes": null
  },
  "vmSize": "Standard_A2_v2",
  "vnetSubnetId": null,
  "windowsProfile": null,
  "workloadRuntime": null
}
06 Run aks nodepool add command (Windows/macOS/Linux) to create a new node pool with private nodes for your AKS cluster using the configuration information returned in the previous step. If the --enable-node-public-ip parameter is not included in the command request, the nodes within the node pool will not receive public IP addresses (the command does not produce an output):
az aks nodepool add --name "privatepool1" --cluster-name "cc-project5-aks-cluster" --resource-group "cloud-shell-storage-westeurope" --max-pods 250 --node-count 2 --node-vm-size "Standard_A2_v2" --no-wait
07 (Optional) Cordon and drain the non-compliant (source) node pool in order to migrate the workload.
08 Run aks nodepool delete command (Windows/macOS/Linux) to remove the non-compliant node pool from your AKS cluster (the command does not produce an output):
az aks nodepool delete --cluster-name "cc-project5-aks-cluster" --resource-group "cloud-shell-storage-westeurope" --name "miningpool1"
09 Repeat steps no. 4 – 8 for each node pool that you want to redeploy.
10 Repeat steps no. 4 – 9 for each AKS cluster that you want to configure, available in the selected subscription.
11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.
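Building the aks nodepool add command of step 6 from the aks nodepool show output of step 5, as an added example that is not part of the Conformity page: the field-to-flag mapping is an assumption based on the documented az aks nodepool add flags, and --enable-node-public-ip is never emitted, so the replacement pool is private whatever the source pool had. The sample pool is constructed in the shape of the miningpool1 output shown above.

```python
import subprocess

# Constructed sample in the shape of the page's `az aks nodepool show`
# output for miningpool1 (public IPs enabled, Standard_A2_v2, 2 nodes).
SAMPLE_POOL = {
    "name": "miningpool1", "count": 2, "vmSize": "Standard_A2_v2",
    "maxPods": 250, "mode": "User", "osType": "Linux", "osSku": "Ubuntu",
    "orchestratorVersion": "1.31.7", "enableAutoScaling": False,
    "enableNodePublicIp": True, "availabilityZones": None,
    "vnetSubnetId": None, "nodeLabels": {"tier": "batch"},
    "nodeTaints": None, "tags": {"env": "prod"},
    "upgradeSettings": {"maxSurge": "10%"},
}


def nodepool_add_args(pool, new_name, cluster, resource_group):
    """Translate a node pool's JSON into argv for `az aks nodepool add`.

    Covers the settings the Portal steps say to copy (mode, OS, version,
    size, scaling, labels, taints, tags). --enable-node-public-ip is
    deliberately absent, so the new pool's nodes get no public IP.
    """
    args = ["az", "aks", "nodepool", "add",
            "--name", new_name, "--cluster-name", cluster,
            "--resource-group", resource_group,
            "--mode", pool["mode"], "--os-type", pool["osType"],
            "--node-vm-size", pool["vmSize"],
            "--max-pods", str(pool["maxPods"]),
            "--kubernetes-version", pool["orchestratorVersion"],
            "--node-count", str(pool["count"])]
    if pool.get("osSku"):
        args += ["--os-sku", pool["osSku"]]
    if pool.get("enableAutoScaling"):   # carry the autoscaler bounds over
        args += ["--enable-cluster-autoscaler",
                 "--min-count", str(pool["minCount"]),
                 "--max-count", str(pool["maxCount"])]
    if pool.get("availabilityZones"):
        args += ["--zones", *pool["availabilityZones"]]
    if pool.get("vnetSubnetId"):
        args += ["--vnet-subnet-id", pool["vnetSubnetId"]]
    if pool.get("nodeLabels"):
        args += ["--labels", *(f"{k}={v}" for k, v in pool["nodeLabels"].items())]
    if pool.get("nodeTaints"):
        args += ["--node-taints", ",".join(pool["nodeTaints"])]
    if pool.get("tags"):
        args += ["--tags", *(f"{k}={v}" for k, v in pool["tags"].items())]
    if (pool.get("upgradeSettings") or {}).get("maxSurge"):
        args += ["--max-surge", pool["upgradeSettings"]["maxSurge"]]
    return args


def create_private_replacement(pool, new_name, cluster, resource_group):
    """Run the add command (step 6); cordon/drain and delete stay manual."""
    subprocess.run(nodepool_add_args(pool, new_name, cluster, resource_group)
                   + ["--no-wait"], check=True)
```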
References
- Azure Official Documentation
- Create node pools for a cluster in Azure Kubernetes Service (AKS)
- Use instance-level public IPs in Azure Kubernetes Service (AKS)
- Resize node pools in Azure Kubernetes Service (AKS)
- Azure PowerShell Documentation
- az account list
- az account set
- az aks list
- az aks show
- az aks nodepool show
- az aks nodepool add
- az aks nodepool delete