Welcome to this demonstration on Azure Kubernetes Service security. This lesson is part of the module on the AZ-500 Microsoft Azure Security Technologies exam. For simplicity, I'll be referring to Azure Kubernetes Service as AKS going forward.
Here's some information on the tasks that we'll be completing in this demonstration.
We'll start by creating an AKS cluster. We'll then configure role-based access control (RBAC) with Azure AD on the cluster. We'll go on to protect the cluster by configuring authorized IP ranges, and finally we'll validate our configuration. Let's get right into this.
So in the first task I'll be creating an AKS cluster.
Here's a visual representation of what I'll be doing. I'll be creating an AKS cluster that's going to have two nodes, and I'll be creating it using the Azure portal.
So here I am in the Azure portal. If I go ahead and click on Create a resource and search for Kubernetes, I can see the option to create a Kubernetes Service, so I'll click on that and then click on Create. Now for the resource group, I have an existing resource group that I created for AKS, so I'll go ahead and select that. For the Kubernetes cluster name,
I'll be using a name ending in 02, because I already have an 01 cluster. For the region I'll leave that on UK South. For the Kubernetes version, I'll leave that as the default of 1.16.10. Now for the node size, I'll be changing that
and selecting a newer generation, which is the D2s v3, and clicking on Select. For the node count, I'll change that to just two.
The best practice, if you're doing anything in production, is to have a minimum of three. If I go ahead and click Next for node pools, you can see that it's going to be creating a Linux node pool. If I wanted to add additional node pools, I can go ahead and click on the Add option here, and I have the option to select a Linux or Windows node pool.
So this is what I meant when I mentioned, in the theory
part of this lesson, that we can have a mixture of Windows and Linux node pools in the same cluster. I'll go ahead and cancel this. Now I'll leave all of the configuration at the default settings, and I'll go ahead and click on Next: Authentication. Now for the authentication, you can see that we have the option to configure the
cluster infrastructure authentication method,
and this is the method that the cluster will use to authenticate to Azure AD in order to be able to make configuration changes to cluster-related resources. I'll leave that as the default, a service principal. Now for role-based access control, I'll be configuring that in the next task, so I'll leave that as enabled. I'll just leave all the options at their defaults and click Next for networking.
Now in the networking section,
I can either leave it on Basic, in which case Azure will go ahead and create a new virtual network for me, or, if I have an existing virtual network and subnet, I can go ahead and select Advanced, in which case I'll have the option to select an existing virtual network. I'll leave that as Basic.
Now you can see the option here to specify a private cluster,
so I'll leave that as disabled, but we could go ahead and configure that option if we wanted to. I'll leave everything else as default and just go ahead and click on Review + create, and after the validation has passed I'll go ahead and click on Create. That will take a few minutes to complete, so I'll go ahead and pause the recording, and once it's completed
I'll resume the recording and we can go through the next tasks.
So the deployment completed successfully; it only took a few minutes to complete. So let's go ahead to the next task.
So in the next task, I'll be configuring role-based access control for the AKS cluster in the Azure portal. I'll be assigning two roles to a user called Brenda. I'll be assigning the Azure Kubernetes Service Cluster Admin Role and the Azure Kubernetes Service Contributor Role, which will give her permission
to be able to manage the cluster.
So here I am, back in the Azure portal. I'll go ahead and click on Go to resource, and then click on Access control (IAM). If I go ahead and click on Add and then click on Add role assignment, the first role I'll be assigning is the Azure Kubernetes Service Cluster Admin Role,
and you can see that this will allow Brenda to list cluster admin credentials. I'll go ahead and select that role, select Brenda, and click on Save. Now if I go ahead and click on Add again and click on Add role assignment,
this time around I'll be assigning the Azure Kubernetes Service Contributor Role to Brenda. I'll go ahead and select Brenda and click on Save. So now I have those two roles assigned.
In the next task, I'll be configuring authorized IP address ranges for my AKS cluster. Here's a visual representation of what I'll be doing. By default, the cluster has a public API server IP that's accessible to all Internet IP addresses. So what I'll be doing is configuring an authorized IP list to lock that down.
Now for the next task, I'll be using the Azure Cloud Shell to do that. So what I'll do is go ahead and click on Cloud Shell.
So the first thing that I'll do is authenticate to the Kubernetes API server, and to do that I'll be using the az aks get-credentials command. I'll go ahead and copy and paste this command. So that is az aks get-credentials,
the resource group of my Kubernetes cluster, and then the name of the cluster, which is the one ending in 02. I'll press Enter to run that,
and now you can see that it's downloaded the kubeconfig file. Now, if I go ahead and test that out by running kubectl get nodes
and I press Enter,
you can see that I can use kubectl commands to interact with the API server of my cluster. So that's good. So the next thing I'll do is verify the current configuration of the authorized IP list. To do that, I'll be running this command,
and that is az aks show, with again the resource group and the name of my cluster, and then I'm specifying the query for the apiServerAccessProfile. I'll go ahead and press Enter to run that, and you can see that the authorized IP ranges value is currently null, which is the default. So I'll go ahead and update that. Let's clear the screen a bit.
To update that, I'll be using this command,
which is az aks update, with the name of my cluster and the resource group of my cluster, and I'm specifying the --api-server-authorized-ip-ranges parameter. I can put the ranges of IP addresses that I want to mark as trusted here. For my demonstration, I have two Linux machines here, and
I'll be configuring one of them to be trusted, and the other one will remain untrusted. So the one I'll be configuring to be trusted will be the one on the left-hand side.
So I'll go ahead and grab the IP address for that, which I made a note of earlier.
I'll go ahead and paste the IP address, and press Enter to run that,
and now that's applied. So let's go ahead and verify that again
by running the previous command. So I'll go ahead and press Enter to run that again, and you can see that now it's applied to the authorized IP ranges.
So in the final task of this demonstration, I'll be validating the configuration that I've just done,
and here's a visual representation of what I'll be doing. I'll be connecting from two separate machines, as I showed you earlier,
and I'll be logging in as Brenda. When I connect to the Kubernetes API server from the trusted IP, I expect that to be allowed and for my commands to work. Now, if I connect from the other IP, which is not marked as trusted, I expect that to fail.
So here I am on my two Linux machines. As I told you earlier, the system that I have on the left-hand side is the one that I marked as trusted, and the one on the right-hand side is the one that's not marked as trusted.
So on the left-hand side, what I'll do first is go ahead and authenticate to the API server.
I'll go ahead and paste that command; it's the same az aks get-credentials command.
If I go ahead and press Enter to run that,
it says the context has been merged. Now I'll go ahead and run the same thing on this other system and press Enter.
Now that's merged as well. So if I go ahead and type kubectl get nodes
and press Enter,
I can now see the nodes that I have in the pool.
If I go ahead and do the same thing on the right-hand side and press Enter, nothing comes back, so let's try that again,
and you can see that I'm not getting any response, and I'm not going to get a response, because this machine is not on the list of trusted IP addresses. That request will not be fulfilled.
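The practical risk in the authorized-IP task above is locking yourself out: if the address you administer from is not in the list, kubectl simply hangs, exactly as it did on the untrusted machine. Here is an added bash example (not part of the lesson) that checks a client IP against a comma-separated range list before the az aks update is run, and prints the two az commands used in the lesson; the resource group, cluster name and addresses are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the lesson: pre-flight check for --api-server-authorized-ip-ranges.
# Placeholders RG/CLUSTER and all addresses are constructed for the demonstration.

ip_to_int() {                       # dotted quad -> 32-bit integer
  local IFS=. a b c d
  read -r a b c d <<< "$1"
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr <ip> <cidr>: succeed when ip falls inside cidr (a bare address is treated as /32 here)
in_cidr() {
  local ip=$1 cidr=$2 net bits mask
  net=${cidr%/*}
  bits=${cidr#*/}; [ "$bits" = "$cidr" ] && bits=32
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# ip_allowed <client-ip> <comma-separated ranges>: succeed if any range matches
ip_allowed() {
  local ip=$1 ranges=$2 r
  local IFS=,
  for r in $ranges; do
    in_cidr "$ip" "$r" && return 0
  done
  return 1
}

# Print the two az commands from the lesson for the given ranges; nothing is executed here.
render_commands() {
  local rg=$1 cluster=$2 ranges=$3
  printf 'az aks update -g %s -n %s --api-server-authorized-ip-ranges %s\n' "$rg" "$cluster" "$ranges"
  printf 'az aks show -g %s -n %s --query apiServerAccessProfile\n' "$rg" "$cluster"
}

# Constructed scenario: the trusted admin VM (left) and the untrusted VM (right) from the lesson.
RANGES="203.0.113.10/32,198.51.100.0/24"
if ip_allowed 203.0.113.10 "$RANGES"; then echo "203.0.113.10 allowed: kubectl will work"; fi
if ! ip_allowed 192.0.2.77 "$RANGES"; then echo "192.0.2.77 blocked: kubectl will time out"; fi
render_commands aks-rg aks-cluster-02 "$RANGES"
```

Run it with your own egress address (for example the output of an IP-echo service or the Cloud Shell's address) against the ranges you intend to apply; if it reports blocked, add that address before running az aks update.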
So here's a summary of the tasks that we completed in this demonstration.
We started by creating an AKS cluster.
We then configured role-based access control for the AKS cluster.
We then configured authorized IP address ranges, and finally we validated our configuration.
Thanks very much for watching, and I'll see you in the next lesson.