Profile Applicability:
Level 2
Description:
Traffic that passes through a load balancer should be encrypted to protect the confidentiality and integrity of the data. Azure Load Balancer operates at Layer 4 (TCP/UDP): it forwards flows unchanged, does not terminate TLS and holds no certificates. This check therefore verifies that services exposed through an Azure Load Balancer are reachable only over TLS (typically TCP port 443) and that the backend endpoints, or a TLS-terminating tier in front of them such as an AKS ingress controller or Azure Application Gateway, present valid TLS certificates, so that traffic in transit cannot be read or tampered with.
Rationale:
TLS (Transport Layer Security) protects data transmitted over the internet or between services within a private network. Without it, data crosses the network in plaintext and can be intercepted or modified by anyone on the path. Exposing only HTTPS through the load balancer, and terminating that TLS with valid certificates on the backends (or on a TLS-aware tier in front of them), ensures that all client traffic is encrypted end to end and preserves its privacy and integrity.
Impact:
Pros:
Ensures data encryption in transit, preventing unauthorized access.
Complies with security best practices and regulatory requirements for data protection.
Enhances the security posture of your AKS environment and services exposed via load balancers.
Cons:
Requires proper management of TLS certificates, including renewal and revocation.
Performance overhead due to encryption and decryption processes.
Additional setup and configuration effort for integrating load balancers with TLS certificates.
Default Value:
Azure Load Balancer does not terminate TLS and cannot be configured to do so; it forwards TCP and UDP flows as they arrive. A newly created load balancer has no load-balancing rules, and a rule created on TCP port 80 forwards plaintext HTTP. TLS must be set up manually on the backends (or on Application Gateway or an ingress controller in front of them) and matched by a load-balancing rule for the TLS port, typically 443.
Pre-requisites:
Ensure that TLS certificates are issued for the hostnames clients will use and are installed on the backend services (or on the ingress controller or Application Gateway in front of them), and that those services listen for HTTPS on the port the load-balancing rule will forward (typically 443).
Remediation:
Test Plan:
Using Azure Console:
In the Azure portal, open Load balancers, select the load balancer and, under Settings, open Load balancing rules.
Review each rule's protocol, frontend port and backend port. Azure Load Balancer has no TLS/SSL settings of its own, so there is no certificate to inspect on the load balancer itself.
Verify that services are forwarded only on TLS ports (typically TCP 443) and that no rule exposes plaintext HTTP (TCP 80) unless it exists solely to redirect clients to HTTPS; then confirm in a browser or TLS client that the service behind the frontend IP presents a valid certificate for the expected hostname.
Using Azure CLI:
Use the following command to list the load-balancing rules and the ports they forward:
az network lb show --resource-group <resource-group-name> --name <load-balancer-name> --query "loadBalancingRules[].{name:name,protocol:protocol,frontendPort:frontendPort,backendPort:backendPort}" --output table
Ensure that every rule forwards a TLS port (typically TCP 443) and that no rule forwards TCP 80 or another cleartext port. Because the load balancer does not hold the certificate, complete the check by connecting to the frontend IP on port 443 and verifying the certificate the backend presents.
Implementation Plan:
Using Azure Console:
In the Azure portal, open the load balancer and, under Settings, select Load balancing rules.
Add a rule with protocol TCP, frontend port 443 and backend port 443, backed by a health probe on the same port, pointing at the backend pool. Azure Load Balancer has no SSL settings and cannot hold a certificate: install the TLS certificate on the backend services themselves (for example, retrieved from Azure Key Vault), or place Azure Application Gateway, which can terminate TLS with a Key Vault certificate, in front of the backends.
Ensure that the backend pool members listen for HTTPS on the forwarded port, and remove or restrict any rule on TCP port 80 that would still expose plaintext HTTP.
Using Azure CLI:
To forward TLS traffic through the load balancer, run the following command to add a TCP rule on port 443 (Tcp is the correct protocol here: the load balancer passes the TLS session through to the backend without terminating it):
az network lb rule create --resource-group <resource-group-name> --lb-name <load-balancer-name> --name <rule-name> --protocol Tcp --frontend-port 443 --backend-port 443 --frontend-ip-name <frontend-ip-name> --backend-pool-name <backend-pool-name>
Install the TLS certificate on the backend services (for example, retrieved from Azure Key Vault) or on the Application Gateway or ingress controller that terminates TLS for them; the certificate is never bound to the load balancer itself.
Verify that the configuration is correct by listing the load-balancing rules and confirming that only TLS ports are forwarded:
az network lb show --resource-group <resource-group-name> --name <load-balancer-name> --query "loadBalancingRules[].{name:name,protocol:protocol,frontendPort:frontendPort,backendPort:backendPort}" --output table
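The rule review in the Test Plan and the verification step above can be scripted. The following Python is an added example for this recommendation, not code from the benchmark or from the Azure CLI: it consumes the JSON that `az network lb show ... --output json` prints, flags rules that forward well-known cleartext ports, and, because the load balancer never holds the certificate, includes a helper that connects through the frontend IP and returns the certificate the backend presents. The sample load balancer JSON is constructed for the example, and the port tables are assumptions to extend for your environment.

```python
"""Audit an Azure Load Balancer's rule set for plaintext exposure.

Added example for this recommendation; not part of the benchmark text or the
Azure CLI. Input is the JSON returned by
    az network lb show -g <rg> -n <lb> -o json
Azure Load Balancer is Layer 4 and never terminates TLS, so its rules only
tell us which ports are forwarded: a rule on a cleartext port is a finding,
and a rule on a TLS port must be followed by a certificate check on the backend.
"""
import json
import socket
import ssl
import sys

# Assumed lists of well-known ports; extend them to match your environment.
PLAINTEXT_PORTS = {80: "http", 8080: "http", 21: "ftp", 23: "telnet", 25: "smtp"}
TLS_PORTS = {443: "https", 8443: "https", 465: "smtps", 993: "imaps", 995: "pop3s"}


def audit_lb_rules(lb: dict) -> dict:
    """Classify every load-balancing rule by what it exposes on the frontend."""
    findings = {"plaintext": [], "tls_passthrough": [], "review": []}
    for rule in lb.get("loadBalancingRules", []):
        entry = {
            "rule": rule["name"],
            "protocol": rule.get("protocol"),
            "frontendPort": rule.get("frontendPort"),
            "backendPort": rule.get("backendPort"),
        }
        proto = (rule.get("protocol") or "").lower()
        port = rule.get("frontendPort")
        if proto == "tcp" and port in TLS_PORTS:
            findings["tls_passthrough"].append(entry)
        elif proto == "tcp" and port in PLAINTEXT_PORTS:
            findings["plaintext"].append(entry)
        else:
            # UDP rules, HA-ports rules (protocol "All", port 0) and unusual TCP
            # ports cannot be judged from the port number alone.
            findings["review"].append(entry)
    return findings


def is_compliant(findings: dict) -> bool:
    """Compliant when nothing is forwarded in cleartext and nothing awaits review."""
    return not findings["plaintext"] and not findings["review"]


def peer_certificate(host: str, port: int = 443, server_name=None) -> dict:
    """Connect through the frontend IP and return the certificate the backend presents.

    The default context validates the chain against the system trust store and
    checks the hostname; a failure raises ssl.SSLCertVerificationError, which is
    itself a finding. Requires network access, so it is not run in the demo below.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            cert = tls.getpeercert()
    return {
        "subject": dict(rdn[0] for rdn in cert["subject"]),
        "notAfter": cert["notAfter"],
        "san": [value for _, value in cert.get("subjectAltName", ())],
    }


# Constructed sample shaped like trimmed `az network lb show -o json` output;
# the names are placeholders, not real infrastructure.
SAMPLE_LB = json.loads("""
{
  "name": "lb-web",
  "sku": {"name": "Standard"},
  "loadBalancingRules": [
    {"name": "rule-https", "protocol": "Tcp", "frontendPort": 443, "backendPort": 443,
     "enableTcpReset": true, "idleTimeoutInMinutes": 4},
    {"name": "rule-http", "protocol": "Tcp", "frontendPort": 80, "backendPort": 80,
     "enableTcpReset": true, "idleTimeoutInMinutes": 4}
  ]
}
""")

if __name__ == "__main__":
    # Usage: python3 audit_lb.py lb.json   (falls back to the constructed sample)
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LB
    result = audit_lb_rules(source)
    print(json.dumps(result, indent=2))
    print("compliant:", is_compliant(result))
```

The sample is non-compliant because of the port 80 rule; deleting that rule (or moving it to a redirect-only backend that you then accept after manual review) makes the audit pass. Run `peer_certificate("<frontend-ip>", 443, "<hostname>")` against a real frontend to finish the check the load balancer itself cannot perform.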
Backout Plan:
Using Azure Console:
If forwarding TLS traffic causes issues, revert the load balancer to its previous rule set (for example, delete the port 443 rule and restore the earlier HTTP rule). This reintroduces plaintext exposure and should be treated as a temporary measure.
Using Azure CLI:
Delete the port 443 rule to return to the previous configuration (there is no certificate configuration on the load balancer to remove; any certificate remains on the backends):
az network lb rule delete --resource-group <resource-group-name> --lb-name <load-balancer-name> --name <rule-name>