Configuring and Securing ACR and AKS
Introduction
This lab walkthrough documents the configuration and security of Azure Container Registry (ACR) and Azure Kubernetes Service (AKS), including role assignments, firewall rules, DNS settings, and validation steps. It demonstrates real-world cloud security practices using Azure CLI, PowerShell, and the Azure Portal.
Step 1: Launch Cloud Shell and Prepare for AKS Deployment
I began by launching Azure Cloud Shell and reviewing the tutorial instructions for deploying AKS and ACR. This step sets the foundation for the lab.

Step 2: Troubleshoot Deployment Policy Restriction
While deploying the AKS cluster, I encountered a policy error due to location restrictions. Azure Policy blocked the resource creation, which I resolved by selecting an approved region.

Step 3: View Resource Groups in Azure Portal
I reviewed existing resource groups to confirm the correct environment and subscription context before proceeding with cluster and registry setup.

Step 4: Assign AcrPull Role to AKS Identity
To allow AKS to pull images from ACR securely, I assigned the AcrPull role to the cluster's managed identity using the Azure Portal.
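The same AcrPull assignment done from Azure Cloud Shell with PowerShell, as an added example that is not part of the original lab. The resource group, cluster and registry names (AZ500LabRG, lab-aks, labacr) and the IdentityProfile lookup are assumptions; the point it shows is scoping the role to the single registry rather than to the resource group or subscription, and checking afterwards who holds it.

```powershell
# Added example (not from the original lab): grant the AKS kubelet identity
# AcrPull on one registry, scoped to that registry only. Names are assumptions.
$rg      = "AZ500LabRG"   # assumed resource group
$aksName = "lab-aks"      # assumed cluster name
$acrName = "labacr"       # assumed registry name

$acr = Get-AzContainerRegistry -ResourceGroupName $rg -Name $acrName
$aks = Get-AzAksCluster -ResourceGroupName $rg -Name $aksName

# The kubelet identity is the one that pulls images (not the control-plane identity).
# Assumption: the identity profile is keyed "kubeletidentity" as in the Az.Aks output.
$kubeletObjectId = $aks.IdentityProfile["kubeletidentity"].ObjectId

# Idempotent: only create the assignment if it is not already present.
$existing = Get-AzRoleAssignment -ObjectId $kubeletObjectId `
    -RoleDefinitionName "AcrPull" -Scope $acr.Id
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $kubeletObjectId `
        -RoleDefinitionName "AcrPull" -Scope $acr.Id
}

# One-line alternative that does the same attach for you:
#   Set-AzAksCluster -ResourceGroupName $rg -Name $aksName -AcrNameToAttach $acrName

# Verify: list every principal holding AcrPull on this registry. Anything whose
# Scope is the subscription or resource group is broader than the cluster needs.
Get-AzRoleAssignment -Scope $acr.Id -RoleDefinitionName "AcrPull" |
    Select-Object DisplayName, ObjectType, Scope
```

AcrPull is read-only on the registry; the kubelet identity never needs AcrPush, and scoping to $acr.Id keeps the grant from leaking to other registries in the same group.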

Step 5: Configure Azure Firewall Application Rule
I created an application rule collection named AllowGvn to permit outbound HTTPS access to specific domains like Google and Bing.

Step 6: Add Network Rule Collection
To control internal traffic, I added a network rule collection that allows UDP traffic between defined IP ranges and ports.

Step 7: Configure Custom DNS Servers
I configured custom DNS servers (Google and Cloudflare) on the nic-firewall network interface to ensure reliable name resolution.
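Steps 5 to 7 done from PowerShell, as an added example that is not part of the original lab. It builds the AllowGvn application rule collection, a UDP network rule collection and the custom DNS servers on nic-firewall. The firewall name (lab-firewall), the source range 10.0.1.0/24, the UDP port 53 and the rule priorities are assumptions; the rule and collection names AllowGvn and nic-firewall come from the lab.

```powershell
# Added example (not from the original lab): firewall rule collections and NIC DNS.
# Names, ranges and ports not given in the lab text are assumptions.
$rg      = "AzureFirewallRG"
$fwName  = "lab-firewall"     # assumed firewall name
$nicName = "nic-firewall"
$workloadRange = "10.0.1.0/24" # assumed Workload-SN range

# Application rule: HTTPS only, to an explicit FQDN list (no "*" wildcard).
$appRule = New-AzFirewallApplicationRule -Name "AllowSearchEngines" `
    -SourceAddress $workloadRange `
    -TargetFqdn "www.google.com", "www.bing.com" `
    -Protocol "Https:443"
$appColl = New-AzFirewallApplicationRuleCollection -Name "AllowGvn" -Priority 200 `
    -Rule $appRule -ActionType Allow

# Network rule: UDP between defined ranges and ports. Here: DNS from the workload
# subnet to the two resolvers only, not UDP to anywhere.
$netRule = New-AzFirewallNetworkRule -Name "AllowUdpDns" -Protocol UDP `
    -SourceAddress $workloadRange `
    -DestinationAddress "8.8.8.8", "1.1.1.1" `
    -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name "AllowUdp" -Priority 200 `
    -Rule $netRule -ActionType Allow

# Attach both collections to the existing firewall and push the change.
$fw = Get-AzFirewall -ResourceGroupName $rg -Name $fwName
$fw.AddApplicationRuleCollection($appColl)
$fw.AddNetworkRuleCollection($netColl)
Set-AzFirewall -AzureFirewall $fw

# Custom DNS (Google and Cloudflare) on the nic-firewall interface.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$nic.DnsSettings.DnsServers.Add("8.8.8.8")
$nic.DnsSettings.DnsServers.Add("1.1.1.1")
$nic | Set-AzNetworkInterface

# Check what actually got applied.
(Get-AzFirewall -ResourceGroupName $rg -Name $fwName).ApplicationRuleCollections |
    ForEach-Object { $_.Rules | Select-Object Name, TargetFqdns, Protocols }
```

Keeping the destination list explicit in both collections is what makes the later validation meaningful: a rule that allows UDP to any address would pass the test VM checks while enforcing nothing.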

Step 8: Validate Firewall Rules from Test VM
Using nslookup and curl from the test VM, I validated that outbound traffic was correctly routed through Azure Firewall.

Step 9: Create Virtual Network and Subnets
I created a virtual network named FirewallVNet with three subnets: AzureFirewallSubnet, Workload-SN, and Jump-SN, to segment traffic and enforce security boundaries.
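The network from this step built with PowerShell, as an added example that is not part of the original lab. It creates FirewallVNet with AzureFirewallSubnet, Workload-SN and Jump-SN and adds the piece that makes segmentation hold: a route table on Workload-SN sending all egress to the firewall. The address space 10.0.0.0/16, the subnet prefixes, the firewall private IP 10.0.0.4 and the route table name are assumptions.

```powershell
# Added example (not from the original lab): FirewallVNet, its three subnets,
# and a default route from the workload subnet through the firewall.
# Address prefixes and the firewall's private IP are assumptions.
$rg          = "AzureFirewallRG"
$location    = "East US"
$fwPrivateIp = "10.0.0.4"   # assumed: first usable address in AzureFirewallSubnet

# Default route for the workload subnet: all traffic goes to the firewall first.
# BGP propagation is disabled so no learned route can bypass it.
$route = New-AzRouteConfig -Name "DefaultToFirewall" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name "rt-workload" -ResourceGroupName $rg -Location $location `
    -Route $route -DisableBgpRoutePropagation

# Subnets. AzureFirewallSubnet must keep exactly this name and be at least a /26.
$fwSubnet   = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix "10.0.0.0/26"
$workSubnet = New-AzVirtualNetworkSubnetConfig -Name "Workload-SN" -AddressPrefix "10.0.1.0/24" -RouteTable $rt
$jumpSubnet = New-AzVirtualNetworkSubnetConfig -Name "Jump-SN" -AddressPrefix "10.0.2.0/24"

$vnet = New-AzVirtualNetwork -Name "FirewallVNet" -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.0.0.0/16" -Subnet $fwSubnet, $workSubnet, $jumpSubnet

# Check: the workload subnet's only route out should be the firewall.
(Get-AzRouteTable -ResourceGroupName $rg -Name "rt-workload").Routes |
    Select-Object Name, AddressPrefix, NextHopType, NextHopIpAddress
```

Without the route table the three subnets are segmented only on paper: Azure routes between subnets in the same VNet directly, so the workload VM would reach 10.0.2.4 without the firewall ever seeing the packet.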

Step 10: Test Access to Workload VM
I logged into the workload VM (rsrv-lwrk) via Remote Desktop and confirmed connectivity and profile loading.

Step 11: Confirm Public IP Routing via Browser
From the VM, I browsed to http://10.0.1.4 and http://10.0.2.4 to test firewall rules. The first succeeded and the second was blocked, confirming rule enforcement.
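The checks from steps 8 and 11 as one script run on the test VM, added here as an example that is not part of the original lab. The two test addresses come from the lab; the expected outcome for each check, the www.bing.com probes and the ten-second timeout are assumptions.

```powershell
# Added example (not from the original lab): run on the test VM to confirm DNS
# resolves and that each target is allowed or blocked as the rules intend.
# Expected outcomes are assumptions taken from the lab's description.
$checks = @(
    @{ Name = "DNS resolution";        Kind = "dns";  Target = "www.bing.com";         Expect = "allow" },
    @{ Name = "HTTPS to allowed FQDN"; Kind = "http"; Target = "https://www.bing.com"; Expect = "allow" },
    @{ Name = "HTTP to 10.0.1.4";      Kind = "http"; Target = "http://10.0.1.4";      Expect = "allow" },
    @{ Name = "HTTP to 10.0.2.4";      Kind = "http"; Target = "http://10.0.2.4";      Expect = "deny"  }
)

function Test-Reachable {
    param([string]$Kind, [string]$Target)
    try {
        if ($Kind -eq "dns") {
            $null = Resolve-DnsName -Name $Target -ErrorAction Stop
        } else {
            $null = Invoke-WebRequest -Uri $Target -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        }
        return $true
    } catch {
        # Any failure (timeout on a dropped packet, reset, or an error page from
        # the firewall) counts as blocked for this check.
        return $false
    }
}

$failures = 0
foreach ($c in $checks) {
    $actual = if (Test-Reachable -Kind $c.Kind -Target $c.Target) { "allow" } else { "deny" }
    $status = if ($actual -eq $c.Expect) { "PASS" } else { "FAIL"; $failures++ }
    "{0} {1,-24} expected={2,-5} actual={3}" -f $status, $c.Name, $c.Expect, $actual
}
"$failures check(s) did not match the expected firewall behaviour."
```

The value of the table form is that the deny case is tested explicitly: a rule set that lets everything through passes every "allow" line and only fails on the last one.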

Step 12: Terminate Remote Desktop Sessions and Begin Cleanup
After validation, I terminated all RDP sessions and began resource cleanup to avoid unnecessary charges.

Step 13: Create Resource Group via PowerShell
Using Azure Cloud Shell, I created a new resource group named AZ500LabRG.
# Create the lab resource group in the East US region
New-AzResourceGroup -Name "AZ500LabRG" -Location "East US"

Step 14: Remove AzureFirewallRG via PowerShell
I removed the AzureFirewallRG resource group using PowerShell to clean up lab resources.
# Delete the firewall lab resource group without prompting, as a background job
Remove-AzResourceGroup -Name AzureFirewallRG -Force -AsJob

Step 15: Verify Azure Firewall Deployment
Finally, I verified the Azure Firewall deployment status using PowerShell.
# Show the firewall's provisioning state and configuration in the given resource group
Get-AzFirewall -ResourceGroupName AzureResourceGroup

Conclusion
This lab demonstrates end-to-end deployment and security configuration for ACR and AKS, including:
- Role-based access control
- DNS and firewall rule enforcement
- Network segmentation
- Real-world validation from VMs
- Resource cleanup using PowerShell
It reflects my ability to troubleshoot, automate, and document technical workflows in a cloud security context.