Help
Blogs

Enhancing Cloud Security with Fortinet Solutions for Azure Kubernetes Service (AKS) Environments

tpontes
Staff
Staff
‎07-01-2025 04:36 AM

As organizations increasingly adopt cloud-native applications and containerized environments, ensuring robust security becomes paramount. The dynamic nature of these environments introduces unique challenges that require comprehensive security strategies. Fortinet offers a suite of solutions designed to address these challenges, providing visibility, control, and protection across your cloud infrastructure.

In this article, we will explore key aspects of cloud security, including code and container scanning, best practices for Azure Kubernetes Service (AKS), and advanced capabilities of FortiCNAPP for Kubernetes. We will also delve into the importance of monitoring egress traffic with FortiGate and securing ingress traffic with FortiWeb. By following these guidelines and leveraging Fortinet's solutions, organizations can enhance the security and efficiency of their cloud-native applications.

 

AKS Benchmark Best Practices

 

Azure Kubernetes Service (AKS) provides a managed Kubernetes environment, but securing it requires adherence to best practices. Implementing AKS benchmarks ensures that your clusters are configured securely and efficiently. These best practices cover areas such as security, reliability, and cost optimization. While exploring FortiCNAPP's capabilities for Kubernetes Security Posture Management (KSPM), it's important to understand how it can help maintain compliance and secure your AKS clusters.

 

Key Considerations:

  • Ensure the system:masters group is not used for user or component authentication after bootstrapping.
  • Run the kube-controller-manager with --use-service-account-credentials enabled.
  • Protect the root certificate (either an offline CA or a managed online CA with effective access controls).
  • Ensure intermediate and leaf certificates have an expiry date no more than 3 years in the future.
  • Implement a process for periodic access review, occurring no more than 24 months apart.

  • Follow Role Based Access Control (RBAC) Good Practices for authentication and authorization, ideally integrating with Microsoft Entra ID to centralize identity management, enforce least privilege access, and streamline periodic access reviews.

 

AKS.png

 

AKS Networking Best Practices for Visibility and Control

 

Networking is a foundational component of AKS security. The choice of Container Networking Interface (CNI) directly affects how traffic is routed, inspected, and controlled — especially when integrating with Fortinet solutions like FortiGate and FortiWeb.

 

Networking Recommendations:

  • Use Azure CNI (Subnet) when you need full pod IP visibility for traffic inspection and policy enforcement with FortiGate.
  • Avoid Kubenet, which NATs pod traffic and will be deprecated by March 31, 2028.
  • Consider Azure CNI Overlay for large-scale clusters with limited IP space, but note that pod IPs are not visible externally.
  • Plan your VNet and subnet CIDRs carefully to avoid IP exhaustion and ensure future scalability.
  • Apply User Defined Routes (UDRs) and NSGs to direct egress traffic through FortiGate for inspection and logging.
  • Use FortiWeb for ingress protection and FortiCNAPP for runtime visibility and policy enforcement.
  • Block pod access to the Azure Instance Metadata Service (IMDS) endpoint (Preview) to prevent unauthorized access to sensitive instance metadata and managed identity tokens. This feature restricts access from non-host network pods and is recommended for enhanced security.
⚠️ Azure Instance Metadata Service (IMDS): This feature is currently in Preview and not recommended for production environments. It may not be compatible with certain AKS add-ons such as Azure Monitor, Application Gateway Ingress Controller, and others.

 

 

Securing Kubernetes at Cloud Speed with FortiCNAPP

 

Code & Container Scanning: Understanding Vulnerabilities

 

In today's fast-paced development environments, containerized applications are becoming the norm. However, with this shift comes the critical need for robust security measures. Code and container scanning are essential practices to identify and mitigate vulnerabilities within containerized applications. These scans help detect issues in the base images, application code, and dependencies, ensuring that potential security weaknesses are addressed before deployment.

 

Key Considerations:

  • Minimize unnecessary content in container images.
  • Configure container images to run as unprivileged users.
  • Reference container images by sha256 digests or validate the image's digital signature at deploy time via admission control.
  • Regularly scan container images during creation and deployment, and patch known vulnerable software.

 

Container_Scanning.png

 Visibility into the vulnerabilities present in your containers.

 

FortiCNAPP for Kubernetes Admission Control

 

FortiCNAPP integrates seamlessly with Kubernetes Admission Controllers to enhance security during the deployment process. By using the ValidatingAdmissionWebhook, FortiCNAPP scans container images for vulnerabilities before they are deployed, ensuring that only secure images are allowed into the production environment. This proactive approach helps prevent the introduction of vulnerabilities and maintains the integrity of your Kubernetes clusters.

 

Key Considerations:

  • Enable an appropriate selection of admission controllers.
  • Enforce a pod security policy using Pod Security Admission or a webhook admission controller.
  • Securely configure the admission chain plugins and webhooks.

 

Admission_controller_FortiCNAPP.png

See Integrate with Kubernetes Admission Controller 

 

FortiCNAPP Pod Visibility

 

Visibility into Kubernetes pods is crucial for maintaining security and operational efficiency. FortiCNAPP offers both sidecar and agent options to monitor pod activity. These agents provide detailed insights into processes, network connections, and other critical metrics within the pods. By leveraging these visibility options, organizations can detect and respond to threats in real-time, ensuring the security of their containerized applications.

 

Key Considerations:

  • Apply appropriate Pod Security Standards policy for all namespaces and enforce it.
  • Set memory limits for workloads with a limit equal to or less than the request.
  • Enable Seccomp with appropriate syscalls profile for programs on supported nodes.
  • Enable AppArmor or SELinux with appropriate profiles for programs on supported nodes.

 

Pod_Visibility.png

 

Egress Traffic Visibility with FortiGate

 

Monitoring egress traffic is essential for detecting and preventing data exfiltration and other malicious activities. FortiGate provides comprehensive visibility into outbound traffic, allowing organizations to enforce security policies and detect anomalies. By analyzing egress traffic, FortiGate helps ensure that sensitive data remains secure and that potential threats are identified and mitigated promptly.

 

How FortiGate Enables Egress Control in AKS:

FortiGate leverages the Azure SDN Connector to dynamically discover and track Kubernetes resources such as pods, services, and namespaces. This integration allows FortiGate to:

  • Automatically populate dynamic address groups based on Kubernetes metadata (e.g., k8s_namespace, k8s_podname, k8s_label).
  • Apply granular firewall policies that adapt in real time as workloads scale or change.
  • Enforce security policies that block unauthorized egress traffic, including access to sensitive endpoints like the Kubernetes API, kubelet, and cloud metadata services.

 

Key Considerations:

  • Ensure CNI plugins in use support network policies.
  • Apply ingress and egress network policies to all workloads in the cluster.
  • Implement default network policies within each namespace, selecting all pods and denying everything.
  • Use a service mesh to encrypt all communications inside the cluster, if appropriate.
  • Ensure the Kubernetes API, kubelet API, and etcd are not exposed publicly on the Internet.
  • Filter access from workloads to the cloud metadata API.
  • Restrict the use of LoadBalancer and ExternalIPs.
  • Integrate FortiGate with AKS using the Azure SDN Connector to dynamically enforce policies based on Kubernetes context (For example, after implementing policies using Kubernetes labels or namespaces, FortiGate can automatically block egress access to the Kubernetes API or metadata endpoints for unauthorized pods — without manual IP management.)

 

Ingress Traffic Protection with FortiWeb

 

Securing incoming traffic is essential to protect Kubernetes applications from external threats. FortiWeb strengthens the security of ingress traffic by offering features like Web Application Firewall (WAF), SSL/TLS termination, and intelligent load balancing. These capabilities help block malicious requests, prevent data breaches, and ensure that only legitimate traffic reaches your applications.

While FortiWeb can also function as a Kubernetes Ingress Controller, its main value lies in enhancing the security of exposed services, regardless of how ingress is managed within the cluster.

 

Key Considerations:

  • Use WAF policies tailored to your application stack to detect and block common web exploits (e.g., SQL injection, XSS).
  • Terminate SSL/TLS at the edge to offload encryption overhead and inspect traffic securely.
  • Apply geo-blocking and IP reputation filtering to reduce exposure to known malicious sources.
  • Enable bot mitigation and DDoS protection to defend against automated and volumetric attacks.
  • Log and monitor ingress traffic patterns to detect anomalies and respond to threats in real time.
  • Integrate with Kubernetes-native tools (e.g., ConfigMaps, Secrets) for dynamic and secure configuration management.
  • Ensure high availability and failover for ingress traffic to maintain service continuity.

 

High Level DesignHigh Level Design

 

Conclusion

 

Securing cloud-native applications in Azure Kubernetes Service (AKS) environments requires a comprehensive and integrated approach. Fortinet delivers a robust strategy that enhances workload protection through solutions like FortiCNAPP, FortiGate, and FortiWeb — providing visibility, control, and security across the entire application lifecycle.

By following the best practices outlined in this article and leveraging Fortinet’s advanced security capabilities, organizations can significantly improve the resilience and efficiency of their Kubernetes deployments.

 

Ready to take your cloud security to the next level?


Connect with our Cloud Consulting Services team for expert guidance on advanced configurations and production deployments:
Email: consulting@fortinet.com
Learn more: Cloud Security Consulting Services

Popular Articles
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.