Security on Microsoft Azure Red Hat OpenShift
Delve into security with Azure Red Hat OpenShift from Kevin Harris, Microsoft Azure Global Black Belt and Anton Newsterov, Red Hat Managed OpenShift Black Belt. Learn about networking security best practices, patch management, Azure compliance certifications and more.
Kevin Harris (00:01):
Welcome everyone to the Microsoft Azure Red Hat® OpenShift®, also known as ARO, video series. My name is Kevin Harris and I'm part of the Azure Global Black Belt App Innovation Team. I love to help customers and partners build cool cloud-native solutions on top of Azure, and I'll be one of your hosts today.
Anton Nesterov (00:15):
And I'm Anton Nesterov from Red Hat, Managed OpenShift Black Belt. A very similar role to yours, I guess <laugh>. And today we're gonna talk about security.
Kevin Harris (00:24):
Interesting topic. Let's just jump into it. The typical question I usually get when customers are starting out with security, especially in the context of Azure Red Hat OpenShift, is: how do I securely deploy a cluster? What's the first thing and first step I need to do?
How to securely deploy a cluster in Azure Red Hat OpenShift
Anton Nesterov (00:36):
Right! It all starts with security, doesn't it? Let's look at how this works in practice over at the board. So when we talk about networking with the customers, where many of them usually begin is making their clusters private. And that is making the two endpoints for the cluster, the API and the apps, inaccessible from the public internet. Now here we stay private on the ingress side. And when we talk about egress, the one thing that we often recommend is to route that traffic through a firewall instance and have that inspection happening for the internet-bound traffic. Another important feature that is there for ARO is the so-called egress lockdown. What is it? If we want the entire cluster to be isolated from the internet, so not having an outbound internet connection at all, then ARO still needs access to management endpoints in Azure to make sure that it is functioning. We add this private endpoint and, well, essentially that is the egress lockdown when we speak about networking for our ARO clusters. So this is our VNet, right? Many customers ask us: "Is there any way to have more insight on what's going on inside those VNets and subnets?"
What to know about VNets and subnets
Kevin Harris (02:25):
Yeah. The first place we'll start. So for every little piece inside here, we have what's called an NSG or Network Security Group. Yeah. You can think of it as an access control list for your VNet or for the corresponding subnets. The other thing we do is we go through the process of enabling Network Watcher.
Anton Nesterov (02:44):
Mm-hmm. <affirmative> And that has logs.
Kevin Harris (02:47):
That grabs the NSG flow logs. Exactly. Dumps those to a storage account. Then from there, what we wanna do is we wanna dump that over to traffic analytics. Now this is a key piece. What traffic analytics does is inspects all those flow logs. It'll look for abnormal behavior, it’ll look for inconsistencies. You can see source IP addresses.
Anton Nesterov (03:08):
Anything fishy that is going on inside this.
Kevin Harris (03:09):
Exactly. So again, it's a visual way instead of looking through a manual or a bunch of manual logs. Now that we've talked about networking, we looked at securing the cluster and we looked at observability inside. The next question we usually get, or at least that I get, is how do I deal with ARO itself and patch management? So how do I worry about the OS and security patches?
Patch management in Azure Red Hat OpenShift
Anton Nesterov (03:35):
Right? The one important thing to remember here is that ARO is OpenShift, and OpenShift can seamlessly update itself. Here ARO will just follow a channel, let's say it will be a 4.11 channel, and get any upgrades that are happening in there. The patching will be transparent and no downtime is required.
Kevin Harris (04:01):
Very cool.
Anton Nesterov (04:02):
What differentiates ARO from OpenShift there is that this is a managed service. And on top of you having those updates rolling, you also have the Red Hat site reliability engineers monitoring the cluster and acting upon issues. Not just during updates, but that's an important, crucial part that customers usually ask about.
Kevin Harris (04:29):
Yeah, that's very cool. It's definitely a differentiation for sure.
Anton Nesterov (04:31):
Exactly. Talking about differentiations, ARO is a native Azure service. What are other services, security related services maybe, in Azure that we can integrate with?
Security services in Azure
Kevin Harris (04:44):
I can probably think of two essentially off the top of my head. So the first one I'm gonna look at here is Azure Active Directory. So Azure Active Directory. What we can do here is we can take Azure Active Directory and we can supply it as an identity provider or IDP.
Anton Nesterov (05:01):
So OpenID Connect.
Kevin Harris (05:02):
OpenID Connect, exactly. Now what that allows me to do is use the same credentials I use to log into Azure AD, and I can now log into the ARO console or the ARO portal in that kind of context. So that allows me to take advantage of things like conditional access, multi-factor authentication, and all the other essential goodness that comes with Azure AD. Outside of identity, the other one I think about is Azure Key Vault.
Anton Nesterov (05:27):
Oh right. So we can offload the secrets and config map potentially.
Kevin Harris (05:33):
Yeah, I think for me it's about secrets, keys, and certificates. Stored in a secure manner. So you're not storing it on the cluster, you're storing it outside. Now that we've got these essentially security pieces in place, you talked about egress before. What about ingress? We didn't really talk about that. I mean, you talked about kind of the apps or the router endpoint, but suppose I need to expose something to the public internet. How do I do that?
Egress and ingress in Azure Red Hat OpenShift
Anton Nesterov (05:58):
True, true. So we have this private cluster, but we have an application that needs to be visible from the internet. So you can always add an ingress controller that is publicly visible, but that's probably not the best idea. One thing that we recommend a lot is using something more modern, like a CDN. In Azure we have Azure Front Door. Azure Front Door, right? And that's a CDN. You can benefit from all the good things of a CDN, like web application firewall, DDoS protection, and things like TLS offloading and other things. What happens is that this application that runs in ARO, we expose its DNS name through AFD, and then the user connects to AFD, AFD connects to a private link service inside our VNet, right? And now we are linked to our cluster. It's a bit more complicated than this, but you can absolutely delve into the details following the links in the description.
Kevin Harris (07:07):
So when we think about Azure Front Door, we think about a global load balancer, a traffic director. So again, I can see a lot of benefits, especially in that kind of context, if I was running multiple clusters in multiple regions and wanted to keep those things as secure as possible, and leveraging all those benefits you talked about. That's very cool.
Anton Nesterov (07:23):
Exactly. Kevin, the one thing that customers ask us about a lot in the conversation about security is compliance. And I know that Azure is compliant with quite a few standards. Does ARO get to benefit from any of this?
Compliance and Azure Red Hat OpenShift
Kevin Harris (07:41):
So when we think about compliance and standards, we mainly think of the Azure Trust Center. It covers off security, compliance, privacy, and trust needs. What we do on a six-month rotation is we go through all of our Azure services and we align those against certifications like FedRAMP, FIPS, HIPAA, and PCI compliance. ARO happens to be one of those services in the Azure Trust Center. So I can download the audit report and I can go through the process. I can check it against all the different compliances like FIPS, PCI compliance, FedRAMP, and HIPAA, and the audit report is accessible for download at any time. If you'd like to learn more about Azure Red Hat OpenShift and how it can help you scale to meet your key critical business needs, please check out the other videos in this series. Thanks.