AKS | Scale-down Mode to delete/deallocate nodes in Azure Kubernetes Service (AKS)

Hi!

By default, scale-up operations performed manually or by the cluster autoscaler require the allocation and provisioning of new nodes, and scale-down operations delete nodes. Scale-down Mode allows you to decide whether you would like to delete or deallocate the nodes in your Azure Kubernetes Service (AKS) cluster upon scaling down.

When an Azure VM is in the Stopped (deallocated) state, you will not be charged for the VM compute resources. However, you will still need to pay for any OS and data storage disks attached to the VM. This also means that the container images will be preserved on those nodes.

Limitations:

  • Ephemeral OS disks are not supported
  • Spot node pools are not supported

# Install the aks-preview extension
az extension add --name aks-preview

# Update the extension to make sure you have the latest version installed
az extension update --name aks-preview

az feature register --namespace "Microsoft.ContainerService" --name "AKS-ScaleDownModePreview"
az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKS-ScaleDownModePreview')].{Name:name,State:properties.state}"

# In this example, we create a new node pool with 20 nodes and specify that upon scale-down, nodes are to be deallocated via --scale-down-mode Deallocate
az aks nodepool add --node-count 20 --scale-down-mode Deallocate --node-osdisk-type Managed --max-pods 10 --name nodepool2 --cluster-name myAKSCluster --resource-group myResourceGroup

# By scaling the node pool and changing the node count to 5, we will deallocate 15 nodes
az aks nodepool scale --node-count 5 --name nodepool2 --cluster-name myAKSCluster --resource-group myResourceGroup

# Deleting previously deallocated nodes
az aks nodepool update --scale-down-mode Delete --name nodepool2 --cluster-name myAKSCluster --resource-group myResourceGroup

# The default behavior of AKS without using Scale-down Mode is to delete your nodes when you scale-down your cluster. Using Scale-down Mode, this can be explicitly achieved by setting --scale-down-mode Delete
az aks nodepool add --enable-cluster-autoscaler --min-count 1 --max-count 10 --max-pods 10 --node-osdisk-type Managed --scale-down-mode Delete --name nodepool3 --cluster-name myAKSCluster --resource-group myResourceGroup
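The two limitations above and the disk-retention caveat are easy to audit across a cluster. This is an added example, not code from the post: it reads the JSON that `az aks nodepool list -o json` prints (the embedded sample is constructed, trimmed to the fields used) and lists every pool set to Deallocate, marking unsupported combinations (ephemeral OS disk, Spot) as errors and the others for review, since deallocated nodes keep their OS disks and the container images on them.

```python
import json

# Constructed sample of `az aks nodepool list -o json`, reduced to the fields used here
SAMPLE_NODEPOOLS = json.dumps([
    {"name": "nodepool1", "scaleDownMode": "Delete", "osDiskType": "Ephemeral",
     "scaleSetPriority": "Regular", "count": 3},
    {"name": "nodepool2", "scaleDownMode": "Deallocate", "osDiskType": "Managed",
     "scaleSetPriority": "Regular", "count": 5},
    {"name": "nodepool3", "scaleDownMode": "Deallocate", "osDiskType": "Ephemeral",
     "scaleSetPriority": "Regular", "count": 2},
    {"name": "spotpool", "scaleDownMode": "Deallocate", "osDiskType": "Managed",
     "scaleSetPriority": "Spot", "count": 4},
])


def audit_node_pools(nodepool_json: str) -> list:
    """Return one finding per node pool whose scale-down mode is Deallocate.

    Unsupported combinations (ephemeral OS disk, Spot priority) are reported as
    errors; valid pools are listed for review because their OS disks, and the
    container images cached on them, survive scale-down and are still billed.
    """
    findings = []
    for pool in json.loads(nodepool_json):
        # A missing field means the pool pre-dates Scale-down Mode: behaves as Delete
        if pool.get("scaleDownMode", "Delete") != "Deallocate":
            continue
        problems = []
        if pool.get("osDiskType") == "Ephemeral":
            problems.append("ephemeral OS disk is not supported with Deallocate")
        if pool.get("scaleSetPriority") == "Spot":
            problems.append("Spot node pools are not supported with Deallocate")
        findings.append({
            "pool": pool["name"],
            "level": "error" if problems else "review",
            "notes": problems or [
                "deallocated nodes keep their OS disk and cached images; disk storage is still billed"
            ],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_node_pools(SAMPLE_NODEPOOLS):
        print(f"[{finding['level']}] {finding['pool']}: {'; '.join(finding['notes'])}")
```

Pipe the real output in with `az aks nodepool list --cluster-name myAKSCluster --resource-group myResourceGroup -o json` and pass it to `audit_node_pools`.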

Maxime.

Advanced Threat Protection for Azure Cosmos DB

Hi!

In this article, I will show you how you can enable Advanced Threat Protection for Azure Cosmos DB. This will help you to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Two types of alerts can be detected:

  • Access from unusual locations: This alert is triggered when there is a change in the access pattern to an Azure Cosmos account, where someone has connected to the Azure Cosmos DB endpoint from an unusual geographical location. In some cases, the alert detects a legitimate action, such as a new application or a developer's maintenance operation. In other cases, the alert detects a malicious action from a former employee, an external attacker, etc.

  • Unusual data extraction: This alert is triggered when a client is extracting an unusual amount of data from an Azure Cosmos DB account. This can be the symptom of some data exfiltration performed to transfer all the data stored in the account to an external data store.

It can currently trigger the following alerts:

Alert: PREVIEW – Access from an unusual location to a Cosmos DB account
Description: Indicates that there was a change in the access pattern to an Azure Cosmos DB account. Someone has accessed this account from an unfamiliar IP address, compared to recent activity. Either an attacker has accessed the account, or a legitimate user has accessed it from a new and unusual geographical location. An example of the latter is remote maintenance from a new application or developer.
MITRE tactics: Exploitation
Severity: Medium

Alert: PREVIEW – Unusual amount of data extracted from a Cosmos DB account
Description: Indicates that there was a change in the data extraction pattern from an Azure Cosmos DB account. Someone has extracted an unusual amount of data compared to recent activity. An attacker might have extracted a large amount of data from an Azure Cosmos DB database (for example, data exfiltration or leakage, or an unauthorized transfer of data). Or, a legitimate user or application might have extracted an unusual amount of data from a container (for example, for maintenance backup activity).
MITRE tactics: Exfiltration
Severity: Medium

To enable Advanced Threat Protection for Azure Cosmos DB:

Select your Azure Cosmos DB account > Settings > Advanced security (preview) > Advanced Threat Protection (Preview) On > Save.

Maxime.

AKS | Update the Service Principal Credentials

Hi,

In this article, I will show you how you can update the service principal credentials of your AKS cluster.

Check the expiration of your service principal:

SP_ID=$(az aks show --resource-group myResourceGroup --name myAKSCluster \
--query servicePrincipalProfile.clientId -o tsv)
az ad sp credential list --id "$SP_ID" --query "[].endDate" -o tsv
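To turn the expiry check above into something you can run on a schedule, here is an added example (not part of the post): it parses the lines that `az ad sp credential list --query "[].endDate" -o tsv` prints (the embedded sample is constructed) and reports how many days remain. Because the listing does not tell you which secret the cluster is actually using, the check is conservative and warns on the earliest end date.

```python
from datetime import datetime, timezone

# Constructed sample of `az ad sp credential list --id "$SP_ID" --query "[].endDate" -o tsv`
# (one ISO 8601 end date per line; two secrets exist, one expiring soon)
SAMPLE_END_DATES = """\
2024-03-01T00:00:00+00:00
2025-09-15T12:30:00Z
"""


def parse_end_dates(tsv_output: str) -> list:
    """Parse the TSV lines into timezone-aware datetimes ('+00:00' and 'Z' both accepted)."""
    dates = []
    for line in tsv_output.splitlines():
        line = line.strip()
        if line:
            dates.append(datetime.fromisoformat(line.replace("Z", "+00:00")))
    return dates


def credential_status(tsv_output: str, now: datetime, warn_days: int = 30) -> dict:
    """Days until the earliest secret expires, and whether rotation is due.

    Warning on the earliest date is deliberate: the listing shows every secret on
    the service principal, not the one the cluster was configured with.
    """
    end_dates = parse_end_dates(tsv_output)
    if not end_dates:
        # No secret at all: the cluster cannot authenticate, rotate immediately
        return {"earliest_end": None, "days_until_earliest": None, "rotate": True}
    earliest = min(end_dates)
    days_left = (earliest - now).days
    return {"earliest_end": earliest.isoformat(),
            "days_until_earliest": days_left,
            "rotate": days_left < warn_days}


if __name__ == "__main__":
    print(credential_status(SAMPLE_END_DATES, datetime.now(timezone.utc)))
```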

Update the service principal:

# SP_SECRET must hold the new client secret for the service principal (it is not set earlier on this page)
az aks update-credentials \
--resource-group myResourceGroup \
--name myAKSCluster \
--reset-service-principal \
--service-principal "$SP_ID" \
--client-secret "$SP_SECRET"

Update the AKS cluster with the new AAD Application credentials:

# Placeholders: replace with the server application ID and secret and the client application ID of your AAD integration
az aks update-credentials \
--resource-group myResourceGroup \
--name myAKSCluster \
--reset-aad \
--aad-server-app-id "<AAD_SERVER_APP_ID>" \
--aad-server-app-secret "<AAD_SERVER_APP_SECRET>" \
--aad-client-app-id "<AAD_CLIENT_APP_ID>"

Maxime.