
Disable HTTP application routing add-on

Security · Azure Kubernetes Service · Rule · 2021_12 · Important

Disable HTTP application routing add-on in AKS clusters.

Description

The HTTP application routing add-on is designed to quickly expose HTTP endpoints to the public internet. This can be useful in limited scenarios such as development and testing, but it is not hardened for production use and should not be used there.

When exposing application endpoints consider using an ingress controller that supports:

  • Security filtering behind web application firewall (WAF).
  • Encryption in transit over TLS.
  • Multiple replicas.

Azure Kubernetes Service provides several ingress controller options including:

  • Application routing add-on — an NGINX-based managed ingress controller add-on.
  • Application Gateway Ingress Controller (AGIC) — an ingress controller which integrates with Application Gateway.
  • Application Gateway for Containers — the successor to AGIC, with additional features and scale.

The HTTP application routing add-on (preview) for Azure Kubernetes Service (AKS) will be retired on 03 March 2025.

Recommendation

Consider disabling the HTTP application routing add-on in your AKS cluster. Also consider migrating any workloads that depend on it to one of the alternative ingress controllers listed above before the retirement date.

Examples

Configure with Azure template

To deploy AKS clusters that pass this rule:

  • Set Properties.addonProfiles.httpApplicationRouting.enabled to false.

For example:

Azure Template snippet
{
    "type": "Microsoft.ContainerService/managedClusters",
    "apiVersion": "2021-07-01",
    "name": "[parameters('clusterName')]",
    "location": "[parameters('location')]",
    "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
            "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
        }
    },
    "properties": {
        "kubernetesVersion": "[parameters('kubernetesVersion')]",
        "enableRBAC": true,
        "dnsPrefix": "[parameters('dnsPrefix')]",
        "agentPoolProfiles": "[variables('allPools')]",
        "aadProfile": {
            "managed": true,
            "enableAzureRBAC": true,
            "adminGroupObjectIDs": "[parameters('clusterAdmins')]",
            "tenantID": "[subscription().tenantId]"
        },
        "networkProfile": {
            "networkPlugin": "azure",
            "networkPolicy": "azure",
            "loadBalancerSku": "standard",
            "serviceCidr": "[variables('serviceCidr')]",
            "dnsServiceIP": "[variables('dnsServiceIP')]",
            "dockerBridgeCidr": "[variables('dockerBridgeCidr')]"
        },
        "autoUpgradeProfile": {
            "upgradeChannel": "stable"
        },
        "addonProfiles": {
            "httpApplicationRouting": {
                "enabled": false
            },
            "azurepolicy": {
                "enabled": true,
                "config": {
                    "version": "v2"
                }
            },
            "omsagent": {
                "enabled": true,
                "config": {
                    "logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
                }
            },
            "kubeDashboard": {
                "enabled": false
            },
            "azureKeyvaultSecretsProvider": {
                "enabled": true,
                "config": {
                    "enableSecretRotation": "true"
                }
            }
        }
    },
    "tags": "[parameters('tags')]",
    "dependsOn": [
        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
    ]
}

Configure with Bicep

To deploy AKS clusters that pass this rule:

  • Set Properties.addonProfiles.httpApplicationRouting.enabled to false.

For example:

Azure Bicep snippet
resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {
  location: location
  name: clusterName
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identity.id}': {}
    }
  }
  properties: {
    kubernetesVersion: kubernetesVersion
    enableRBAC: true
    dnsPrefix: dnsPrefix
    agentPoolProfiles: allPools
    aadProfile: {
      managed: true
      enableAzureRBAC: true
      adminGroupObjectIDs: clusterAdmins
      tenantID: subscription().tenantId
    }
    networkProfile: {
      networkPlugin: 'azure'
      networkPolicy: 'azure'
      loadBalancerSku: 'standard'
      serviceCidr: serviceCidr
      dnsServiceIP: dnsServiceIP
      dockerBridgeCidr: dockerBridgeCidr
    }
    autoUpgradeProfile: {
      upgradeChannel: 'stable'
    }
    addonProfiles: {
      httpApplicationRouting: {
        enabled: false
      }
      azurepolicy: {
        enabled: true
        config: {
          version: 'v2'
        }
      }
      omsagent: {
        enabled: true
        config: {
          logAnalyticsWorkspaceResourceID: workspaceId
        }
      }
      kubeDashboard: {
        enabled: false
      }
      azureKeyvaultSecretsProvider: {
        enabled: true
        config: {
          enableSecretRotation: 'true'
        }
      }
    }
  }
  tags: tags
}
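The property that both the template and Bicep examples set can also be checked outside of PSRule, for instance in a pre-deployment pipeline step. The following Python script is an added example, not part of this page or of the PSRule for Azure project: it walks the resources of an ARM template (a Bicep file compiled with `az bicep build` produces the same JSON), finds every `Microsoft.ContainerService/managedClusters` resource, including those in nested deployments, and reports whether `addonProfiles.httpApplicationRouting.enabled` is true. The sample template embedded in the script is constructed for illustration only. The script assumes, as AKS does, that a missing profile means the add-on was never enabled, and it tolerates the string form `"true"` that some exports use for booleans.

```python
import json
from typing import Any, Dict, List

# Resource type and add-on profile key that the rule inspects.
MANAGED_CLUSTER_TYPE = "Microsoft.ContainerService/managedClusters"
ADDON_KEY = "httpApplicationRouting"


def _is_enabled(value: Any) -> bool:
    """Interpret the 'enabled' field; some templates carry booleans as strings."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def check_cluster(resource: Dict[str, Any]) -> Dict[str, Any]:
    """Evaluate one managedClusters resource and return name, pass flag and reason.

    Assumption (matches the AKS default): if the add-on profile is absent the
    add-on was never enabled, so the resource passes.
    """
    name = resource.get("name", "<unnamed>")
    profiles = resource.get("properties", {}).get("addonProfiles") or {}
    # Match the profile key case-insensitively; exports are not consistent about casing.
    profile = next((v for k, v in profiles.items() if k.lower() == ADDON_KEY.lower()), None)
    if profile is None:
        return {"name": name, "pass": True, "reason": "add-on not configured (default disabled)"}
    if _is_enabled(profile.get("enabled")):
        return {"name": name, "pass": False, "reason": "httpApplicationRouting.enabled is true"}
    return {"name": name, "pass": True, "reason": "httpApplicationRouting.enabled is false"}


def check_template(template: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Walk an ARM template's resources, including nested deployments and inline child resources."""
    results: List[Dict[str, Any]] = []

    def walk(resources: Any) -> None:
        for res in resources or []:
            if res.get("type", "").lower() == MANAGED_CLUSTER_TYPE.lower():
                results.append(check_cluster(res))
            # Microsoft.Resources/deployments carries an inner template under properties.template.
            inner = res.get("properties", {}).get("template")
            if inner:
                walk(inner.get("resources"))
            walk(res.get("resources"))  # child resources declared inline

    walk(template.get("resources"))
    return results


def failing_clusters(template: Dict[str, Any]) -> List[str]:
    """Names of clusters that would fail the rule."""
    return [r["name"] for r in check_template(template) if not r["pass"]]


# Constructed sample template (not a real deployment): one cluster with the add-on
# enabled, one with it explicitly disabled, one that never configures it.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    { "type": "Microsoft.ContainerService/managedClusters", "apiVersion": "2021-07-01",
      "name": "aks-legacy", "location": "eastus",
      "properties": { "addonProfiles": { "httpApplicationRouting": { "enabled": true } } } },
    { "type": "Microsoft.ContainerService/managedClusters", "apiVersion": "2021-07-01",
      "name": "aks-hardened", "location": "eastus",
      "properties": { "addonProfiles": { "httpApplicationRouting": { "enabled": false } } } },
    { "type": "Microsoft.ContainerService/managedClusters", "apiVersion": "2021-07-01",
      "name": "aks-default", "location": "eastus",
      "properties": { "addonProfiles": { "azurepolicy": { "enabled": true } } } }
  ]
}
""")

if __name__ == "__main__":
    for r in check_template(SAMPLE_TEMPLATE):
        print(f"{'PASS' if r['pass'] else 'FAIL'}  {r['name']}: {r['reason']}")
```

Only `aks-legacy` fails in the sample. For clusters that are already deployed, `az aks show --resource-group <rg> --name <cluster> --query addonProfiles.httpApplicationRouting.enabled` reports the current state, and `az aks disable-addons --resource-group <rg> --name <cluster> --addons http_application_routing` turns the add-on off; any Ingress objects that relied on its managed DNS zone need to be moved to the replacement ingress controller first.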
