Disable HTTP application routing add-on#
Security · Azure Kubernetes Service · Rule · 2021_12 · Important
Disable HTTP application routing add-on in AKS clusters.
Description#
The HTTP application routing add-on is designed to quickly expose HTTP endpoints to the public internet. This may be helpful in some limited scenarios, but should not be used in production.
When exposing application endpoints consider using an ingress controller that supports:
- Security filtering behind web application firewall (WAF).
- Encryption in transit over TLS.
- Multiple replicas.
Azure provides a production ready ingress controller Application Gateway Ingress Controller (AGIC).
HTTP application routing add-on (preview) for Azure Kubernetes Service (AKS) will be retired on 03 March 2025.
Recommendation#
Consider disabling the HTTP application routing add-on in your AKS cluster. Also consider using Application Gateway Ingress Controller (AGIC) instead to protect application endpoints.
Examples#
Configure with Azure template#
To deploy AKS clusters that pass this rule:
- Set
Properties.addonProfiles.httpApplicationRouting.enabledtofalse.
For example:
{
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2021-07-01",
"name": "[parameters('clusterName')]",
"location": "[parameters('location')]",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
}
},
"properties": {
"kubernetesVersion": "[parameters('kubernetesVersion')]",
"enableRBAC": true,
"dnsPrefix": "[parameters('dnsPrefix')]",
"agentPoolProfiles": "[variables('allPools')]",
"aadProfile": {
"managed": true,
"enableAzureRBAC": true,
"adminGroupObjectIDs": "[parameters('clusterAdmins')]",
"tenantID": "[subscription().tenantId]"
},
"networkProfile": {
"networkPlugin": "azure",
"networkPolicy": "azure",
"loadBalancerSku": "standard",
"serviceCidr": "[variables('serviceCidr')]",
"dnsServiceIP": "[variables('dnsServiceIP')]",
"dockerBridgeCidr": "[variables('dockerBridgeCidr')]"
},
"autoUpgradeProfile": {
"upgradeChannel": "stable"
},
"addonProfiles": {
"httpApplicationRouting": {
"enabled": false
},
"azurepolicy": {
"enabled": true,
"config": {
"version": "v2"
}
},
"omsagent": {
"enabled": true,
"config": {
"logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
}
},
"kubeDashboard": {
"enabled": false
},
"azureKeyvaultSecretsProvider": {
"enabled": true,
"config": {
"enableSecretRotation": "true"
}
}
}
},
"tags": "[parameters('tags')]",
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
]
}
Configure with Bicep#
To deploy AKS clusters that pass this rule:
- Set
Properties.addonProfiles.httpApplicationRouting.enabledtofalse.
For example:
resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {
location: location
name: clusterName
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${identity.id}': {}
}
}
properties: {
kubernetesVersion: kubernetesVersion
enableRBAC: true
dnsPrefix: dnsPrefix
agentPoolProfiles: allPools
aadProfile: {
managed: true
enableAzureRBAC: true
adminGroupObjectIDs: clusterAdmins
tenantID: subscription().tenantId
}
networkProfile: {
networkPlugin: 'azure'
networkPolicy: 'azure'
loadBalancerSku: 'standard'
serviceCidr: serviceCidr
dnsServiceIP: dnsServiceIP
dockerBridgeCidr: dockerBridgeCidr
}
autoUpgradeProfile: {
upgradeChannel: 'stable'
}
addonProfiles: {
httpApplicationRouting: {
enabled: false
}
azurepolicy: {
enabled: true
config: {
version: 'v2'
}
}
omsagent: {
enabled: true
config: {
logAnalyticsWorkspaceResourceID: workspaceId
}
}
kubeDashboard: {
enabled: false
}
azureKeyvaultSecretsProvider: {
enabled: true
config: {
enableSecretRotation: 'true'
}
}
}
}
tags: tags
}
Links#
- SE:06 Network controls
- HTTP application routing
- Enable Application Gateway Ingress Controller add-on for an existing AKS cluster
- Azure deployment reference