Azure Firewall Controller Deployment Workflow
The Azure Firewall Controller is a pod within your Kubernetes cluster that monitors a subset of Kubernetes resources, translates them into Azure Firewall-specific configuration, and applies that configuration through Azure Resource Manager (ARM).
Outline:
- Prerequisites
- Azure Resource Manager (ARM) Authentication
- Option 1: Using a Service Principal
- Install Azure Firewall Controller using Helm
Prerequisites
This document assumes you already have the following tools and infrastructure installed:
- Azure Firewall as the next hop for the AKS cluster. Please follow this documentation for the setup. Make sure to add additional rules in the firewall to allow node <-> API server communication and to allow access to images in the Microsoft Container Registry (MCR).
- Create an Active Directory Service Principal.
- If you are using Azure Cloud Shell, it has all the tools already installed. Launch your shell from shell.azure.com or by clicking the link: Launch Azure Cloud Shell. If you choose to use another environment, please ensure the following command line tools are installed:
1. az - Azure CLI: installation instructions
2. kubectl - Kubernetes command-line tool: installation instructions
3. helm (version 3.7 or later) - Kubernetes package manager: installation instructions
Setup Kubernetes Credentials
For the following steps we need to set up the kubectl command, which we will use to connect to our Kubernetes cluster. We will use the az CLI to obtain credentials for Kubernetes.
Get credentials for your newly deployed AKS (read more):
az aks get-credentials --resource-group aksClusterResourceGroupName --name aksClusterName
Deploying cert-manager
Validation webhooks are implemented for the CRD. In order for the API server to communicate with the webhook component, the webhook requires a TLS certificate that the API server is configured to trust. We use cert-manager to provision the certificates for the webhook.
cert-manager Installation (read more):
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml
Azure Resource Manager Authentication
The Azure Firewall Egress Controller (AFEC) communicates with the Kubernetes API server and with Azure Resource Manager. It requires an identity to access these APIs.
Using a Service Principal
AFEC can be granted access to ARM by creating a service principal. Follow the steps below to create an Azure Active Directory (AAD) service principal object.
- Create an Active Directory service principal and make sure it has Contributor access to the Azure Firewall. Note that the command below assigns Contributor at subscription scope; to follow least privilege, narrow --scopes to the resource group or the Firewall Policy resource ID.
az ad sp create-for-rbac --role Contributor --scopes /subscriptions/policySubscriptionId
Please record the appId (<azureClientId>), password (<azureClientSecret>) and tenant (<azureTenantId>) values; these will be used in the following steps to authenticate to Azure.
Install Azure Firewall Controller as a Helm Chart
Helm is a package manager for Kubernetes. This document uses Helm version 3.7 or later. We will leverage it to install the azure-firewall-egress-controller package.
Use Cloud Shell to install the AFEC Helm package:
- Install Helm chart
helm install [RELEASE_NAME] oci://mcr.microsoft.com/azfw/helmchart/afec --version 0.1.0 \
--debug \
--set fw.policyResourceID=<fwPolicyResourceID> \
--set fw.policyResourceGroup=<fwPolicyResourceGroup> \
--set fw.policySubscriptionId=<fwPolicySubscriptionId> \
--set fw.policyName=<fwPolicyName> \
--set fw.policyRuleCollectionGroup=<fwPolicyRuleCollectionGroup> \
--set fw.policyRuleCollectionGroupPriority=<fwPolicyRuleCollectionGroupPriority> \
--set auth.tenantId=<azureTenantId> \
--set auth.clientId=<azureClientId> \
--set auth.clientSecret=<azureClientSecret>
[RELEASE_NAME] can be any chosen name. <azureTenantId>, <azureClientId> and <azureClientSecret> are the values that were created in the previous section. Values passed with --set end up in your shell history and in the Helm release secret, so prefer reading the client secret from an environment variable (for example --set auth.clientSecret="$AZURE_CLIENT_SECRET") rather than typing it inline.
If a Firewall Policy resource ID is provided, the individual fw.policySubscriptionId, fw.policyResourceGroup and fw.policyName values are ignored.
Parameters
- <fwPolicyResourceID>: ID of the Firewall Policy.
- <fwPolicyResourceGroup>: Name of the Azure resource group in which the Azure Firewall Policy was created.
- <fwPolicySubscriptionId>: The Azure subscription ID in which the Azure Firewall Policy resides. Example: a123b234-a3b4-557d-b2df-a0bc12de1234
- <fwPolicyName>: Name of the Azure Firewall Policy that is attached to the firewall.
- <fwPolicyRuleCollectionGroup>: The rule collection group in the Firewall Policy dedicated to the Egress Controller.
- <fwPolicyRuleCollectionGroupPriority>: The priority of the rule collection group in the Firewall Policy dedicated to the Egress Controller.
- <azureTenantId>: The tenant ID of the identity.
- <azureClientId>: The client ID of the identity.
- <azureClientSecret>: The client secret of the identity.
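Before running the install above, it is worth checking that the Firewall Policy resource ID, the service principal scope from the previous section and the rule collection group priority are consistent with each other. The following POSIX shell helpers are an added example (not part of the AFEC project or chart); they assume the standard ARM resource ID layout for firewall policies and the documented priority range of 100-65000.

```shell
#!/bin/sh
# Added example, not AFEC project code: sanity-check the values that are fed
# to "helm install" for the egress controller before running it.

# Split an ARM Firewall Policy resource ID into subscription, resource group
# and policy name (the fw.policySubscriptionId, fw.policyResourceGroup and
# fw.policyName fields the chart ignores when the ID itself is given).
# Prints "sub rg name" on success; returns 1 on a malformed ID.
parse_policy_id() {
  _id=$1
  case "$_id" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Network/firewallPolicies/*) ;;
    *) return 1 ;;
  esac
  _sub=${_id#/subscriptions/};   _sub=${_sub%%/*}
  _rg=${_id#*/resourceGroups/};  _rg=${_rg%%/*}
  _name=${_id##*/firewallPolicies/}
  # Reject child resources (e.g. .../firewallPolicies/x/ruleCollectionGroups/y)
  case "$_name" in */*|"") return 1 ;; esac
  printf '%s %s %s\n' "$_sub" "$_rg" "$_name"
}

# Return 0 when the role assignment scope given to "az ad sp create-for-rbac"
# covers the policy: the scope is the policy ID itself or one of its parents
# (resource group or subscription). Any other scope means the controller will
# receive authorization errors from ARM at runtime.
scope_covers_policy() {
  _scope=${1%/}
  _policy=$2
  case "$_policy" in
    "$_scope"|"$_scope"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# The rule collection group priority must be an integer in 100-65000
# (the range Azure documents for Firewall Policy rule collection groups).
valid_priority() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 100 ] && [ "$1" -le 65000 ]
}
```

Source the file and call the helpers with your own values; a non-zero return from any of them means the corresponding --set value should be corrected before installing the chart.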
To upgrade the chart
helm upgrade [RELEASE_NAME] oci://mcr.microsoft.com/azfw/helmchart/afec --version [LATEST_VERSION] \
--debug \
--set fw.policyResourceID=<fwPolicyResourceID> \
--set fw.policyResourceGroup=<fwPolicyResourceGroup> \
--set fw.policySubscriptionId=<fwPolicySubscriptionId> \
--set fw.policyName=<fwPolicyName> \
--set fw.policyRuleCollectionGroup=<fwPolicyRuleCollectionGroup> \
--set fw.policyRuleCollectionGroupPriority=<fwPolicyRuleCollectionGroupPriority> \
--set auth.tenantId=<azureTenantId> \
--set auth.clientId=<azureClientId> \
--set auth.clientSecret=<azureClientSecret>
[LATEST_VERSION] is the specific version to which you intend to upgrade your Helm release.
- Verify that the AFEC controller pods are ready.
kubectl get pods -n aks-egress-system
- Check the log of the newly created pod to verify that it started properly.
kubectl logs <pod_name> -c manager -n aks-egress-system