Fixes Azure.AKS.AuthorizedIPs for private cluster Azure#2677 (Azure#2679)

Author: BernieWhite

docs/CHANGELOG-v1.md

@@ -32,6 +32,12 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 
 ## Unreleased
 
+What's changed since v1.33.0:
+
+- Bug fixes:
+  - Fixed `Azure.AKS.AuthorizedIPs` is not valid for a private cluster by @BernieWhite.
+    [#2677](https://github.com/Azure/PSRule.Rules.Azure/issues/2677)
+
 ## v1.33.0
 
 What's changed since v1.32.1:

docs/en/rules/Azure.AKS.AuthorizedIPs.md

@@ -1,7 +1,8 @@
 ---
+reviewed: 2024-02-07
 severity: Important
 pillar: Security
-category: Design
+category: SE:06 Network controls
 resource: Azure Kubernetes Service
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.AuthorizedIPs/
 ---
@@ -20,30 +21,184 @@ Access to the API server is required by various cluster functions as well as all
 All activities performed against the cluster require authorization.
 To improve cluster security, the API server can be restricted to a limited set of IP address ranges.
 
-Restricting authorized IP addresses for the API server as the following limitations:
+Restricting authorized IP addresses for the API server has the following limitations:
 
 - Requires AKS clusters configured with a Standard Load Balancer SKU.
 - This feature is not compatible with clusters that use Public IP per Node.
+- This feature is not compatible with AKS private clusters.
 
-When configuring this feature you must specify the IP address ranges that will be authorized.
+When configuring this feature, you must specify the IP address ranges that will be authorized.
 To allow only the outbound public IP of the Standard SKU load balancer, use `0.0.0.0/32`.
 
+You should add these ranges to the allow list:
+
+- Include output IP addresses for cluster nodes
+- Any range where administration will connect to the API server, including CI/CD systems, monitoring, and management systems.
+
 ## RECOMMENDATION
 
 Consider restricting network traffic to the API server endpoints to trusted IP addresses.
-Include output IP addresses for cluster nodes and any range where administration will occur from.
 
 ## EXAMPLES
 
+### Configure with Azure template
+
+To deploy clusters that pass this rule:
+
+- Set the `properties.apiServerAccessProfile.authorizedIPRanges` property to a list of authorized IP ranges.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.ContainerService/managedClusters",
+  "apiVersion": "2023-11-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "identity": {
+    "type": "UserAssigned",
+    "userAssignedIdentities": {
+      "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
+    }
+  },
+  "properties": {
+    "kubernetesVersion": "[parameters('kubernetesVersion')]",
+    "disableLocalAccounts": true,
+    "enableRBAC": true,
+    "dnsPrefix": "[parameters('dnsPrefix')]",
+    "agentPoolProfiles": "[variables('allPools')]",
+    "aadProfile": {
+      "managed": true,
+      "enableAzureRBAC": true,
+      "adminGroupObjectIDs": "[parameters('clusterAdmins')]",
+      "tenantID": "[subscription().tenantId]"
+    },
+    "networkProfile": {
+      "networkPlugin": "azure",
+      "networkPolicy": "azure",
+      "loadBalancerSku": "standard",
+      "serviceCidr": "[variables('serviceCidr')]",
+      "dnsServiceIP": "[variables('dnsServiceIP')]"
+    },
+    "apiServerAccessProfile": {
+      "authorizedIPRanges": [
+        "0.0.0.0/32"
+      ]
+    },
+    "autoUpgradeProfile": {
+      "upgradeChannel": "stable"
+    },
+    "oidcIssuerProfile": {
+      "enabled": true
+    },
+    "addonProfiles": {
+      "azurepolicy": {
+        "enabled": true
+      },
+      "omsagent": {
+        "enabled": true,
+        "config": {
+          "logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
+        }
+      },
+      "azureKeyvaultSecretsProvider": {
+        "enabled": true,
+        "config": {
+          "enableSecretRotation": "true"
+        }
+      }
+    }
+  },
+  "dependsOn": [
+    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
+  ]
+}
+```
+
+### Configure with Bicep
+
+To deploy resource that pass this rule:
+
+- Set the `properties.apiServerAccessProfile.authorizedIPRanges` property to a list of authorized IP ranges.
+
+For example:
+
+```bicep
+resource cluster 'Microsoft.ContainerService/managedClusters@2023-11-01' = {
+  location: location
+  name: name
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${identity.id}': {}
+    }
+  }
+  properties: {
+    kubernetesVersion: kubernetesVersion
+    disableLocalAccounts: true
+    enableRBAC: true
+    dnsPrefix: dnsPrefix
+    agentPoolProfiles: allPools
+    aadProfile: {
+      managed: true
+      enableAzureRBAC: true
+      adminGroupObjectIDs: clusterAdmins
+      tenantID: subscription().tenantId
+    }
+    networkProfile: {
+      networkPlugin: 'azure'
+      networkPolicy: 'azure'
+      loadBalancerSku: 'standard'
+      serviceCidr: serviceCidr
+      dnsServiceIP: dnsServiceIP
+    }
+    apiServerAccessProfile: {
+      authorizedIPRanges: [
+        '0.0.0.0/32'
+      ]
+    }
+    autoUpgradeProfile: {
+      upgradeChannel: 'stable'
+    }
+    oidcIssuerProfile: {
+      enabled: true
+    }
+    addonProfiles: {
+      azurepolicy: {
+        enabled: true
+      }
+      omsagent: {
+        enabled: true
+        config: {
+          logAnalyticsWorkspaceResourceID: workspaceId
+        }
+      }
+      azureKeyvaultSecretsProvider: {
+        enabled: true
+        config: {
+          enableSecretRotation: 'true'
+        }
+      }
+    }
+  }
+}
+```
+
 ### Configure with Azure CLI
 
 ```bash
 az aks update -n '<name>' -g '<resource_group>' --api-server-authorized-ip-ranges '0.0.0.0/32'
 ```
 
+### Configure with Azure PowerShell
+
+```powershell
+Set-AzAksCluster -Name '<name>' -ResourceGroupName '<resource_group>' -ApiServerAccessAuthorizedIpRange '0.0.0.0/32'
+```
+
 ## LINKS
 
-- [Network security](https://learn.microsoft.com/azure/architecture/framework/security/design-network)
-- [Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS)](https://docs.microsoft.com/azure/aks/api-server-authorized-ip-ranges)
-- [Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)](https://docs.microsoft.com/azure/aks/operator-best-practices-cluster-security#secure-access-to-the-api-server-and-cluster-nodes)
-- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)
+- [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
+- [Secure access to the API server using authorized IP address ranges in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/api-server-authorized-ip-ranges)
+- [Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/azure/aks/operator-best-practices-cluster-security#secure-access-to-the-api-server-and-cluster-nodes)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)

docs/examples-aks.bicep

@@ -130,7 +130,7 @@ resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31'
 }
 
 // An example AKS cluster
-resource cluster 'Microsoft.ContainerService/managedClusters@2023-07-01' = {
+resource cluster 'Microsoft.ContainerService/managedClusters@2023-11-01' = {
   location: location
   name: name
   identity: {
@@ -158,6 +158,11 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2023-07-01' = {
       serviceCidr: serviceCidr
       dnsServiceIP: dnsServiceIP
     }
+    apiServerAccessProfile: {
+      authorizedIPRanges: [
+        '0.0.0.0/32'
+      ]
+    }
     autoUpgradeProfile: {
       upgradeChannel: 'stable'
     }
@@ -185,7 +190,7 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2023-07-01' = {
 }
 
 // An example AKS cluster with pools defined.
-resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-07-01' = {
+resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-11-01' = {
   location: location
   name: name
   identity: {
@@ -240,6 +245,97 @@ resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-07-01
       serviceCidr: serviceCidr
       dnsServiceIP: dnsServiceIP
     }
+    apiServerAccessProfile: {
+      authorizedIPRanges: [
+        '0.0.0.0/32'
+      ]
+    }
+    autoUpgradeProfile: {
+      upgradeChannel: 'stable'
+    }
+    oidcIssuerProfile: {
+      enabled: true
+    }
+    addonProfiles: {
+      azurepolicy: {
+        enabled: true
+      }
+      omsagent: {
+        enabled: true
+        config: {
+          logAnalyticsWorkspaceResourceID: workspaceId
+        }
+      }
+      azureKeyvaultSecretsProvider: {
+        enabled: true
+        config: {
+          enableSecretRotation: 'true'
+        }
+      }
+    }
+  }
+}
+
+// An example private AKS cluster with pools defined.
+resource privateCluster 'Microsoft.ContainerService/managedClusters@2023-11-01' = {
+  location: location
+  name: name
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${identity.id}': {}
+    }
+  }
+  properties: {
+    kubernetesVersion: kubernetesVersion
+    disableLocalAccounts: true
+    enableRBAC: true
+    dnsPrefix: dnsPrefix
+    agentPoolProfiles: [
+      {
+        name: 'system'
+        osDiskSizeGB: 0
+        minCount: 3
+        maxCount: 5
+        enableAutoScaling: true
+        maxPods: 50
+        vmSize: 'Standard_D4s_v5'
+        type: 'VirtualMachineScaleSets'
+        vnetSubnetID: clusterSubnetId
+        mode: 'System'
+        osDiskType: 'Ephemeral'
+      }
+      {
+        name: 'user'
+        osDiskSizeGB: 0
+        minCount: 3
+        maxCount: 20
+        enableAutoScaling: true
+        maxPods: 50
+        vmSize: 'Standard_D4s_v5'
+        type: 'VirtualMachineScaleSets'
+        vnetSubnetID: clusterSubnetId
+        mode: 'User'
+        osDiskType: 'Ephemeral'
+      }
+    ]
+    aadProfile: {
+      managed: true
+      enableAzureRBAC: true
+      adminGroupObjectIDs: clusterAdmins
+      tenantID: subscription().tenantId
+    }
+    networkProfile: {
+      networkPlugin: 'azure'
+      networkPolicy: 'azure'
+      loadBalancerSku: 'standard'
+      serviceCidr: serviceCidr
+      dnsServiceIP: dnsServiceIP
+    }
+    apiServerAccessProfile: {
+      enablePrivateCluster: true
+      enablePrivateClusterPublicFQDN: false
+    }
     autoUpgradeProfile: {
       upgradeChannel: 'stable'
     }