KhushbuP presents a detailed overview of the general availability of Layer 7 Network Policies for Azure Kubernetes Service (AKS), explaining how these new capabilities enhance security and observability for containerized workloads.

Layer 7 Network Policies for AKS: General Availability for Enterprise-Grade Security

Author: KhushbuP

Azure Kubernetes Service (AKS) now supports Layer 7 (L7) Network Policies in General Availability (GA), leveraging Cilium and Advanced Container Networking Services (ACNS). This milestone enables Azure users to secure microservices with fine-grained, application-aware controls for mission-critical workloads.

What Are L7 Network Policies?

L7 Network Policies allow you to define security rules for Kubernetes workloads based on specific application-layer protocols (like HTTP methods and paths), not just L3 (IP) or L4 (port) traffic. This enhances defense-in-depth by enforcing policies such as:

Allowing only specific HTTP methods (e.g., GET, POST)
Restricting access to designated URL paths
Preventing lateral movement from compromised services

Practical Example: Securing a Multi-Tier Retail Application

Consider a retail application running on AKS with three microservices:

frontend-app: Presents the user interface and product information
inventory-api: Backend for product stock levels (read-only for the frontend)
payment-gateway: Processes transactions (accepts only POSTs from the frontend)

Challenge: A traditional L4 policy can’t stop a compromised frontend from sending harmful requests (like DELETE) to the inventory API.

L7 Solution: With Cilium L7 policies, restrict the frontend to only send safe HTTP requests (GET) to the inventory API:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: protect-inventory-api
spec:
  endpointSelector:
    matchLabels:
      app: inventory-api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend-app
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/api/inventory/.*"

Allowed: Frontend GET requests to /api/inventory/item123
Blocked: Any DELETE/POST requests, even from compromised pods

Apply the same pattern for the payment-gateway, ensuring only POSTs to /process-payment are accepted.

Zero Trust Network Security with Enhanced Controls

L7 policies complement traditional L3/L4 restrictions and advanced egress controls, including:

FQDN Filtering: Allow egress only to approved external domains.
Cluster-Wide Policies (CCNP): Use CiliumClusterwideNetworkPolicy to enforce uniform policies across all namespaces.

CCNP Example: Egress Policy with FQDN Filtering

apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: allow-egress-to-example-com
spec:
  endpointSelector: {}
  egress:
    - toFQDNs:
        - matchPattern: "*.example.com"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
            - port: "80"
              protocol: TCP

This restricts all pods to outbound connections only on ports 80 and 443 to subdomains of example.com.

Operational Observability

Security is only as strong as its visibility. All L7 policy actions and blocks are auditable in Azure Managed Grafana dashboards, simplifying threat detection and incident response.

Getting Started

To enable L7 policies in your AKS cluster:

Follow the Layer 7 Policy Overview
See How to Apply L7 Policy for a guided scenario

Upgrade today to leverage application-aware security and observability, and help Microsoft improve by sharing your feedback.

This post appeared first on “Microsoft Tech Community”. Read the entire article here