AKS clusters enforce Kubernetes NetworkPolicy resources only when a network policy engine (Azure Network Policy Manager or Calico) is enabled on the cluster; without one, NetworkPolicy objects are accepted by the API server but never applied to traffic. With an engine enabled, pod-to-pod traffic is governed by explicit, label-based ingress and egress rules. This finding evaluates whether a cluster has network policy enforcement enabled so that workloads can be segmented at that granularity.
Risk
Without network policy enforcement, every pod can reach every other pod and service in the cluster by default:
- Easy lateral movement after a pod compromise
- Unrestricted access to backend services and data
- Covert exfiltration/C2 via East-West traffic
This undermines confidentiality and integrity and widens the blast radius of any runtime exploit: a single compromised pod becomes a foothold against the whole cluster.
Run this check with Prowler CLI
prowler azure --checks aks_network_policy_enabled
Recommendation
Enable network policy enforcement and apply least privilege segmentation.
- Start with a deny-all baseline, then allow only the flows each workload requires
- Define both ingress and egress policies
- Use consistent labels/namespaces
- Layer with defense in depth (RBAC, node isolation, private networking) for zero-trust East-West control.
Remediation
CLI
az aks update --resource-group <RESOURCE_GROUP> --name <CLUSTER_NAME> --network-policy calico
(use --network-policy azure to enable Azure Network Policy Manager instead; the update is applied in place and does not recreate the cluster)
Native IaC
Terraform
Other
- In Azure Portal, go to Kubernetes services and select your cluster
- Open Networking (or Settings > Networking)
- Set Network policy to Azure or Calico
- Click Save to apply
Source Code
Resource Type
microsoft.containerservice/managedclusters
References
- https://learn.microsoft.com/en-us/azure/aks/use-network-policies
- https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v2-network-security#ns-2-connect-private-networks-together
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AKS/enable-network-policy-support.html