SebastianPacheco-6836 asked SebastianPacheco-6836 edited

application gateway and encryption aks

I have 2 very simple questions, but I don't know them.

  1. How do I know which version (v1 or v2) of application gateway I have configured? It just says: SKU: Standard

  2. AKS uses "encryption at-rest with a platform-managed key" by default, but is this based on a symmetric or asymmetric algorithm, and which encryption algorithm does it use (DES, 3DES, AES...)?

Thank you very much.

Tags: azure-application-gateway, azure-disk-encryption

1 Answer

GitaraniSharmaMSFT-4262 answered SebastianPacheco-6836 edited

Hello @SebastianPacheco-6836 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Please find the answers to your queries below:

How do I know which version (v1 or v2) of application gateway I have configured? It just says: SKU: Standard

Standard/WAF is v1 SKU App gateway. Standard v2/WAF v2 is v2 SKU App gateway.
You can see the same while creating an Application gateway as below:

[attached screenshot: image.png]

AKS uses "encryption at-rest with a platform-managed key" by default, but this is based on a symmetric or asymmetric algorithm and uses some encryption algorithm (DES, 3DES, AES....)

The Encryption at Rest designs in Azure use symmetric encryption to encrypt and decrypt large amounts of data. Data in Azure managed disks is encrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.

For more information on encryption at-rest with a platform-managed key, please refer to the docs below:
https://docs.microsoft.com/en-us/azure/aks/enable-host-encryption
https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest
https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Hi @GitaraniSharmaMSFT-4262 , thanks!

then... the information of the O.S. of the "AKS NODES" is activated with 256-bit AES algorithms. ---> Is this by default or do you have to activate something? In the link it indicates something about registering EncryptionAtHost

I had read that Azure Storage was with 256-bit AES, but I had not found anything regarding the O.S of the aks nodes

Thanks!


Hi @GitaraniSharmaMSFT-4262

This appears on my portal:
Tier: WAF V2
is that Standard v2?


2.
then... the information of the O.S. of the aks nodes is activated with 256-bit AES algorithms.

Is this by default or do you have to activate something? In the link it indicates something about registering EncryptionAtHost

I had read that Azure Storage was with 256-bit AES, but I had not found anything regarding the O.S of the aks nodes


Hello @SebastianPacheco-6836 ,

1) WAF V2 is Application gateway V2 SKU with Web Application Firewall (WAF).
Refer : https://docs.microsoft.com/en-us/azure/application-gateway/overview-v2

2) As mentioned in this doc, with host-based encryption, the data stored on the VM host of your AKS agent nodes' VMs is encrypted at rest and flows encrypted to the Storage service. This means the temp disks are encrypted at rest with platform-managed keys. The cache of OS and data disks is encrypted at rest with either platform-managed keys or customer-managed keys depending on the encryption type set on those disks. By default, when using AKS, OS and data disks are encrypted at rest with platform-managed keys, meaning that the caches for these disks are also by default encrypted at rest with platform-managed keys.

You can confirm the same in the Azure portal while creating an AKS cluster as below:

[attached screenshot: image.png]

The registration mentioned in the doc is regarding first time registration of the feature, if not done already. If not done, you will not be able to see the default encryption option in Azure portal as shown above.
It is a one-time registration only. Once done, you don't have to do it again and I believe you should already have this feature registered. You can confirm the same by going to the screen shown in the above screenshot in your Azure portal.
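For readers who prefer to verify both points from the CLI rather than the portal, here is an added example (not part of the thread, not Microsoft's own code). It assumes the Azure CLI ("az") is installed and logged in; the resource group, gateway, cluster and node pool names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the Azure CLI ("az") is installed
# and logged in; resource group, gateway, cluster and pool names are placeholders.

# Classify an Application Gateway SKU tier as v1 or v2.
# "Standard" and "WAF" are the v1 SKUs; "Standard_v2" and "WAF_v2" are v2.
appgw_generation() {
  case "$1" in
    Standard|WAF)       echo v1 ;;
    Standard_v2|WAF_v2) echo v2 ;;
    *)                  echo unknown; return 1 ;;
  esac
}

# Read the tier of a deployed gateway and print its generation.
appgw_check() {
  tier=$(az network application-gateway show -g "$1" -n "$2" \
           --query sku.tier -o tsv)
  echo "$2: tier=$tier generation=$(appgw_generation "$tier")"
}

# Show whether EncryptionAtHost is registered on the subscription and whether a
# given AKS node pool has host-based encryption turned on. OS and data disks of
# AKS nodes are encrypted at rest with platform-managed keys either way;
# EncryptionAtHost additionally covers the temp disk and disk caches on the host.
aks_host_encryption_check() {
  state=$(az feature show --namespace Microsoft.Compute --name EncryptionAtHost \
            --query properties.state -o tsv)
  enabled=$(az aks nodepool show -g "$1" --cluster-name "$2" -n "$3" \
              --query enableEncryptionAtHost -o tsv)
  echo "EncryptionAtHost feature: ${state:-NotRegistered}; node pool $3: enableEncryptionAtHost=${enabled:-false}"
}

# Example invocation (placeholder names):
# appgw_check my-rg my-appgw
# aks_host_encryption_check my-rg my-aks my-nodepool
```

A tier of "WAF_v2" (shown as "WAF V2" in the portal) therefore classifies as v2; a feature state other than "Registered" means the one-time registration has not been done on that subscription.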

SebastianPacheco-6836 replied to GitaraniSharmaMSFT-4262:
  1. ok, thanks!

When I create the AKS cluster I select the "encryption at-rest with a platform-managed key" option, but then when I read the document you indicate, I don't see anywhere that the "EncryptionAtHost" feature is registered on my platform.

I wanted to make sure that when selecting the option ("encryption at-rest with a platform-managed key") the disks of the NODES are automatically encrypted and I don't have to do anything else... I can't find the "EncryptionAtHost" feature

sorry, it's a bit confusing.
