
AZ-500: How Do You Securely Access AKS Nodes via SSH for Troubleshooting?

Is SSH Enabled on Azure Kubernetes Service (AKS) Nodes by Default?

Learn why SSH is enabled by default on AKS nodes for maintenance and troubleshooting, how the default security model (key-based authentication plus network restrictions) limits exposure, and which methods connect to a node securely, as tested in the AZ-500 exam.

Question

SSH is disabled on AKS nodes by default.

A. TRUE
B. FALSE

Answer

B. FALSE

Explanation

The correct answer is B. FALSE. The SSH daemon (sshd) runs on AKS nodes by default so that operators can reach a node for maintenance and troubleshooting. What is restricted is the path to it: the nodes have no public IP addresses and the node NSG admits no traffic from the internet, so SSH is reachable only from private addresses inside the cluster's virtual network, and only with the cluster's SSH key. Recent AKS releases can turn SSH off per node pool with the --ssh-access disabled option (a preview feature at the time of writing), but enabled remains the default, and that default is what the question tests.

Default SSH Configuration and Security Model

When an AKS cluster is deployed, the underlying virtual machine nodes are configured with the SSH daemon (sshd) running. However, this access is secured by default through multiple layers of protection.

  • Key-Based Authentication: Every AKS cluster is created with an SSH public key (az aks create takes it with --ssh-key-value, or generates one with --generate-ssh-keys) and the nodes accept only that key; password authentication is disabled on sshd. To connect you must hold the matching private key, and you log in as the node admin user (azureuser unless --admin-username was set at creation). The key can be rotated later with az aks update --ssh-key-value. This rules out password brute-forcing, but it also makes that private key a root credential for every node in the cluster, so store it as carefully as any other root secret.
  • Network Security Group (NSG) Restrictions: AKS creates an NSG in the node resource group (MC_<resource-group>_<cluster>_<region>) and attaches it to the node network interfaces. Out of the box it carries only Azure's default rules: AllowVnetInBound (priority 65000) admits traffic from inside the virtual network, AllowAzureLoadBalancerInBound (65001) admits the load balancer's probes, and DenyAllInBound (65500) drops everything else, so there is no rule admitting port 22 from the Internet. The nodes also carry no public IP addresses unless the node pool was created with --enable-node-public-ip. The result is that you cannot SSH to a node directly from the public internet, provided nobody has since added an inbound rule for port 22 from Internet or *, which is the first thing to check when auditing a cluster.
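
The NSG point above is easy to verify mechanically. The script below is an added example, not code from the page or from Microsoft: it evaluates inbound rules the way Azure does (lowest priority number first, first match wins) and reports whether TCP/22 arriving from the Internet would be admitted. The rule lines are constructed stand-ins for what az network nsg rule list --include-default -o tsv would return with a JMESPath query selecting priority, name, access, protocol, sourceAddressPrefix and destinationPortRange; rules written with the plural sourceAddressPrefixes/destinationPortRanges fields are assumed to have been expanded into one line each.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from Microsoft): evaluate an NSG the way
# Azure does, lowest priority number first, first match wins, and report whether
# TCP/22 from the Internet would reach the nodes. Rule lines are a constructed
# stand-in for the output of
#   az network nsg rule list -g <node-rg> --nsg-name <nsg> --include-default -o tsv \
#     --query "[?direction=='Inbound'].[priority,name,access,protocol,sourceAddressPrefix,destinationPortRange]"
# Assumption: each rule uses the singular sourceAddressPrefix/destinationPortRange;
# rules using the plural list fields would have to be expanded first.
set -eu

# True when the source prefix admits arbitrary Internet addresses. Service tags
# such as VirtualNetwork and AzureLoadBalancer, or a specific CIDR, do not.
covers_internet() {
  case "$1" in
    '*'|Internet|0.0.0.0/0) return 0 ;;
    *) return 1 ;;
  esac
}

# True when the protocol field matches TCP ('*' or Tcp in any letter case).
covers_tcp() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    '*'|tcp) return 0 ;;
    *) return 1 ;;
  esac
}

# True when the destination port range ('*', a single port, or lo-hi) contains $2.
covers_port() {
  case "$1" in
    '*') return 0 ;;
    *-*) [ "$2" -ge "${1%-*}" ] && [ "$2" -le "${1#*-}" ] ;;
    *)   [ "$1" = "$2" ] ;;
  esac
}

# Reads rule lines "priority name access protocol source destPortRange" on stdin
# and prints Allow:<rule> or Deny:<rule> for TCP/<port> arriving from the Internet.
decide_from_internet() {
  local port="${1:-22}"
  sort -n | {
    while read -r prio name access proto src ports; do
      case "$prio" in ''|'#'*) continue ;; esac
      if covers_tcp "$proto" && covers_internet "$src" && covers_port "$ports" "$port"; then
        printf '%s:%s\n' "$access" "$name"
        exit 0              # exits only the pipeline's subshell
      fi
    done
    printf 'Deny:implicit\n'   # unreachable when Azure's DenyAllInBound (65500) is present
  }
}

check_rules() { printf '%s\n' "$1" | decide_from_internet "${2:-22}"; }

# Constructed rule sets, not captured from a real cluster.
# 1) A fresh AKS node NSG: only Azure's default rules exist.
DEFAULT_RULES='65000 AllowVnetInBound Allow * VirtualNetwork *
65001 AllowAzureLoadBalancerInBound Allow * AzureLoadBalancer *
65500 DenyAllInBound Deny * * *'
# 2) The same NSG after someone opened SSH to the world "for a quick look".
EXPOSED_RULES="100 AllowSshFromAnywhere Allow Tcp Internet 22
$DEFAULT_RULES"
# 3) A management port range that happens to include 22, written as lo-hi.
RANGE_RULES="110 AllowMgmtPorts Allow * Internet 20-25
$DEFAULT_RULES"
# 4) SSH allowed only from an admin CIDR: still closed to the Internet at large.
SCOPED_RULES="100 AllowSshFromAdminRange Allow Tcp 203.0.113.0/24 22
$DEFAULT_RULES"

for set_name in DEFAULT_RULES EXPOSED_RULES RANGE_RULES SCOPED_RULES; do
  eval "rules=\$$set_name"
  printf '%-14s TCP/22 from Internet -> %s\n' "$set_name" "$(check_rules "$rules")"
done
```

Only the second and third sets report an Allow; the scoped rule from 203.0.113.0/24 is not an Internet-wide exposure and the default set ends at DenyAllInBound, which is exactly the state a freshly created cluster should be in.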

How to Securely Connect to an AKS Node

Because direct public access is blocked, connecting to an AKS node for troubleshooting requires a multi-step, secure approach.

  • Use a Bastion Host or Jump Box: The classic method is a separate virtual machine (a "jump box") in the same virtual network as the AKS cluster or in a peered one. An administrator connects to the jump box first and from there opens SSH to the node's private IP address (the INTERNAL-IP column of kubectl get nodes -o wide) as azureuser with the cluster's private key. The jump box is then the one exposed host in the path and needs hardening and monitoring of its own.
  • Azure Bastion Service: The managed alternative is Azure Bastion, which provides RDP/SSH connectivity to virtual machines in the VNet from the Azure portal over TLS, without any public IP address on the VMs themselves.
  • Using kubectl debug (Modern Approach): The Kubernetes-native approach is kubectl debug node/<node-name> -it --image=<image>, which schedules a privileged pod on the target node with the node's root filesystem mounted at /host; running chroot /host inside it gives a root shell on the node. No SSH key or jump box is involved: access is governed by Kubernetes RBAC (the right to create pods in the namespace) and every such request is recorded in the API server audit log, which makes it easier to control and audit than a shared SSH key. It is still root on the node, so grant pod-creation rights on production clusters sparingly, and delete the node-debugger-* pod when you are done.
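
The two routes above, as a small helper script. This is an added example, not code from the page or from Microsoft; it prints the commands by default and only executes them with DRY_RUN=0. It assumes kubectl is already authenticated against the cluster (az aks get-credentials), that the node admin user is the AKS default azureuser, and that the debug image is the busybox image Microsoft's troubleshooting guide uses; the node name and key path in the usage are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from Microsoft): reach an AKS node shell
# either with kubectl debug or over SSH from inside the VNet. Assumptions:
# kubectl is authenticated (az aks get-credentials), the node admin user is the
# AKS default "azureuser", and the debug image is the one Microsoft's guide uses.
# Commands are printed unless DRY_RUN=0 is set.
set -eu

DRY_RUN="${DRY_RUN:-1}"
DEBUG_IMAGE="${DEBUG_IMAGE:-mcr.microsoft.com/cbl-mariner/busybox:2.0}"
NODE_USER="${NODE_USER:-azureuser}"

# Print the command line in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Kubernetes node names are DNS-1123 subdomains. Reject anything else so a value
# copied from a ticket or a script can never turn into extra arguments.
valid_node_name() {
  [ "${#1}" -le 253 ] &&
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$'
}

is_ipv4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# Route 1, Kubernetes-native: a privileged pod on the node with the node's root
# filesystem at /host; chroot into it and you are root on the node. Requires RBAC
# rights to create pods in the current namespace. The node-debugger-* pod stays
# behind when you exit and must be deleted afterwards.
node_shell() {
  valid_node_name "$1" || { echo "invalid node name: $1" >&2; return 1; }
  run kubectl debug "node/$1" -it --image="$DEBUG_IMAGE" -- chroot /host
}

# Route 2, from a jump box or Azure Bastion session inside the VNet: SSH to the
# node's private address with the cluster's private key. The address is the
# InternalIP the API server reports for the node (kubectl get nodes -o wide).
node_internal_ip() {
  valid_node_name "$1" || { echo "invalid node name: $1" >&2; return 1; }
  run kubectl get node "$1" -o 'jsonpath={.status.addresses[?(@.type=="InternalIP")].address}'
}

ssh_node() {
  is_ipv4 "$1" || { echo "not an IPv4 address (lookup failed?): '$1'" >&2; return 1; }
  run ssh -i "$2" "$NODE_USER@$1"
}

# Usage: ./aks-node-shell.sh <node-name>   (add DRY_RUN=0 to really connect)
[ $# -eq 0 ] || node_shell "$1"
```

Run it with a node name from kubectl get nodes to see the exact kubectl debug invocation; for the SSH route, call node_internal_ip on the jump box, then ssh_node with the address it returns and the path to the cluster's private key.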

While SSH is technically enabled, the combination of mandatory key-based authentication and network-level isolation ensures that it is not an insecure entry point by default.
