For a brand-new microservices project in 2026, security isn’t just a “layer” you add at the end—it’s baked into the infrastructure. AKS has introduced several “secure-by-default” features that simplify this.
Here are the essential security best practices for your new setup:
1. Identity over Secrets (Zero Trust)
In 2026, storing connection strings or client secrets in Kubernetes “Secrets” is considered an anti-pattern.
- Best Practice: Use Microsoft Entra Workload ID.
- Why: Instead of your app having a password to access a database, your Pod is assigned a “Managed Identity.” Azure confirms the Pod’s identity via a signed token, granting it access without any static secrets that could be leaked.
- New in 2026: Enable Conditional Access for Workload Identities to ensure a microservice can only connect to your database if it’s running inside your specific VNet.
2. Harden the Host (Azure Linux 3.0)
The operating system running your nodes is part of your attack surface.
- Best Practice: Standardize on Azure Linux 3.0 (CBL-Mariner).
- Why: It is a “distroless-adjacent” host OS. It contains ~500 packages compared to the thousands in Ubuntu, drastically reducing the number of vulnerabilities (CVEs) you have to patch.
- Advanced Isolation: For sensitive services (like payment processing), enable Pod Sandboxing. This uses Kata Containers to run the service in a dedicated hardware-isolated micro-VM, preventing “container breakout” attacks where a hacker could jump from your app to the node.
3. Network “Blast Radius” Control
If one microservice is compromised, you don’t want the attacker to move laterally through your entire cluster.
- Best Practice: Use Cilium for Network Policy.
- Why: As of 2026, Cilium is the gold standard for AKS networking. It uses eBPF technology to filter traffic at the kernel level.
- Strategy: Implement a Default Deny policy. By default, no service should be able to talk to any other service unless you explicitly write a rule allowing it.
4. API Server Protection
The Kubernetes API server is the “front door” to your cluster. If someone gets in here, they own everything.
- Best Practice: Use API Server VNet Integration (Private Clusters).
- Why: This ensures your cluster’s management endpoint is not reachable from the public internet. It exists only inside your private network.
- Access Control: Use Microsoft Entra RBAC (Role-Based Access Control). Never use the “cluster-admin” local account. Link permissions to your team’s Entra ID groups so that when an employee leaves the company, their cluster access is revoked instantly.
5. Continuous Supply Chain Security
Security starts before the code even reaches AKS.
- Best Practice: Enable Defender for Cloud and Binary Authorization.
- Why: Defender for Cloud scans your images in the Azure Container Registry (ACR) for malware and secrets.
- Enforcement: Use Azure Policy for Kubernetes to block any deployment that hasn’t been scanned or isn’t coming from your trusted registry.
Summary Security Checklist
| Area | 2026 Standard |
| Identity | Microsoft Entra Workload ID (No Secrets) |
| OS | Azure Linux 3.0 with OS Guard |
| Network | Cilium with mTLS (Service Mesh) |
| Access | Private Cluster + Entra RBAC |
| Governance | Azure Policy “Restricted” Baseline |
Pro-Tip: Check your Secure Score in Microsoft Defender for Cloud weekly. It will give you a prioritized list of “quick fixes” for your specific AKS cluster based on real-time threats.
With a Service Mesh (specifically the Istio-based add-on for AKS), you are moving toward a “Zero Trust” network architecture. In this setup, the network is no longer trusted by default; every connection must be verified and encrypted.
Here is the 2026 security blueprint for running microservices with Istio on AKS.
1. Automated mTLS (Encryption in Transit)
By default, traffic between Kubernetes Pods is unencrypted. With Istio, you can enforce Strict Mutual TLS (mTLS) without changing a single line of application code.
- The Best Practice: Apply a
PeerAuthenticationpolicy at the namespace level set toSTRICT. - The Result: Any service that tries to connect via plain text will be instantly rejected by the sidecar proxy. This ensures that even if an attacker gains access to your internal network, they cannot “sniff” sensitive data (like headers or tokens) passing between services.
2. Identity-Based Authorization
IP addresses are ephemeral in Kubernetes and shouldn’t be used for security. Istio uses SPIFFE identities based on the service’s Kubernetes Service Account.
- The Best Practice: Use
AuthorizationPolicyto define “Who can talk to Whom.” - Example: You can create a rule that says the Email Service can only receive requests from the Orders Service, and only if the request is a
POSTto the/send-receiptendpoint. Everything else is blocked at the source.
3. Secure the “Front Door” (Ingress Gateway)
In 2026, the Kubernetes Gateway API has reached full GA (General Availability) for the AKS Istio add-on.
- The Best Practice: Use the
GatewayandHTTPRouteresources instead of the olderIngressobjects. - Security Benefit: It allows for better separation of concerns. Your platform team can manage the physical load balancer (the
Gateway), while your developers manage the routing rules (HTTPRoute) for their specific microservices.
4. Dapr + Istio: The “Power Couple”
Since you are building microservices, you might also use Dapr for state and messaging. In 2026, these two work together seamlessly but require one key configuration:
- The Best Practice: If both are present, let Istio handle the mTLS and Observability, and disable mTLS in Dapr.
- Why: Having two layers of encryption (“double wrapping” packets) adds significant latency and makes debugging network issues a nightmare.
5. Visualizing the “Blast Radius”
The biggest security risk in microservices is lateral movement.
- The Best Practice: Use the Kiali dashboard (integrated with AKS) to view your service graph in real-time.
- The Security Win: If you see a weird line of communication between your Public Web Frontend and your Internal Payment Database that shouldn’t exist, you’ve found a security hole or a misconfiguration before it becomes a breach.
Summary Security Checklist for Istio on AKS
| Task | 2026 Recommended Tool |
| Transport Security | PeerAuthentication (mode: STRICT) |
| Service Permissions | Istio AuthorizationPolicy |
| External Traffic | Kubernetes Gateway API (Managed Istio Ingress) |
| Egress (Outgoing) | Service Entry (Block all traffic to external sites except specific approved domains) |
| Auditing | Azure Monitor for Containers + Istio Access Logs |
Warning for 2026: Ensure your worker nodes have enough “headroom.” Istio sidecars (Envoy proxies) consume roughly 0.5 to 1.0 vCPU and several hundred MBs of RAM per Pod. For a project with many small microservices, this “sidecar tax” can add up quickly.
Infra Cloud Solutions 