Part 3 - In-scope workload / The landing zone of a PCI-DSS compliant application inside Microsoft Azure
The last article was about shared responsibility between the three parties that are involved Microsoft Azure, Kubernetes (AKS) and the customer. In today's post, we tackle Azure Kubernetes Services and where the workload would need to run. Azure Kubernetes Services (AKS) runs all the payloads where card data are decrypted and processed. It is required to run in a private cluster with no direct access to the internet. All the traffic must be limited to the private network, without direct access to and from the internet. It applies for workloads that process card data (in-scope) A dedicated node pool with a subnet is used for in-scope components (services handling card data). The payload runs in isolated node pools, isolated from the rest of the system. Additional node pools can be created for workloads that are not out-of-scope of PCI-DSS. Using such a topology, we can move the services from out-of-scope to in-scope seamless without significant changes in the architecture of the inf...