How to restrict source public IP addresses for egress traffic when using AKS (Azure Kubernetes Service)

[As of April 17, 2020]

Objectives

An ingress controller on Azure Kubernetes Service (AKS) can restrict incoming traffic to specified public source IP addresses, but what about egress traffic? Without any configuration, the public source IP address of egress traffic from AKS is allocated by Azure rather than chosen by you, so you cannot tell in advance which address a remote service will see, and it can change when the cluster or its outbound resources are recreated. That is a problem for API providers that allow incoming traffic only from specified public IP addresses. In this entry I summarize three ways to fix the source IP addresses used for egress traffic from AKS.

1. Azure Firewall

Control egress traffic for cluster nodes in Azure Kubernetes Service (AKS)
https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic

This topology is similar to an on-premises environment where a proxy handles internet access. As the diagram linked below shows, egress traffic is routed to the firewall's subnet with a UDR (user defined route) whose default route (0.0.0.0/0) has the firewall's private IP address as next hop. Only internet-bound traffic should be redirected this way; do not block traffic between subnets inside the AKS cluster's virtual network.

https://docs.microsoft.com/en-us/azure/firewall/media/integrate-lb/firewall-lb-asymmetric.png

Blocking internal subnet traffic using network security groups (NSGs) and firewalls is not supported. To control and block the traffic within the cluster, use Network Policies.

https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic
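The sequence the linked article describes, as an added example written for this post (it is not Microsoft's sample script): create the firewall in its own subnet, point a 0.0.0.0/0 route at the firewall's private IP, open the minimum rules the nodes need, and create the cluster with outboundType userDefinedRouting so AKS does not build its own outbound path. The resource names, address ranges, region, the DRY_RUN switch and the run/query helpers are assumptions; the az options are the ones documented for the azure-firewall extension and az aks create at the time of writing, so check them against your CLI version. By default the script only prints the plan; run it with DRY_RUN=0 to execute.

```shell
#!/bin/sh
# Added example for this post: Azure Firewall as the egress hop for AKS.
# Names, address ranges, region and the DRY_RUN switch are assumptions.
set -e

DRY_RUN="${DRY_RUN:-1}"          # 1 = print the plan only; 0 = actually call az
RG="${RG:-aks-egress-rg}"; LOC="${LOC:-japaneast}"
VNET=aks-vnet; AKSSUBNET=aks-subnet; FW=aks-fw; FWPIP=aks-fw-pip
RT=aks-fw-rt; AKS="${AKS:-aks-egress}"

run() {                          # print every command; execute it unless dry-running
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = 1 ] || "$@"
}
query() {                        # capture a value from az; placeholder when dry-running
  tag=$1; shift
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s=$(%s)\n' "$tag" "$*" >&2; printf '<%s>' "$tag"
  else "$@"; fi
}

main() {
  run az group create --name "$RG" --location "$LOC"
  # AKS subnet plus the firewall subnet; the name AzureFirewallSubnet is fixed by Azure.
  run az network vnet create -g "$RG" -n "$VNET" -l "$LOC" --address-prefixes 10.42.0.0/16 \
      --subnet-name "$AKSSUBNET" --subnet-prefix 10.42.1.0/24
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n AzureFirewallSubnet \
      --address-prefix 10.42.2.0/24
  # Firewall with one Standard-SKU public IP: this is the address API providers will see.
  run az extension add --name azure-firewall
  run az network public-ip create -g "$RG" -n "$FWPIP" -l "$LOC" --sku Standard
  run az network firewall create -g "$RG" -n "$FW" -l "$LOC"
  run az network firewall ip-config create -g "$RG" -f "$FW" -n fw-config \
      --public-ip-address "$FWPIP" --vnet-name "$VNET"
  FWPUBLIC_IP=$(query FWPUBLIC_IP az network public-ip show -g "$RG" -n "$FWPIP" --query ipAddress -o tsv)
  FWPRIVATE_IP=$(query FWPRIVATE_IP az network firewall show -g "$RG" -n "$FW" \
      --query 'ipConfigurations[0].privateIpAddress' -o tsv)
  # UDR: only the default route is redirected, so VNet-internal traffic keeps the system routes.
  run az network route-table create -g "$RG" -n "$RT"
  run az network route-table route create -g "$RG" --route-table-name "$RT" -n to-firewall \
      --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address "$FWPRIVATE_IP"
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$AKSSUBNET" --route-table "$RT"
  # Minimum rules the nodes need: tunnel to the API server (UDP 1194, TCP 9000), NTP, and the
  # AzureKubernetesService FQDN tag. Add the FQDNs of your own API providers the same way.
  run az network firewall network-rule create -g "$RG" -f "$FW" --collection-name aksfwnr -n apiudp \
      --protocols UDP --source-addresses '*' --destination-addresses '*' --destination-ports 1194 \
      --action allow --priority 100
  run az network firewall network-rule create -g "$RG" -f "$FW" --collection-name aksfwnr -n apitcp \
      --protocols TCP --source-addresses '*' --destination-addresses '*' --destination-ports 9000
  run az network firewall network-rule create -g "$RG" -f "$FW" --collection-name aksfwnr -n time \
      --protocols UDP --source-addresses '*' --destination-addresses '*' --destination-ports 123
  run az network firewall application-rule create -g "$RG" -f "$FW" --collection-name aksfwar -n fqdn \
      --source-addresses '*' --protocols 'http=80' 'https=443' --fqdn-tags AzureKubernetesService \
      --action allow --priority 100
  # outboundType userDefinedRouting tells AKS not to create its own outbound path. Control-plane
  # traffic now also leaves through the firewall, so its public IP must be an authorized range.
  SUBNET_ID=$(query SUBNET_ID az network vnet subnet show -g "$RG" --vnet-name "$VNET" \
      -n "$AKSSUBNET" --query id -o tsv)
  run az aks create -g "$RG" -n "$AKS" -l "$LOC" --node-count 3 --network-plugin azure \
      --vnet-subnet-id "$SUBNET_ID" --outbound-type userDefinedRouting \
      --service-cidr 10.41.0.0/16 --dns-service-ip 10.41.0.10 --docker-bridge-address 172.17.0.1/16 \
      --api-server-authorized-ip-ranges "$FWPUBLIC_IP"
}
main "$@"
```

The `--api-server-authorized-ip-ranges` line is the part people forget: once every packet from the nodes leaves through the firewall, the API server sees the firewall's public IP, and that address must be allowed or the nodes cannot reach the control plane.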

2. Standard Load Balancer

Provide your own public IPs or prefixes for egress
https://docs.microsoft.com/en-us/azure/aks/load-balancer-standard#provide-your-own-public-ips-or-prefixes-for-egress

Normally a load balancer sits in front of backend service nodes and handles inbound traffic, but a Standard SKU load balancer also provides the cluster's outbound connectivity: its outbound rules SNAT the nodes' egress traffic to the load balancer's frontend public IP addresses. If you supply those public IPs (or a public IP prefix) yourself, egress traffic from the cluster uses exactly those addresses. The topology is easier to understand if you regard the "backend" side as the nodes and the "frontend" side as the internet: access to the backend service nodes becomes, in reverse, the nodes' access to the internet.
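An added example for this post (not Microsoft's sample) showing the Standard load balancer approach end to end: create static Standard-SKU public IPs, pass their resource IDs to az aks create, then check from inside a pod which address the cluster's traffic actually comes from. The names, region, node count, the subscription placeholder, the DRY_RUN switch, the run helper and the use of https://ifconfig.me as an address echo service are assumptions; the az and kubectl options are ones that exist today. With DRY_RUN=1 (the default) it only prints the plan.

```shell
#!/bin/sh
# Added example for this post: pin AKS egress to your own Standard-SKU public IPs
# through the Standard load balancer's outbound rules, then verify from a pod.
# Names, region, subscription placeholder and the DRY_RUN switch are assumptions.
set -e
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the plan only; 0 = actually call az/kubectl
RG="${RG:-aks-egress-rg}"; LOC="${LOC:-japaneast}"; AKS="${AKS:-aks-egress}"
SUB="${SUB:-00000000-0000-0000-0000-000000000000}"   # placeholder subscription id

run() { printf '+ %s\n' "$*"; [ "$DRY_RUN" = 1 ] || "$@"; }

# Build the value --load-balancer-outbound-ips expects: public IP resource IDs, comma-separated.
outbound_ip_arg() {
  sub=$1; shift
  ids=""
  for name in "$@"; do
    ids="$ids,/subscriptions/$sub/resourceGroups/$RG/providers/Microsoft.Network/publicIPAddresses/$name"
  done
  printf '%s' "${ids#,}"
}

# Returns 0 when the observed egress address is one of the expected addresses, 1 otherwise.
ip_in_allowlist() {
  observed=$1; shift
  for ip in "$@"; do
    if [ "$observed" = "$ip" ]; then return 0; fi
  done
  return 1
}

main() {
  # Static Standard-SKU IPs: Basic-SKU or dynamic IPs cannot be frontends of a Standard LB.
  run az network public-ip create -g "$RG" -n egress-ip-1 -l "$LOC" --sku Standard --allocation-method Static
  run az network public-ip create -g "$RG" -n egress-ip-2 -l "$LOC" --sku Standard --allocation-method Static
  # The cluster's Standard LB is created with these two frontends and SNATs node egress to them.
  # For an existing cluster, az aks update accepts the same --load-balancer-outbound-ips flag;
  # --load-balancer-outbound-ip-prefixes does the same with a public IP prefix.
  run az aks create -g "$RG" -n "$AKS" -l "$LOC" --node-count 2 --load-balancer-sku standard \
      --load-balancer-outbound-ips "$(outbound_ip_arg "$SUB" egress-ip-1 egress-ip-2)"
  if [ "$DRY_RUN" = 1 ]; then return 0; fi
  # Verify: an external echo service reports the source address a pod's traffic arrives from.
  run az aks get-credentials -g "$RG" -n "$AKS" --overwrite-existing
  observed=$(kubectl run egress-check --rm -i --quiet --restart=Never --image=curlimages/curl -- \
             curl -s https://ifconfig.me)
  expected=$(az network public-ip list -g "$RG" \
             --query "[?starts_with(name,'egress-ip-')].ipAddress" -o tsv)
  if ip_in_allowlist "$observed" $expected; then
    echo "egress address $observed is one of the pinned IPs"
  else
    echo "egress address $observed is NOT one of: $expected" >&2; return 1
  fi
}
main "$@"
```

The verification step is worth keeping as a smoke test after any cluster change: a node pool upgrade or a recreated load balancer is exactly when a provider's allowlist silently stops matching.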

3. Virtual Network NAT

What is Virtual Network NAT?
https://docs.microsoft.com/en-us/azure/virtual-network/nat-overview
Designing virtual networks with NAT gateway resources
https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway-resource

This feature was introduced in March 2020. A NAT gateway is associated with one or more public IP addresses or public IP prefixes, and all outbound traffic from the subnets attached to it is SNATed to those addresses. The gateway is attached at the subnet level: a subnet can use at most one NAT gateway, and once attached it takes precedence over the load balancer's outbound rules for that subnet. Because the attachment is on the subnet, the AKS cluster has to be deployed into a virtual network and subnet that you manage.
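An added example for this post (not Microsoft's sample) of the NAT gateway approach: a static public IP and a /30 public IP prefix are attached to a NAT gateway, the gateway is attached to the AKS subnet, and the cluster is created into that subnet. Resource names, address ranges, region, the subscription placeholder, the DRY_RUN switch and the run helper are assumptions; the az options for az network nat gateway and az network vnet subnet update are the documented ones. With DRY_RUN=1 (the default) the script only prints what it would run.

```shell
#!/bin/sh
# Added example for this post: NAT gateway on the AKS node subnet.
# Names, address ranges, region and the DRY_RUN switch are assumptions.
set -e
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the plan only; 0 = actually call az
RG="${RG:-aks-egress-rg}"; LOC="${LOC:-japaneast}"; AKS="${AKS:-aks-egress}"
SUB="${SUB:-00000000-0000-0000-0000-000000000000}"   # placeholder subscription id
VNET=aks-vnet; SUBNET=aks-subnet; NATGW=aks-natgw

run() { printf '+ %s\n' "$*"; [ "$DRY_RUN" = 1 ] || "$@"; }

# Resource ID of the node subnet, in the form --vnet-subnet-id expects.
subnet_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$1" "$RG" "$VNET" "$SUBNET"
}

main() {
  run az group create -n "$RG" -l "$LOC"
  # The gateway is attached to a subnet, so the cluster must use a subnet you manage.
  run az network vnet create -g "$RG" -n "$VNET" -l "$LOC" --address-prefixes 10.42.0.0/16 \
      --subnet-name "$SUBNET" --subnet-prefix 10.42.1.0/24
  # One static Standard public IP plus a /30 prefix (four addresses). Every outbound flow from
  # the subnet is SNATed to one of these, so these are the addresses to give to API providers.
  run az network public-ip create -g "$RG" -n nat-ip-1 -l "$LOC" --sku Standard --allocation-method Static
  run az network public-ip prefix create -g "$RG" -n nat-prefix -l "$LOC" --length 30
  run az network nat gateway create -g "$RG" -n "$NATGW" -l "$LOC" \
      --public-ip-addresses nat-ip-1 --public-ip-prefixes nat-prefix --idle-timeout 10
  # Attaching the gateway to the subnet is the whole configuration; from then on it takes
  # precedence over the cluster load balancer's outbound rules for this subnet.
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" --nat-gateway "$NATGW"
  run az aks create -g "$RG" -n "$AKS" -l "$LOC" --node-count 2 --network-plugin azure \
      --vnet-subnet-id "$(subnet_id "$SUB")" --service-cidr 10.41.0.0/16 \
      --dns-service-ip 10.41.0.10 --docker-bridge-address 172.17.0.1/16
}
main "$@"
```

Compared with the load balancer approach, nothing about the egress path is configured on the cluster itself here; moving the cluster to another subnet, or detaching the gateway from this one, silently returns egress to whatever the load balancer provides, so treat the subnet attachment as part of the cluster's configuration.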

Resources

Integrate Azure Firewall with Azure Standard Load Balancer
https://docs.microsoft.com/en-us/azure/firewall/integrate-lb
Use a static public IP address for egress traffic in Azure Kubernetes Service (AKS)
https://docs.microsoft.com/en-us/azure/aks/egress
