How to restrict source public IP addresses for egress traffic when using AKS (Azure Kubernetes Service)

[As of March 31, 2021]

Objectives

The ingress controller of Azure Kubernetes Service (AKS) can allow ingress traffic only from specified public IP addresses, but what about egress traffic? Without any configuration, the source public IP addresses of egress traffic from AKS are chosen at random. This is a problem for some API providers, because they want to allow incoming traffic only from specified public IP addresses. In this entry, I summarize three ways to restrict the IP addresses used for egress traffic from AKS.

1. Azure Firewall

Control egress traffic for cluster nodes in Azure Kubernetes Service (AKS)
https://docs.microsoft.com/azure/aks/limit-egress-traffic

This topology is similar to an on-premises environment where a proxy handles internet access. As the diagram below shows, egress traffic is routed to the firewall's subnet with a UDR (user-defined route). In this case, we must not block any internal subnet traffic within the AKS cluster.

https://docs.microsoft.com/azure/firewall/media/integrate-lb/firewall-lb-asymmetric.png

Pay attention to the following note about blocking internal subnet traffic:

Blocking internal subnet traffic using network security groups (NSGs) and firewalls is not supported. To control and block the traffic within the cluster, use Network Policies.

https://docs.microsoft.com/azure/aks/limit-egress-traffic

2. Standard/Basic Load Balancer

In this case, you configure outbound rules for the load balancer.

Provide your own public IPs or prefixes for egress
https://docs.microsoft.com/azure/aks/load-balancer-standard#provide-your-own-public-ips-or-prefixes-for-egress
Use a static public IP address for egress traffic with a Basic SKU load balancer in Azure Kubernetes Service (AKS)
https://docs.microsoft.com/azure/aks/egress

3. Virtual Network NAT

NAT gateway was introduced in March 2020 and can be deployed onto a subnet. A NAT gateway has one or more public IP addresses. When a pod sends egress traffic, one of the public IPs assigned to the NAT gateway is used as the source IP.

What is Virtual Network NAT?
https://docs.microsoft.com/azure/virtual-network/nat-overview
Designing virtual networks with NAT gateway resources
https://docs.microsoft.com/azure/virtual-network/nat-gateway-resource

Typically, each node pool, which consists of a VMSS (Virtual Machine Scale Set), is connected to a single subnet. However, we can assign a unique subnet to each node pool (preview). When a NAT gateway is assigned to each subnet, pods running on each node pool use a different source IP.

Add a node pool with a unique subnet (preview)
https://docs.microsoft.com/azure/aks/use-multiple-node-pools#add-a-node-pool-with-a-unique-subnet-preview

4. Assign Public IP to each node in node pool

We can also assign a public IP to each node in a node pool (preview). When a pod running on a node sends egress traffic, the public IP assigned to the node is used as the source IP.

Assign a public IP per node for your node pools
https://docs.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools-preview
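Whichever of the four options is used, the API provider ends up with an allow-list of public IPs or prefixes, and the cluster operator should verify that every observed egress source actually falls inside it. The script below is an added example (not from the original post or Azure docs): it builds the allow-list from the `ipAddress`/`ipPrefix` fields as returned by `az network public-ip list` and `az network public-ip prefix list` (field names assumed, sample JSON constructed) and flags any access-log source IP that escaped the configured path.

```python
"""Verify that observed AKS egress source IPs fall inside the public IPs/prefixes
an API provider has been told to allow. Added example, not from the original post."""
import ipaddress
import json
from typing import Iterable, List

# Constructed sample of what `az network public-ip list` and
# `az network public-ip prefix list` return for the addresses attached to a
# NAT gateway or load-balancer outbound rule (field names assumed).
# Addresses are documentation ranges (RFC 5737), not real Azure IPs.
SAMPLE_PUBLIC_IPS_JSON = json.dumps([
    {"name": "aks-egress-pip-1", "ipAddress": "203.0.113.10"},
    {"name": "aks-egress-pip-2", "ipAddress": "203.0.113.11"},
])
SAMPLE_PREFIXES_JSON = json.dumps([
    {"name": "aks-egress-prefix", "ipPrefix": "198.51.100.0/28"},
])

def build_allow_list(public_ips_json: str, prefixes_json: str) -> List[ipaddress.IPv4Network]:
    """Collapse individual public IPs and prefixes into a minimal, sorted set of networks."""
    nets = [ipaddress.ip_network(p["ipAddress"]) for p in json.loads(public_ips_json)]
    nets += [ipaddress.ip_network(p["ipPrefix"], strict=True) for p in json.loads(prefixes_json)]
    return list(ipaddress.collapse_addresses(nets))

def find_unexpected_sources(allow_list, observed: Iterable[str]) -> List[str]:
    """Return observed source IPs that are NOT covered by the allow-list.
    Any hit means egress left the cluster via a path other than the configured
    NAT gateway / outbound rule / node public IP (e.g. a default SNAT address)."""
    unexpected = []
    for src in observed:
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in allow_list):
            unexpected.append(src)
    return unexpected

# Constructed sample of source addresses seen in the API provider's access log.
OBSERVED = ["203.0.113.10", "198.51.100.7", "203.0.113.11", "192.0.2.44"]

if __name__ == "__main__":
    allowed = build_allow_list(SAMPLE_PUBLIC_IPS_JSON, SAMPLE_PREFIXES_JSON)
    print("allow-list:", [str(n) for n in allowed])
    print("unexpected:", find_unexpected_sources(allowed, OBSERVED))
```

A non-empty "unexpected" list means some node or pool is still using a random SNAT address and the UDR, outbound rule, NAT gateway association or per-node public IP has not taken effect for it.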

Resources

Integrate Azure Firewall with Azure Standard Load Balancer
https://docs.microsoft.com/azure/firewall/integrate-lb
Use a static public IP address for egress traffic in Azure Kubernetes Service (AKS)
https://docs.microsoft.com/azure/aks/egress
