[As of April 17, 2020]
The ingress controller of Azure Kubernetes Service (AKS) can restrict ingress traffic to specified public IP addresses, but what about egress traffic? Without any configuration, the source public IP addresses of egress traffic from AKS are chosen at random. This behavior is a problem for some API providers, because they want to allow incoming traffic only from specified public IP addresses. In this entry I summarize three ways to restrict the IP addresses used for egress traffic from AKS.
1. Azure Firewall
Control egress traffic for cluster nodes in Azure Kubernetes Service (AKS)
This topology is similar to an on-premises environment where a proxy handles internet access. As the diagram below shows, egress traffic is routed to the firewall's subnet with a UDR (user-defined route). In this case, we must not block any internal subnet traffic within the AKS cluster:
"Blocking internal subnet traffic using network security groups (NSGs) and firewalls is not supported. To control and block the traffic within the cluster, use Network Policies."
Source: https://docs.microsoft.com/azure/aks/limit-egress-traffic
2. Standard Load Balancer
Provide your own public IPs or prefixes for egress
Typically, a load balancer is located in front of backend service nodes, but this topology is easier to understand if you regard the backend service nodes' internet access as what the load balancer fronts: outbound traffic from the nodes leaves with the load balancer's own public IPs or prefixes as its source addresses.
3. Virtual Network NAT
What is Virtual Network NAT?
Designing virtual networks with NAT gateway resources
This feature was introduced in March 2020. A NAT gateway is assigned public IP addresses, and outbound traffic from the subnet uses them as its source IPs. One NAT gateway can be associated with each subnet.
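The three options above (Azure Firewall with a UDR, Standard Load Balancer outbound IPs, and a NAT gateway on the node subnet) as one Azure CLI script. This is an added example, not the entry's own code: resource-group, VNet, subnet and cluster names are placeholders, the region is arbitrary, and the IP-echo endpoint used for the final check is left for you to supply. Nothing touches Azure unless AKS_EGRESS_APPLY=1 is set; with AZ=echo the script prints the commands it would run, which is also how it is tested offline.

```shell
#!/usr/bin/env bash
# Added example: pin the source IP of AKS egress traffic with each of the
# three options from the entry. Names below are placeholders (assumption).
set -euo pipefail

AZ=${AZ:-az}                               # set AZ=echo for a dry run
RG=${RG:-rg-aks-egress}                    # resource group (placeholder)
LOCATION=${LOCATION:-japaneast}            # region (placeholder)
VNET=${VNET:-vnet-aks}                     # custom VNet holding the node subnet
NODE_SUBNET=${NODE_SUBNET:-snet-aks-nodes} # AKS node subnet (placeholder)
CLUSTER=${CLUSTER:-aks-egress-demo}        # existing Standard-SKU cluster

# All three options hand out a Standard-SKU static public IP as the source
# address, so that is the one shared building block. Prints the resource id.
create_static_pip() {
  local name=$1
  $AZ network public-ip create -g "$RG" -n "$name" -l "$LOCATION" \
      --sku Standard --allocation-method Static --query id -o tsv
}

# Option 1: Azure Firewall + UDR. Needs the azure-firewall CLI extension and a
# subnet named AzureFirewallSubnet in the VNet. Only the default route of the
# node subnet is sent to the firewall; intra-VNet traffic keeps its system
# routes, so nothing inside the cluster is blocked by the firewall.
egress_via_firewall() {
  local fw=$1 fw_pip=$2 rt=$3 fw_private_ip
  $AZ network firewall create -g "$RG" -n "$fw" -l "$LOCATION"
  $AZ network firewall ip-config create -g "$RG" -f "$fw" -n fw-ipconfig \
      --public-ip-address "$fw_pip" --vnet-name "$VNET"
  fw_private_ip=$($AZ network firewall show -g "$RG" -n "$fw" \
      --query "ipConfigurations[0].privateIpAddress" -o tsv)
  $AZ network route-table create -g "$RG" -n "$rt" -l "$LOCATION"
  $AZ network route-table route create -g "$RG" --route-table-name "$rt" \
      -n default-to-firewall --address-prefix 0.0.0.0/0 \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$fw_private_ip"
  $AZ network vnet subnet update -g "$RG" --vnet-name "$VNET" \
      -n "$NODE_SUBNET" --route-table "$rt"
  # The cluster must then be created on that subnet with
  #   az aks create ... --vnet-subnet-id <subnet id> --outbound-type userDefinedRouting
  # so AKS does not also provision load-balancer egress that bypasses the route.
}

# Option 2: Standard Load Balancer with your own outbound IP. The given list
# replaces the randomly assigned outbound IPs of an existing cluster.
egress_via_slb() {
  local pip_id=$1
  $AZ aks update -g "$RG" -n "$CLUSTER" --load-balancer-outbound-ips "$pip_id"
}

# Option 3: Virtual Network NAT. One NAT gateway per subnet, associated with
# the node subnet; outbound flows then SNAT to the gateway's public IP.
egress_via_nat_gateway() {
  local natgw=$1 pip_name=$2
  $AZ network nat gateway create -g "$RG" -n "$natgw" -l "$LOCATION" \
      --public-ip-addresses "$pip_name" --idle-timeout 10
  $AZ network vnet subnet update -g "$RG" --vnet-name "$VNET" \
      -n "$NODE_SUBNET" --nat-gateway "$natgw"
}

# Check: does the address the internet sees match the allow-list you gave the
# API provider? Returns 0 when the observed IP is in the list, 1 otherwise.
verify_egress_ip() {
  local observed=$1 allowed; shift
  for allowed in "$@"; do
    [ "$observed" = "$allowed" ] && return 0
  done
  return 1
}

# Observe the egress IP from inside the cluster. IP_ECHO_URL is a placeholder
# for whatever "what is my IP" endpoint you trust (assumption).
observe_egress_ip() {
  kubectl run egress-check --rm -i --restart=Never --image=curlimages/curl \
      -- curl -s "${IP_ECHO_URL:?set IP_ECHO_URL to an IP-echo endpoint}"
}

if [ "${AKS_EGRESS_APPLY:-0}" = "1" ]; then
  case "${EGRESS_OPTION:-nat}" in
    firewall) create_static_pip pip-fw >/dev/null
              egress_via_firewall fw-aks pip-fw rt-aks-egress ;;
    slb)      egress_via_slb "$(create_static_pip pip-slb-egress)" ;;
    nat)      create_static_pip pip-natgw >/dev/null
              egress_via_nat_gateway natgw-aks pip-natgw ;;
  esac
  # ALLOWED_IPS (space-separated) is what you told the API provider to expect.
  verify_egress_ip "$(observe_egress_ip)" ${ALLOWED_IPS:?set ALLOWED_IPS} \
    && echo "egress IP is on the allow-list" || { echo "egress IP NOT allowed"; exit 1; }
fi
```

Run it with `AZ=echo EGRESS_OPTION=firewall AKS_EGRESS_APPLY=1 IP_ECHO_URL=... ALLOWED_IPS=... bash egress.sh` first to review the exact commands, then drop `AZ=echo`. The final check matters with every option: a cluster that still has the default load-balancer outbound rule, or a subnet without the route table or NAT gateway association, will silently keep using a random source IP.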
Integrate Azure Firewall with Azure Standard Load Balancer
Use a static public IP address for egress traffic in Azure Kubernetes Service (AKS)