Site-to-Site connection with Single IP for ingress and egress traffic

Enrique Gutierrez 0 Reputation points
2024-04-27T13:50:32.75+00:00

Hi. I have a requirement to connect to a SaaS API via Site-to-Site VPN, but they only allow one private IP to send and receive the traffic. I have a K8s cluster in AKS and my system has 2 deployments that will be hitting their API, an HTTPS web service and a queue management service for async jobs. Starting there, it will be impossible to have one single IP for egress and ingress, not to mention that multiple pods could be created for high availability (so more pods == more IPs). How can I meet this requirement?

Azure Kubernetes Service (AKS)

2 answers

  1. Raviraj Nallasivam 170 Reputation points
    2024-04-28T23:52:00.2866667+00:00

    The VPN gateway will have one public IP address. AKS cluster services such as the HTTPS web service and queue management will have virtual network private IP addresses. So both ingress and egress traffic will flow through the public IP address from Azure to the SaaS API.

    Please reply if you have more questions.


  2. Anveshreddy Nimmala 2,540 Reputation points Microsoft Vendor
    2024-05-03T04:40:37.2166667+00:00

    Hello Enrique Gutierrez,

    For inbound connections, you typically need to expose your services via a public endpoint.

    Deploy an Azure Application Gateway with WAF (Web Application Firewall) that can be pre-configured with your AKS services.

    The Application Gateway can act as a reverse proxy, directing incoming requests to the appropriate services in your AKS cluster.

    Create an Azure load balancer to manage the inbound traffic. Point your DNS records to the load balancer, which then routes traffic to your services based on the configuration.

    You need to have the VPN gateway configured to accept connections from the SaaS provider's network and route them appropriately within your VNet.

    Configure Network Security Groups and routing tables to ensure that inbound traffic from the VPN is routed to the AGW or ALB, and then to your AKS services.

    Make sure that all outbound traffic from your AKS to the SaaS provider appears to come from a single IP address.

    Hope this helps you

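The following is an added example, not part of the question or of either answer, showing the ingress half of the second answer in concrete form: a Kubernetes Service of type LoadBalancer that provisions an internal (private) Azure Load Balancer with one fixed private IP inside the AKS VNet. Every pod of the web deployment sits behind that single frontend, so the pod count never changes the address the SaaS provider sees across the Site-to-Site VPN. The namespace, selector, subnet name `snet-ingress` and the address `10.240.1.10` are assumptions for illustration; the two annotations are the documented AKS cloud-provider annotations for internal load balancers.

```yaml
# Added example (not from the original thread): one stable private ingress IP
# for the HTTPS web service, reachable from the SaaS side over the S2S VPN.
# Assumptions: namespace "api", pods labelled app=web-api listening on 8443,
# a subnet "snet-ingress" in the AKS VNet, and 10.240.1.10 free in that subnet.
apiVersion: v1
kind: Service
metadata:
  name: web-api-internal
  namespace: api
  annotations:
    # Provision an internal Azure Load Balancer (private frontend, no public IP).
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    # Put the frontend in a dedicated subnet so the IP is easy to allow-list
    # on the SaaS side and is never shared with node or pod ranges.
    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "snet-ingress"
spec:
  type: LoadBalancer
  # The single private IP handed to the SaaS provider for inbound traffic.
  loadBalancerIP: 10.240.1.10
  selector:
    app: web-api
  ports:
    - name: https
      port: 443
      targetPort: 8443
      protocol: TCP
```

For the egress half (the last point of the second answer), a Kubernetes manifest cannot do the job; it is cluster and VNet configuration. The usual pattern is to create the cluster with `az aks create --outbound-type userDefinedRouting`, attach a route table to the node subnet with a route for the SaaS prefix whose next hop is `VirtualAppliance` at the private IP of an Azure Firewall, and let the firewall SNAT to its private IP, so all pods on all nodes appear as one source address behind the VPN. Check the firewall's private-range setting: by default Azure Firewall does not SNAT traffic to RFC 1918 destinations, so a SaaS prefix in that space must be excluded from the private ranges (or SNAT forced) for this to work. Note that this yields two private IPs, one for ingress (the load balancer frontend) and one for egress (the firewall SNAT address); if the provider truly requires a single address in both directions, the inbound frontend and the outbound SNAT must terminate on the same NVA.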