Hello Siddhartha Mishra,
Welcome to Microsoft Q&A. Thank you for posting your query here.
i. Azure CNI supports assigning each pod an IP from the subnet, allowing more granular control over networking.
You can potentially configure Azure CNI to assign IPs from different subnet ranges based on namespace annotations.
Implement Kubernetes network policies that ensure pods communicate only within their designated subnets unless explicitly allowed.
ii. Use an Egress Controller with IP Masquerading.
You can use an egress controller like Istio, which supports complex routing rules and can act as an egress gateway.
Configure Istio’s egress gateway to apply different masquerade rules based on the namespace of the outgoing request.
https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/
Set up NAT gateways in your VNET. Each NAT gateway will have its own public IP address.
Configure routing rules to direct traffic from specific namespaces through specific NAT gateways.
Modify your pod deployments to route their outbound traffic through the Istio egress gateway,
which then routes the traffic through the appropriate NAT gateway based on the namespace.
Hope this helps you.
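A way to check the per-namespace subnet isolation described in the answer above, as an added example that is not part of the original answer: it audits pod IPs against each namespace's designated subnet, flags overlapping subnets, and builds the matching NetworkPolicy. The namespace names, CIDRs, pod inventory and function names are all constructed assumptions, and the policy only takes effect on a cluster with a network policy engine enabled.

```python
import ipaddress
import json

# Constructed mapping of namespace -> designated pod subnet (assumed values).
NAMESPACE_SUBNETS = {"team-a": "10.240.1.0/24", "team-b": "10.240.2.0/24"}

# Constructed pod inventory, shaped like `kubectl get pods -A -o wide` output.
PODS = [
    {"namespace": "team-a", "name": "api-1", "ip": "10.240.1.17"},
    {"namespace": "team-b", "name": "worker-1", "ip": "10.240.2.40"},
    {"namespace": "team-b", "name": "worker-2", "ip": "10.240.1.99"},  # wrong subnet
]

def overlapping(ns_subnets):
    """Namespace pairs whose subnets overlap; ipBlock rules could not separate them."""
    nets = {ns: ipaddress.ip_network(cidr) for ns, cidr in ns_subnets.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def misplaced_pods(pods, ns_subnets):
    """Pods whose IP is outside their namespace's subnet, or whose namespace is unmapped."""
    bad = []
    for pod in pods:
        cidr = ns_subnets.get(pod["namespace"])
        if cidr is None or ipaddress.ip_address(pod["ip"]) not in ipaddress.ip_network(cidr):
            bad.append(f'{pod["namespace"]}/{pod["name"]}')
    return bad

def build_policy(namespace, cidr):
    """NetworkPolicy limiting every pod in the namespace to its own subnet.
    Anything else (DNS, the egress gateway) must be allowed by additional rules."""
    ipaddress.ip_network(cidr)  # raises ValueError on a malformed CIDR
    block = {"ipBlock": {"cidr": cidr}}
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "restrict-to-own-subnet", "namespace": namespace},
        "spec": {
            "podSelector": {},  # empty selector matches all pods in the namespace
            "policyTypes": ["Ingress", "Egress"],
            "ingress": [{"from": [block]}],
            "egress": [{"to": [block]}],
        },
    }

if __name__ == "__main__":
    print("overlaps:", overlapping(NAMESPACE_SUBNETS))
    print("misplaced:", misplaced_pods(PODS, NAMESPACE_SUBNETS))
    print(json.dumps(build_policy("team-a", NAMESPACE_SUBNETS["team-a"]), indent=2))
```

The printed policy is JSON, which `kubectl apply -f` accepts alongside YAML.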