Does adding more IP in Standard load balancer increase SNAT ports in AKS VMSS?

Question

Does adding more IP in Standard load balancer increase SNAT ports in AKS VMSS?

Tanul 1,291

Hello,

If we add 2 ip's as outbound rule in the AKS standard load balancer targeting to same backend pool then does it increase the SNAT ports count to 64k*2.

If yes, can we use 1 default public ip which azure automatically creates and add one more by creating our own.

Please suggest. Thank you.

Kind Regards,

Tanul

Brian Kibichii kemboi 0 Reputation points

2023-05-31T13:28:37.2033333+00:00

Thank you Tanui

Adding more IP addresses to a Standard Load Balancer in an AKS VMSS does not directly increase the number of SNAT ports available. The number of SNAT ports in Azure is determined by the number of backend instances in the VMSS.

The allocation of SNAT ports in Azure is based on the number of backend instances in the VMSS, with each instance having access to 64,000 SNAT ports. So, if you have a single backend instance in your VMSS, you will have 64,000 SNAT ports available. If you have two backend instances, the total SNAT port count will be 128,000 (64,000 per instance).

Adding multiple IP addresses as outbound rules in the AKS standard load balancer targeting the same backend pool does not directly increase the SNAT port count. The availability of SNAT ports is tied to the number of backend instances, not the number of IP addresses.

Regarding your second question, it is indeed possible to use the default public IP automatically created by Azure and add another public IP of your own. You can create a standard load balancer in Azure and assign the default public IP to it. Additionally, you can create a separate public IP resource and associate it with the same standard load balancer. This allows you to have two public IP addresses available for your AKS cluster.

It is important to note that the number of SNAT ports will still be determined by the number of backend instances in the VMSS, regardless of the number of public IP addresses you have.

I hope I was able to answer your questions.
Tanul 1,291 Reputation points

2023-05-31T13:36:46.89+00:00

@Anonymous Oh got it. Then I think. Adding a new public ip will only makes sense if we are adding one new node pool. And using another ip as the outbound for another node pool. Am I correct?
Tanul 1,291 Reputation points

2023-05-31T13:38:41.7466667+00:00

@Anonymous One more query what is backend instance in VMSS. Does that mean one single machine in VMSS or a complete VMSS node pool of n number of machines.

If I'm not wrong backend means VM but backend instance is complete node pool. Am I correct?

1 answer

Your answer

Brian Kibichii kemboi 0 Reputation points

2023-05-31T13:28:37.2033333+00:00

Thank you Tanui

Adding more IP addresses to a Standard Load Balancer in an AKS VMSS does not directly increase the number of SNAT ports available. The number of SNAT ports in Azure is determined by the number of backend instances in the VMSS.

The allocation of SNAT ports in Azure is based on the number of backend instances in the VMSS, with each instance having access to 64,000 SNAT ports. So, if you have a single backend instance in your VMSS, you will have 64,000 SNAT ports available. If you have two backend instances, the total SNAT port count will be 128,000 (64,000 per instance).

Adding multiple IP addresses as outbound rules in the AKS standard load balancer targeting the same backend pool does not directly increase the SNAT port count. The availability of SNAT ports is tied to the number of backend instances, not the number of IP addresses.

Regarding your second question, it is indeed possible to use the default public IP automatically created by Azure and add another public IP of your own. You can create a standard load balancer in Azure and assign the default public IP to it. Additionally, you can create a separate public IP resource and associate it with the same standard load balancer. This allows you to have two public IP addresses available for your AKS cluster.

It is important to note that the number of SNAT ports will still be determined by the number of backend instances in the VMSS, regardless of the number of public IP addresses you have.

I hope I was able to answer your questions.
Tanul 1,291 Reputation points

2023-05-31T13:36:46.89+00:00

@Anonymous Oh got it. Then I think. Adding a new public ip will only makes sense if we are adding one new node pool. And using another ip as the outbound for another node pool. Am I correct?
Tanul 1,291 Reputation points

2023-05-31T13:38:41.7466667+00:00

@Anonymous One more query what is backend instance in VMSS. Does that mean one single machine in VMSS or a complete VMSS node pool of n number of machines.

If I'm not wrong backend means VM but backend instance is complete node pool. Am I correct?

Answer 1

Andrei Barbu 2,596 Microsoft Employee

Hello Tanul,

The previous answer (from Brian kemboi) is not correct.

Configuring the AKS Standard Load Balancer with more IPs will provide you more SNAT ports. Each IP has 64000 ports.

This is documented here: https://learn.microsoft.com/en-us/azure/aks/load-balancer-standard#configure-the-allocated-outbound-ports
"Each IP address provided by a frontend provides 64k ephemeral ports for the load balancer to use as SNAT ports."

In that documentation you can find examples on how to calculate and also on how to update the number of LB outbound IP count or update the LB with your own IP.

Hopefully this is what you are looking for! If you have additional questions, please let us know in the comments.

If this has been helpful, please take a moment to accept answers as this helps increase visibility of this question for other members of the Microsoft Q&A community. Thank you for helping to improve Microsoft Q&A!

Tanul 1,291 Reputation points

2023-05-31T14:42:24.8+00:00

@Andrei Barbu Oh thank god you saved. One last query.. I have added one more ip in outbound and front end rule of load balancer. Now I've ssh the AKS node and checked the egress ip of that node by running command curl ifconfg.me. Its still showing the same ip created by azure which is 20.xx.xx.xx series. The ip which I have added in the out bound is of 40.xx.xx.xx series. However, I don't have any control on the series range. How to use the another ip created by me for egress in the node pools.
Tanul 1,291 Reputation points

2023-05-31T14:43:15.44+00:00

@Andrei Barbu Or both the ip's will act as round robin. Node pools is the backend can pick any one dynamically for egress
Andrei Barbu 2,596 Reputation points Microsoft Employee

2023-05-31T14:50:53.2533333+00:00

Honestly, I am not sure how the connections are distributed but I would assume round-robin. To make sure the configuration is correct, please help with the following information.

1 - Please provide all the steps on how you configured the 40.x.x.x IP address to be used by the AKS LB.
2 - If you open the LB and go to "Frontend IP configuration", will both, the 20.x.x.x and 40.x.x.x IP be shown there?
Tanul 1,291 Reputation points

2023-05-31T15:03:06.23+00:00
@Andrei Barbu

Steps are as follows:

Create a resource

Selected networking

Selected Public Ip address(the first option)

Then filled exactly like the image below and clicked review+create

Then opened standard load balancer available in MC_xxx group and added front end configuration

In front end config select the test ip and gateway load balancer option is set to None

Then clicked outbound rule

Selected fronted Ip address and backend pool was already selected to aksOutboundBackendPool

And didn't click anywhere else. That's how created the ip and added as outbound rule
Tanul 1,291 Reputation points

2023-05-31T17:05:33.05+00:00

@Andrei Barbu Is it correct or there is some other process. Could you please help. Really appreciate. Thank you.
Tanul 1,291 Reputation points

2023-05-31T18:25:32.4+00:00

@Andrei Barbu

I just found this line. You are saying that adding more ip will ad more ephemeral ports. Then what is the means of this line

Adding more IPs doesn't add more ports to any node, but it provides capacity for more nodes in the cluster
Andrei Barbu 2,596 Reputation points Microsoft Employee

2023-06-01T04:52:51.57+00:00

Hello @Tanul ! The way you added the IP is not the correct one. You need to do it via "az aks" commands. The LB is managed by AKS and if you modify it manually, the changed will be reverted back after any PUT operation.

Please make sure to carefully read https://learn.microsoft.com/en-us/azure/aks/load-balancer-standard to understand how to properly manipulate your AKS LB.

Regarding "Adding more IPs doesn't add more ports to any node, but it provides capacity for more nodes in the cluster" that is correct. Any new public IP will have 64k ports, but you need to configure the LB to associate that ports to the nodes.

Your question was if adding a second IP if the SNAT ports will double and that's what I answered. What you mentioned is covered in the link that I initially sent: https://learn.microsoft.com/en-us/azure/aks/load-balancer-standard#configure-the-allocated-outbound-ports. You'll have to use "az aks update" with "--load-balancer-outbound-ports" parameter to allocate that ports to the nodes.
Tanul 1,291 Reputation points

2023-06-01T07:11:38.32+00:00

@Andrei Barbu, Got it. Thank you so much
KarishmaTiwari-MSFT 20,777 Reputation points Microsoft Employee Moderator

2023-06-06T02:48:39.8033333+00:00

Tanul If the answer above helped, please don’t forget to Accept Answer and hit Yes for "was this answer helpful" wherever the information provided helps you. This can be beneficial to other community members for remediation for similar issues.

If you still have questions, please let us know in the "comments" and we would be happy to help you. Comment is the fastest way of notifying the experts.

Share via

Does adding more IP in Standard load balancer increase SNAT ports in AKS VMSS?

1 answer

Your answer