Restrict certain AKS pod from External World

Sunil Yadav 25 Reputation points

I am using Application Gateway with WAF and an application (pod1, pod2, pod3) running in AKS. I would like to restrict certain pods (pod1 and pod2) from External/Internet access and only allow access from certain IP addresses.

What would be the best approach to implement this restriction if we have WAF and AKS?


1 answer

  1. ChaitanyaNaykodi-MSFT 15,806 Reputation points Microsoft Employee

    @Sunil Yadav

    Welcome to the Microsoft Q&A forum.

    I think the best way to implement the required restriction will be to:

    • Use custom rules for Web Application Firewall v2 to apply the IP restriction. You can refer to this example here and use WAF custom rules to allow only certain IP addresses to communicate with the Application Gateway.
    • Configure per-site WAF policies to apply WAF policies to individual listeners, which allows for site-specific WAF configuration. As you need the IP restrictions above for pod1 and pod2 only, you can implement a separate WAF policy containing the custom rule above to apply the restriction. For pod3 you can have a different WAF policy that allows communication as per your requirements.

    Hope this helps! Please let me know if you have any additional questions. Thank you!

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
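The two steps in the answer above (an IP-restriction custom rule, applied through a per-site policy only to the listener that fronts pod1 and pod2), as an added worked example that is not part of the original thread. It is an offline Python model of how Application Gateway WAF v2 evaluates custom rules against a request's source IP, useful for checking that the rule is written the right way round before deploying it. The policy and listener names, hostnames, IP ranges and sample requests are constructed for the demo; the rule dictionaries follow the layout of the `customRules` element in a WAF policy resource (priority, ruleType, matchConditions, action), but nothing here talks to Azure.

```python
"""
Offline model of Application Gateway WAF v2 custom-rule evaluation.
Added example, not code from the Q&A thread. All names, hostnames and
IP ranges below are constructed/hypothetical.
"""
import ipaddress

# Constructed allow-list: the only sources that may reach pod1/pod2.
ALLOWED_SOURCES = ["203.0.113.0/24", "198.51.100.7/32"]  # RFC 5737 test ranges


def ip_restriction_rule(allowed, priority=10):
    """Custom rule: block every request whose RemoteAddr is NOT in `allowed`.

    This negated-IPMatch + Block form is the one that actually restricts
    access. A request that matches no custom rule is not blocked; it simply
    continues to the managed rule set, so an Allow rule for the listed IPs
    on its own would not keep anyone else out (see naive_allow_rule).
    """
    return {
        "name": "AllowListedSourcesOnly",
        "priority": priority,
        "ruleType": "MatchRule",
        "action": "Block",
        "matchConditions": [{
            "matchVariables": [{"variableName": "RemoteAddr"}],
            "operator": "IPMatch",
            "negationConditon": True,   # field name spelled as in the ARM schema
            "matchValues": list(allowed),
        }],
    }


def naive_allow_rule(allowed, priority=10):
    """The tempting but wrong variant: Allow the listed IPs and nothing else."""
    rule = ip_restriction_rule(allowed, priority)
    rule["name"] = "AllowListedSources"
    rule["action"] = "Allow"
    rule["matchConditions"][0]["negationConditon"] = False
    return rule


def _condition_matches(cond, request):
    """Evaluate one IPMatch match condition against a request dict."""
    if cond["operator"] != "IPMatch":
        raise NotImplementedError("only IPMatch is modelled here")
    variable = cond["matchVariables"][0]["variableName"]
    addr = ipaddress.ip_address(request[variable])
    hit = any(addr in ipaddress.ip_network(v, strict=False)
              for v in cond["matchValues"])
    # negationConditon inverts the match result.
    return hit != bool(cond.get("negationConditon", False))


def evaluate(policy, request):
    """Return the action of the first matching custom rule (lowest priority
    number wins), or "Managed" when no custom rule matches and evaluation
    falls through to the managed rule set."""
    for rule in sorted(policy["customRules"], key=lambda r: r["priority"]):
        if all(_condition_matches(c, request) for c in rule["matchConditions"]):
            return rule["action"]
    return "Managed"


# Per-site policies (constructed): the restrictive policy is attached only to
# the listener that serves pod1/pod2; the pod3 listener gets a policy with no
# IP restriction. In Azure this is the listener's firewallPolicy association.
POLICIES = {
    "restricted-policy": {"customRules": [ip_restriction_rule(ALLOWED_SOURCES)]},
    "open-policy": {"customRules": []},
}
LISTENER_POLICY = {
    "pods12.example.com": "restricted-policy",   # hypothetical hostname
    "pod3.example.com": "open-policy",           # hypothetical hostname
}


def decide(host, remote_addr):
    """Outcome for a request to `host` from `remote_addr` under the per-site policy."""
    policy = POLICIES[LISTENER_POLICY[host]]
    return evaluate(policy, {"RemoteAddr": remote_addr})


if __name__ == "__main__":
    for host, src in [("pods12.example.com", "203.0.113.50"),
                      ("pods12.example.com", "192.0.2.10"),
                      ("pod3.example.com", "192.0.2.10")]:
        print(f"{host} from {src}: {decide(host, src)}")
```

Two caveats worth checking before relying on this in production. First, `RemoteAddr` is the address the Application Gateway itself sees; if clients arrive through another proxy or CDN in front of the gateway, that address belongs to the proxy, and the condition has to be written against the `X-Forwarded-For` request header instead. Second, the per-site policy only helps if pod1/pod2 and pod3 are actually on separate listeners (distinct hostnames or ports); if they share one listener behind path-based routing, the IP restriction applies to all of them.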