This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 4%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
As in title.
Hi Andrew,
By default, AKS clusters have unrestricted outbound internet access. This level of network access allows nodes and services you run to access external resources as needed. If you wish to restrict egress traffic, a limited number of ports and addresses must be accessible to maintain healthy cluster maintenance tasks. The simplest solution to securing outbound addresses is using a firewall device that can control outbound traffic based on domain names. Azure Firewall can restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination. You can also configure your preferred firewall and security rules to allow these required ports and addresses.
Reference: https://learn.microsoft.com/en-us/azure/aks/outbound-rules-control-egress
Hi Mutaz,
Thanks for the answer.
Can I also check:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 80%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hi Andrew,
Yes, you can do it by using Azure Stack HCI.
Azure Kubernetes Service (AKS) on Azure Stack HCI and Windows Server is an on-premises Kubernetes implementation of AKS. AKS on Azure Stack HCI and Windows Server automates running containerized applications at scale. AKS makes it quicker to get started hosting Linux and Windows containers in your datacenter.
https://learn.microsoft.com/en-us/azure/architecture/example-scenario/hybrid/aks-baseline
https://learn.microsoft.com/en-us/azure/aks/hybrid/overview
Hi Surbi,
Thanks for your reply.
Can Azure Kubernetes Service (AKS) on Azure Stack HCI and Windows Server be deployed on an air-gapped on-premises network?
Hi Andrew,
Azure Stack HCI --https://learn.microsoft.com/en-us/azure-stack/hci/faq
Does Azure Stack HCI require continuous connectivity to the cloud?
No. Azure Stack HCI is designed to handle periods of limited or zero connectivity.
What happens if my network connection to the cloud temporarily goes down?
While your connection is down, all host infrastructure and VMs continue to run normally, and you can use edge-local tools for management. You would not be able to use features that directly rely on cloud services. Information in the Azure portal also would become out-of-date until Azure Stack HCI is able to sync again.
How long can Azure Stack HCI run with the connection down?
At the minimum, Azure Stack HCI needs to sync successfully with Azure once per 30 consecutive days.
What happens if the 30-day limit is exceeded?
If Azure Stack HCI hasn’t synced with Azure in more than 30 consecutive days, the cluster’s connection status will show Out of policy in the Azure portal and other tools, and the cluster will enter a reduced functionality mode. In this mode, the host infrastructure stays up and all current VMs continue to run normally. However, new VMs can’t be created until Azure Stack HCI is able to sync again. The internal technical reason is that the cluster’s cloud-generated license has expired and needs to be renewed by syncing with Azure.