How do I set a unique outbound IP/subnet per namespace in an AKS cluster

Siddhartha Mishra 1 Reputation point
2024-05-03T09:43:26.92+00:00

I want to have different outbound IPs (or route egress through unique VNET subnets) per namespace. I see that the recommendation is to have separate nodepools and attach different vnets to them. If I want the pods to share compute, however, what would be the best way to accomplish this?


1 answer

  1. Anveshreddy Nimmala 2,705 Reputation points Microsoft Vendor
    2024-05-06T04:08:00.7133333+00:00

    Hello Siddhartha Mishra,

    Welcome to Microsoft Q&A, thank you for posting your query here.

    i. Azure CNI supports assigning each pod an IP from the subnet, allowing more granular control over networking.

    You can potentially configure Azure CNI to assign IPs from different subnet ranges based on namespace annotations.

    Implement Kubernetes network policies that ensure pods communicate only within their designated subnets unless explicitly allowed.

    ii. Use an Egress Controller with IP Masquerading.

    You can use an egress controller like Istio, which supports complex routing rules and can act as an egress gateway.

    Configure Istio’s egress gateway to apply different masquerade rules based on the namespace of the outgoing request.

    https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/

    Set up NAT gateways in your VNET. Each NAT gateway will have its own public IP address.

    Configure routing rules to direct traffic from specific namespaces through specific NAT gateways.

    Modify your pod deployments to route their outbound traffic through the Istio egress gateway, which then routes the traffic through the appropriate NAT gateway based on the namespace.

    Hope this helps you.

    If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!


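One concrete rendering of the Istio egress-gateway approach sketched in the answer, added here as an example and not taken from the answer or from the Istio project: all TLS traffic from namespace `team-a` to an external host is steered to a namespace-specific egress gateway, and that gateway, not the application pods, is what the outside world sees. It assumes a dedicated egress gateway deployment labelled `istio=egressgateway-team-a` already runs in `team-a` on nodes in the subnet that `team-a`'s NAT gateway is attached to (Azure NAT Gateway is associated at the subnet level), and `api.example.com` is a placeholder host.

```yaml
# Assumed: an Istio egress gateway deployment labelled istio=egressgateway-team-a
# runs in namespace team-a on nodes in the subnet whose NAT gateway owns
# team-a's dedicated public IP. api.example.com is a placeholder external host.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata: {name: external-api, namespace: team-a}
spec:
  hosts: [api.example.com]
  ports: [{number: 443, name: tls, protocol: TLS}]
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata: {name: egress-team-a, namespace: team-a}
spec:
  selector: {istio: egressgateway-team-a}   # binds only to team-a's gateway pods
  servers:
  - port: {number: 443, name: tls, protocol: TLS}
    hosts: [api.example.com]
    tls: {mode: PASSTHROUGH}                # TLS stays end-to-end; gateway routes on SNI only
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata: {name: egress-team-a, namespace: team-a}
spec:
  hosts: [api.example.com]
  gateways: [mesh, egress-team-a]
  tls:
  # hop 1: sidecars of team-a pods hand the flow to the namespace's egress gateway
  - match: [{gateways: [mesh], port: 443, sniHosts: [api.example.com]}]
    route:
    - destination: {host: egressgateway-team-a.team-a.svc.cluster.local, port: {number: 443}}
  # hop 2: the egress gateway forwards to the real host and leaves via its subnet's NAT gateway
  - match: [{gateways: [egress-team-a], port: 443, sniHosts: [api.example.com]}]
    route:
    - destination: {host: api.example.com, port: {number: 443}}
```

To confirm the split, compare the source address an external service reports for a `team-a` pod against the NAT gateway's public IP, and repeat from another namespace, which should still leave through the cluster's default outbound path.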