Control Egress/Ingress Traffic to AKS Cluster

Kasun Buddika 0 Reputation points
2024-05-09T10:23:45.46+00:00

Hello,

I run into an issue when placing an AKS cluster behind a BASIC Azure Firewall.

I am basically following this guide: https://learn.microsoft.com/en-us/azure/aks/limit-egress-traffic?tabs=aks-with-system-assigned-identities (with the exception where I use a basic firewall).

 

My firewall route table looks like this:User's image

Firewall policy contains following application rules:

User's image

Then DNAT rules to forward ingress traffic through the Firewall’s public IP.

User's image

When I try deploying the cluster into a subnet that has the Firewall RT associated nothing seems to work. Pods get stuck in a “Pending” state. I am using the Azure CNI network type and Calico network policy. One observation I made was that in this case pods do not get the IP assignment based on the subnet. As an example, when I deploy the cluster without the Firewall services get IP assignment with no issues (see the following image). But, with Firewall I get a "-" for Endpoint.

User's image

Can someone point me to where the issue can be?

Thank you.

Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
2,189 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. vipullag-MSFT 26,411 Reputation points
    2024-05-09T15:49:33.8933333+00:00

    Hello Kasun Buddika

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    Based on the details shared, one possibility for the issue could be on the part where you set the API server authorized IP ranges.

    Can you make sure that you have set both the Firewall Public IP and Current IP. If you set one but not the other, then the other address range will be overwritten.

    Hope that helps.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.