Connecting from AKS to on premise server

Christian B. Okeme 1 Reputation point

Hi, I have an AKS cluster with azure CNI networking and a vnet gateway which links our onpremise environment to azure via a site to site VPN.

In trying to ping a server on premise from aks I noticed the outbound IP being used is the pods node IP, how do I manage this taking into consideration that our network team is allowed to only grant permissions to single IP's not ranges

Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,312 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. TravisCragg-MSFT 5,646 Reputation points Microsoft Employee

    I would highly recommend that your networking team revisit their rules on address ranges.

    If this is not an option, you can start by reading the AKS Egress documentation. It is mostly designed for public egress, but you will still be able to get useful information.

    The ideal way to control the egress IP is to use a UDR to route all traffic to a NVA which will SNAT the traffic so that it all appears to come from a single IP. There are many solutions for this for public egress, but for private egress your options are to use Azure Firewall to SNAT a Private IP Range or use a 3rd party NVA that does something similar. The biggest drawback of the configuration is the cost associated with having an Azure Firewall added to your VNET.

    0 comments No comments