Connecting from AKS to on-premises server

Christian B. Okeme 1 Reputation point
2021-03-13T05:59:09.357+00:00

Hi, I have an AKS cluster with Azure CNI networking and a VNet gateway which links our on-premises environment to Azure via a site-to-site VPN.

In trying to ping a server on-premises from AKS, I noticed the outbound IP being used is the pod's node IP. How do I manage this, taking into consideration that our network team is allowed to only grant permissions to single IPs, not ranges?

Azure Kubernetes Service (AKS)

1 answer

  1. TravisCragg-MSFT 5,676 Reputation points Microsoft Employee
    2021-03-22T22:14:18.993+00:00

    I would highly recommend that your networking team revisit their rules on address ranges.

    If this is not an option, you can start by reading the AKS Egress documentation. It is mostly designed for public egress, but you will still be able to get useful information.

    The ideal way to control the egress IP is to use a UDR to route all traffic to an NVA which will SNAT the traffic so that it all appears to come from a single IP. There are many solutions for this for public egress, but for private egress your options are to use Azure Firewall to SNAT a private IP range or use a third-party NVA that does something similar. The biggest drawback of the configuration is the cost associated with having an Azure Firewall added to your VNet.

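The UDR-plus-Azure-Firewall design the answer describes, written out as an added Bicep example (not code from the thread or from Microsoft's AKS documentation). Every name and address range in it is an assumption for illustration: an existing VNet `aks-vnet` (10.0.0.0/16) that already holds the AKS node/pod subnet `aks-nodes` (10.0.8.0/21) and an `AzureFirewallSubnet`, and an on-premises network 192.168.0.0/16 reached over the existing site-to-site VPN gateway. The two details that matter for the asker's problem are the `snat.privateRanges` setting, because Azure Firewall does not SNAT to RFC 1918 destinations by default and the on-prem server would otherwise still see pod/node addresses, and the fact that only the on-prem prefix is routed to the firewall, so Internet egress and the cluster's `outboundType` are left alone.

```bicep
// Added example, not from the original thread. All names/ranges are assumed.
param location string = resourceGroup().location
param vnetName string = 'aks-vnet'            // assumed existing VNet
param vnetCidr string = '10.0.0.0/16'         // assumed VNet address space
param aksSubnetName string = 'aks-nodes'      // assumed AKS node/pod subnet
param aksSubnetCidr string = '10.0.8.0/21'
param onPremCidr string = '192.168.0.0/16'    // assumed on-premises range

resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
  name: vnetName
}

resource fwSubnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = {
  parent: vnet
  name: 'AzureFirewallSubnet'   // required subnet name for Azure Firewall
}

// Azure Firewall Standard needs a public IP even when it only handles private egress.
resource fwPip 'Microsoft.Network/publicIPAddresses@2022-07-01' = {
  name: 'aks-egress-fw-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// privateRanges = destinations exempt from SNAT. Limiting it to our own VNet
// means traffic to onPremCidr IS SNATed to the firewall's private IP.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
  name: 'aks-egress-fw-policy'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    snat: { privateRanges: [ vnetCidr ] }
  }
}

// Allow the AKS subnet to reach on-prem; tighten protocols/ports for production.
resource fwRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-07-01' = {
  parent: fwPolicy
  name: 'aks-to-onprem'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-aks-to-onprem'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'aks-subnet-to-onprem'
            ipProtocols: [ 'Any' ]
            sourceAddresses: [ aksSubnetCidr ]
            destinationAddresses: [ onPremCidr ]
            destinationPorts: [ '*' ]
          }
        ]
      }
    ]
  }
}

resource fw 'Microsoft.Network/azureFirewalls@2022-07-01' = {
  name: 'aks-egress-fw'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    firewallPolicy: { id: fwPolicy.id }
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: fwSubnet.id }
          publicIPAddress: { id: fwPip.id }
        }
      }
    ]
  }
  dependsOn: [ fwRules ]   // avoid concurrent updates to the policy
}

// UDR: only the on-prem prefix goes via the firewall. A 0.0.0.0/0 route would
// also capture Internet egress and require AKS outboundType=userDefinedRouting.
resource rt 'Microsoft.Network/routeTables@2022-07-01' = {
  name: 'aks-egress-rt'
  location: location
  properties: {
    routes: [
      {
        name: 'onprem-via-firewall'
        properties: {
          addressPrefix: onPremCidr
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: fw.properties.ipConfigurations[0].properties.privateIPAddress
        }
      }
    ]
  }
}

// Attach the route table to the AKS subnet (redeclaring it; keep its other settings).
resource aksSubnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' = {
  parent: vnet
  name: aksSubnetName
  properties: {
    addressPrefix: aksSubnetCidr
    routeTable: { id: rt.id }
  }
}

// This is the single address the on-prem network team needs to allow.
output egressIpSeenOnPrem string = fw.properties.ipConfigurations[0].properties.privateIPAddress
```

Deploy with `az deployment group create -g <rg> -f main.bicep`, then verify from inside the cluster: start a throwaway pod in the AKS subnet, connect to the on-prem server, and confirm in that server's logs (or a packet capture on it) that the source is the `egressIpSeenOnPrem` value rather than a node or pod IP. If the on-prem side still sees VNet addresses, the usual causes are the route table not being associated with the subnet the pods actually live in, or `privateRanges` still covering the on-prem prefix.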