This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 12%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERD%3C/text%3E%3C/svg%3E)
Hi, we have an AKS cluster which has Postgres deployed in it. We want to deploy the same cluster to a paired region, but the two Postgres servers must be able to see and talk to each other. Do we need to implement peering between the VNets in each region in order for the two Postgres pods in AKS to see and talk to each other?
Thanks ahead of time
@richardwolford-7948 , Thank you for your question.
Please do correct me if I am wrong. AKS cluster A with Postgres workload instance A is deployed in Azure region A and AKS cluster B with Postgres workload instance B is deployed in Azure region B. You want Postgres workload instance A and Postgres workload instance B to be able to talk to each other.
LoadBalancer or a public Ingress. [Reference] You can also refer to AKS Baseline for multi-region clusters and Network Topology in Baseline architecture for AKS Clusters.
----------
Hope this helps.
Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.
Yes, this helps very much, and you are correct in what we are wanting. Since postgres doesn't support active/active, we are going to use a trigger-based tool (I hate it btw) so that if Posgress in AKS A has a write, that write is propogated to AKS B. I want to not use the Internet and would prefer to peer the VNETs. If I peer the VNETs, I assume AKS A can speak to AKS B and we can use the private IPs of the pods to communicate provided that the ports are exposed on both AKS clusters. We are using CNI for networking.
Does this sound workable?
@richardwolford-7948 , Thank you for your response.
Yes, since you are using Azure CNI as the network plugin for the AKS clusters, the Pod IPs are going to be assigned from the AKS VNET/subnets. If the two Virtual Networks are peered, then please ensure that the Effective Inbound Network Security Group rules associated with either subnet in the two virtual networks, must allow traffic to ports: Any from source: VirtualNetwork to destination: Any on the requisite protocol(s).
To summarize, this is a very viable solution.
----------
Hope this helps.
Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.
Thank you very much, I was hoping this was viable solution, it was brought up by my team that direct communications between AKS may not be possible as per my design and I wanted someone else to weigh in on this, it's good to know that Microsoft gives it the thumbs up :)
Enabling network policies for me it work only for pod-to-pod connections between the two subnets.
Instead I need to call a service on the second subnet, in order to use the service IP in a private DNS zone, that of course is almost static.
The worst is that I'm having different network troubleshooting results from azure portal.
Doing the same network test from the same virtual machine, but in two different point of azure portal gives different results.
The first is from the virtual machines view, the second from the virtual network view.
Please look here the complete description:
https://learn.microsoft.com/en-us/answers/questions/715582/aks-connect-to-external-service-on-a-different-aks.html
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 3%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EER%3C/text%3E%3C/svg%3E)
Hi @SRIJIT-BOSE-MSFT , honestly at pod level with peering solution it all can be solved.
but what if the pod accesses the ClusterIP Service in a different cluster?? so our goals we just need a different balancing service using the ClusterIP type in a private network?
Hi @richardwolford-7948
Yes, choose two regions paired together.
An AKS cluster is deployed into a single region. To protect your system from region failure, deploy your application into multiple AKS clusters across different regions. When planning where to deploy your AKS cluster, consider:
AKS region availability
Choose regions close to your users.
AKS continually expands into new regions.
Azure paired regions
For your geographic area, choose two regions paired together.
AKS platform updates (planned maintenance) are serialized with a delay of at least 24 hours between paired regions.
Recovery efforts for paired regions are prioritized where needed.
Service availability
Decide whether your paired regions should be hot/hot, hot/warm, or hot/cold.
Do you want to run both regions at the same time, with one region ready to start serving traffic? Or,
Do you want to give one region time to get ready to serve traffic?
for more details
https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-multi-region
If the Answer is helpful, please click Accept Answer and up-vote, this can be beneficial to other community members.
Hello, thank you for your response. We are running hot/hot with a front door directing traffic for us. BUT, with two AKS clusters, which we have, how would one cluster's pods talk to the pods in the second AKS cluster? Would they talk to each other using the external load balancer of the other AKS cluster, or would pairing the regions allow them to talk to each other directly? My guess is that we would use the external load balancers.
Thanks,
Richard
@richardwolford-7948 , the public Load Balancer is used for outbound traffic only to the Internet (0.0.0.0/0) when outboundType is set to loadBalancer (which is default; Can be set to UDR. Please check this document). Traffic to Private IP addresse(s) within the Virtual Network or peered virtual networks travel over the Azure global backbone network. So your pod on one cluster can directly talk to the Private IP address of a Pod on another Cluster deployed in a peered Virtual Network (CNI network plugin on both clusters) over the Azure global backbone network without having to travel over the Internet, thereby not being routed over the public Load Balancer.