Azure Network Security Group Auto Updates / Resets

Question

Azure Network Security Group Auto Updates / Resets

Glenn 1

I have a AKS three node cluster and in its network security group, I added (which i have done a number of times now) i list of IPs allowed to access the service.

However, Azure keeps resetting these for no reason what so ever. I have not updated / moved or changed this resource in any way, I have been building other resources, e.g. VMs to host other content. But this service has never been changed or edited by me, with either terrafrom, the CLI or the portal.

This was not set inside my terrafrom, but from the portal - mostly due to not knowing all the IPs I needed to add. But this terrafrom build has never been re-run to reset this?

Newer builds have been run to create complete new resources / resource groups, to the same account but not to this resource / group?

So why is my allow source IP list resetting / changing all the time?

Should I added the allowed IPs in my terrafrom and apply the update? Would that set it correctly, e.g. no reset?

I also get no warming that its been done - so i don't know when my hosted services are public

Thanks,

Ulan Yisaev (Nortal Consulting) 0 Reputation points

2023-02-19T12:42:30.4466667+00:00

Having the same issue - NSG rules of AKS cluster resetting spontaneously, I don't know why.

1 answer

Your answer

Ulan Yisaev (Nortal Consulting) 0 Reputation points

2023-02-19T12:42:30.4466667+00:00

Having the same issue - NSG rules of AKS cluster resetting spontaneously, I don't know why.

Answer 1

msrini-MSFT 9,286 Microsoft Employee

@Glenn ,

I would suggest you to check your activity logs to verify if there is a log for this change. If you find one, check which user/service principle is making this change.

Also, if you have enabled something like JIT, it will modify the source IP in your NSG. Check if you have JIT enabled.

Let me know if you have any questions.

Regards,
Karthik Srinivas

Glenn 1 Reputation point

2021-11-18T11:39:27.237+00:00

i will look into it - JIT is your just in time access, correct? then unless it was turned on by default, i have not turned that on
Glenn 1 Reputation point

2021-11-18T12:43:23.253+00:00

Ok I tried to have a look at the activity log - but it list no events at all. Is this something that needs to be enabled? I would have thought, that activity logs are on my default?

I do have just one rule for each port i have open, 80 & 443 and have a long list of IPs to allow to have access. is there a limit to the amount of IPs you can list?

also would it be better, or even possible to have a new rule for each IP? but for the same port? so there be like 3-5 rules for both port 80 and 443?
msrini-MSFT 9,286 Reputation points Microsoft Employee

2021-11-18T14:29:10.217+00:00

Activity logs are enabled by default. Go to the specific resource, in this case NSG and then check the activity log. Search for a longer period to see results.

JIT is not enabled by default.

yes you can have 2 rules for the same port but with different priority.
Glenn 1 Reputation point

2021-11-18T22:00:03.03+00:00
Ok so i got some logs. As of time i am posting this, 2hrs ago, it says it was changed... but i am not sure i understand by what.

So I have a AKS service that this NSG is for, and as per Azure config, the NSG, and VMs etc reside in there own resource group.... but on the log it states that the change was started by the main resource group - the one the K8s cluster is in?

So is this something inside the cluster that's doing this? i don't have any timed jobs (unless its something that was installed by default with a helm chart)

Whats installed on the cluster is:

argocd

contour

drone

harbour

linkered

postgres

rook-ceph

As far as i know, i have not ask any of these apps to re-configure the access to the ports.

However, i am thinking it might have something to do with contour? has that is talking to system via the NSG.

So i am guesting it might be better to see about setting limits on IPs within the contour config?
msrini-MSFT 9,286 Reputation points Microsoft Employee

2021-11-22T03:45:03.12+00:00

Can you check this issue> https://github.com/Azure/AKS/issues/570

Looks like this matches your problem.

Share via

Azure Network Security Group Auto Updates / Resets

1 answer

Your answer