Question asked by WenRuiZhaoOPS-4707; answered by srbhatta-msft

Using AKS private cluster, can't access internet from pod

We are using a free account to test a private cluster for our use case. But we found that after we create a private cluster we can't reach the internet from pods. As the document says, all pods in an AKS cluster can send and receive traffic without limitations by default, and outbound traffic also has no limitation. Did I miss something here? Any suggestions?

azure-kubernetes-service

1 Answer

srbhatta-msft answered

Hello @WenRuiZhaoOPS-4707 ,

Thanks for reaching out to Microsoft QnA Platform!
There is no limitation on outbound traffic from a private AKS cluster.
In a private cluster, the control plane or API server has internal IP addresses that are defined in the RFC1918 - Address Allocation for Private Internet document. By using a private cluster, you can ensure network traffic between your API server and your node pools remains on the private network only.

Have you followed any specific document to create the private AKS cluster, such as this one: Create private AKS cluster?

2 comments

Yes, we referred to that document to create the private AKS cluster. The first time we used network policy None (we have None, Azure network, and Calico options), and it was not working to access the internet. Also, our subnet in the VNet has no NSG setting and no route.
But the second time we selected the Calico network policy, and then we could reach the internet from the pod, so it's confusing to me what the difference is here, and what the "None" network policy default setting is.

srbhatta-msft ·

Hello @WenRuiZhaoOPS-4707, thanks for reaching back. So, when you deploy an AKS cluster and select "None" as network policy, it means there is no Network Policy Manager deployed, so even if you have deployed network policies they will not be enforced. This should not affect the connectivity from your Pod. It looks like some infrastructure network issue in this case as to why your Pod was not able to reach the Internet with "None" enabled. Do you still have the same setup? If yes, then can you check if the pod is able to establish connectivity to other pods in the same cluster? It can also be that there might have been some configuration at the load balancer level which is causing this particular issue, or maybe port exhaustion? It is difficult to determine without troubleshooting the infrastructure here.

When you enable Calico network policy, there will be a separate Policy manager for Calico deployed to each worker node in the AKS cluster that will enforce the defined network policies.

I hope this helps.

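To make the distinction in the reply above concrete (network policy "None" means nothing is enforced, while Calico enforces whatever NetworkPolicy objects select a pod), here is an added example that is not part of the original thread and not Calico's or AKS's code: a small Python model of Kubernetes NetworkPolicy egress semantics. It applies the standard rules (a pod is isolated for egress only when some policy with policyType Egress selects it; an isolated pod may send only to destinations matched by a rule; ipBlock with except) to two constructed policies, and has an `enforced=False` switch that models the "None" setting. Only matchLabels selectors and ipBlock peers are modelled; the policies, labels and addresses are constructed for illustration.

```python
import ipaddress


def selector_matches(selector, labels):
    """Simplified selector: only matchLabels is supported (constructed model)."""
    match_labels = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in match_labels.items())


def ip_in_block(ip, block):
    """True if ip is inside block['cidr'] and not in any block['except'] range."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(addr in ipaddress.ip_network(e) for e in block.get("except", []))


def policy_types(spec):
    """Default per the NetworkPolicy API: Ingress always, Egress only if an egress section exists."""
    if "policyTypes" in spec:
        return spec["policyTypes"]
    return ["Ingress"] + (["Egress"] if "egress" in spec else [])


def egress_allowed(policies, pod_labels, dst_ip, dst_port, enforced=True):
    """Decide whether a pod with pod_labels may send to dst_ip:dst_port.

    enforced=False models networkPolicy "None": no policy manager runs, so
    policy objects may exist but nothing enforces them and all traffic passes.
    """
    if not enforced:
        return True
    selecting = [
        p for p in policies
        if "Egress" in policy_types(p) and selector_matches(p.get("podSelector", {}), pod_labels)
    ]
    if not selecting:
        return True  # no policy selects this pod: it is not isolated for egress
    # Isolated pod: traffic passes if ANY rule of ANY selecting policy allows it.
    for spec in selecting:
        for rule in spec.get("egress", []):
            ports = rule.get("ports", [])
            if ports and not any(pp.get("port") == dst_port for pp in ports):
                continue  # rule restricts ports and this one is not listed
            peers = rule.get("to", [])
            if not peers:
                return True  # a rule with no 'to' permits any destination
            if any("ipBlock" in peer and ip_in_block(dst_ip, peer["ipBlock"]) for peer in peers):
                return True
    return False


# Constructed policies (spec sections only), as Calico would enforce them:
#  1. default-deny egress for pods labelled app=web
#  2. allow app=web pods TCP/443 to anywhere except the private 10.0.0.0/8 range
POLICIES = [
    {
        "podSelector": {"matchLabels": {"app": "web"}},
        "policyTypes": ["Egress"],
        "egress": [],
    },
    {
        "podSelector": {"matchLabels": {"app": "web"}},
        "policyTypes": ["Egress"],
        "egress": [
            {
                "to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["10.0.0.0/8"]}}],
                "ports": [{"protocol": "TCP", "port": 443}],
            }
        ],
    },
]


def demo():
    """Return the decisions for a few constructed flows (see comments for the reasoning)."""
    web = {"app": "web"}
    batch = {"app": "batch"}
    return {
        "none_setting_web_to_private_80": egress_allowed(POLICIES, web, "10.0.0.5", 80, enforced=False),  # True: nothing enforced
        "calico_web_to_public_443": egress_allowed(POLICIES, web, "203.0.113.10", 443),  # True: matches rule
        "calico_web_to_public_80": egress_allowed(POLICIES, web, "203.0.113.10", 80),  # False: port not listed
        "calico_web_to_private_443": egress_allowed(POLICIES, web, "10.0.0.5", 443),  # False: in except range
        "calico_batch_to_private_80": egress_allowed(POLICIES, batch, "10.0.0.5", 80),  # True: not selected
    }


if __name__ == "__main__":
    for flow, allowed in demo().items():
        print(f"{flow}: {'allowed' if allowed else 'denied'}")
```

The last case is the one worth noting for the thread: even with Calico enabled, a pod that no policy selects keeps unrestricted egress, so enabling Calico by itself does not restrict or grant internet access; the asker's change in behaviour between the two cluster builds is therefore not explained by policy enforcement, which is consistent with the reply pointing at the infrastructure (subnet routes, NSG, load balancer outbound) instead.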