Enable company's network ip range via AKS authorised range or network security group?

Tanul 1,251

Team,

We need to allow only our organization's ip range to access our AKS environment. Should we use "AKS authorized ranges feature" or "network security group inbound security rule".

We want to disable our AKS environment's accessibility over public internet.

Please suggest. Thank you.

Regards,
Tanul

1 answer

risolis 8,701 Reputation points

2022-05-23T18:40:46.233+00:00

Hello @Tanul

Thank you for your post.

I would like to know more details about your AKS environment if it is possible.

-Do you have CNI plug-in or Basic networking on your AKS cluster?
-Do you have any Azure FW/Network virtual appliance on your Vnet?
-Are you using the default routing or UDR routing?
-Do you have any nginx or load balancer hosted on your cluster?

Looking forward to your feedback,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
risolis 8,701 Reputation points

2022-05-23T18:45:58.21+00:00

Besides that, also check this out below:

Tanul 1,251 Reputation points

2022-05-23T19:03:57.097+00:00

@risolis ,

First question:-
Second question:- Don't have any firewall.

Last question:- Kong

Could you please suggest where to search on azure portal for the answer to this query:-

-Are you using the default routing or UDR routing?

risolis 8,701 Reputation points

2022-05-23T19:16:46.723+00:00

@Tanul

Sorry for overwhelming with too much question hehehe

Please check this doc which is the one that might fit into your scenario.

https://learn.microsoft.com/en-us/azure/aks/egress-outboundtype

Note
Outbound type of UDR requires there is a route for 0.0.0.0/0 and next hop destination of NVA (Network Virtual Appliance) in the route table. The route table already has a default 0.0.0.0/0 to Internet, without a Public IP to SNAT just adding this route will not provide you egress. AKS will validate that you don't create a 0.0.0.0/0 route pointing to the Internet but instead to NVA or gateway, etc. When using an outbound type of UDR, a load balancer public IP address for inbound requests is not created unless a service of type loadbalancer is configured. A public IP address for outbound requests is never created by AKS if an outbound type of UDR is set.

Looking forward to your feedback,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

risolis 8,701 Reputation points

2022-05-24T03:44:30.587+00:00

Hi @Tanul ,

I hope you are fine.

I am thinking of this concern as well as if further support is required until this moment.

Looking forward to your response,

Best Regards,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Tanul 1,251 Reputation points

2022-05-24T05:22:11.083+00:00

@risolis , Are you sure this is necessary. I still remember doing that 2 years back. I have done some ip whitelisting thing. But now I forgot. I haven’t done anything like this udr customer routing etc. My query is to just allow my company’s ip range to access the AKS environment.

@vipullag-MSFT , @KarishmaTiwari-MSFT , Hello Karishma/Vipul, Sorry for disturbing. Could you please look into this issue once. Are we in the right direction?

Regards,

risolis 8,701 Reputation points

2022-05-24T05:44:59.313+00:00

Hi @Tanul

Thanks for your response and I fully understand your concern.

A second opinion is always good!

Now let me put it in this way or simple words.... After you are double-confirming that there is not IPsec tunnel either an EP circuit. You can use what is called Application security group and take a look at it below:

https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups

That will be for restring ingress traffic cause for egress traffic no NSG can be used.

BR,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Tanul 1,251 Reputation points

2022-05-24T08:02:08.35+00:00

@risolis , I think this is more of Azure VM web servers related thing. As far as I remember in 2019 I have just added the ip ranges in NSG and inbound from other Ip's have stopped to AKS. I still can't recall what I have done as I got confused with this authorized ip ranges feature of AKS. I have never read anything like Application security group etc. Totally forgot :(

risolis 8,701 Reputation points

2022-05-24T18:27:45.377+00:00

@Tanul

Many thanks for your answer.

I have seen the following thread and I wonder if the same concern there is the same one here:

https://learn.microsoft.com/en-us/answers/questions/860708/does-aks-authorised-ranges-impacts-the-overall-on.html?childToView=862551#answer-862551

Looking forward to your answer.

BR,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Tanul 1,251 Reputation points

2022-05-24T19:54:30.797+00:00

@risolis , That was more of specific to authorized ip ranges. But I still don't know if these are not gonna help then what is the purpose of this feature.

risolis 8,701 Reputation points

2022-05-25T06:38:08.86+00:00

@Tanul

Understood.

Ok let me try to make clear all of this and focus on the next statement below:

We want to disable our AKS environment's accessibility over public internet.

If I am not mistaken, when you stated that detail above I would think that you have a nginx/Load balancer instance...

That's why I was asking at the very beginning the next question:

Do you have any nginx or load balancer hosted on your cluster?

So If there is no Azure FW or any other type(Vendor) FW as well as ER(ExpressRoute) on your enviroment, You are using a PIP(Public IP) on nginx/Load balancer...

If that is the case your PIP address is linked to FQDN or you are using the PIP without doing any FQDN mapping.

Am I correct?

Looking forward to your response.

BR,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Tanul 1,251 Reputation points

2022-05-25T16:29:52.317+00:00

@risolis , Correct so this is the kind of structure. We have public ip and connected with Standard Azure load balancer which come on its own with AKS. My ask is to disable the accessibility of AKS api server over public internet. Means, executing kubectl command(successfully from my laptop) only when I'm sitting in office or connected to VPN if I'm working from home.

risolis 8,701 Reputation points

2022-05-25T17:34:03.233+00:00

Hello @Tanul

Thanks a lot for that additional info...

So based on what you gathered previously, you might be looking for this:

https://learn.microsoft.com/en-us/azure/aks/load-balancer-standard

This is similar for what you were stating about a simple whitelist tht you used to set up.

Cheers,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Tanul 1,251 Reputation points

2022-05-25T17:45:09.09+00:00

@risolis , But don't you think authorized ip ranges feature of kubernetes is also doing the same thing. Or, let me do one thing.. I'll connect with my network team tomorrow and take the ip ranges from them.. After that I'll do this.. Will share the update with you after that.. Will that work. At least I can show you some progress?? :)

We also have Azure virtual machines with private ip address. Without being in office or vpn in wfh we aren't able to connect them. I'm trying to replicate something like that here in AKS as well. But exactly don't know how this has been done with VM's as I'm pretty new with all these.

risolis 8,701 Reputation points

2022-05-25T18:15:00.92+00:00

@Tanul

Almost they are.... Sure if you can keep us posted about it will be appreciated!!

Just as an advice, when you shall be doing all of this please do it on a Maintenance window : )

Talk to you soon.

Have a good one!

Tanul 1,251 Reputation points

2022-05-25T18:18:09.403+00:00

@risolis , I'll spin up a new one. :)
Sign in to comment

Share via

Enable company's network ip range via AKS authorised range or network security group?

1 answer