Create a managed or user-assigned NAT gateway for your Azure Kubernetes Service (AKS) cluster
While you can route egress traffic through an Azure Load Balancer, there are limitations on the number of outbound flows of traffic you can have. Azure NAT Gateway allows up to 64,512 outbound UDP and TCP traffic flows per IP address with a maximum of 16 IP addresses.
This article shows you how to create an Azure Kubernetes Service (AKS) cluster with a managed NAT gateway and a user-assigned NAT gateway for egress traffic. It also shows you how to disable OutboundNAT on Windows.
Before you begin
- Make sure you're using the latest version of Azure CLI.
- Make sure you're using Kubernetes version 1.20.x or above.
- Managed NAT gateway is incompatible with custom virtual networks.
Create an AKS cluster with a managed NAT gateway
Create an AKS cluster with a new managed NAT gateway using the `az aks create` command with the `--outbound-type managedNATGateway`, `--nat-gateway-managed-outbound-ip-count`, and `--nat-gateway-idle-timeout` parameters. If you want the NAT gateway to operate out of availability zones, specify the zones using `--zones`.

```azurecli
az aks create \
  --resource-group myResourceGroup \
  --name myNatCluster \
  --node-count 3 \
  --outbound-type managedNATGateway \
  --nat-gateway-managed-outbound-ip-count 2 \
  --nat-gateway-idle-timeout 4
```
Important
If you don't specify `--nat-gateway-managed-outbound-ip-count`, the managed NAT gateway is created with a single outbound IP address.
Update the number of outbound IP addresses
Update the outbound IP address count or the idle timeout using the `az aks update` command with the `--nat-gateway-managed-outbound-ip-count` or `--nat-gateway-idle-timeout` parameter.

```azurecli
az aks update \
  --resource-group myResourceGroup \
  --name myNatCluster \
  --nat-gateway-managed-outbound-ip-count 5
```
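The outbound IP count is the knob that decides how many SNAT ports egress can use, and a pool that is sized too small shows up as connection timeouts under load rather than as an error at creation time. The following script is an added example (not part of the Azure documentation) that turns the limits stated above, 64,512 SNAT ports per public IP and at most 16 IPs per NAT gateway, into a sizing helper and then composes the matching `az aks create` command for review instead of running it. The 25% headroom default and the 4-120 minute idle-timeout range are this script's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the Azure docs: size --nat-gateway-managed-outbound-ip-count
# from the peak number of concurrent outbound flows you expect, using the limits
# the article states (64,512 SNAT ports per public IP, at most 16 IPs), then
# compose the matching az aks create command for review. The headroom default
# and the 4-120 minute idle-timeout range are this script's assumptions.
set -eu

SNAT_PORTS_PER_IP=64512
MAX_NAT_IPS=16

# required_nat_ips <peak_concurrent_flows> [headroom_percent]
# Prints the outbound IP count needed; fails if it would exceed the 16-IP cap.
required_nat_ips() {
  local flows=$1 headroom=${2:-25} needed ips
  needed=$(( flows + flows * headroom / 100 ))
  ips=$(( (needed + SNAT_PORTS_PER_IP - 1) / SNAT_PORTS_PER_IP ))   # ceiling division
  if [ "$ips" -lt 1 ]; then ips=1; fi
  if [ "$ips" -gt "$MAX_NAT_IPS" ]; then
    echo "need $ips IPs for $needed flows; one NAT gateway caps at $MAX_NAT_IPS IPs" \
         "($((MAX_NAT_IPS * SNAT_PORTS_PER_IP)) flows): use more gateways on separate subnets" >&2
    return 1
  fi
  echo "$ips"
}

# managed_nat_create_cmd <rg> <cluster> <node_count> <ip_count> <idle_timeout_min>
# Echoes (does not run) the az aks create command on one line so it can be reviewed.
managed_nat_create_cmd() {
  local rg=$1 name=$2 nodes=$3 ips=$4 idle=$5
  if [ "$idle" -lt 4 ] || [ "$idle" -gt 120 ]; then
    echo "idle timeout must be 4-120 minutes (got $idle)" >&2
    return 1
  fi
  printf 'az aks create --resource-group %s --name %s --node-count %s --outbound-type managedNATGateway --nat-gateway-managed-outbound-ip-count %s --nat-gateway-idle-timeout %s\n' \
    "$rg" "$name" "$nodes" "$ips" "$idle"
}

# Worked case: 150,000 peak flows plus 25% headroom = 187,500 flows -> 3 outbound IPs.
ips=$(required_nat_ips 150000 25)
managed_nat_create_cmd myResourceGroup myNatCluster 3 "$ips" 4
```

Keep the idle timeout low (the article's 4 minutes is the minimum): a long timeout holds SNAT ports for idle connections and effectively shrinks the pool the calculation above sized.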
Create an AKS cluster with a user-assigned NAT gateway
This configuration requires bring-your-own networking (via Kubenet or Azure CNI) and that the NAT gateway is preconfigured on the subnet. The following commands create the required resources for this scenario.
Create a resource group using the `az group create` command.

```azurecli
az group create --name myResourceGroup \
  --location southcentralus
```

Create a managed identity for network permissions and store the ID in `$IDENTITY_ID` for later use.

```azurecli
IDENTITY_ID=$(az identity create \
  --resource-group myResourceGroup \
  --name myNatClusterId \
  --location southcentralus \
  --query id \
  --output tsv)
```

Create a public IP for the NAT gateway using the `az network public-ip create` command.

```azurecli
az network public-ip create \
  --resource-group myResourceGroup \
  --name myNatGatewayPip \
  --location southcentralus \
  --sku standard
```

Create the NAT gateway using the `az network nat gateway create` command.

```azurecli
az network nat gateway create \
  --resource-group myResourceGroup \
  --name myNatGateway \
  --location southcentralus \
  --public-ip-addresses myNatGatewayPip
```

Create a virtual network using the `az network vnet create` command.

```azurecli
az network vnet create \
  --resource-group myResourceGroup \
  --name myVnet \
  --location southcentralus \
  --address-prefixes 172.16.0.0/20
```

Create a subnet in the virtual network that uses the NAT gateway and store the ID in `$SUBNET_ID` for later use.

```azurecli
SUBNET_ID=$(az network vnet subnet create \
  --resource-group myResourceGroup \
  --vnet-name myVnet \
  --name myNatCluster \
  --address-prefixes 172.16.0.0/22 \
  --nat-gateway myNatGateway \
  --query id \
  --output tsv)
```

Create an AKS cluster using the subnet with the NAT gateway and the managed identity using the `az aks create` command.

```azurecli
az aks create \
  --resource-group myResourceGroup \
  --name myNatCluster \
  --location southcentralus \
  --network-plugin azure \
  --vnet-subnet-id $SUBNET_ID \
  --outbound-type userAssignedNATGateway \
  --enable-managed-identity \
  --assign-identity $IDENTITY_ID
```
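With `userAssignedNATGateway`, AKS does not create or attach the NAT gateway for you; it trusts that the subnet you pass already has one. If that attachment is missing, the cluster still comes up and node egress silently falls back to whatever the subnet offers, so the step worth adding is a check after creation. The script below is an added example (not Azure's own code) that runs the steps above as one script and then verifies that the subnet is attached to the NAT gateway you created and that the cluster reports the expected outbound type. Resource names, region and address prefixes are the article's; the `--apply` guard and the `az ... --query` paths used for verification are this script's choices.

```shell
#!/usr/bin/env bash
# Added example, not part of the Azure docs: the user-assigned NAT gateway
# steps as one script, followed by a verification that the cluster subnet is
# really attached to the NAT gateway and that the cluster's outbound type is
# userAssignedNATGateway. Run with --apply to create resources; without it the
# script only defines the functions.
set -eu

RG=myResourceGroup
LOCATION=southcentralus
VNET=myVnet
SUBNET=myNatCluster
NATGW=myNatGateway
CLUSTER=myNatCluster

# Azure resource IDs are case-insensitive and az may return either casing
# (e.g. resourceGroups vs resourcegroups), so normalise before comparing.
same_resource_id() {
  [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = \
    "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" ]
}

# Succeeds only when the cluster reports the outbound type this script expects.
outbound_type_is_user_nat() {
  [ "$1" = "userAssignedNATGateway" ]
}

deploy() {
  az group create --name "$RG" --location "$LOCATION" --output none
  IDENTITY_ID=$(az identity create --resource-group "$RG" --name myNatClusterId \
    --location "$LOCATION" --query id --output tsv)
  az network public-ip create --resource-group "$RG" --name myNatGatewayPip \
    --location "$LOCATION" --sku standard --output none
  az network nat gateway create --resource-group "$RG" --name "$NATGW" \
    --location "$LOCATION" --public-ip-addresses myNatGatewayPip --output none
  az network vnet create --resource-group "$RG" --name "$VNET" \
    --location "$LOCATION" --address-prefixes 172.16.0.0/20 --output none
  SUBNET_ID=$(az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --address-prefixes 172.16.0.0/22 --nat-gateway "$NATGW" \
    --query id --output tsv)
  az aks create --resource-group "$RG" --name "$CLUSTER" --location "$LOCATION" \
    --network-plugin azure --vnet-subnet-id "$SUBNET_ID" \
    --outbound-type userAssignedNATGateway --enable-managed-identity \
    --assign-identity "$IDENTITY_ID" --output none
}

# Fails if the subnet is not attached to the gateway or the cluster's
# outbound type is something else (e.g. loadBalancer).
verify() {
  local expected attached outbound
  expected=$(az network nat gateway show --resource-group "$RG" --name "$NATGW" \
    --query id --output tsv)
  attached=$(az network vnet subnet show --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --query natGateway.id --output tsv)
  outbound=$(az aks show --resource-group "$RG" --name "$CLUSTER" \
    --query networkProfile.outboundType --output tsv)
  same_resource_id "$expected" "$attached" \
    || { echo "subnet $SUBNET is not attached to NAT gateway $NATGW" >&2; return 1; }
  outbound_type_is_user_nat "$outbound" \
    || { echo "cluster outbound type is '$outbound', not userAssignedNATGateway" >&2; return 1; }
  echo "egress path verified: $SUBNET -> $NATGW, outboundType=$outbound"
}

if [ "${1:-}" = "--apply" ]; then
  deploy
  verify
fi
```

Run `verify` again after any later change to the subnet or the cluster network profile; both checks are cheap read operations and catch the case where someone detaches the gateway while the cluster keeps running.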
Disable OutboundNAT for Windows (preview)
Windows OutboundNAT can cause certain connection and communication issues with your AKS pods. Some of these issues include:
- Unhealthy backend status: When you deploy an AKS cluster with Application Gateway Ingress Controller (AGIC) and Application Gateway in different VNets, the backend health status becomes "Unhealthy." The outbound connectivity fails because the peered network's IP range isn't present in the CNI config of the Windows nodes.
- Node port reuse: Windows OutboundNAT uses source port translation to map your pod IPs onto the Windows node host IP. Many pods sharing one node IP can exhaust the available source ports, which causes unstable connections to the external service.
- Invalid traffic routing to internal service endpoints: When you create a load balancer service with `externalTrafficPolicy` set to `Local`, kube-proxy on Windows doesn't create the proper rules to route traffic to the internal service endpoints.
Windows enables OutboundNAT by default. You can now manually disable OutboundNAT when creating new Windows agent pools.
Note
OutboundNAT can only be disabled on Windows Server 2019 node pools.
Prerequisites
You need to use the `aks-preview` Azure CLI extension and register the feature flag.
Install or update `aks-preview` using the `az extension add` or `az extension update` command.

```azurecli
# Install aks-preview
az extension add --name aks-preview
# Update aks-preview
az extension update --name aks-preview
```

Register the feature flag using the `az feature register` command.

```azurecli
az feature register --namespace Microsoft.ContainerService --name DisableWindowsOutboundNATPreview
```

Check the registration status using the `az feature list` command. Registration takes a few minutes; wait until the state shows Registered before continuing.

```azurecli
az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/DisableWindowsOutboundNATPreview')].{Name:name,State:properties.state}"
```

Refresh the registration of the `Microsoft.ContainerService` resource provider using the `az provider register` command.

```azurecli
az provider register --namespace Microsoft.ContainerService
```

Your cluster must also meet the following requirements:
- Your cluster must have a managed NAT gateway (which may increase the overall cost).
- If you're using Kubernetes version 1.25 or older, you need to update your deployment configuration.
- If you need to switch from a load balancer to a NAT gateway, you can either add a NAT gateway into the VNet or run `az aks update --outbound-type managedNATGateway` to update the outbound type.
Manually disable OutboundNAT for Windows
Manually disable OutboundNAT for Windows when creating new Windows agent pools using the `az aks nodepool add` command with the `--disable-windows-outbound-nat` flag.
Note
You can use an existing AKS cluster, but you may need to update the outbound type and add a node pool to enable `--disable-windows-outbound-nat`.

```azurecli
az aks nodepool add \
  --resource-group myResourceGroup \
  --cluster-name myNatCluster \
  --name mynodepool \
  --node-count 3 \
  --os-type Windows \
  --disable-windows-outbound-nat
```
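`az feature register` returns as soon as the request is accepted, not when the flag is active, and a node pool added while the state is still "Registering" is created without the preview behaviour and gives no error. The script below is an added example (not Azure's own code) that polls the feature state until it is Registered, refreshes the provider, and only then adds the Windows node pool with OutboundNAT disabled. Names are the article's; `feature_state` is wrapped in its own function so the poll loop can be exercised with a stub, and the poll interval and attempt limit are this script's choices.

```shell
#!/usr/bin/env bash
# Added example, not from the Azure docs: wait for the
# DisableWindowsOutboundNATPreview flag to reach Registered before adding the
# Windows node pool, instead of assuming `az feature register` finished the job.
# Run with --apply to execute against your subscription.
set -eu

FEATURE=DisableWindowsOutboundNATPreview
NAMESPACE=Microsoft.ContainerService

# Prints the feature's registration state; wrapped so it can be stubbed in tests.
feature_state() {
  az feature show --namespace "$NAMESPACE" --name "$FEATURE" \
    --query properties.state --output tsv
}

# wait_for_feature <max_attempts> <sleep_seconds>
# Returns 0 once the state is Registered. Returns 1 on timeout, or immediately on
# a state that polling will never fix (NotRegistered, Unregistering, anything else).
wait_for_feature() {
  local attempts=$1 interval=$2 n=0 state
  while [ "$n" -lt "$attempts" ]; do
    state=$(feature_state)
    case "$state" in
      Registered) return 0 ;;
      Registering|Pending) ;;   # still in progress, keep polling
      *) echo "feature $FEATURE is '$state'; run az feature register first" >&2; return 1 ;;
    esac
    n=$((n + 1))
    sleep "$interval"
  done
  echo "feature $FEATURE not Registered after $attempts attempts" >&2
  return 1
}

add_windows_pool_without_outboundnat() {
  az feature register --namespace "$NAMESPACE" --name "$FEATURE" --output none
  wait_for_feature 60 10          # up to 10 minutes
  az provider register --namespace "$NAMESPACE"
  az aks nodepool add \
    --resource-group myResourceGroup \
    --cluster-name myNatCluster \
    --name mynodepool \
    --node-count 3 \
    --os-type Windows \
    --disable-windows-outbound-nat
}

if [ "${1:-}" = "--apply" ]; then
  add_windows_pool_without_outboundnat
fi
```

The same pattern applies to any AKS preview flag: register, poll `az feature show` until Registered, then `az provider register`, and only then create the resource that depends on the flag.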
Next steps
For more information on Azure NAT Gateway, see Azure NAT Gateway.