Configuring Egress and Ingress for AKS Ingress Controllers in Private Networks
Runbook for customers using private networks to configure Egress and Ingress for Azure
DuploCloud Azure Kubernetes Services (AKS) customers who require traffic to be strictly restricted within a private network may encounter cluster communication difficulties when deploying an AKS Ingress controller. This is because the API server uses a private IP address that routes to a firewall, blocking traffic flow to/from the Kubernetes resources. This runbook provides step-by-step instructions to configure egress and ingress traffic, ensuring secure and compliant communication through the firewall.
While transitive peering is not natively supported, you can have a transitive connection using a central firewall. For example, VNet A can peer to VNet B, and VNet B can peer to VNet C. If traffic is routed to a firewall within VNet B as the next hop, you can go from VNet A to VNet C without direct peering between them.
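To make the hub-firewall point concrete, the following is an added example (not DuploCloud or Azure code) that models VNet peering as non-transitive and user-defined routes whose next hop is a virtual appliance. The VNet names, address spaces and firewall IP are constructed; `resolve_path` is a hypothetical helper that returns the hops a packet would take. It also shows the reverse direction: VNet C can only answer VNet A if its own subnet routes back through the firewall, which is why the runbook attaches route tables to both the AKS subnet and the Application Gateway subnet.

```python
"""Model of why a route to a central firewall lets VNet A reach VNet C without
direct peering. Added example, not DuploCloud or Azure code; topology values
are constructed."""
from ipaddress import ip_address, ip_network

# Constructed topology: hub VNet B hosts the firewall; A and C each peer only with B.
VNETS = {"A": "10.1.0.0/16", "B": "10.0.0.0/16", "C": "10.2.0.0/16"}
PEERINGS = {frozenset({"A", "B"}), frozenset({"B", "C"})}
FIREWALL_IP = "10.0.0.4"  # private IP of the firewall, inside VNet B

# User-defined routes per VNet: (address prefix, next hop = virtual appliance IP).
UDR_ONE_WAY = {"A": [("10.2.0.0/16", FIREWALL_IP)]}
UDR_BOTH_WAYS = {"A": [("10.2.0.0/16", FIREWALL_IP)],
                 "C": [("10.1.0.0/16", FIREWALL_IP)]}


def vnet_of(ip):
    """Name of the VNet whose address space contains ip, or None."""
    addr = ip_address(ip)
    return next((n for n, cidr in VNETS.items() if addr in ip_network(cidr)), None)


def peered(a, b):
    """Direct peering only; peering is not transitive in this model."""
    return frozenset({a, b}) in PEERINGS


def resolve_path(src_vnet, dst_ip, udrs, hops=None):
    """Return the list of hops from src_vnet to dst_ip, or None if unreachable."""
    hops = (hops or []) + [src_vnet]
    dst_vnet = vnet_of(dst_ip)
    if dst_vnet == src_vnet:
        return hops                      # local delivery
    if dst_vnet and peered(src_vnet, dst_vnet):
        return hops + [dst_vnet]         # system route over the direct peering
    # Not peered: a user-defined route to a virtual appliance is the only way out.
    for prefix, next_hop in udrs.get(src_vnet, []):
        if ip_address(dst_ip) in ip_network(prefix):
            nh_vnet = vnet_of(next_hop)
            if nh_vnet and peered(src_vnet, nh_vnet) and nh_vnet not in hops:
                # The appliance forwards using its own VNet's routes; continue from there.
                return resolve_path(nh_vnet, dst_ip, udrs, hops + [f"firewall {next_hop}"])
    return None                          # unreachable: peering is not transitive


if __name__ == "__main__":
    print("A -> C, no UDR:      ", resolve_path("A", "10.2.0.10", {}))
    print("A -> C, UDR on A:    ", resolve_path("A", "10.2.0.10", UDR_ONE_WAY))
    print("C -> A, UDR on A only:", resolve_path("C", "10.1.0.10", UDR_ONE_WAY))
    print("C -> A, UDRs on both:", resolve_path("C", "10.1.0.10", UDR_BOTH_WAYS))
```

The third call returning `None` is the asymmetric case to watch for: a route on the AKS side alone gets requests to the firewall, but replies from the other VNet have no path back unless that VNet's subnet also routes through the firewall.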
Use this Runbook if...
Use this procedure if you are an AKS customer deploying an AKS ingress controller in a private network with strict data privacy requirements, such as:
Healthcare Organizations: Particularly those adhering to HITRUST compliance requirements, ensuring secure and compliant communication within their infrastructure.
Financial Institutions: Banks, insurance companies, and other financial services that require secure and regulated communication channels within their cloud infrastructure.
Large Enterprises: Companies with complex, private network setups that necessitate strict control over egress and ingress traffic for security and compliance.
Government Agencies: Entities that require stringent security measures and compliance with various regulations.
Any organization using AKS in a Private Network: Businesses running sensitive applications on AKS within a private network and facing communication challenges due to firewall restrictions.
For cases that use VPN gateways, the CIDR that must be allowed through the central firewall for Point-to-Site (P2S) connections is the P2S configured CIDR block, NOT the CIDR of the subnet where the VPN Gateway resides.
Prerequisites
An existing AKS cluster deployed with Azure CNI.
A firewall configured to manage traffic.
Step 1. Configuring Egress Traffic
Create a Route Table for the AKS Subnet
Navigate to the Azure portal.
In your route table, create a new route with the following inputs:
Route name: Provide a name for the route.
Address prefix: Enter the destination address range in IPv4 CIDR notation (a.b.c.d/e); in this case, the Application Gateway CIDR.
Next hop type: Select Virtual appliance.
Next hop address: Enter the firewall's private IP address.
Associate the Route Table with the AKS Subnet
In the Azure portal, navigate to the route table created in the previous step.
Configure Firewall Rules for Egress Traffic
Navigate to your firewall in the Azure portal.
Configure a new network rule with the following inputs:
Name: Provide a name for the rule.
Priority: Set the priority (lower numbers have higher priority).
Source address: Enter the address range of the AKS subnet.
Destination address: Specify the destination (internet or other services).
Protocol: Select the required protocol (TCP/UDP).
Action: Select Allow.
Step 2. Configuring Ingress Traffic
Use a V2 Gateway for Ingress
In the DuploCloud Portal, deploy an AKS ingress controller. This will automatically provision a version 2 (V2) gateway for handling ingress traffic.
Create a Route Table for the Application Gateway Subnet
Navigate to the Azure portal.
In your route table, create a new route with the following inputs:
Route name: Provide a name for the route.
Address prefix: Use the IP address range of the AKS services.
Next hop type: Select Virtual appliance.
Next hop address: Enter the firewall's private IP address.
Associate the Route Table with the Application Gateway Subnet
In the Azure portal, navigate to the route table created in the previous step.
Configure Firewall Rules for Ingress Traffic
Navigate to your firewall in the Azure portal.
Configure a new network rule with the following inputs:
Name: Provide a name for the rule.
Priority: Set the priority (lower numbers have higher priority).
Source address: Enter the address range of the application gateway subnet.
Destination address: Specify the AKS services.
Protocol: Select the required protocol (TCP/UDP).
Action: Select Allow.
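The following is an added example, not DuploCloud or Azure code, that checks whether a planned layout matches Step 1 (egress), Step 2 (ingress) and the Point-to-Site note above. Route tables and firewall network rules are plain dicts; all addresses (firewall IP, AKS subnet, AKS service range, Application Gateway subnet, P2S client pool, gateway subnet) are constructed sample values, and `validate` and `build_config` are hypothetical helpers. Firewall rules are evaluated first-match by priority, with lower numbers winning as the runbook's Priority field states, and no match means deny.

```python
"""Consistency check for the route tables and firewall rules this runbook
describes. Added example, not DuploCloud or Azure code: route tables and
network rules are plain dicts (constructed sample data), and validate()
reports what is missing relative to Step 1, Step 2 and the P2S note."""
from ipaddress import ip_network

# Constructed sample addresses; assumptions, not values from a real tenant.
FIREWALL_IP = "10.0.0.4"           # private IP of the central firewall
AKS_SUBNET = "10.1.0.0/22"         # subnet holding the AKS nodes
AKS_SERVICE_CIDR = "10.2.0.0/16"   # Kubernetes service address range
APPGW_SUBNET = "10.3.0.0/24"       # Application Gateway (V2) subnet
P2S_CLIENT_POOL = "172.16.0.0/24"  # P2S configured CIDR (VPN client pool)
GATEWAY_SUBNET = "10.0.1.0/27"     # subnet hosting the VPN gateway itself


def route_sends_to_firewall(route_table, destination_cidr, firewall_ip):
    """True if a route covers destination_cidr with next hop = the firewall."""
    dest = ip_network(destination_cidr)
    return any(
        r["next_hop_type"] == "VirtualAppliance"
        and r["next_hop_address"] == firewall_ip
        and dest.subnet_of(ip_network(r["address_prefix"]))
        for r in route_table["routes"]
    )


def rule_allows(rules, source_cidr, destination_cidr, protocol):
    """First match by priority (lower number wins); no match means deny."""
    src, dst = ip_network(source_cidr), ip_network(destination_cidr)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (protocol in rule["protocols"]
                and src.subnet_of(ip_network(rule["source"]))
                and dst.subnet_of(ip_network(rule["destination"]))):
            return rule["action"] == "Allow"
    return False


def validate(cfg):
    """Return findings as strings; an empty list means the layout matches the runbook."""
    findings, fw, rules = [], cfg["firewall_ip"], cfg["firewall_rules"]
    # Step 1: AKS subnet -> firewall -> Application Gateway CIDR.
    aks_rt = cfg["route_tables"]["aks"]
    if cfg["aks_subnet"] not in aks_rt["associated_subnets"]:
        findings.append("egress: route table is not associated with the AKS subnet")
    if not route_sends_to_firewall(aks_rt, cfg["appgw_subnet"], fw):
        findings.append("egress: no AKS-subnet route to the Application Gateway CIDR via the firewall")
    if not rule_allows(rules, cfg["aks_subnet"], cfg["appgw_subnet"], "TCP"):
        findings.append("egress: firewall does not allow AKS subnet -> Application Gateway")
    # Step 2: Application Gateway subnet -> firewall -> AKS services.
    gw_rt = cfg["route_tables"]["appgw"]
    if cfg["appgw_subnet"] not in gw_rt["associated_subnets"]:
        findings.append("ingress: route table is not associated with the Application Gateway subnet")
    if not route_sends_to_firewall(gw_rt, cfg["aks_service_cidr"], fw):
        findings.append("ingress: no Application Gateway route to the AKS services via the firewall")
    if not rule_allows(rules, cfg["appgw_subnet"], cfg["aks_service_cidr"], "TCP"):
        findings.append("ingress: firewall does not allow Application Gateway -> AKS services")
    # P2S note: the allowed source must be the P2S client pool, not the gateway's subnet.
    if cfg.get("p2s_client_pool") and not rule_allows(
            rules, cfg["p2s_client_pool"], cfg["aks_service_cidr"], "TCP"):
        findings.append("p2s: firewall does not allow the P2S client pool -> AKS services "
                        "(the rule must use the P2S CIDR, not the VPN gateway's subnet)")
    return findings


def build_config(p2s_rule_source=P2S_CLIENT_POOL, associate_aks=True):
    """Assemble the runbook layout; the parameters let a caller inject a mistake."""
    def rt(name, prefix, subnets):
        return {"name": name, "associated_subnets": subnets, "routes": [
            {"name": "to-firewall", "address_prefix": prefix,
             "next_hop_type": "VirtualAppliance", "next_hop_address": FIREWALL_IP}]}

    def rule(name, prio, src, dst):
        return {"name": name, "priority": prio, "source": src, "destination": dst,
                "protocols": ["TCP"], "action": "Allow"}

    return {
        "firewall_ip": FIREWALL_IP, "aks_subnet": AKS_SUBNET,
        "aks_service_cidr": AKS_SERVICE_CIDR, "appgw_subnet": APPGW_SUBNET,
        "p2s_client_pool": P2S_CLIENT_POOL,
        "route_tables": {
            "aks": rt("aks-egress", APPGW_SUBNET, [AKS_SUBNET] if associate_aks else []),
            "appgw": rt("appgw-ingress", AKS_SERVICE_CIDR, [APPGW_SUBNET]),
        },
        "firewall_rules": [
            rule("aks-to-appgw", 100, AKS_SUBNET, APPGW_SUBNET),
            rule("appgw-to-aks", 110, APPGW_SUBNET, AKS_SERVICE_CIDR),
            rule("vpn-to-aks", 120, p2s_rule_source, AKS_SERVICE_CIDR),
        ],
    }


if __name__ == "__main__":
    print("correct layout:", validate(build_config()) or "OK")
    print("GatewaySubnet used as P2S source:",
          validate(build_config(p2s_rule_source=GATEWAY_SUBNET)))
```

Running it with the gateway subnet substituted for the P2S client pool produces exactly the failure the note above warns about: the route and rule objects all exist, but no rule matches the addresses VPN clients actually use, so the firewall drops their traffic.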
Summary of Steps
Egress Traffic Routing:
Create a route table and add a route to send egress traffic to the firewall.
Associate this route table with the AKS subnet.
Configure the firewall to allow traffic from the AKS subnet.
Ingress Traffic Handling:
Ensure the AKS ingress controller provisions a V2 gateway.
Create a route table for the application gateway subnet to route traffic through the firewall.
Associate this route table with the application gateway subnet.
Configure the firewall to allow traffic from the application gateway subnet to the AKS services.
This Runbook ensures that egress and ingress traffic is securely managed, facilitating secure, compliant communication for users handling sensitive data.
Resources
Links to resources that may be helpful to users of this Runbook.
DuploCloud documentation for Azure (AKS) Ingress.