This article provides the necessary details that allow you to secure outbound traffic from your Azure Kubernetes Service (AKS). It contains the cluster requirements for a base AKS deployment and additional requirements for optional addons and features. You can apply this information to any outbound restriction method or appliance. To see an example configuration using Azure Firewall, visit Control egress traffic using Azure Firewall in AKS.

## Background

AKS clusters are deployed on a virtual network. This network can either be customized and pre-configured by you or it can be created and managed by AKS. In either case, the cluster has outbound, or egress, dependencies on services outside of the virtual network.

For management and operational purposes, nodes in an AKS cluster need to access certain ports and fully qualified domain names (FQDNs). These endpoints are required for the nodes to communicate with the API server or to download and install core Kubernetes cluster components and node security updates. For example, the cluster needs to pull base system container images from Microsoft Container Registry (MCR).

The AKS outbound dependencies are almost entirely defined with FQDNs, which don't have static addresses behind them. The lack of static addresses means you can't use network security groups (NSGs) to lock down the outbound traffic from an AKS cluster.

By default, AKS clusters have unrestricted outbound internet access. This level of network access allows nodes and services you run to access external resources as needed. If you wish to restrict egress traffic, a limited number of ports and addresses must be accessible to maintain healthy cluster maintenance tasks. The simplest solution to securing outbound addresses is using a firewall device that can control outbound traffic based on domain names. Azure Firewall can restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination. You can also configure your preferred firewall and security rules to allow these required ports and addresses.

This document covers only how to lock down the traffic leaving the AKS subnet. AKS has no ingress requirements by default. Blocking internal subnet traffic using network security groups (NSGs) and firewalls isn't supported. To control and block the traffic within the cluster, see Secure traffic between pods using network policies in AKS.

## Required outbound network rules and FQDNs for AKS clusters

The following network and FQDN/application rules are required for an AKS cluster. You can use them if you wish to configure a solution other than Azure Firewall.

- IP address dependencies are for non-HTTP/S traffic (both TCP and UDP traffic).
- FQDN HTTP/HTTPS endpoints can be placed in your firewall device.
- Wildcard HTTP/HTTPS endpoints are dependencies that can vary with your AKS cluster based on a number of qualifiers.
- AKS uses an admission controller to inject the FQDN as an environment variable to all deployments under kube-system and gatekeeper-system. This ensures all system communication between nodes and API server uses the API server FQDN and not the API server IP.
  - If you have an app or solution that needs to talk to the API server, you must add an additional network rule to allow TCP communication to port 443 of your API server's IP.
  - On rare occasions, if there's a maintenance operation, your API server IP might change. Planned maintenance operations that can change the API server IP are always communicated in advance.

### Azure Global required network rules

| Destination Endpoint | Use |
|---|---|
| `*:1194` Or ServiceTag - AzureCloud.:1194 Or Regional CIDRs - RegionCIDRs:1194 Or APIServerPublicIP:1194 (only known after cluster creation) | For tunneled secure communication between the nodes and the control plane. This isn't required for private clusters, or for clusters with the konnectivity-agent enabled. |
| `*:9000` Or ServiceTag - AzureCloud.:9000 Or Regional CIDRs - RegionCIDRs:9000 Or APIServerPublicIP:9000 (only known after cluster creation) | For tunneled secure communication between the nodes and the control plane. This isn't required for private clusters, or for clusters with the konnectivity-agent enabled. |
| `*:123` or :123 (if using Azure Firewall network rules) | Required for Network Time Protocol (NTP) time synchronization on Linux nodes. This isn't required for nodes provisioned after March 2021. |
| CustomDNSIP:53 (if using custom DNS servers) | If you're using custom DNS servers, you must ensure they're accessible by the cluster nodes. |
| APIServerPublicIP:443 (if running pods/deployments that access the API Server) | Required if running pods/deployments that access the API Server; those pods/deployments would use the API IP. This port isn't required for private clusters. |

### Azure Global required FQDN / application rules

| Destination FQDN | Use |
|---|---|
| | Required for node to API server communication. |
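The conditions attached to the network rules on this page (private cluster, konnectivity-agent, custom DNS servers, node provisioning date, pods that use the API server IP) are easy to get wrong when an egress allowlist is built by hand. The following Python is an added example, not Microsoft's code: it encodes the rules from the network-rules table and reports which ones a proposed allowlist still lacks for a given cluster; the `Rule` type, the function names and the sample allowlist are assumptions.

```python
"""Check an egress allowlist against the AKS Azure Global network rules on this page.

Added example (not Microsoft's code). Rule contents follow the network-rules table;
the keyword flags model the table's stated exceptions.
"""
from dataclasses import dataclass

# Any of these destination forms satisfies the tunnel rules, per the table.
TUNNEL_DESTS = ("*", "ServiceTag - AzureCloud", "RegionCIDRs", "APIServerPublicIP")

@dataclass(frozen=True)
class Rule:
    dests: tuple   # acceptable destination forms for this rule
    proto: str
    port: int
    reason: str

def required_network_rules(private_cluster=False, konnectivity=False, custom_dns=False,
                           nodes_before_march_2021=False, pods_use_api_ip=False):
    """Return the network rules this cluster still needs after the table's exceptions."""
    tunnel = "tunneled secure communication between nodes and the control plane"
    rules = []
    if not (private_cluster or konnectivity):      # 1194/UDP and 9000/TCP exceptions
        rules.append(Rule(TUNNEL_DESTS, "UDP", 1194, tunnel))
        rules.append(Rule(TUNNEL_DESTS, "TCP", 9000, tunnel))
    if nodes_before_march_2021:                    # NTP not needed after March 2021
        rules.append(Rule(("*",), "UDP", 123, "NTP time synchronization on Linux nodes"))
    if custom_dns:
        rules.append(Rule(("CustomDNSIP",), "UDP", 53, "custom DNS servers must be reachable"))
    if pods_use_api_ip and not private_cluster:    # 443 to the API IP, public clusters only
        rules.append(Rule(("APIServerPublicIP",), "TCP", 443, "pods that talk to the API server IP"))
    return rules

def missing_rules(allowlist, **cluster):
    """allowlist: (destination, protocol, port) tuples the firewall currently permits.
    A wildcard destination '*' permits any destination for that protocol/port."""
    allowed = {(d, p.upper(), int(port)) for d, p, port in allowlist}
    def permitted(rule):
        return any((d, rule.proto, rule.port) in allowed for d in rule.dests + ("*",))
    return [r for r in required_network_rules(**cluster) if not permitted(r)]

if __name__ == "__main__":
    # Constructed sample: public cluster with custom DNS whose firewall only opened 9000/TCP.
    sample = [("APIServerPublicIP", "tcp", 9000)]
    for r in missing_rules(sample, custom_dns=True):
        print(f"missing {r.proto}/{r.port} to {' or '.join(r.dests)}: {r.reason}")
```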