How to restrict source public IP addresses for egress traffic when using AKS (Azure Kubernetes Service)

[As of March 31, 2021]

The original entry is here (English) and there (Japanese).

Objectives

The ingress controller of Azure Kubernetes Service (AKS) can allow ingress traffic only from specified public IP addresses, but what about egress traffic? Without any configuration, the source public IP addresses of egress traffic from AKS are chosen at random. This behavior is a problem for some API providers, because they want to accept incoming traffic only from specified public IP addresses. In this entry, I summarize three ways to restrict the IP addresses used for egress traffic from AKS.

Control egress traffic for cluster nodes in Azure Kubernetes Service (AKS)

This topology is similar to an on-premises environment where a proxy handles internet access. As the diagram below shows, egress traffic is routed to the firewall's subnet with a UDR (user-defined route). In this case, we must not block any internal subnet traffic within the AKS cluster.

https://docs.microsoft.com/azure/firewall/media/integrate-lb/firewall-lb-asymmetric.png

We have to be careful not to block internal subnet traffic, as the following passage explains.

Blocking internal subnet traffic using network security groups (NSGs) and firewalls is not supported. To control and block the traffic within the cluster, use Network Policies.

In this case, you configure outbound rules for the load balancer.

NAT gateway was introduced in March 2020, and it can be deployed onto a subnet. A NAT gateway has at least one public IP address. When a pod sends egress traffic, one of the public IPs assigned to the NAT gateway is used as the source IP.

Typically, each node pool consists of a VMSS (Virtual Machine Scale Set) and is connected to a single subnet. However, we can assign a unique subnet to each node pool (preview). When a NAT gateway is assigned to each subnet, pods running on each node pool use a different source IP.

We can also assign a public IP to each node in a node pool (preview). When a pod running on such a node sends egress traffic, the public IP assigned to the node is used as the source IP.
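Whichever of the three approaches you pick, the check a practitioner wants afterwards is the same: confirm that every node pool's egress really leaves through the IPs you told the API provider about, and that their allowlist covers all of them. The script below is an added example (not code from the original post or from AKS) that does this for the NAT-gateway-per-node-pool layout described above. It resolves node pool → subnet → NAT gateway → public IPs from data shaped like trimmed `az network nat gateway list`, `az network public-ip list` and `az aks nodepool list` output, then compares it against what pods observed from an external IP-echo service. All resource IDs, IP addresses, pool names and the provider allowlist are constructed samples; nothing here talks to Azure.

```python
"""Verify that AKS pod egress uses the public IPs you expect (added example)."""
import ipaddress

# Constructed placeholder subscription / resource group prefix for resource IDs.
NET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-aks"
       "/providers/Microsoft.Network")

# Constructed sample shaped like trimmed `az network nat gateway list` output.
NAT_GATEWAYS = [
    {"name": "natgw-pool-a",
     "subnets": [{"id": f"{NET}/virtualNetworks/vnet-aks/subnets/snet-pool-a"}],
     "publicIpAddresses": [{"id": f"{NET}/publicIPAddresses/pip-a-1"},
                           {"id": f"{NET}/publicIPAddresses/pip-a-2"}]},
    {"name": "natgw-pool-b",
     "subnets": [{"id": f"{NET}/virtualNetworks/vnet-aks/subnets/snet-pool-b"}],
     "publicIpAddresses": [{"id": f"{NET}/publicIPAddresses/pip-b-1"}]},
]
# Constructed sample shaped like trimmed `az network public-ip list` output.
PUBLIC_IPS = [
    {"id": f"{NET}/publicIPAddresses/pip-a-1", "ipAddress": "203.0.113.10"},
    {"id": f"{NET}/publicIPAddresses/pip-a-2", "ipAddress": "203.0.113.11"},
    {"id": f"{NET}/publicIPAddresses/pip-b-1", "ipAddress": "203.0.113.20"},
]
# Constructed sample shaped like trimmed `az aks nodepool list` output.
# "poolc" sits on a subnet with no NAT gateway, so its egress IP is whatever
# the load balancer happens to pick.
NODE_POOLS = [
    {"name": "poola", "vnetSubnetId": f"{NET}/virtualNetworks/vnet-aks/subnets/snet-pool-a"},
    {"name": "poolb", "vnetSubnetId": f"{NET}/virtualNetworks/vnet-aks/subnets/snet-pool-b"},
    {"name": "poolc", "vnetSubnetId": f"{NET}/virtualNetworks/vnet-aks/subnets/snet-pool-c"},
]
# Constructed observations: the node pool each pod ran on and the source IP an
# external IP-echo service reported back to it.
OBSERVED = [
    {"pod": "api-client-1", "nodepool": "poola", "egress_ip": "203.0.113.11"},
    {"pod": "api-client-2", "nodepool": "poolb", "egress_ip": "203.0.113.20"},
    {"pod": "batch-job-7", "nodepool": "poolc", "egress_ip": "198.51.100.77"},
]
# Hypothetical allowlist the API provider says it has configured for us.
PROVIDER_ALLOWLIST = ["203.0.113.10/32", "203.0.113.11/32"]


def expected_egress_ips(nat_gateways, public_ips, node_pools):
    """Map node pool name -> set of public IPs its egress must use.

    Resolution chain: node pool -> subnet -> NAT gateway -> public IPs.
    Azure resource IDs are compared case-insensitively because the CLI does
    not return them with consistent casing. A pool whose subnet has no NAT
    gateway maps to an empty set.
    """
    ip_by_id = {p["id"].lower(): p["ipAddress"] for p in public_ips}
    ips_by_subnet = {}
    for gw in nat_gateways:
        ips = {ip_by_id[p["id"].lower()] for p in gw["publicIpAddresses"]}
        for subnet in gw["subnets"]:
            ips_by_subnet[subnet["id"].lower()] = ips
    return {np["name"]: ips_by_subnet.get(np["vnetSubnetId"].lower(), set())
            for np in node_pools}


def audit_egress(expected, observed):
    """Return one finding per pod whose observed egress IP is not a pinned one."""
    findings = []
    for ob in observed:
        pinned = expected.get(ob["nodepool"], set())
        if not pinned:
            findings.append(f'{ob["pod"]}: node pool {ob["nodepool"]} has no NAT gateway; '
                            f'egress IP {ob["egress_ip"]} is not pinned')
        elif ob["egress_ip"] not in pinned:
            findings.append(f'{ob["pod"]}: egress IP {ob["egress_ip"]} is not among '
                            f'NAT gateway IPs {sorted(pinned)}')
    return findings


def allowlist_gaps(expected, allowlist_cidrs):
    """Return pinned egress IPs that the provider's allowlist does not cover."""
    nets = [ipaddress.ip_network(c) for c in allowlist_cidrs]
    pinned = set().union(*expected.values())
    return sorted(ip for ip in pinned
                  if not any(ipaddress.ip_address(ip) in n for n in nets))


if __name__ == "__main__":
    exp = expected_egress_ips(NAT_GATEWAYS, PUBLIC_IPS, NODE_POOLS)
    for line in audit_egress(exp, OBSERVED):
        print("FINDING:", line)
    print("ask the provider to allow:", allowlist_gaps(exp, PROVIDER_ALLOWLIST))
```

Run against the constructed data, the audit flags only `batch-job-7`, because `poolc` has no NAT gateway and therefore no pinned IP, and the allowlist check reports `203.0.113.20`, which the provider has not yet allowed. In a real cluster you would feed it the JSON from the three `az` commands and have a short-lived pod on each node pool call an IP-echo endpoint to produce the observations.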

Resources

Cloud Solution Architect @Microsoft, focusing on Application Development. ❤️Java (JVM/GraalVM) and open source technologies. All views are my own. Ex-🥑.