How to restrict source public IP addresses for egress traffic when using AKS (Azure Kubernetes Service)

Objectives

An ingress controller on Azure Kubernetes Service (AKS) can be configured to accept ingress traffic only from specified public IP addresses, but what about egress traffic? Without any configuration, the source public IP address of egress traffic from an AKS cluster is chosen by Azure rather than by you, and it can change when the cluster or its node pools are recreated. This is a problem for API providers that allow incoming traffic only from public IP addresses the client has registered in advance. In this entry, I summarize four ways to pin the public IP addresses used for egress traffic from AKS.

1. Azure Firewall

Control egress traffic for cluster nodes in Azure Kubernetes Service (AKS) (Microsoft Docs)

Route the node subnet's outbound traffic to Azure Firewall with a user-defined route (the AKS outbound type userDefinedRouting). The firewall SNATs all outbound traffic to its own public IP address(es), so those are the addresses to register with the API provider. This is the only option of the four that also lets you filter egress by FQDN and network rule instead of merely pinning the source IP.

[Figure: Azure Firewall with load balancer integration, from https://docs.microsoft.com/azure/firewall/media/integrate-lb/firewall-lb-asymmetric.png]

2. Standard Load Balancer

In this case you configure outbound rules on the load balancer. Outbound rules exist only on the Standard SKU; a Basic load balancer has no outbound rules and leaves the source IP up to Azure, so this option requires a cluster created with the Standard load balancer SKU. AKS manages the outbound rule for you: pass your own public IP addresses with `--load-balancer-outbound-ips` (or public IP prefixes with `--load-balancer-outbound-ip-prefixes`) to `az aks create` or `az aks update`, and every node, and therefore every pod, is SNATed to one of those addresses. Each outbound IP provides a fixed pool of SNAT ports shared by all nodes, so a large cluster or one that opens many short-lived connections needs more outbound IPs or a higher `--load-balancer-outbound-ports` value to avoid SNAT port exhaustion.

3. Virtual Network NAT

NAT gateway (Virtual Network NAT) was introduced in March 2020 and is attached to a subnet. A NAT gateway has one or more public IP addresses or public IP prefixes (up to 16 in total), and all outbound traffic from the subnet, from nodes and pods alike, is SNATed to one of them, so the set of addresses to register with the provider is exactly the set attached to the gateway. Once a NAT gateway is associated with the node subnet it takes precedence over the load balancer's outbound rules, so the two do not need to be combined. The gateway is created and attached outside of AKS with `az network nat gateway create` and `az network vnet subnet update --nat-gateway`; a public IP prefix is the convenient choice when the provider allowlists CIDR blocks rather than single addresses.

4. Assign Public IP to each node in node pool

We can also assign a public IP to each node in a node pool (in preview at the time of writing, enabled with `--enable-node-public-ip` on the node pool). When a pod running on a node sends egress traffic, the public IP assigned to that node is used as the source IP. Two caveats: the set of addresses changes whenever the node pool scales or nodes are replaced, so the provider's allowlist has to follow it (assigning the node pool a public IP prefix at least keeps the addresses within a known CIDR), and a node public IP is reachable inbound as well, so the node pool's network security group must restrict inbound traffic.
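Whichever of the four options you pick, the provider's allowlist is only as good as your confirmation that pods really leave through the expected addresses. The following script is an added example (mine, not the author's code) that takes the addresses and prefixes attached to the NAT gateway or outbound rule, produces the collapsed CIDR list to hand to the provider, and checks source IPs observed from pods against it. It assumes the observed IPs were collected by running a "what is my IP" request from each pod (for example `kubectl exec <pod> -- curl -s ifconfig.me`); the allowlist and observed values below are constructed samples.

```python
"""Verify that egress source IPs observed from AKS pods fall inside the public
IP addresses/prefixes registered with an API provider.

Added example, not part of the original post. All inputs are constructed:
- ALLOWLIST mimics the public IPs and public IP prefixes attached to a NAT
  gateway or a Standard Load Balancer outbound rule.
- OBSERVED mimics source IPs reported by a "what is my IP" endpoint called
  from several pods (assumed collection method: kubectl exec + curl).
"""
import ipaddress
from typing import Iterable

# Constructed sample: one /30 public IP prefix plus one standalone public IP.
ALLOWLIST = ["20.1.2.0/30", "52.3.4.5"]

# Constructed sample of source IPs seen from pods. 40.9.9.9 stands for an
# Azure-assigned outbound IP left over from the default configuration, and
# 10.240.0.7 for a pod whose traffic reached the check without being SNATed.
OBSERVED = {
    "pod-a": "20.1.2.1",
    "pod-b": "52.3.4.5",
    "pod-c": "40.9.9.9",
    "pod-d": "10.240.0.7",
}


def parse_allowlist(entries: Iterable[str]) -> list:
    """Turn a mix of single IPs and CIDR prefixes into ip_network objects.

    A bare address such as "52.3.4.5" becomes 52.3.4.5/32. strict=False so a
    prefix written with host bits set (20.1.2.1/30) is accepted and normalised.
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def provider_allowlist(entries: Iterable[str]) -> list:
    """The minimal CIDR list to register with the API provider.

    Adjacent and overlapping prefixes are merged: two /31s become one /30 and a
    /32 that lies inside a wider prefix disappears.
    """
    return [str(n) for n in ipaddress.collapse_addresses(parse_allowlist(entries))]


def classify(ip: str, allowed) -> str:
    """Return 'allowed', 'private' (traffic was not SNATed at all) or 'unexpected'."""
    addr = ipaddress.ip_address(ip)
    if addr.is_private:
        return "private"
    return "allowed" if any(addr in n for n in allowed) else "unexpected"


def check_observed(observed: dict, entries: Iterable[str]) -> dict:
    """Map each pod name to the verdict for the source IP it was seen with."""
    allowed = parse_allowlist(entries)
    return {name: classify(ip, allowed) for name, ip in observed.items()}


def offenders(observed: dict, entries: Iterable[str]) -> list:
    """Pods whose egress the provider would reject, sorted by name."""
    verdicts = check_observed(observed, entries)
    return sorted(name for name, verdict in verdicts.items() if verdict != "allowed")


if __name__ == "__main__":
    print("register with provider:", provider_allowlist(ALLOWLIST))
    for name, verdict in check_observed(OBSERVED, ALLOWLIST).items():
        print(f"{name}: {OBSERVED[name]} -> {verdict}")
    # Non-zero exit so the check can gate a pipeline step.
    raise SystemExit(1 if offenders(OBSERVED, ALLOWLIST) else 0)
```

A "private" verdict is worth treating separately from "unexpected": it means the request never passed through the NAT path at all (for example the check endpoint was reached over a private link or the pod was on a node in a subnet without the NAT gateway), whereas "unexpected" means a different public IP is in use, typically the Azure-managed outbound IP that the new configuration was supposed to replace.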

Akihiro Nishikawa

Cloud Solution Architect @ Microsoft. Passionate about Java (JVM/GraalVM) and open source technologies. All views are my own.