Hello, in many organizations (e.g. major banks, government), it will be an issue to require the VNET to have outbound internet connectivity. I fully understand this is to deploy and upgrade the Kubernetes cluster. In order to enable this, security groups will need to understand what public endpoints need to be accessed. Would it be possible to provide a list of public endpoints so at least they can be whitelisted? What would also be fantastic is if Microsoft could provide some visibility into how the binaries pulled from these endpoints are scanned for vulnerabilities. Thank you.
Thanks for the feedback! We are currently investigating and will update you shortly.
This is the exact situation my organization is running into. We are looking to adopt AKS as a solution for future k8s deployments but this is a major barrier to considering AKS as a serious solution. Please consider modifying this requirement.
Adding @aanandr @sauryadas @amanohar for input.
Cc: @slack @neilpeterson
@aanandr, @sauryadas, @amanohar any update on this ask?
I think we are referring to the reverse tunnel that is set up from the cluster to the master which is then used by the master to manage agent nodes. This tunnel is set up to a master public endpoint.
I don't know the IPs of these endpoints, @sauryadas would know.
@aanandr I am referring to any endpoints that are external to the VNET in which the AKS cluster is deployed. Deployment of AKS requires pulling images for the kubernetes components (hyperkube, kube-dns, kube-scheduler, etc.). It also requires updating the underlying Ubuntu via apt-get. We have looked at the acs-engine code base and there is even access to Google DNS (8.8.8.8/8.8.4.4) to test outbound connectivity. Going through the acs-engine code base is not sufficient, as the external dependencies could change. If MS can lock down the public endpoints and document them with each release, that would be helpful. Note, Red Hat does this for OpenShift specifically for this reason.
@sauryadas any thoughts on this one?
Unfortunately we do not have an exhaustive list of public endpoints that could be used to deny public internet access from a VNET running AKS. That said, customers have been asking for this with increasing frequency, so it's something we are actively looking into.
/cc @khenidak @brendandburns
Thanks for confirming this @gabrtv!
@jungho I will close this out for now as there is nothing that can be added to the doc at this time. Thank you for bringing this up though and rest assured the team is looking into how we can publicize this type of information in the future.
@MicahMcKittrick-MSFT Does it make sense to keep the issue open so that everyone knows it is in the backlog and being prioritized?
@jungho the issue is still visible on the document so when others come they can still see it. Without any actual ETA on when we might get that information publicized I would opt to just close for now.
I will assign the issue to @gabrtv so he can keep it in his system for tracking
@jungho We maintain a fairly comprehensive list of the overall compute IP address ranges used by the Microsoft Azure datacenters, but not sure if this fits your needs and/or is too much - https://www.microsoft.com/en-us/download/details.aspx?id=41653. This list is updated weekly, and lead time is provided for new ranges. Does this help for the time being?
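As an added example (not code from this thread or from Microsoft), one way a security team could put a range list like the one linked above to use: parse it into networks, then check which destination IPs seen in the cluster's egress logs fall outside every published Azure range and therefore need explicit review before an allow rule is written. The XML layout (Region elements holding IpRange elements), the region names, the subnets and the log lines below are all constructed for illustration, not taken from the real download.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the layout assumed for the Azure datacenter IP range
# download (Region elements containing IpRange elements). Values are made up.
SAMPLE_RANGES_XML = """<AzurePublicIpAddresses>
  <Region Name="uswest">
    <IpRange Subnet="13.64.0.0/16" />
    <IpRange Subnet="40.112.128.0/17" />
  </Region>
  <Region Name="europewest">
    <IpRange Subnet="52.166.0.0/16" />
  </Region>
</AzurePublicIpAddresses>
"""

# Constructed egress log lines in the form "<timestamp> <src> -> <dst>:<port>".
SAMPLE_EGRESS_LOG = """2018-07-05T16:45:01Z 10.240.0.4 -> 13.64.12.7:443
2018-07-05T16:45:02Z 10.240.0.4 -> 8.8.8.8:53
2018-07-05T16:45:03Z 10.240.0.5 -> 52.166.9.1:443
2018-07-05T16:45:04Z 10.240.0.5 -> 91.189.88.161:80
"""


def parse_ranges(xml_text):
    """Return {region_name: [ip_network, ...]} from the range list XML."""
    root = ET.fromstring(xml_text)
    ranges = {}
    for region in root.iter("Region"):
        ranges[region.get("Name")] = [ipaddress.ip_network(r.get("Subnet"))
                                      for r in region.iter("IpRange")]
    return ranges


def classify_destinations(log_text, ranges):
    """Map each destination IP to the region whose range contains it,
    or None when it is outside every listed range (needs explicit review)."""
    result = {}
    for line in log_text.splitlines():
        if " -> " not in line:
            continue
        dst = line.split(" -> ", 1)[1].rsplit(":", 1)[0]
        ip = ipaddress.ip_address(dst)
        result[dst] = next((name for name, nets in ranges.items()
                            if any(ip in net for net in nets)), None)
    return result


def unlisted_destinations(log_text, xml_text):
    """Destinations outside the published ranges, sorted for reporting."""
    hits = classify_destinations(log_text, parse_ranges(xml_text))
    return sorted(ip for ip, region in hits.items() if region is None)
```

Run against the real weekly download, the unlisted set is the short list the security group has to research by hand (in the sample, the DNS connectivity check and an apt mirror); everything else is covered by a range-based allow rule.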
Yes, thanks Iain!
@iainfoulds I don't think the link you provided is the correct one. It is trying to sell me a Surface Pro. ;-)
@jungho That should be the correct link--scroll down a bit (under the Surface Pro image) to see the Download button:

Here's the link without the en-us locale identifier, in case redirection isn't working correctly for you: