Azure-docs: Security groups.

Created on 6 Jul 2018 · 18 comments · Source: MicrosoftDocs/azure-docs

I have created a security group in addition to your tutorial; the problem is that I can't attach my security group to the subnet that Terraform is automatically creating. How can I attach my security group to the subnet that k8s is running in?



Pri2 assigned-to-author azure-container-servicsvc doc-enhancement triaged

All 18 comments

Thanks for the feedback! We are currently investigating and will update you shortly.

@airwolfnh which link are you following? This doc is referring to creating a cluster, but I do not see anything regarding security groups.

The link I am following is at the top of this page. Yes, there are no security groups in your doc; that's why I am asking how to add security groups with AKS. I added them manually in my Terraform; now how do I link it to the subnet that AKS has created for me?

@airwolfnh: You need to look at Terraform with network security groups; that will be the right place to go:
https://www.terraform.io/docs/providers/azurerm/r/subnet.html

Thanks @SamirFarhat!

@airwolfnh let us know if that link helps.

I know how to create a subnet on terraform, that's not what I asked. I asked how do I use the subnet that AKS created for me and attach my security group to it.

Got it. If you go to the resource group that your AKS cluster is in, you will see the VNet that was created and is associated with it:

[image]

From there you can select the VNet -> Subnets -> select your subnet.

Then you can associate whatever NSG you like to the Subnet.

Sure, I also know that, I am asking how to do that with terraform :)

@airwolfnh then I believe it is answered in the link shared by @SamirFarhat:

[image]

Sorry for not making myself clear. Let's try again.
I know how to create a subnet and attach the security group to the subnet in Terraform.
The problem is that when you are using Terraform to create the AKS cluster, it creates the subnet for you, so you can't attach the subnet to the security group, because you can only do that when you are creating the subnet; that's when you attach the security group in Terraform. How can I attach my security group to a subnet created by the AKS Terraform API call? I can only do that manually after everything has been created, as you already suggested, but I don't want to do that manually; I want to do all of that in Terraform.

I would assume you could just update the NIC using Terraform and include the NSG settings:
https://www.terraform.io/docs/providers/azurerm/r/network_interface.html

@TomArcher do you have any idea? I am not overly familiar with terraform.

To make it easier to understand: how would you extend your Terraform example by adding a security group and attaching it to the subnet that was created by AKS?

@airwolfnh I will assign to the content author to review and see if we can get this info added to the examples.

@TomArcher can you take a look?

Thanks, @airwolfnh for your feedback, and @MicahMcKittrick-MSFT for helping out. I've sent an email to the Terraform provider PM to see what he thinks is the best way to proceed. He's out sick today, but I'll try to connect with him later this week, or early next week.

@airwolfnh Sorry for taking so long to get back to you. From the Terraform PM, this cannot currently be done using Terraform. We are following up with the AKS team to see if they can modify their API to allow the specification of an NSG during creation.

@MicahMcKittrick-MSFT As this is not a doc bug, I'm attaching the #please-close tag for our Issues team to close.

Has there been any update or progress on this? I'm hitting the same issue. I create AKS with Terraform, which in turn creates its own NSG. It would be nice to assign the NSG to the specific AKS subnet as part of the automation, without doing it manually afterwards. Kind of defeats the whole point of automating.

@mariojacobo, the NSG that is created by the AKS cluster in the node resource group is associated with the AKS nodes' NICs, not with the subnet (I am using a Virtual Machine Scale Set and it looks like that in my case).
So, if you're provisioning the cluster with a subnet that was created in advance (for example, with Terraform), you can also create the NSG tied to this subnet.
The doc explains that:

Azure processes the rules in a network security group associated to a subnet first, if there is one, and then the rules in a network security group associated to the network interface, if there is one

So you can just create your own NSG in front of the dynamic AKS NSG.
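The approach in the comment above, written out in Terraform as an added example (it is not code from this thread or from the Azure docs): the subnet is created ahead of the cluster, the NSG is associated with that subnet, and the subnet ID is handed to AKS, so the subnet NSG is evaluated before the NIC-level NSG that AKS manages. It uses the azurerm 3.x provider syntax, which is newer than the 2018 discussion; the resource names, region, CIDRs and the 203.0.113.0/24 source range are assumptions.

```hcl
# Added example: bring your own subnet + NSG to AKS so the NSG can be managed
# in Terraform. Names, region, CIDRs and the allowed source range are assumed.

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-aks-example"
  location = "westeurope"
}

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-aks"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = ["10.10.0.0/16"]
}

# Created here, not by AKS, so an NSG can be attached to it declaratively.
resource "azurerm_subnet" "nodes" {
  name                 = "snet-aks-nodes"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.10.1.0/24"]
}

# Subnet-level NSG, evaluated before the NIC-level NSG that AKS creates.
# The default rules (priority 65000/65001) still allow VirtualNetwork and
# AzureLoadBalancer inbound traffic, which the cluster relies on.
resource "azurerm_network_security_group" "nodes" {
  name                = "nsg-aks-nodes"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  security_rule {
    name                       = "AllowCorpInboundWeb"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_ranges    = ["80", "443"]
    source_address_prefix      = "203.0.113.0/24" # assumed corporate range
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "DenyInternetInbound"
    priority                   = 200
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "nodes" {
  subnet_id                 = azurerm_subnet.nodes.id
  network_security_group_id = azurerm_network_security_group.nodes.id
}

# Cluster identity created up front so it can be granted rights on the
# subnet before the cluster tries to place nodes in it.
resource "azurerm_user_assigned_identity" "aks" {
  name                = "id-aks-example"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_role_assignment" "aks_subnet" {
  scope                = azurerm_subnet.nodes.id
  role_definition_name = "Network Contributor"
  principal_id         = azurerm_user_assigned_identity.aks.principal_id
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "aks-example"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "aksexample"

  default_node_pool {
    name           = "system"
    node_count     = 2
    vm_size        = "Standard_D2s_v3"
    vnet_subnet_id = azurerm_subnet.nodes.id # the pre-created subnet
  }

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.aks.id]
  }

  network_profile {
    network_plugin = "azure"
    service_cidr   = "10.20.0.0/16"
    dns_service_ip = "10.20.0.10"
  }

  depends_on = [
    azurerm_subnet_network_security_group_association.nodes,
    azurerm_role_assignment.aks_subnet,
  ]
}
```

After `terraform apply`, the cluster's own NSG still sits on the node NICs; the subnet NSG above is a second layer in front of it. Keep subnet-level deny rules scoped to Internet-sourced inbound traffic: blocking VirtualNetwork, AzureLoadBalancer or the cluster's outbound dependencies at the subnet will break node registration and the load balancer health probes even though the NIC-level NSG would have allowed them.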

@maxkochubey - we ended up just not assigning the NSG to any subnets, leaving the NSG at the NIC level only, since there is nothing else in the same subnet. We wanted a cleaner solution, without the need to have 2 NSGs, so this works for us.
