I appreciate that this feedback is very close in nature to that raised in https://github.com/MicrosoftDocs/azure-docs/issues/18882, however, I feel that it's also sufficiently different in nature to warrant a new ticket.
In the discussion in https://github.com/MicrosoftDocs/azure-docs/issues/18882, the opening point is that "Our network security team will not allow open access to the Internet for AKS nodes, or anything else."
We do not have that exact issue - we have deployed an AKS into an existing subnet, which has an NSG that does permit all outbound connections via TCP, to ports 80 and 443, to the NSG service tag of "Internet".
However, our NSG does not then permit any other form of outbound traffic.
Nevertheless, in our view, our subnet meets the requirement stated in the documentation that "The virtual network for the AKS cluster must allow outbound internet connectivity."
However, we find that our AKS does not work correctly - specifically, once deployed, we cannot seem to connect to the cluster as expected.
If we then remove the "deny-by-default" NSG rule that blocks other forms of outbound traffic (other than outbound internet connectivity, which is permitted), the AKS will start to work.
This seems to suggest, therefore, that the requirement that the "virtual network for the AKS cluster must allow outbound internet connectivity" is not the complete story - there must be some other outbound connectivity requirements.
Based on the comment in https://github.com/MicrosoftDocs/azure-docs/issues/18882 that "AKS builds new and upgraded nodes by pulling components from various Microsoft and 3rd party locations", perhaps some of the Microsoft locations mean Azure services, rather than public Microsoft websites?
If so, would it be possible to understand what Azure services an AKS needs outbound connectivity to?
Thanks.
Ah. FYI, allowing outbound traffic to the "AzureCloud" service tag solves the issue. This would be helpful if it could please be added to the documentation as something else that is required in addition to outbound connectivity to the Internet service tag.
Thanks!
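To make the behaviour reported above concrete, here is an added example (not code from the issue or from AKS) that models NSG outbound rule evaluation, lowest priority number first, first match wins, with a platform-style deny as the final fallback. It assumes the issue's rule set (Allow TCP 80/443 to the Internet service tag plus a custom deny-by-default rule) and that an Azure public destination IP falls inside both the Internet and AzureCloud service tags; the non-web port 9000 is a constructed placeholder, not a documented AKS requirement.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int          # lower number is evaluated first; first match wins
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp" or "*" (any)
    dest_tags: frozenset   # service tags the destination prefix covers; {"*"} = any
    dest_ports: frozenset  # destination ports; {"*"} = any


@dataclass(frozen=True)
class Flow:
    protocol: str
    dest_tags: frozenset   # every service tag that contains the destination IP
    dest_port: int


def matches(rule: Rule, flow: Flow) -> bool:
    proto_ok = rule.protocol == "*" or rule.protocol == flow.protocol
    tag_ok = "*" in rule.dest_tags or bool(rule.dest_tags & flow.dest_tags)
    port_ok = "*" in rule.dest_ports or flow.dest_port in rule.dest_ports
    return proto_ok and tag_ok and port_ok


def evaluate(rules, flow: Flow) -> str:
    """Return the access decision of the first matching rule by priority."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, flow):
            return rule.access
    return "Deny"  # platform DenyAllOutBound (priority 65500) as the last resort


# Rule set described in the issue: web egress to Internet, everything else denied.
ALLOW_WEB_TO_INTERNET = Rule(100, "Allow", "Tcp", frozenset({"Internet"}), frozenset({80, 443}))
DENY_BY_DEFAULT = Rule(4000, "Deny", "*", frozenset({"*"}), frozenset({"*"}))
# The fix reported in the thread: allow outbound to the AzureCloud service tag.
ALLOW_AZURECLOUD = Rule(200, "Allow", "*", frozenset({"AzureCloud"}), frozenset({"*"}))

BROKEN = [ALLOW_WEB_TO_INTERNET, DENY_BY_DEFAULT]
FIXED = [ALLOW_WEB_TO_INTERNET, ALLOW_AZURECLOUD, DENY_BY_DEFAULT]

# Constructed flows. An Azure public IP sits in both the Internet and AzureCloud tags.
WEB_TO_AZURE = Flow("Tcp", frozenset({"Internet", "AzureCloud"}), 443)
NONWEB_TO_AZURE = Flow("Tcp", frozenset({"Internet", "AzureCloud"}), 9000)  # port constructed
WEB_TO_PUBLIC = Flow("Tcp", frozenset({"Internet"}), 443)

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        for flow in (WEB_TO_AZURE, NONWEB_TO_AZURE, WEB_TO_PUBLIC):
            print(name, sorted(flow.dest_tags), flow.dest_port, "->", evaluate(rules, flow))
```

The broken set still allows HTTPS to Azure endpoints, so "outbound internet connectivity" looks satisfied, yet any Azure-bound flow on another port falls through to the deny rule, which is the symptom described above.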
@iainfoulds @seanmck could either of you comment further on this?
Our engineering team is working on validating a locked down set of traffic and rules that will be included in a future doc update. Would target the doc to be updated in the first couple of weeks of January, pending any engineering delays.
@MicahMcKittrick-MSFT For now, #please-close
@iainfoulds Any update on this doc? Could you point me to it if possible, please?
@iainfoulds @seanmck - any updates here on the doc?
This feature is currently available in preview - https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic