Azure-docs: NTP and Port 9000

Created on 26 Jul 2019 · 15 comments · Source: MicrosoftDocs/azure-docs

Azure firewall Application rule collections do not support UDP and TCP ports, only http/https/mssql.

How do we restrict:
ntp.ubuntu.com UDP:123
*.hcp.<location>.azmk8s.io HTTPS:443, TCP:22, TCP:9000
*.tun.<location>.azmk8s.io HTTPS:443, TCP:22, TCP:9000


Labels: Pri2, assigned-to-author, container-servicsvc, doc-enhancement, triaged

All 15 comments

@patpicos Thanks for the question! We are investigating and will update you shortly.

@patpicos looking at the doc, the addresses you are interested in restricting appear under the required ports and addresses for AKS clusters in order to function properly.

https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic#required-ports-and-addresses-for-aks-clusters

This feature to restrict traffic is still in preview, so as it moves to GA additional functionality will be added.

@MicahMcKittrick-MSFT Yes, they are required. My point/contention is that Azure firewall does not support

  • TCP ports with FQDN (Control plane on 9000/22)
  • UDP ports with FQDN (NTP)

A fallback would be to use IP addresses and ports, but the IPs are ephemeral and therefore would be unmanageable.

Same issue here. As Azure Firewall application rules only support HTTP/HTTPS/MSSQL, it is not possible to add TCP 22/9000 for *.hcp.<location>.azmk8s.io and *.tun.<location>.azmk8s.io.

For ntp.ubuntu.com, probably we can leverage nslookup to grab the IP addresses.

@patpicos @ssbkang thanks for the feedback on this. I am going to assign the issue to the content author to review and best determine how to handle this from a documentation standpoint.

What if we use network rules with Service Tags to open port 22 and port 9000 to the local region of the AKS cluster? This opens more than we'd like, but maybe it is the best we can do today. Hopefully we'll have an FQDN tag for AKS in Azure FW before too long, or maybe FQDN filtering in network rules.

Is there any update on this?

Both this AKS feature and Azure Firewall are now GA, but Azure Firewall cannot be used to fully implement it since it only supports HTTP/HTTPS for FQDN application rules. The article should reflect this.

Hi, I can see the 9000 port is mentioned in the networking rule section. Please also correct the NTP rule documentation, and make a note on how to convert 'ntp.ubuntu.com' to IP addresses in order to configure the NTP IP addresses. Thanks.

Expected:
In the networking rule section:
UDP port 123 for all IP addresses of ntp.ubuntu.com is required for NTP time synchronization on Linux nodes.

Current:
ntp.ubuntu.com:123 is mentioned in the application rules.

Any updates on this?

Same issue here.
So what is the solution? Did anyone restrict the egress traffic of their AKS cluster using Azure FW?

An interim solution is to provision the AKS cluster, then query it to find out the FQDN of the provisioned API server and add the rule into the firewall.

The command:
az aks show -g rgName -n k8sName --query fqdn -otsv

You can add the FQDN for NTP in the network rules section of Azure FW.

See the full FW example here: https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic#restrict-egress-traffic-using-azure-firewall
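Putting the pieces from this thread together, here is an added example (not code from the azure-docs article, from Microsoft, or from any commenter) that turns the required endpoint list into Azure Firewall rules of the right kind: HTTPS goes into an application rule, while UDP 123 and TCP 22/9000 go into network rules, because application rules only take HTTP/HTTPS/MSSQL. The resource group, firewall name, collection names and the cluster FQDN are assumed placeholders; the real API server FQDN comes from `az aks show ... --query fqdn -o tsv`, and a `*.tun.<location>.azmk8s.io` endpoint would be handled the same way. The `tag:` prefix is this script's own convention for the service-tag approach suggested above, and `resolve_ipv4` is the nslookup fallback; using an FQDN in a network rule requires DNS proxy to be enabled on the firewall.

```shell
#!/usr/bin/env sh
# Added example for this thread; not code from azure-docs or from Microsoft.
# Resource names, collection names and the cluster FQDN are assumed
# placeholders. DRY_RUN=1 prints the az commands instead of running them.
set -eu

RG="${RG:-myResourceGroup}"
FWNAME="${FWNAME:-myFirewall}"
LOC="${LOC:-eastus}"
APP_COLL="${APP_COLL:-aksfwar}"   # application rule collection
NET_COLL="${NET_COLL:-aksfwnr}"   # network rule collection
DRY_RUN="${DRY_RUN:-1}"

# Azure Firewall accepts only HTTP/HTTPS/MSSQL in application rules (the limit
# this thread is about); any other TCP/UDP port has to be a network rule.
rule_kind() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    http|https|mssql) echo application ;;
    tcp|udp)          echo network ;;
    *) echo "unsupported protocol: $1" >&2; return 1 ;;
  esac
}

# The nslookup route mentioned above: current IPv4 addresses of a host as a
# space-separated list (glibc getent; needs DNS). ntp.ubuntu.com's answers
# change over time, so rules built from this have to be refreshed.
resolve_ipv4() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Destination argument for a network rule:
#   tag:AzureCloud.eastus -> service tag (the wider allow discussed above)
#   192.0.2.10 ...        -> literal addresses
#   anything with letters -> FQDN (needs DNS proxy enabled on the firewall)
dest_args() {
  case "$1" in
    tag:*)      printf '%s %s' '--destination-addresses' "${1#tag:}" ;;
    *[a-zA-Z]*) printf '%s %s' '--destination-fqdns' "$1" ;;
    *)          printf '%s %s' '--destination-addresses' "$1" ;;
  esac
}

# Build one az command: name, destination, protocol, port, and 1 if this rule
# creates its collection (--action/--priority are only passed on creation).
rule_cmd() {
  name=$1; dest=$2; port=$4; extra=""
  [ "$5" = 1 ] && extra=" --action allow --priority 100"
  case "$(rule_kind "$3")" in
    application)
      proto=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
      printf '%s\n' "az network firewall application-rule create -g $RG -f $FWNAME --collection-name $APP_COLL -n $name --source-addresses '*' --protocols $proto=$port --target-fqdns $dest$extra" ;;
    network)
      proto=$(printf '%s' "$3" | tr 'a-z' 'A-Z')
      printf '%s\n' "az network firewall network-rule create -g $RG -f $FWNAME --collection-name $NET_COLL -n $name --source-addresses '*' --protocols $proto --destination-ports $port $(dest_args "$dest")$extra" ;;
    *) return 1 ;;
  esac
}

# Constructed inputs from the list in this issue. The API server FQDN is a
# made-up placeholder; the real one comes from
#   az aks show -g "$RG" -n <cluster> --query fqdn -o tsv
API_FQDN="${API_FQDN:-myaks-dns-0123abcd.hcp.$LOC.azmk8s.io}"
NTP_DEST="${NTP_DEST:-ntp.ubuntu.com}"   # or: NTP_DEST=$(resolve_ipv4 ntp.ubuntu.com)

# One rule per required endpoint; the first rule of each collection creates it.
plan() {
  rule_cmd api-https "$API_FQDN" HTTPS 443  1
  rule_cmd ntp       "$NTP_DEST" UDP   123  1
  rule_cmd api-ssh   "$API_FQDN" TCP   22   0
  rule_cmd api-tun   "$API_FQDN" TCP   9000 0
}

plan | while IFS= read -r cmd; do
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$cmd"; else eval "$cmd"; fi
done
```

Run it once with `DRY_RUN=1` to review the generated commands, then with `DRY_RUN=0` after setting `API_FQDN` from `az aks show`. If you take the IP route for NTP (`NTP_DEST=$(resolve_ipv4 ntp.ubuntu.com)`), schedule a re-run, since the addresses behind ntp.ubuntu.com change and a stale address list silently breaks time sync on the nodes.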

Thank you for updating @palma21

please-close

