
0 Votes
ChristianBOkeme-9781 asked

Connecting from AKS to an on-premises server

Hi, I have an AKS cluster with Azure CNI networking and a VNet gateway which links our on-premises environment to Azure via a site-to-site VPN.

In trying to ping an on-premises server from AKS, I noticed that the outbound IP being used is the pod's node IP. How do I manage this, taking into consideration that our network team is only allowed to grant permissions to single IPs, not ranges?

azure-kubernetes-service

1 Answer

0 Votes
TravisCragg-MSFT answered

I would highly recommend that your networking team revisit their rules on address ranges.

If this is not an option, you can start by reading the AKS Egress documentation. It is mostly designed for public egress, but you will still be able to get useful information.

The ideal way to control the egress IP is to use a UDR to route all traffic to an NVA which will SNAT the traffic so that it all appears to come from a single IP. There are many solutions for this for public egress, but for private egress your options are to use Azure Firewall to SNAT a private IP range or to use a 3rd-party NVA that does something similar. The biggest drawback of this configuration is the cost associated with having an Azure Firewall added to your VNet.
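The Azure Firewall variant of the above, as an added example that is not part of the original answer: an Azure CLI script that creates the firewall with SNAT forced for private destinations, allows the AKS node subnet to reach the on-premises prefix, and adds a UDR on the AKS subnet that sends only that prefix to the firewall's private IP. Every resource name, CIDR and the placeholder firewall IP 10.0.1.4 are assumptions to be replaced with your own values; the script prints the plan and executes nothing unless APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread: route AKS-to-on-premises
# traffic through Azure Firewall and SNAT it to the firewall's single private IP,
# so the on-premises team only needs to allow one source address.
#
# All names, CIDRs and the dry-run firewall IP are placeholder assumptions.
# By default the script only prints the plan; set APPLY=1 to run the commands.
set -eu

RG="${RG:-aks-rg}"
LOCATION="${LOCATION:-westeurope}"
VNET="${VNET:-aks-vnet}"                       # VNet holding the AKS subnet and the VPN gateway
AKS_SUBNET="${AKS_SUBNET:-aks-subnet}"         # subnet with the AKS nodes (Azure CNI)
AKS_SUBNET_CIDR="${AKS_SUBNET_CIDR:-10.240.0.0/16}"
ONPREM_CIDR="${ONPREM_CIDR:-192.168.0.0/16}"   # on-premises prefix reached over the S2S VPN
FW_NAME="${FW_NAME:-aks-egress-fw}"
FW_PIP="${FW_PIP:-aks-egress-fw-pip}"
ROUTE_TABLE="${ROUTE_TABLE:-aks-onprem-rt}"
# Placeholder firewall private IP used in dry-run mode; with APPLY=1 it is read from Azure.
FW_PRIVATE_IP="${FW_PRIVATE_IP:-10.0.1.4}"

# Print each command; execute it only when APPLY=1.
run() {
  printf '+ %s\n' "$*"
  if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

create_firewall() {
  run az extension add --name azure-firewall --only-show-errors
  run az network public-ip create -g "$RG" -n "$FW_PIP" -l "$LOCATION" \
      --sku Standard --allocation-method Static
  # By default Azure Firewall does not SNAT traffic to RFC 1918 destinations.
  # Setting the private range to 255.255.255.255/32 makes it SNAT every destination,
  # including the on-premises prefix, to its own private IP.
  run az network firewall create -g "$RG" -n "$FW_NAME" -l "$LOCATION" \
      --private-ranges 255.255.255.255/32
  # The VNet must already contain a subnet named exactly AzureFirewallSubnet.
  run az network firewall ip-config create -g "$RG" -f "$FW_NAME" -n fw-ipconfig \
      --public-ip-address "$FW_PIP" --vnet-name "$VNET"
}

# The single address the on-premises team has to allow.
firewall_private_ip() {
  if [ "${APPLY:-0}" = "1" ]; then
    az network firewall show -g "$RG" -n "$FW_NAME" \
        --query 'ipConfigurations[0].privateIPAddress' -o tsv
  else
    echo "$FW_PRIVATE_IP"
  fi
}

# Network rule: the AKS node subnet (pod traffic leaves the VNet with the node IP
# under Azure CNI) may reach the on-premises prefix on any protocol/port.
allow_aks_to_onprem() {
  run az network firewall network-rule create -g "$RG" -f "$FW_NAME" \
      --collection-name aks-to-onprem --priority 100 --action Allow \
      -n allow-aks-subnet-to-onprem --protocols Any \
      --source-addresses "$AKS_SUBNET_CIDR" \
      --destination-addresses "$ONPREM_CIDR" --destination-ports '*'
}

# UDR on the AKS subnet: only the on-premises prefix goes to the firewall, so
# public egress is unchanged. Routing 0.0.0.0/0 through the firewall instead
# would also require a cluster created with --outbound-type userDefinedRouting.
route_onprem_via_firewall() {
  fw_ip="$1"
  run az network route-table create -g "$RG" -n "$ROUTE_TABLE" -l "$LOCATION"
  run az network route-table route create -g "$RG" --route-table-name "$ROUTE_TABLE" \
      -n to-onprem --address-prefix "$ONPREM_CIDR" \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$fw_ip"
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$AKS_SUBNET" \
      --route-table "$ROUTE_TABLE"
}

main() {
  create_firewall
  allow_aks_to_onprem
  route_onprem_via_firewall "$(firewall_private_ip)"
  echo "Ask the on-premises team to allow a single source IP: $(firewall_private_ip)"
}

main "$@"
```

After applying, open a connection from a pod to the on-premises host and confirm on the on-premises side (or in the Azure Firewall network rule logs) that the source address is the firewall's private IP rather than a node IP. Return traffic needs no extra route: the firewall's private IP is inside the VNet address space the VPN gateway already advertises. Without the 255.255.255.255/32 private-range setting the firewall forwards RFC 1918 traffic unchanged and the node IP would still be visible on premises.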
