Israelxmargin-3431 asked; TravisCragg-MSFT commented

AKS + Firewall: control egress traffic with multiple IPs

My basic problem is to run multiple containers that make HTTP requests to a test server. I need to control the egress traffic with multiple IPs. I need each pod, or a set of pods, to have a different outbound IP. I am using Azure AKS. So far I have followed the documentation from: https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic#restrict-egress-traffic-using-azure-firewall The above works fine. I need to run another container with a different outbound IP address. For that I created a new IP address, added it to the firewall, created a new Kubernetes service, connected the container to it and also created new NAT rules connecting the service IP to the new public IP. That didn't work: the source IP registered by the test server is the same public IP, which is the first public IP of the firewall.

The Documentation also states that: "If needed, you can generalize the steps above to forward the traffic to your preferred egress solution, following the Outbound Type userDefinedRoute documentation."

For that, I created a cluster with vm-set-type of VirtualMachineScaleSets and load-balancer-sku of Standard. I tried the above steps and it didn't work. Also, I created a new route on the route table connecting the internet to the new public IP. Nothing. I am out of ideas. I don't know if I messed something up. Anyway, any idea is welcome. Thanks in advance.

Tags: azure-kubernetes-service, azure-firewall

1 Answer

Sam-Cogan answered; TravisCragg-MSFT commented

Routing your outbound traffic through an Azure Firewall with multiple IPs will not result in a different IP per pod or service. Azure Firewall has no idea what is running on your AKS cluster and just sees traffic coming from the cluster IPs. It will route traffic outbound using one of the external IPs of the Azure Firewall, picked at random.

There really isn't a good way to do what you want and get a different external egress IP for each pod, without using some sort of proxy in the middle.


What do you suggest I do?


@Israelxmargin-3431 As this is a limit with the functionality of Azure Firewall, your best bet is to change your requirements, or try to use AKS's egress functionality to control the IP by pod.
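The question relies on the test server to report which public IP each container egresses from, and the answer explains why Azure Firewall SNAT presents any of its public IPs regardless of the pod. The script below is an added example, not code from the question, the answer or Microsoft's documentation. It assumes the containers tag each request with a hypothetical `X-Pod-Name` header that the test server writes into a constructed log format (`<timestamp> <source_ip> <pod_name> <method> <path>`), and it reports per pod which source IPs were observed versus the per-pod IP the NAT rules were meant to produce, plus which public IPs are shared by several pods.

```python
"""Check which public egress IP each pod actually presents to the test server.

Added example; assumes a hypothetical X-Pod-Name request header that the
test server logs as the third field of each line (constructed format).
"""
from collections import defaultdict

# Constructed sample access log: three pods, two firewall public IPs.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z 203.0.113.10 worker-a GET /probe
2021-03-01T10:00:02Z 203.0.113.10 worker-b GET /probe
2021-03-01T10:00:03Z 203.0.113.11 worker-b GET /probe
2021-03-01T10:00:04Z 203.0.113.10 worker-c GET /probe
"""

# Intended per-pod egress IP (what the NAT rules were meant to achieve).
EXPECTED = {
    "worker-a": "203.0.113.10",
    "worker-b": "203.0.113.11",
    "worker-c": "203.0.113.11",
}


def parse_log(text):
    """Return {pod_name: set(source_ip)} from the constructed log format."""
    seen = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        _timestamp, src_ip, pod = parts[:3]
        seen[pod].add(src_ip)
    return dict(seen)


def check_egress(seen, expected):
    """Compare observed source IPs with the intended per-pod IP.

    Returns a list of (pod, problem) tuples; an empty list means every pod
    was only ever seen from its intended IP.
    """
    problems = []
    for pod, want in expected.items():
        got = seen.get(pod, set())
        if not got:
            problems.append((pod, "no requests seen"))
        elif got != {want}:
            problems.append((pod, f"expected {want}, observed {sorted(got)}"))
    return problems


def shared_ips(seen):
    """Public IPs presented by more than one pod.

    With Azure Firewall SNAT picking any of its public IPs per connection,
    this is the normal outcome the answer describes.
    """
    by_ip = defaultdict(set)
    for pod, ips in seen.items():
        for ip in ips:
            by_ip[ip].add(pod)
    return {ip: sorted(pods) for ip, pods in by_ip.items() if len(pods) > 1}


if __name__ == "__main__":
    observed = parse_log(SAMPLE_LOG)
    for pod, problem in check_egress(observed, EXPECTED):
        print(f"{pod}: {problem}")
    print("IPs shared across pods:", shared_ips(observed))
```

Run it against the real access log of the test server (with the same header tagging in the containers) after each NAT or route change; if `shared_ips` keeps listing the firewall's IPs against several pods while `check_egress` flags mismatches, the traffic is still being SNATed by the firewall rather than by a per-pod path.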