question

0 Votes
richardwolford-7948 asked, AlessandroAffinito-9728 commented

AKS communications across regions and VNet peering

Hi, we have an AKS cluster which has Postgres deployed in it. We want to deploy the same cluster to a paired region, but the two Postgres servers must be able to see and talk to each other. Do we need to implement peering between the VNets in each region in order for the two Postgres pods in AKS to see and talk to each other?

Thanks ahead of time

Tags: azure-kubernetes-service, azure-database-postgresql

0 Votes
srbose-msft answered, AlessandroAffinito-9728 commented

@richardwolford-7948 , Thank you for your question.

Please do correct me if I am wrong. AKS cluster A with Postgres workload instance A is deployed in Azure region A and AKS cluster B with Postgres workload instance B is deployed in Azure region B. You want Postgres workload instance A and Postgres workload instance B to be able to talk to each other.

  • Postgres A and Postgres B can communicate with each other over the public internet if you are exposing both of them using Services of ServiceType LoadBalancer or a public Ingress. [Reference]

  • If you want Postgres A and Postgres B to talk over a secure tunnel on the internet, you can connect the Virtual Networks of the two AKS clusters using an Azure VNet-to-VNet VPN.

  • If you want Postgres A and Postgres B to talk to each other over private internet, you can peer the Virtual Networks of the two AKS clusters.

You can also refer to AKS Baseline for multi-region clusters and Network Topology in Baseline architecture for AKS Clusters.


Hope this helps.

Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.


Yes, this helps very much, and you are correct in what we are wanting. Since Postgres doesn't support active/active, we are going to use a trigger-based tool (I hate it, btw) so that if Postgres in AKS A has a write, that write is propagated to AKS B. I want to not use the Internet and would prefer to peer the VNETs. If I peer the VNETs, I assume AKS A can speak to AKS B and we can use the private IPs of the pods to communicate, provided that the ports are exposed on both AKS clusters. We are using CNI for networking.

Does this sound workable?

0 Votes 0 ·

@richardwolford-7948 , Thank you for your response.

Yes, since you are using Azure CNI as the network plugin for the AKS clusters, the Pod IPs are going to be assigned from the AKS VNET/subnets. If the two Virtual Networks are peered, then please ensure that the Effective Inbound Network Security Group rules associated with either subnet in the two virtual networks allow traffic to ports: Any from source: VirtualNetwork to destination: Any on the requisite protocol(s).

To summarize, this is a very viable solution.


Hope this helps.

Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.

1 Vote 1 ·
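The check above (do the effective inbound NSG rules on both AKS subnets actually let the peered pod reach Postgres?) is worth automating, because NSG rules are evaluated in priority order and one broad custom deny placed ahead of the default AllowVnetInBound rule silently breaks cross-VNet pod traffic. The following is an added example, not code from the thread or from Microsoft: a small evaluator that walks a rule list the way an NSG does (lowest priority number first, first match wins), expanding the VirtualNetwork service tag to the local and peered address spaces. The rule dictionaries, the address ranges and the two custom rule sets are constructed for illustration and only approximate the shape of `az network nic list-effective-nsg` output; a real check would feed that command's JSON into `evaluate` instead.

```python
import ipaddress

# Constructed: address spaces of the local AKS VNet and the peered remote AKS VNet.
# Azure expands the VirtualNetwork service tag to the local VNet plus peered VNets,
# which is why peered pod traffic matches the default AllowVnetInBound rule.
VIRTUAL_NETWORK_PREFIXES = ["10.10.0.0/16", "10.20.0.0/16"]

# Azure's built-in inbound rules, present on every NSG, in their real priority order.
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
     "destinationPortRange": "*"},
]

# Constructed: a custom rule meant to keep Postgres off the Internet, written too broadly.
# Because priority 100 is evaluated before AllowVnetInBound (65000), it also blocks the peer.
BROKEN_CUSTOM_RULES = [
    {"name": "DenyPostgresInBound", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
     "destinationPortRange": "5432"},
]

# Constructed: the corrected set. An explicit allow from VirtualNetwork (local + peered)
# sits ahead of the broad deny, so only non-VNet sources are refused.
FIXED_CUSTOM_RULES = [
    {"name": "AllowPostgresFromVnetInBound", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "VirtualNetwork",
     "destinationAddressPrefix": "*", "destinationPortRange": "5432"},
    {"name": "DenyPostgresOtherInBound", "priority": 110, "direction": "Inbound",
     "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "5432"},
]


def _prefix_matches(prefix, ip):
    """Match a rule prefix ('*', the VirtualNetwork tag, or a CIDR) against an IP."""
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p)
                   for p in VIRTUAL_NETWORK_PREFIXES)
    if "/" in prefix or prefix[0].isdigit():
        return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)
    # Other service tags (e.g. AzureLoadBalancer) are not expanded in this example.
    return False


def _port_matches(port_range, port):
    """'*', a single port, or 'lo-hi'."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = port_range.split("-")
        return int(lo) <= port <= int(hi)
    return int(port_range) == port


def effective_rules(custom_rules):
    """Custom rules plus Azure's defaults, as the effective rule view would show them."""
    return list(custom_rules) + DEFAULT_INBOUND_RULES


def evaluate(rules, direction, protocol, src_ip, dst_ip, dst_port):
    """Return (access, rule_name) for the first rule that matches, lowest priority first."""
    for rule in sorted((r for r in rules if r["direction"] == direction),
                       key=lambda r: r["priority"]):
        if (rule["protocol"] in ("*", protocol)
                and _prefix_matches(rule["sourceAddressPrefix"], src_ip)
                and _prefix_matches(rule["destinationAddressPrefix"], dst_ip)
                and _port_matches(rule["destinationPortRange"], dst_port)):
            return rule["access"], rule["name"]
    return "Deny", "implicit"


def peer_can_reach_postgres(custom_rules, peer_pod_ip="10.20.1.5", local_pod_ip="10.10.1.7"):
    """True if a pod in the peered VNet is allowed to reach Postgres on the local pod."""
    access, _ = evaluate(effective_rules(custom_rules), "Inbound", "Tcp",
                         peer_pod_ip, local_pod_ip, 5432)
    return access == "Allow"


if __name__ == "__main__":
    for label, rules in [("no custom rules", []), ("broken", BROKEN_CUSTOM_RULES),
                         ("fixed", FIXED_CUSTOM_RULES)]:
        print(label, evaluate(effective_rules(rules), "Inbound", "Tcp",
                              "10.20.1.5", "10.10.1.7", 5432))
```

With no custom rules the peered pod is already allowed by AllowVnetInBound, which is the point of the comment above: peering itself needs no extra allow rule, you only have to make sure nothing you added in front of the defaults denies it.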

Thank you very much. I was hoping this was a viable solution; it was brought up by my team that direct communication between AKS clusters may not be possible as per my design, and I wanted someone else to weigh in on this. It's good to know that Microsoft gives it the thumbs up :)

0 Votes 0 ·

Enabling network policies, for me, works only for pod-to-pod connections between the two subnets.
Instead I need to call a service on the second subnet, in order to use the service IP in a private DNS zone, which of course is almost static.

The worst is that I'm getting different network troubleshooting results from the Azure portal.
Doing the same network test from the same virtual machine, but in two different places in the Azure portal, gives different results.
The first is from the virtual machines view, the second from the virtual network view.

Please see the complete description here:
https://docs.microsoft.com/en-us/answers/questions/715582/aks-connect-to-external-service-on-a-different-aks.html


0 Votes 0 ·
0 Votes
learn2skills answered, learn2skills edited

Hi @richardwolford-7948

Yes, choose two regions paired together.

An AKS cluster is deployed into a single region. To protect your system from region failure, deploy your application into multiple AKS clusters across different regions. When planning where to deploy your AKS cluster, consider:

  • AKS region availability
    - Choose regions close to your users.
    - AKS continually expands into new regions.

  • Azure paired regions
    - For your geographic area, choose two regions paired together.
    - AKS platform updates (planned maintenance) are serialized with a delay of at least 24 hours between paired regions.
    - Recovery efforts for paired regions are prioritized where needed.

  • Service availability
    - Decide whether your paired regions should be hot/hot, hot/warm, or hot/cold.
    - Do you want to run both regions at the same time, with one region ready to start serving traffic? Or,
    - Do you want to give one region time to get ready to serve traffic?

For more details:
https://docs.microsoft.com/en-us/azure/aks/operator-best-practices-multi-region



If the Answer is helpful, please click Accept Answer and up-vote, this can be beneficial to other community members.



0 Votes
richardwolford-7948 answered, srbose-msft commented

Hello, thank you for your response. We are running hot/hot with a front door directing traffic for us. BUT, with two AKS clusters, which we have, how would one cluster's pods talk to the pods in the second AKS cluster? Would they talk to each other using the external load balancer of the other AKS cluster, or would pairing the regions allow them to talk to each other directly? My guess is that we would use the external load balancers.

Thanks,

Richard


@richardwolford-7948 , the public Load Balancer is used for outbound traffic only to the Internet (0.0.0.0/0) when outboundType is set to loadBalancer (which is the default; it can be set to UDR. Please check this document). Traffic to private IP address(es) within the Virtual Network or peered virtual networks travels over the Azure global backbone network. So your pod on one cluster can directly talk to the private IP address of a Pod on another cluster deployed in a peered Virtual Network (CNI network plugin on both clusters) over the Azure global backbone network without having to travel over the Internet, and therefore without being routed over the public Load Balancer.

0 Votes 0 ·