Network concepts for applications in Azure Kubernetes Service (AKS)

In a container-based microservices approach to application development, application components must work together to process their tasks. Kubernetes provides various resources that enable this application communication. You can connect to and expose applications internally or externally. To build highly available applications, you can load balance your applications. More complex applications may require configuration of ingress traffic for SSL/TLS termination or routing of multiple components. For security reasons, you may also need to restrict the flow of network traffic into or between pods and nodes.

This article introduces the core concepts that provide networking to your applications in AKS:

Kubernetes basics

To allow access to your applications, or for application components to communicate with each other, Kubernetes provides an abstraction layer over virtual networking. Kubernetes nodes are connected to a virtual network and can provide inbound and outbound connectivity for pods. The kube-proxy component runs on each node to provide these network features.

In Kubernetes, Services logically group pods to allow direct access via an IP address or DNS name on a specific port. You can also distribute traffic using a load balancer. More complex routing of application traffic can be achieved with Ingress controllers. Security and filtering of the network traffic for pods is possible with Kubernetes network policies (in preview in AKS).

The Azure platform also helps to simplify virtual networking for AKS clusters. When you create a Kubernetes load balancer, the underlying Azure load balancer resource is created and configured. As you open network ports to pods, the corresponding Azure network security group rules are configured. For HTTP application routing, Azure can also configure external DNS as new ingress routes are configured.

Services

To simplify the network configuration for application workloads, Kubernetes uses Services to logically group a set of pods together and provide network connectivity. The following Service types are available:

  • Cluster IP - Creates an internal IP address for use within the AKS cluster. Good for internal-only applications that support other workloads within the cluster.

    Diagram: Cluster IP traffic flow in an AKS cluster.

  • NodePort - Creates a port mapping on the underlying node that allows the application to be accessed directly with the node IP address and port.

    Diagram: NodePort traffic flow in an AKS cluster.

  • LoadBalancer - Creates an Azure load balancer resource, configures an external IP address, and connects the requested pods to the load balancer backend pool. To allow customer traffic to reach the application, load balancing rules are created on the desired ports.

    Diagram: Load balancer traffic flow in an AKS cluster.

    For additional control and routing of the inbound traffic, you may instead use an Ingress controller.

  • ExternalName - Creates a specific DNS entry for easier application access.

The IP address for load balancers and Services can be dynamically assigned, or you can specify an existing static IP address to use. Both internal and external static IP addresses can be assigned. This existing static IP address is often tied to a DNS entry.

Both internal and external load balancers can be created. Internal load balancers are only assigned a private IP address, so they can't be accessed from the Internet.
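The following manifests are an added example (not taken from the AKS documentation page) showing one Service of each type described above, plus the two static-IP variants: a public LoadBalancer pinned to an existing static public IP, and an internal LoadBalancer that receives only a private IP. Names, labels, the `203.0.113.10` public address and the `10.240.0.25` private address are constructed placeholders; the `service.beta.kubernetes.io/azure-load-balancer-internal` annotation is the real AKS annotation for an internal load balancer.

```yaml
# Added example, not from the page: one manifest per Service type.
# All names, labels and IP addresses below are constructed placeholders.
apiVersion: v1
kind: Service
metadata:
  name: backend-internal
spec:
  type: ClusterIP            # default type: reachable only from inside the cluster
  selector:
    app: backend
  ports:
  - port: 8080               # port the Service listens on
    targetPort: 8080         # container port on the selected pods
---
apiVersion: v1
kind: Service
metadata:
  name: frontend-nodeport
spec:
  type: NodePort             # also exposes the app on <node IP>:30080 on every node
  selector:
    app: frontend
  ports:
  - port: 80
    targetPort: 8080
    nodePort: 30080          # must fall inside the NodePort range (30000-32767 by default)
---
apiVersion: v1
kind: Service
metadata:
  name: frontend-public
spec:
  type: LoadBalancer         # AKS creates the Azure load balancer rule and NSG rule for port 80
  loadBalancerIP: 203.0.113.10   # optional: an existing static public IP (placeholder address)
  selector:
    app: frontend
  ports:
  - port: 80
    targetPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: frontend-private
  annotations:
    # Real AKS annotation: request an internal load balancer (private IP only,
    # not reachable from the Internet).
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  loadBalancerIP: 10.240.0.25    # optional: static private IP from the cluster subnet (placeholder)
  selector:
    app: frontend
  ports:
  - port: 80
    targetPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: payments-api
spec:
  type: ExternalName         # DNS alias only: no selector, no proxying by kube-proxy
  externalName: payments.example.com
```

A point worth checking before relying on the internal variant: `kubectl get service frontend-private` should show a private address from your subnet under EXTERNAL-IP, never a public one. If the static public IP for `frontend-public` was created in a resource group other than the cluster's node resource group, AKS also needs the `service.beta.kubernetes.io/azure-load-balancer-resource-group` annotation naming that resource group, or the address will not be found.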

Azure virtual networks

In AKS, you can deploy a cluster that uses one of the following two network models:

  • Kubenet networking - The network resources are typically created and configured as the AKS cluster is deployed.
  • Azure Container Networking Interface (CNI) networking - The AKS cluster is connected to existing virtual network resources and configurations.

Kubenet (basic) networking

The kubenet networking option is the default configuration for AKS cluster creation. With kubenet, nodes get an IP address from the Azure virtual network subnet. Pods receive an IP address from a logically separate address space than the Azure virtual network subnet of the nodes. Network address translation (NAT) is then configured so that the pods can reach resources on the Azure virtual network. The source IP address of the traffic is NAT'd to the node's primary IP address.

Nodes use the kubenet Kubernetes plugin. You can let the Azure platform create and configure the virtual networks for you, or choose to deploy your AKS cluster into an existing virtual network subnet. Again, only the nodes receive a routable IP address, and the pods use NAT to communicate with other resources outside the AKS cluster. This approach greatly reduces the number of IP addresses that you need to reserve in your network space for pods to use.

For more information, see Configure kubenet networking for an AKS cluster.

Azure CNI (advanced) networking

With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly. These IP addresses must be unique across your network space and must be planned in advance. Each node has a configuration parameter for the maximum number of pods that it supports. The equivalent number of IP addresses per node is then reserved up front for that node. This approach requires more planning, as it can otherwise lead to IP address exhaustion or the need to rebuild clusters in a larger subnet as your application demands grow.

Nodes use the Azure Container Networking Interface (CNI) Kubernetes plugin.

Diagram: two nodes, each with a bridge connecting it to a single Azure VNet.

For more information, see Configure Azure CNI for an AKS cluster.

Compare network models

Both kubenet and Azure CNI provide network connectivity for your AKS clusters. However, there are advantages and disadvantages to each. At a high level, the following considerations apply:

  • kubenet
    • Conserves IP address space.
    • Uses a Kubernetes internal or external load balancer to reach pods from outside of the cluster.
    • You must manually manage and maintain user-defined routes (UDRs).
    • Maximum of 400 nodes per cluster.
  • Azure CNI
    • Pods get full virtual network connectivity and can be directly reached from outside of the cluster.
    • Requires more IP address space.

The following behavior differences exist between kubenet and Azure CNI:

| Capability | Kubenet | Azure CNI |
|---|---|---|
| Deploy cluster in existing or new virtual network | Supported - UDRs manually applied | Supported |
| Pod-pod connectivity | Supported | Supported |
| Pod-VM connectivity; VM in the same virtual network | Works when initiated by pod | Works both ways |
| Pod-VM connectivity; VM in peered virtual network | Works when initiated by pod | Works both ways |
| On-premises access using VPN or Express Route | Works when initiated by pod | Works both ways |
| Access to resources secured by service endpoints | Supported | Supported |
| Expose Kubernetes services using a load balancer service, App Gateway, or ingress controller | Supported | Supported |
| Default Azure DNS and Private Zones | Supported | Supported |

Support scope between network models

Regardless of the network model you use, both kubenet and Azure CNI can be deployed in one of the following ways:

  • The Azure platform can automatically create and configure the virtual network resources when you create an AKS cluster.
  • You can manually create and configure the virtual network resources and attach to those resources when you create your AKS cluster.

Although capabilities like service endpoints or UDRs are supported with both kubenet and Azure CNI, the support policies for AKS define what changes you can make. For example:

  • If you manually create the virtual network resources for an AKS cluster, you are supported when configuring your own UDRs or service endpoints.
  • If the Azure platform automatically creates the virtual network resources for your AKS cluster, it is not supported to manually change those AKS-managed resources to configure your own UDRs or service endpoints.

Ingress controllers

When you create a LoadBalancer type Service, an underlying Azure load balancer resource is created. The load balancer is configured to distribute traffic to the pods in your Service on a given port. The LoadBalancer only works at layer 4 - the Service is unaware of the actual applications and can't make any additional routing decisions.

Ingress controllers work at layer 7 and can use more intelligent rules to distribute application traffic. A common use of an Ingress controller is to route HTTP traffic to different applications based on the inbound URL.

Diagram: Ingress traffic flow in an AKS cluster.

In AKS, you can create an Ingress resource using something like NGINX, or use the AKS HTTP application routing feature. When you enable HTTP application routing for an AKS cluster, the Azure platform creates the Ingress controller and an External-DNS controller. As new Ingress resources are created in Kubernetes, the required DNS A records are created in a cluster-specific DNS zone. For more information, see Deploy HTTP application routing.

Another common feature of Ingress is SSL/TLS termination. On large web applications accessed via HTTPS, the TLS termination can be handled by the Ingress resource rather than within the application itself. To provide automatic TLS certificate generation and configuration, you can configure the Ingress resource to use providers such as Let's Encrypt. For more information on configuring an NGINX Ingress controller with Let's Encrypt, see Ingress and TLS.

You can also configure your ingress controller to preserve the client source IP on requests to containers in your AKS cluster. When a client's request is routed to a container in your AKS cluster via your ingress controller, the original source IP of that request is not available to the target container. When you enable client source IP preservation, the source IP of the client is available in the request header under X-Forwarded-For. If you are using client source IP preservation on your ingress controller, you cannot use SSL pass-through. Client source IP preservation and SSL pass-through can be used with other Services, such as the LoadBalancer type.
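As an added example (not code from the page or from the NGINX or cert-manager projects), the manifests below tie the three Ingress topics above together: the controller's own LoadBalancer Service set to preserve the client source IP, and an Ingress that terminates TLS for one host and routes by URL path to two backend Services. It assumes an NGINX ingress controller installed in the `ingress-nginx` namespace with the `nginx` IngressClass, a cluster that serves the `networking.k8s.io/v1` Ingress API, and cert-manager with a ClusterIssuer named `letsencrypt-prod` for the Let's Encrypt part; the host `shop.example.com`, the Service names and the secret name are constructed placeholders.

```yaml
# Added example, not from the page. Assumes the NGINX ingress controller and
# cert-manager are installed; names and hostnames are constructed placeholders.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  # Local keeps the real client address: kube-proxy only routes to controller
  # pods on the node that received the packet instead of SNATing to the node IP.
  # The controller then exposes that address to backends in X-Forwarded-For.
  externalTrafficPolicy: Local
  selector:
    app.kubernetes.io/name: ingress-nginx   # label used by the upstream NGINX chart
  ports:
  - name: http
    port: 80
    targetPort: http
  - name: https
    port: 443
    targetPort: https
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
  annotations:
    # cert-manager annotation (assumes a ClusterIssuer named letsencrypt-prod):
    # requests a Let's Encrypt certificate and stores it in the secret named under tls.
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - shop.example.com
    secretName: shop-example-com-tls   # TLS is terminated here, not in the application pods
  rules:
  - host: shop.example.com
    http:
      paths:
      - path: /api                     # layer-7 routing: /api goes to the backend Service
        pathType: Prefix
        backend:
          service:
            name: backend-internal
            port:
              number: 8080
      - path: /                        # everything else goes to the frontend Service
        pathType: Prefix
        backend:
          service:
            name: frontend-internal
            port:
              number: 80
```

Two checks worth running after applying this: `kubectl get ingress shop` should list the load balancer's public address once the controller has picked the resource up, and a request to `https://shop.example.com/api` should reach the backend with the caller's address in `X-Forwarded-For` rather than a node IP. Because `externalTrafficPolicy: Local` only delivers to controller pods on the receiving node, the Azure load balancer health probe marks nodes without a controller pod as unhealthy; run the controller with enough replicas (or as a DaemonSet) that every node in the backend pool can serve traffic.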

Network security groups

A network security group filters traffic for VMs, such as the AKS nodes. As you create Services, such as a LoadBalancer, the Azure platform automatically configures any network security group rules that are needed. Don't manually configure network security group rules to filter traffic for pods in an AKS cluster. Define any required ports and forwarding as part of your Kubernetes Service manifests, and let the Azure platform create or update the appropriate rules. You can also use network policies, as discussed in the next section, to automatically apply traffic filter rules to pods.

Network policies

By default, all pods in an AKS cluster can send and receive traffic without limitations. For improved security, you may want to define rules that control the flow of traffic. Backend applications are often only exposed to required frontend services, or database components are only accessible to the application tiers that connect to them.

Network policy is a Kubernetes feature available in AKS that lets you control the traffic flow between pods. You can choose to allow or deny traffic based on settings such as assigned labels, namespace, or traffic port. Network security groups are intended for the AKS nodes, not pods. The use of network policies is a more suitable, cloud-native way to control the flow of traffic. As pods are dynamically created in an AKS cluster, the required network policies can be automatically applied.

For more information, see Secure traffic between pods using network policies in Azure Kubernetes Service (AKS).
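The policies below are an added example (not from the page or the AKS project) implementing the tiering described in this section for one namespace: deny all inbound pod traffic by default, then allow only the frontend to reach the backend, only the backend to reach the database, and only the ingress controller to reach the frontend. The `shop` and `ingress-nginx` namespaces, the `app` labels and the ports are constructed placeholders; the `kubernetes.io/metadata.name` namespace label is set automatically by Kubernetes 1.21 and later, which the last policy assumes.

```yaml
# Added example, not from the page. Namespace names, labels and ports are
# constructed placeholders for a three-tier app in the "shop" namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}            # empty selector: applies to every pod in the namespace
  policyTypes:
  - Ingress                  # no ingress rules listed, so all inbound traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:           # same-namespace pods labelled app=frontend only
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080             # the backend's Service/container port; nothing else is reachable
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-allow-backend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:           # only the application tier that connects to the database
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 5432
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-allow-ingress-controller
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
  - Ingress
  ingress:
  - from:
    # namespaceSelector and podSelector in ONE list item are ANDed: the peer must be
    # a pod in the ingress-nginx namespace AND carry the controller label.
    # (As two separate list items they would be ORed, which is far too broad.)
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx   # auto-set namespace label (k8s 1.21+)
      podSelector:
        matchLabels:
          app.kubernetes.io/name: ingress-nginx
    ports:
    - protocol: TCP
      port: 8080
```

One caveat a practitioner should verify first: the Kubernetes API accepts NetworkPolicy objects on any cluster, but they are only enforced if the AKS cluster was created with a network policy option enabled. On a cluster without one, `kubectl apply` succeeds and every pod stays reachable, so test the result (for example, `kubectl exec` into a frontend pod and confirm a connection to the database port is refused) rather than trusting that the objects exist.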

Next steps

To get started with AKS networking, create and configure an AKS cluster with your own IP address ranges using kubenet or Azure CNI.

For associated best practices, see Best practices for network connectivity and security in AKS.

For additional information on core Kubernetes and AKS concepts, see the following articles: