Commit 1754ed0

Update azure-cni-overlay.md
Elaborate further and add links to NSG documentation
1 parent 6fe4817 commit 1754ed0

File tree

1 file changed

+6
-4
lines changed
articles/aks/azure-cni-overlay.md

Lines changed: 6 additions & 4 deletions
@@ -65,12 +65,13 @@ The following are additional factors to consider when planning pods IP address s
6565

6666
## Network security groups
6767

68-
Pod to pod traffic with Azure CNI Overlay is not encapsulated and subnet NSG rules are applied. If the subnet NSG contains deny rules that would impact this traffic, make sure the following rules are in place to ensure proper cluster functionality (in addition to all [AKS egress requirements][aks-egress]):
68+
Pod to pod traffic with Azure CNI Overlay is not encapsulated and subnet [network security group][nsgs] rules are applied. If the subnet NSG contains deny rules that would impact the pod CIDR traffic, make sure the following rules are in place to ensure proper cluster functionality (in addition to all [AKS egress requirements][aks-egress]):
6969

7070
* Traffic from the node CIDR to the node CIDR on all ports and protocols
71-
* Traffic from the node CIDR to the pod CIDR on all ports and protocols
72-
* Traffic from the pod CIDR to the node CIDR on all ports and protocols
73-
* Traffic from the pod CIDR to the pod CIDR on all ports and protocols
71+
* Traffic from the node CIDR to the pod CIDR on all ports and protocols (required for service traffic routing)
72+
* Traffic from the pod CIDR to the pod CIDR on all ports and protocols (required for pod to pod and pod to service traffic, including DNS)
73+
74+
Traffic from a pod to any destination outside of the pod CIDR block will utilize SNAT to set the source IP to the IP of the node where the pod is running.
7475

7576
If you wish to restrict traffic between workloads in the cluster, [network policies][aks-network-policies] are the recommended solution.
7677
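Review bot: the link label on added line 68, `[network security group][nsgs]`, does not match the reference definition added later in this commit, `[nsg]: /azure/virtual-network/network-security-groups-overview`; with the labels differing, the Markdown renderer will emit the literal text `[network security group][nsgs]` instead of a link, so one of the two spellings should change. A second point on the same hunk: the rule "Traffic from the pod CIDR to the node CIDR" is removed, and the only justification for that is implicit in the new sentence that pod traffic leaving the pod CIDR is SNATed to the node IP (so it is already covered by the node-CIDR-to-node-CIDR rule). Consider saying so explicitly next to the list, e.g. "Pod to node traffic is SNATed to the node IP and is therefore covered by the node CIDR rule above", so a reader auditing their NSG deny rules does not conclude the rule was dropped by mistake.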

@@ -161,3 +162,4 @@ To learn how to utilize AKS with your own Container Network Interface (CNI) plug
161162
[az-feature-show]: /cli/azure/feature#az-feature-show
162163
[aks-egress]: limit-egress-traffic.md
163164
[aks-network-policies]: use-network-policies.md
165+
[nsg]: /azure/virtual-network/network-security-groups-overview
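Review bot: the reference label defined here is `[nsg]`, but the text added in the first hunk refers to it as `[nsgs]`; the two must be spelled identically or the link will not resolve. The other reference definitions in this block (`[aks-egress]`, `[aks-network-policies]`) use the same name in both places, so either rename this line to `[nsgs]:` or change the usage to `[nsg]` to match.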