articles/aks/limit-egress-traffic.md (4 additions & 4 deletions)
@@ -34,7 +34,7 @@ To increase the security of your AKS cluster, you may wish to restrict egress tr
You can use [Azure Firewall][azure-firewall] or a 3rd-party firewall appliance to secure your egress traffic and define these required ports and addresses. AKS does not automatically create these rules for you. The following ports and addresses are for reference as you create the appropriate rules in your network firewall.
> [!IMPORTANT]
-
> When you use Azure Firewall to restrict egress traffic and create a user-defined route (UDR) to force all egress traffic, make sure you create an appropriate DNAT rule in Firewall to correctly allow ingress traffic. Using Azure Firewall with a UDR breaks the ingress setup due to asymmetric routing. (The issue occurs if the AKS subnet has a default route that goes to the firewall's private IP address, but you're using a public load balancer - ingress or Kubernetes service of type: LoadBalancer). In this case, the incoming load balancer traffic is received via its public IP address, but the return path goes through the firewall's private IP address. Because the firewall is stateful, it drops the returning packet because the firewall isn't aware of an established session. To learn how to integrate Azure Firewall with your ingress or service load balancer, see [Integrate Azure Firewall with Azure Standard Load Balancer](https://docs.microsoft.com/en-us/azure/firewall/integrate-lb).
+
> When you use Azure Firewall to restrict egress traffic and create a user-defined route (UDR) to force all egress traffic, make sure you create an appropriate DNAT rule in Firewall to correctly allow ingress traffic. Using Azure Firewall with a UDR breaks the ingress setup due to asymmetric routing. (The issue occurs if the AKS subnet has a default route that goes to the firewall's private IP address, but you're using a public load balancer - ingress or Kubernetes service of type: LoadBalancer). In this case, the incoming load balancer traffic is received via its public IP address, but the return path goes through the firewall's private IP address. Because the firewall is stateful, it drops the returning packet because the firewall isn't aware of an established session. To learn how to integrate Azure Firewall with your ingress or service load balancer, see [Integrate Azure Firewall with Azure Standard Load Balancer](https://docs.microsoft.com/azure/firewall/integrate-lb).
> You can lock down the traffic for TCP port 9000 and TCP port 22 using a network rule between the egress worker node IP(s) and the IP for the API server.
In AKS, there are two sets of ports and addresses:
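Review bot: Dropping the `en-us` locale segment from the integrate-lb link is the right fix, since locale-neutral `docs.microsoft.com/azure/...` URLs resolve to the reader's own language; please check whether any other links in this file still carry `/en-us/` and normalize them in the same change. Nit in the unchanged text of this block: "create an appropriate DNAT rule in Firewall" should read "in Azure Firewall" to match the rest of the paragraph.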
@@ -50,7 +50,7 @@ In AKS, there are two sets of ports and addresses:
The following outbound ports / network rules are required for an AKS cluster:
* TCP port *443*
-
* TCP [IPAddrOfYourAPIServer]:443 is required if you have an app that needs to talk to the API server. This change can be set after the cluster is created.<!--TODO need to wordsmith this-->
+
* TCP [IPAddrOfYourAPIServer]:443 is required if you have an app that needs to talk to the API server. This change can be set after the cluster is created.
* TCP port *9000* and TCP port *22* for the tunnel front pod to communicate with the tunnel end on the API server.
* To get more specific, see the **.hcp.\<location\>.azmk8s.io* and **.tun.\<location\>.azmk8s.io* addresses in the following table.
* UDP port *53* for DNS is also required if you have pods directly accessing the API server.
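Review bot: Deleting the `<!--TODO need to wordsmith this-->` comment without rewording the bullet it was attached to leaves the flagged text as it was. The bracketed `[IPAddrOfYourAPIServer]` placeholder and "This change can be set after the cluster is created." still read awkwardly next to the other bullets; suggest something like "TCP 443 to your API server's IP address, if an app needs to talk to the API server. You can add this rule after the cluster is created." It would also help to say where that IP comes from, for example by pointing at the `*.hcp.<location>.azmk8s.io` entry in the table below, which the following bullet already references.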
@@ -91,7 +91,7 @@ The following FQDN / application rules are required for AKS clusters that have G
| us.download.nvidia.com | HTTPS:443 | This address is used for correct driver installation and operation on GPU-based nodes. |
| apt.dockerproject.org | HTTPS:443 | This address is used for correct driver installation and operation on GPU-based nodes. |
-
## Required addresses and ports for AKS clusters with Azure Monitor for containers enabled
+
## Required addresses and ports with Azure Monitor for containers enabled
The following FQDN / application rules are required for AKS clusters that have the Azure Monitor for containers enabled:
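Review bot: Shortening this heading to "Required addresses and ports with Azure Monitor for containers enabled" breaks the parallel with the next section, whose heading keeps the "Required addresses and ports for AKS clusters with ... enabled" form. If the intent is a shorter heading, shorten the sibling headings the same way in this change; otherwise keep "Required addresses and ports for AKS clusters with Azure Monitor for containers enabled" so the section titles stay consistent.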
@@ -103,7 +103,7 @@ The following FQDN / application rules are required for AKS clusters that have t
|*.microsoftonline.com | HTTPS:443 | This is used for authenticating and sending metrics to Azure Monitor. |
|*.monitoring.azure.com | HTTPS:443 | This is used to send metrics data to Azure Monitor. |
-
## Required addresses and ports for AKS clusters with Azure Policy (in private preview) enabled
+
## Required addresses and ports for AKS clusters with Azure Policy (in public preview) enabled
> [!CAUTION]
> Some of the features below are in preview. The suggestions in this article are subject to change as the feature moves to public preview and future release stages.
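Review bot: Changing the heading to "(in public preview)" contradicts the unchanged caution text directly below it, which still says the suggestions are "subject to change as the feature moves to public preview". Update that sentence in the same change, for example "subject to change as the feature moves toward general availability", so the section does not describe Azure Policy as both already in public preview and not yet there.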