Merge pull request #232499 from schaffererin/AKScustomclusteregress

denrea · web-flow · commit 506f3a82856d · 2023-03-28T16:21:56.000-07:00
Editing pass for consistent formatting
diff --git a/articles/aks/egress-outboundtype.md b/articles/aks/egress-outboundtype.md
@@ -5,133 +5,129 @@ author: asudbring
 ms.subservice: aks-networking
 ms.author: allensu
 ms.topic: how-to
-ms.date: 06/29/2020
+ms.date: 03/28/2023
 
 #Customer intent: As a cluster operator, I want to define my own egress paths with user-defined routes. Since I define this up front I do not want AKS provided load balancer configurations.
 ---
 
 # Customize cluster egress with outbound types in Azure Kubernetes Service (AKS)
 
-Egress from an AKS cluster can be customized to fit specific scenarios. By default, AKS will provision a Standard SKU Load Balancer to be set up and used for egress. However, the default setup may not meet the requirements of all scenarios if public IPs are disallowed or additional hops are required for egress.
+You can customize egress for an AKS cluster to fit specific scenarios. By default, AKS will provision a standard SKU load balancer to be set up and used for egress. However, the default setup may not meet the requirements of all scenarios if public IPs are disallowed or additional hops are required for egress.
 
-This article covers the various types of outbound connectivity that are available in AKS Clusters.
+This article covers the various types of outbound connectivity that are available in AKS clusters.
+
+> [!NOTE]
+> You can now update the `outboundType` after cluster creation. This feature is in preview. See [Updating `outboundType after cluster creation (preview)](#updating-outboundtype-after-cluster-creation-preview).
 
 ## Limitations
-* Outbound type can only be defined at cluster create time and can't be updated afterwards.
-  * Reconfiguring outbound type is now supported in preview; see below.
-* Setting `outboundType` requires AKS clusters with a `vm-set-type` of `VirtualMachineScaleSets` and `load-balancer-sku` of `Standard`.
 
-## Overview of outbound types in AKS
+* Setting `outboundType` requires AKS clusters with a `vm-set-type` of `VirtualMachineScaleSets` and `load-balancer-sku` of `Standard`.
 
-An AKS cluster can be configured with three different categories of outbound type: load balancer, NAT gateway, or user-defined routing.
+## Outbound types in AKS
 
-> [!IMPORTANT]
-> Outbound type impacts only the egress traffic of your cluster. For more information, see [setting up ingress controllers](ingress-basic.md).
+You can configure an AKS cluster using the following outbound types: load balancer, NAT gateway, or user-defined routing. The outbound type impacts only the egress traffic of your cluster. For more information, see [setting up ingress controllers](ingress-basic.md).
 
 > [!NOTE]
-> You can use your own [route table][byo-route-table] with UDR and kubenet networking. Make sure your cluster identity (service principal or managed identity) has Contributor permissions to the custom route table.
+> You can use your own [route table][byo-route-table] with UDR and [kubenet networking](../aks/configure-kubenet.md). Make sure your cluster identity (service principal or managed identity) has Contributor permissions to the custom route table.
 
-### Outbound type of loadBalancer
+### Outbound type of `loadBalancer`
 
-If `loadBalancer` is set, AKS completes the following configuration automatically. The load balancer is used for egress through an AKS assigned public IP. An outbound type of `loadBalancer` supports Kubernetes services of type `loadBalancer`, which expect egress out of the load balancer created by the AKS resource provider.
+The load balancer is used for egress through an AKS-assigned public IP. An outbound type of `loadBalancer` supports Kubernetes services of type `loadBalancer`, which expect egress out of the load balancer created by the AKS resource provider.
 
-The following configuration is done by AKS.
-   * A public IP address is provisioned for cluster egress.
-   * The public IP address is assigned to the load balancer resource.
-   * Backend pools for the load balancer are set up for agent nodes in the cluster.
+If `loadBalancer` is set, AKS automatically completes the following configuration:
 
-Below is a network topology deployed in AKS clusters by default, which use an `outboundType` of `loadBalancer`.
+* A public IP address is provisioned for cluster egress.
+* The public IP address is assigned to the load balancer resource.
+* Backend pools for the load balancer are set up for agent nodes in the cluster.
 
 ![Diagram shows ingress I P and egress I P, where the ingress I P directs traffic to a load balancer, which directs traffic to and from an internal cluster and other traffic to the egress I P, which directs traffic to the Internet, M C R, Azure required services, and the A K S Control Plane.](media/egress-outboundtype/outboundtype-lb.png)
 
-For more information, see [using a standard load balancer in AKS](load-balancer-standard.md) for more information.
+For more information, see [using a standard load balancer in AKS](load-balancer-standard.md).
 
 ### Outbound type of `managedNatGateway` or `userAssignedNatGateway`
 
-If `managedNatGateway` or `userAssignedNatGateway` are selected for `outboundType`, AKS relies on [Azure Networking NAT gateway](../virtual-network/nat-gateway/manage-nat-gateway.md) for cluster egress. 
-
-- `managedNatGateway` is used when using managed virtual networks, and tells AKS to provision a NAT gateway and attach it to the cluster subnet.
-- `userAssignedNatGateway` is used when using bring-your-own virtual networking, and requires that a NAT gateway has been provisioned before cluster creation.
+If `managedNatGateway` or `userAssignedNatGateway` are selected for `outboundType`, AKS relies on [Azure Networking NAT gateway](../virtual-network/nat-gateway/manage-nat-gateway.md) for cluster egress.
 
-NAT gateway has significantly improved handling of SNAT ports when compared to Standard Load Balancer.
+* Select `managedNatGateway` when using managed virtual networks. AKS will provision a NAT gateway and attach it to the cluster subnet.
+* Select `userAssignedNatGateway` when using bring-your-own virtual networking. This option requires that you have provisioned a NAT gateway before cluster creation.
 
-For more information, see [using NAT Gateway with AKS](nat-gateway.md) for more information.
+For more information, see [using NAT gateway with AKS](nat-gateway.md).
 
-### Outbound type of userDefinedRouting
+### Outbound type of `userDefinedRouting`
 
 > [!NOTE]
-> Using outbound type is an advanced networking scenario and requires proper network configuration.
+> The `userDefinedRouting` outbound type is an advanced networking scenario and requires proper network configuration.
 
 If `userDefinedRouting` is set, AKS won't automatically configure egress paths. The egress setup must be done by you.
 
-The AKS cluster must be deployed into an existing virtual network with a subnet that has been previously configured because when not using standard load balancer (SLB) architecture, you must establish explicit egress. As such, this architecture requires explicitly sending egress traffic to an appliance like a firewall, gateway, proxy or to allow the Network Address Translation (NAT) to be done by a public IP assigned to the standard load balancer or appliance.
+You must deploy the AKS cluster into an existing virtual network with a subnet that has been previously configured. Since you're not using a standard load balancer (SLB) architecture, you must establish explicit egress. This architecture requires explicitly sending egress traffic to an appliance like a firewall, gateway, proxy or to allow NAT to be done by a public IP assigned to the standard load balancer or appliance.
 
-For more information, see [configuring cluster egress via user-defined routing](egress-udr.md) for more information.
+For more information, see [configuring cluster egress via user-defined routing](egress-udr.md).
 
-## Updating `outboundType` after cluster creation (PREVIEW)
+## Updating `outboundType` after cluster creation (preview)
 
 Changing the outbound type after cluster creation will deploy or remove resources as required to put the cluster into the new egress configuration.
 
 Migration is only supported between `loadBalancer`, `managedNATGateway` (if using a managed virtual network), and `userDefinedNATGateway` (if using a custom virtual network).
 
 > [!WARNING]
-> Changing the outbound type on a cluster is disruptive to network connectivity and will result in a change of the cluster's egress IP address. If any firewall rules have been configured to restrict traffic from the cluster, they will need to be updated to match the new egress IP address.
+> Changing the outbound type on a cluster is disruptive to network connectivity and will result in a change of the cluster's egress IP address. If any firewall rules have been configured to restrict traffic from the cluster, you need to update them to match the new egress IP address.
 
 [!INCLUDE [preview features callout](includes/preview/preview-callout.md)]
 
-### Install the aks-preview Azure CLI extension
+### Install the `aks-preview` Azure CLI extension
 
 `aks-preview` version 0.5.113 is required.
 
-To install the `aks-preview` extension, run the following command:
-
-```azurecli
-az extension add --name aks-preview
-```
+* Install and update the `aks-preview` extension.
 
-Run the following command to update to the latest version of the extension released:
+    ```azurecli
+    # Install aks-preview extension
+    az extension add --name aks-preview
 
-```azurecli
-az extension update --name aks-preview
-```
+    # Update aks-preview extension
+    az extension update --name aks-preview
+    ```
 
-### Register the 'AKS-OutBoundTypeMigrationPreview' feature flag
+### Register the `AKS-OutBoundTypeMigrationPreview` feature flag
 
-Register the `AKS-OutBoundTypeMigrationPreview` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:
+1. Register the `AKS-OutBoundTypeMigrationPreview` feature flag using the [`az feature register`][az-feature-register] command. It takes a few minutes for the status to show *Registered*.
 
-```azurecli-interactive
-az feature register --namespace "Microsoft.ContainerService" --name "AKS-OutBoundTypeMigrationPreview"
-```
+    ```azurecli-interactive
+    az feature register --namespace "Microsoft.ContainerService" --name "AKS-OutBoundTypeMigrationPreview"
+    ```
 
-It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature show][az-feature-show] command:
+2. Verify the registration status using the [`az feature show`][az-feature-show] command.
 
-```azurecli-interactive
-az feature show --namespace "Microsoft.ContainerService" --name "AKS-OutBoundTypeMigrationPreview"
-```
+    ```azurecli-interactive
+    az feature show --namespace "Microsoft.ContainerService" --name "AKS-OutBoundTypeMigrationPreview"
+    ```
 
-When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:
+3. When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider using the [`az provider register`][az-provider-register] command.
 
-```azurecli-interactive
-az provider register --namespace Microsoft.ContainerService
-```
+    ```azurecli-interactive
+    az provider register --namespace Microsoft.ContainerService
+    ```
 
-### Update a cluster to use a new outbound type
+### Update cluster to use a new outbound type
 
-Run the following command to change a cluster's outbound configuration:
+* Update the outbound configuration of your cluster using the [`az aks update`][az-aks-update] command.
 
-```azurecli-interactive
-az aks update -g <resourceGroup> -n <clusterName> --outbound-type <loadBalancer|managedNATGateway|userAssignedNATGateway>
-```
+    ```azurecli-interactive
+    az aks update -g <resourceGroup> -n <clusterName> --outbound-type <loadBalancer|managedNATGateway|userAssignedNATGateway>
+    ```
 
 ## Next steps
 
-- [Configure standard load balancing in an AKS cluster](load-balancer-standard.md)
-- [Configure NAT gateway in an AKS cluster](nat-gateway.md)
-- [Configure user-defined routing in an AKS cluster](egress-udr.md)
-- [NAT gateway documentation](./nat-gateway.md)
-- [Azure networking UDR overview](../virtual-network/virtual-networks-udr-overview.md).
-- [Manage route tables](../virtual-network/manage-route-table.md).
+* [Configure standard load balancing in an AKS cluster](load-balancer-standard.md)
+* [Configure NAT gateway in an AKS cluster](nat-gateway.md)
+* [Configure user-defined routing in an AKS cluster](egress-udr.md)
+* [NAT gateway documentation](./nat-gateway.md)
+* [Azure networking UDR overview](../virtual-network/virtual-networks-udr-overview.md)
+* [Manage route tables](../virtual-network/manage-route-table.md)
 
 <!-- LINKS - internal -->
-[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
-[byo-route-table]: configure-kubenet.md#bring-your-own-subnet-and-route-table-with-kubenet
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[az-feature-show]: /cli/azure/feature#az_feature_show
+[az-provider-register]: /cli/azure/provider#az_provider_register
+[az-aks-update]: /cli/azure/aks#az_aks_update
