articles/aks/limit-egress-traffic.md
6 additions & 3 deletions
@@ -4,7 +4,7 @@ description: Learn what ports and addresses are required to control egress traff
4
4
services: container-service
5
5
ms.topic: article
6
6
ms.author: jpalma
7
-
ms.date: 06/27/2022
7
+
ms.date: 07/05/2022
8
8
author: palma21
9
9
10
10
#Customer intent: As an cluster operator, I want to restrict egress traffic for nodes to only access defined ports and addresses and improve cluster security.
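Review bot: the context line `#Customer intent: As an cluster operator, ...` has a grammatical error ("As a cluster operator"); since this commit already touches the front matter (the `ms.date` bump to 07/05/2022), it is worth fixing that line in the same change rather than leaving it for another date bump.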
@@ -477,7 +477,7 @@ az aks create -g $RG -n $AKSNAME -l $LOC \
477
477
> [!NOTE]
478
478
> For creating and using your own VNet and route table where the resources are outside of the worker node resource group, the CLI will add the role assignment automatically. If you are using an ARM template or other client, you need to use the Principal ID of the cluster managed identity to perform a [role assignment.][add role to identity]
479
479
>
480
-
> If you are not using the CLI but using your own VNet or route table which are outside of the worker node resource group, it's recommended to use [user-assigned control plane identity][Bring your own control plane managed identity]. For system-assigned control plane identity, we cannot get the identity ID before creating cluster, which causes delay for role assignment to take effect.
480
+
> If you are not using the CLI but using your own VNet or route table which are outside of the worker node resource group, it's recommended to use [user-assigned control plane identity][Create an AKS cluster with user-assigned identities]. For system-assigned control plane identity, we cannot get the identity ID before creating cluster, which causes delay for role assignment to take effect.
481
481
482
482
#### Create an AKS cluster with user-assigned identities
483
483
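Review bot: the changed note line still carries the awkward explanation "we cannot get the identity ID before creating cluster, which causes delay for role assignment to take effect"; suggest rewording to "the identity's principal ID does not exist until the cluster is created, so the role assignment on the VNet or route table can only be made afterwards and takes time to propagate", which makes the reason for preferring a user-assigned control plane identity (the principal ID is known up front, so the assignment can be in place before `az aks create`) explicit. The link target now points at the in-article section `#### Create an AKS cluster with user-assigned identities` (visible as context at line 482) instead of `use-managed-identity.md`; that is a reasonable change, but make sure that section also tells the reader to assign the role to the user-assigned identity before creating the cluster, since the sentence being edited is the only place that states the ordering requirement.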
@@ -545,6 +545,9 @@ az aks create -g $RG -n $AKSNAME -l $LOC \
> For creating and using your own VNet and route table where the resources are outside of the worker node resource group, the CLI will add the role assignment automatically. If you are using an ARM template or other client, you need to use the Principal ID of the cluster managed identity to perform a [role assignment.][add role to identity]
550
+
548
551
### Enable developer access to the API server
549
552
550
553
If you used authorized IP ranges for the cluster on the previous step, you must add your developer tooling IP addresses to the AKS cluster list of approved IP ranges in order to access the API server from there. Another option is to configure a jumpbox with the needed tooling inside a separate subnet in the Firewall's virtual network.
@@ -868,5 +871,5 @@ If you want to restrict how pods communicate between themselves and East-West tr
868
871
[aks-faq]: faq.md
869
872
[aks-private-clusters]: private-clusters.md
870
873
[add role to identity]: use-managed-identity.md#add-role-assignment-for-control-plane-identity
871
-
[Bring your own control plane managed identity]: use-managed-identity.md#bring-your-own-control-plane-managed-identity
874
+
[Create an AKS cluster with user-assigned identities]: limit-egress-traffic.md#create-an-AKS-cluster-with-user-assigned-identities
872
875
[Use a pre-created kubelet managed identity]: use-managed-identity.md#use-a-pre-created-kubelet-managed-identity
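Review bot: the new reference definition `[Create an AKS cluster with user-assigned identities]: limit-egress-traffic.md#create-an-AKS-cluster-with-user-assigned-identities` uses mixed case in the fragment; heading anchors are generated lower-cased, so it should read `#create-an-aks-cluster-with-user-assigned-identities` (and, because the target is this same file, a bare `#create-an-aks-cluster-with-user-assigned-identities` fragment would suffice). Also confirm that no remaining line in the file still uses the removed `[Bring your own control plane managed identity]` reference; the hunk at line 480 replaced the only occurrence visible here, but any other use would now be a dangling link.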