articles/aks/use-network-policies.md
Lines changed: 34 additions & 33 deletions
@@ -4,7 +4,7 @@ titleSuffix: Azure Kubernetes Service
4
4
description: Learn how to secure traffic that flows in and out of pods by using Kubernetes network policies in Azure Kubernetes Service (AKS).
5
5
ms.topic: article
6
6
ms.custom: devx-track-azurecli
7
-
ms.date: 02/12/2024
7
+
ms.date: 03/28/2024
8
8
---
9
9
10
10
# Secure traffic between pods by using network policies in AKS
@@ -13,32 +13,6 @@ When you run modern, microservices-based applications in Kubernetes, you often w
13
13
14
14
This article shows you how to install the network policy engine and create Kubernetes network policies to control the flow of traffic between pods in AKS. Network policies could be used for Linux-based or Windows-based nodes and pods in AKS.
15
15
16
-
## Before you begin
17
-
18
-
You need the Azure CLI version 2.0.61 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
19
-
20
-
### Uninstall Azure Network Policy Manager or Calico (Preview)
21
-
Requirements:
22
-
- aks-preview Azure CLI extension version 0.5.166 or later. See [Install the aks-preview Azure CLI extension](#install-the-aks-preview-azure-cli-extension).
23
-
- Azure CLI version 2.54 or later
24
-
- AKS REST API version 2023-08-02-preview or later
25
-
26
-
Notes:
27
-
- The uninstall process does _not_ remove Custom Resource Definitions (CRDs) and Custom Resources (CRs) used by Calico. These CRDs and CRs all have names ending with either "projectcalico.org" or "tigera.io".
28
-
These CRDs and associated CRs can be manually deleted _after_ Calico is successfully uninstalled (deleting the CRDs before removing Calico breaks the cluster).
29
-
- The upgrade will not remove any NetworkPolicy resources in the cluster, but after the uninstall these policies are no longer enforced.
30
-
31
-
> [!WARNING]
32
-
> The upgrade process triggers each node pool to be re-imaged simultaneously. Upgrading each node pool separately isn't supported. Any disruptions to cluster networking are similar to a node image upgrade or [Kubernetes version upgrade](./upgrade-cluster.md) where each node in a node pool is re-imaged.
33
-
34
-
To remove Azure Network Policy Manager or Calico from a cluster, run the following command:
35
-
```azurecli
36
-
az aks update
37
-
--resource-group $RESOURCE_GROUP_NAME \
38
-
--name $CLUSTER_NAME \
39
-
--network-policy none
40
-
```
41
-
42
16
## Overview of network policy
43
17
44
18
All pods in an AKS cluster can send and receive traffic without limitations, by default. To improve security, you can define rules that control the flow of traffic. Back-end applications are often only exposed to required front-end services, for example. Or, database components are only accessible to the application tiers that connect to them.
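Review bot: Removing "Before you begin" and the "Uninstall Azure Network Policy Manager or Calico (Preview)" section from the top of the page is the right call for reading order, since the uninstall steps depend on the aks-preview extension and on a cluster that the article only creates later; the deletion is the first half of a move, so the things to check are that the later re-insertion carries every line across (the Requirements list, both notes, the warning and the `az aks update` command) and that the in-page link `#install-the-aks-preview-azure-cli-extension` still resolves now that the section sits below that heading rather than above it.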
@@ -51,12 +25,12 @@ The network policy rules are defined as YAML manifests. Network policies can be
51
25
52
26
Azure provides three Network Policy engines for enforcing network policies:
53
27
54
-
**Cilium* for AKS clusters that use [Azure CNI Powered by Cilium](./azure-cni-powered-by-cilium.md).
55
-
**Azure Network Policy Manager*.
56
-
**Calico*, an open-source network and network security solution founded by [Tigera][tigera].
28
+
*_Cilium_ for AKS clusters that use [Azure CNI Powered by Cilium](./azure-cni-powered-by-cilium.md).
29
+
*_Azure Network Policy Manager_.
30
+
*_Calico_, an open-source network and network security solution founded by [Tigera][tigera].
57
31
58
32
Cilium is our recommended Network Policy engine. Cilium enforces network policy on the traffic using Linux Berkeley Packet Filter (BPF), which is generally more efficient than "IPTables". See more details in [Azure CNI Powered by Cilium documentation](./azure-cni-powered-by-cilium.md).
59
-
To enforce the specified policies, Azure Network Policy Manager for Linux uses Linux *IPTables*. Azure Network Policy Manager for Windows uses *Host Network Service (HNS) ACLPolicies*. Policies are translated into sets of allowed and disallowed IP pairs. These pairs are then programmed as `IPTable` or `HNS ACLPolicy` filter rules.
33
+
To enforce the specified policies, Azure Network Policy Manager for Linux uses Linux _IPTables_. Azure Network Policy Manager for Windows uses _Host Network Service (HNS) ACLPolicies_. Policies are translated into sets of allowed and disallowed IP pairs. These pairs are then programmed as `IPTable` or `HNS ACLPolicy` filter rules.
60
34
61
35
62
36
## Differences between Network Policy engines: Cilium, Azure NPM, and Calico
With Azure Network Policy Manager for Linux, we don't allow scaling beyond 250 nodes and 20,000 pods. If you attempt to scale beyond these limits, you might encounter "Out of Memory" (OOM) errors. To increase your memory limit, create a support ticket.
90
64
65
+
## Before you begin
66
+
67
+
You need the Azure CLI version 2.0.61 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
68
+
91
69
## Create an AKS cluster and enable network policy
92
70
93
71
To see network policies in action, you create an AKS cluster that supports network policy and then work on adding policies.
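Review bot: The new engine list still does not look like a Markdown list as shown here: `*_Cilium_ for AKS clusters ...` has no space between the `*` and the `_`, so the line is parsed as emphasis rather than a bullet, just as the old `**Cilium*` form was. If a space was dropped in rendering, ignore this; otherwise write `* _Cilium_ for ...` for all three items, or use `- ` to match the `-` bullets in the Requirements list elsewhere in this file. The `*IPTables*` to `_IPTables_` change is cosmetic and reads fine. One consequence of moving "Before you begin" below the engine comparison: its Azure CLI requirement (2.0.61 or later) is now far from the stricter one in the Uninstall section (2.54 or later plus the aks-preview extension); a one-line pointer from the former to the latter would save readers installing twice.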
@@ -158,13 +136,13 @@ Register the `WindowsNetworkPolicyPreview` feature flag by using the [az feature
158
136
az feature register --namespace "Microsoft.ContainerService" --name "WindowsNetworkPolicyPreview"
159
137
```
160
138
161
-
It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature show][az-feature-show] command:
139
+
It takes a few minutes for the status to show _Registered_. Verify the registration status by using the [az feature show][az-feature-show] command:
162
140
163
141
```azurecli-interactive
164
142
az feature show --namespace "Microsoft.ContainerService" --name "WindowsNetworkPolicyPreview"
165
143
```
166
144
167
-
When the status reflects *Registered*, refresh the registration of the `Microsoft.ContainerService` resource provider by using the [az provider register][az-provider-register] command:
145
+
When the status reflects _Registered_, refresh the registration of the `Microsoft.ContainerService` resource provider by using the [az provider register][az-provider-register] command:
168
146
169
147
```azurecli-interactive
170
148
az provider register --namespace Microsoft.ContainerService
@@ -385,6 +363,29 @@ Run the following command to label the `client` and verify connectivity with the
385
363
kubectl label pod client -n demo app=client
386
364
```
387
365
366
+
## Uninstall Azure Network Policy Manager or Calico (Preview)
367
+
368
+
Requirements:
369
+
- aks-preview Azure CLI extension version 0.5.166 or later. See [Install the aks-preview Azure CLI extension](#install-the-aks-preview-azure-cli-extension).
370
+
- Azure CLI version 2.54 or later
371
+
- AKS REST API version 2023-08-02-preview or later
372
+
373
+
> [!NOTE]
374
+
> - The uninstall process does _**not**_ remove Custom Resource Definitions (CRDs) and Custom Resources (CRs) used by Calico. These CRDs and CRs all have names ending with either "projectcalico.org" or "tigera.io".
375
+
> These CRDs and associated CRs can be manually deleted _after_ Calico is successfully uninstalled (deleting the CRDs before removing Calico breaks the cluster).
376
+
> - The upgrade will not remove any NetworkPolicy resources in the cluster, but after the uninstall these policies are no longer enforced.
377
+
378
+
> [!WARNING]
379
+
> The upgrade process triggers each node pool to be re-imaged simultaneously. Upgrading each node pool separately isn't supported. Any disruptions to cluster networking are similar to a node image upgrade or [Kubernetes version upgrade](./upgrade-cluster.md) where each node in a node pool is re-imaged.
380
+
381
+
To remove Azure Network Policy Manager or Calico from a cluster, run the following command:
382
+
```azurecli
383
+
az aks update
384
+
--resource-group $RESOURCE_GROUP_NAME \
385
+
--name $CLUSTER_NAME \
386
+
--network-policy none
387
+
```
388
+
388
389
## Clean up resources
389
390
390
391
In this article, you created a namespace and two pods and applied a network policy. To clean up these resources, use the [kubectl delete][kubectl-delete] command and specify the resource name:
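Review bot: The `az aks update` command in this block is missing a line continuation on its first line: `az aks update` is followed by `--resource-group $RESOURCE_GROUP_NAME \` with no trailing `\`, so a shell runs `az aks update` with no arguments and then fails on `--resource-group` as an unknown command; write `az aks update \`. The deleted copy had the same defect, so this is a carried-over bug rather than a regression, but the move is a good moment to fix it. Two wording points in the callouts: both refer to "the upgrade" ("The upgrade will not remove any NetworkPolicy resources", "The upgrade process triggers each node pool to be re-imaged") while the operation documented is an uninstall via `--network-policy none`; saying "the uninstall" avoids confusion with the Kubernetes version upgrade that the warning links to only as a comparison. Finally, "after the uninstall these policies are no longer enforced" is the security-relevant consequence; consider stating explicitly that pods fall back to the default allow-all behavior described in the Overview until a policy engine is installed again, so readers do not assume the retained NetworkPolicy objects still restrict traffic.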