
Commit e9b0ce2

Add text on required NSG rules
Add text on required NSG rules for node to node, node to pod, pod to node, and pod to pod traffic.
1 parent 0f5e634 commit e9b0ce2

File tree

1 file changed

+13
-0
lines changed


articles/aks/azure-cni-overlay.md

Lines changed: 13 additions & 0 deletions
@@ -63,6 +63,17 @@ The following are additional factors to consider when planning pods IP address s
6363

6464
* **Kubernetes DNS service IP address**: This is an IP address within the Kubernetes service address range that's used by cluster service discovery. Don't use the first IP address in your address range, as this address is used for the `kubernetes.default.svc.cluster.local` address.
6565

66+
## Network security groups
67+
68+
Pod to pod traffic with Azure CNI Overlay is not encapsulated and subnet NSG rules are applied. If the subnet NSG contains deny rules that would impact this traffic, make sure the following rules are in place to ensure proper cluster functionality (in addition to all [AKS egress requirements][aks-egress]):
69+
70+
* Traffic from the node CIDR to the node CIDR on all ports and protocols
71+
* Traffic from the node CIDR to the pod CIDR on all ports and protocols
72+
* Traffic from the pod CIDR to the node CIDR on all ports and protocols
73+
* Traffic from the pod CIDR to the pod CIDR on all ports and protocols
74+
75+
If you wish to restrict traffic between workloads in the cluster, [network policies][aks-network-policies] are the recommended solution.
76+
6677
## Maximum pods per node
6778

6879
You can configure the maximum number of pods per node at the time of cluster creation or when you add a new node pool. The default for Azure CNI Overlay is 30. The maximum value that you can specify in Azure CNI Overlay is 250, and the minimum value is 10. The maximum pods per node value configured during creation of a node pool applies to the nodes in that node pool only.
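Review bot: the four bullets describe flows ("Traffic from the node CIDR to the pod CIDR on all ports and protocols") but not which NSG rule direction is meant, and a subnet NSG evaluates inbound and outbound rule sets separately. Since the opening sentence only says "make sure the following rules are in place", a reader could add an outbound allow and still be blocked by an inbound deny on the same subnet. Suggest stating explicitly that the allow must exist in both the inbound and outbound rule sets wherever a deny rule would otherwise match, for example by appending "(inbound and outbound)" to the intro sentence. Minor style point: the added section has two consecutive blank lines after the heading and after the intro paragraph; one is enough and matches the rest of the file.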
@@ -148,3 +159,5 @@ To learn how to utilize AKS with your own Container Network Interface (CNI) plug
148159
[az-provider-register]: /cli/azure/provider#az-provider-register
149160
[az-feature-register]: /cli/azure/feature#az-feature-register
150161
[az-feature-show]: /cli/azure/feature#az-feature-show
162+
[aks-egress]: limit-egress-traffic.md
163+
[aks-network-policies]: use-network-policies.md
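Review bot: the two new link definitions (`[aks-egress]: limit-egress-traffic.md` and `[aks-network-policies]: use-network-policies.md`) match the reference names used in the new "Network security groups" section, so the links resolve within this file. They use relative targets while the neighbouring definitions use absolute `/cli/azure/...` paths, which is fine for articles in the same `articles/aks/` folder; just confirm both target files exist there before merging so the build does not report broken links.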
