Commit ee2c57c

Merge pull request #270935 from asudbring/aks-github
Removed NTP information for github issue 115228
2 parents f35340c + a73d516 commit ee2c57c

File tree

1 file changed

+2
-5
lines changed

articles/aks/limit-egress-traffic.md

Lines changed: 2 additions & 5 deletions
@@ -5,7 +5,7 @@ ms.subservice: aks-networking
55
ms.custom: devx-track-azurecli
66
ms.topic: how-to
77
ms.author: allensu
8-
ms.date: 12/05/2023
8+
ms.date: 04/02/2024
99
author: asudbring
1010
#Customer intent: As a cluster operator, I want to restrict egress traffic for nodes to only access defined ports and addresses and improve cluster security.
1111
---
@@ -178,8 +178,7 @@ For information on how to override Azure's default system routes or add addition
178178
This section covers three network rules and an application rule you can use to configure on your firewall. You may need to adapt these rules based on your deployment.
179179
180180
* The first network rule allows access to port 9000 via TCP.
181-
* The second network rule allows access to port 1194 and 123 via UDP. If you're deploying to Microsoft Azure operated by 21Vianet, see the [Azure operated by 21Vianet required network rules](./outbound-rules-control-egress.md#microsoft-azure-operated-by-21vianet-required-network-rules). Both these rules will only allow traffic destined to the Azure Region CIDR in this article, which is East US.
182-
* The third network rule opens port 123 to `ntp.ubuntu.com` FQDN via UDP. Adding an FQDN as a network rule is one of the specific features of Azure Firewall, so you'll need to adapt it when using your own options.
181+
* The second network rule allows access to port 1194 via UDP. If you're deploying to Microsoft Azure operated by 21Vianet, see the [Azure operated by 21Vianet required network rules](./outbound-rules-control-egress.md#microsoft-azure-operated-by-21vianet-required-network-rules). Both these rules will only allow traffic destined to the Azure Region CIDR in this article, which is East US.
183182
* The fourth and fifth network rules allow access to pull containers from GitHub Container Registry (ghcr.io) and Docker Hub (docker.io).
184183
185184
1. Create the network rules using the [`az network firewall network-rule create`][az-network-firewall-network-rule-create] command.
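Review bot: the bullet numbering in this hunk is now inconsistent. The "third network rule" bullet (`ntp.ubuntu.com`, UDP/123) is deleted, but the next bullet still reads "The fourth and fifth network rules allow access to pull containers ...", so the list jumps from second to fourth. Either renumber that bullet to "The third and fourth network rules" or drop the ordinals altogether. The unchanged intro line in this hunk ("This section covers three network rules and an application rule") also no longer matches the four network rules the bullets and the commands below describe; suggest correcting the count in the same change.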
@@ -189,8 +188,6 @@ This section covers three network rules and an application rule you can use to c
189188
190189
az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'apitcp' --protocols 'TCP' --source-addresses '*' --destination-addresses "AzureCloud.$LOC" --destination-ports 9000
191190
192-
az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'time' --protocols 'UDP' --source-addresses '*' --destination-fqdns 'ntp.ubuntu.com' --destination-ports 123
193-
194191
az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'ghcr' --protocols 'TCP' --source-addresses '*' --destination-fqdns ghcr.io pkg-containers.githubusercontent.com --destination-ports '443'
195192
196193
az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'docker' --protocols 'TCP' --source-addresses '*' --destination-fqdns docker.io registry-1.docker.io production.cloudflare.docker.com --destination-ports '443'
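Review bot: removing the `time` rule drops the only UDP/123 egress to `ntp.ubuntu.com` from the example firewall configuration, and the surrounding text gives the reader no indication of how node time synchronization is satisfied once this rule is gone. Since the bullet list above was edited to remove the NTP description as well, consider adding one sentence near the rule list explaining why an explicit NTP egress rule is no longer required (the commit message only cites GitHub issue 115228), so operators who copy these commands do not wonder whether they have inadvertently blocked time sync. The remaining commands in this hunk are consistent with the edited bullet list (TCP/9000 to `AzureCloud.$LOC`, UDP/1194 per the text, and TCP/443 to the ghcr.io and docker.io FQDNs).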
