Commit f2fa75c

Adding additional network rules for containers
1 parent 48bc3d3 commit f2fa75c

1 file changed: 6 additions and 2 deletions

articles/aks/limit-egress-traffic.md

Lines changed: 6 additions & 2 deletions
@@ -180,7 +180,7 @@ This section covers three network rules and an application rule you can use to c
180180
* The first network rule allows access to port 9000 via TCP.
181181
* The second network rule allows access to port 1194 and 123 via UDP. If you're deploying to Microsoft Azure operated by 21Vianet, see the [Azure operated by 21Vianet required network rules](./outbound-rules-control-egress.md#microsoft-azure-operated-by-21vianet-required-network-rules). Both these rules will only allow traffic destined to the Azure Region CIDR in this article, which is East US.
182182
* The third network rule opens port 123 to `ntp.ubuntu.com` FQDN via UDP. Adding an FQDN as a network rule is one of the specific features of Azure Firewall, so you'll need to adapt it when using your own options.
183-
* The application rule covers all needed FQDNs accessible through TCP port 443 and port 80.
183+
* The fourth and fifth network rules allows access to pull containers from GitHub Container Registry (ghcr.io) and Docker Hub (docker.io).
184184
185185
1. Create the network rules using the [`az network firewall network-rule create`][az-network-firewall-network-rule-create] command.
186186
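Review bot: the replacement bullet at 183 has a subject-verb agreement error and drops the only prose describing the application rule. "The fourth and fifth network rules allows" should read "allow". More importantly, the deleted line ("The application rule covers all needed FQDNs accessible through TCP port 443 and port 80.") is the only bullet describing the rule that step 2 below still creates, so the new bullet should be added to the list rather than replace that one. The unchanged hunk header text "This section covers three network rules and an application rule" is also out of date now and should say five network rules.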
@@ -190,6 +190,10 @@ This section covers three network rules and an application rule you can use to c
190190
az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'apitcp' --protocols 'TCP' --source-addresses '*' --destination-addresses "AzureCloud.$LOC" --destination-ports 9000
191191
192192
az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'time' --protocols 'UDP' --source-addresses '*' --destination-fqdns 'ntp.ubuntu.com' --destination-ports 123
193+
194+
az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'ghcr' --protocols 'TCP' --source-addresses '*' --destination-fqdns ghcr.io pkg-containers.githubusercontent.com --destination-ports '443'
195+
196+
az network firewall network-rule create -g $RG -f $FWNAME --collection-name 'aksfwnr' -n 'docker' --protocols 'TCP' --source-addresses '*' --destination-fqdns docker.io registry-1.docker.io production.cloudflare.docker.com --destination-ports '443'
193197
```
194198
195199
2. Create the application rule using the [`az network firewall application-rule create`][az-network-firewall-application-rule-create] command.
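Review bot: the two new rules at 193-196 are inconsistent with the existing rules in the same block and the step does not say what they depend on. The existing 'time' rule quotes its FQDN ('ntp.ubuntu.com') while the new rules pass bare hostnames, and they quote the port ('443') where 'apitcp' passes 9000 unquoted; pick one style for the block. Since FQDN-based network rules rely on the firewall resolving those names (the article calls this out as an Azure Firewall-specific feature at line 182), the step should state that prerequisite next to these commands. These are also plain HTTPS destinations, so they could equally be added to the application rule created in step 2, which matches on the FQDN instead of resolving it; whichever is chosen, the text should say that with --source-addresses '*' every pod in the cluster can pull from Docker Hub and GHCR, which is a wider egress allowance than the cluster-required endpoints the rest of the section lists, and that the CDN hostnames behind those registries can change and should be verified with a test pull and the firewall logs.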
@@ -384,7 +388,7 @@ To configure inbound connectivity, you need to write a DNAT rule to the Azure Fi
384388
2. Get the service IP using the `kubectl get svc voting-app` command.
385389

386390
```azurecli-interactive
387-
SERVICE_IP=$(kubectl get svc voting-app -o jsonpath='{.status.loadBalancer.ingress[*].ip}')
391+
SERVICE_IP=$(kubectl get svc store-front -o jsonpath='{.status.loadBalancer.ingress[*].ip}')
388392
```
389393

390394
3. Add the NAT rule using the [`az network firewall nat-rule create`][az-network-firewall-nat-rule-create] command.
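Review bot: the command at 391 switches the service name from voting-app to store-front, but the prose at 388 still says `kubectl get svc voting-app`, so the step now contradicts its own command; update the sentence to match. This change is also unrelated to the commit message ("Adding additional network rules for containers"); either mention the sample-app rename in the message or split it into its own commit so the docs history stays searchable.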
