articles/hdinsight-aks/control-egress-traffic-from-hdinsight-on-aks-clusters.md
11 additions & 11 deletions
@@ -44,7 +44,7 @@ The load balancer is used for egress through an HDInsight on AKS assigned public
You can configure the outbound with load balancer configuration using the Azure portal.
-
:::image type="content" source="./media/control-egresstraffic-from-hdinsight-on-aks-clusters/cluster-pool-network-setting.png" alt-text="Screenshot showing cluster pool network setting." lightbox="./media/control-egresstraffic-from-hdinsight-on-aks-clusters/cluster-pool-network-setting.png":::
+
:::image type="content" source="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/cluster-pool-network-setting.png" alt-text="Screenshot showing cluster pool network setting." lightbox="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/cluster-pool-network-setting.png":::
Once you opt for this configuration, HDInsight on AKS automatically completes creating a public IP address provisioned for cluster egress & assigns to the load balancer resource.
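Review bot: the only file in this commit is the .md (11 additions, 11 deletions), so the media folder `control-egress-traffic-from-hdinsight-on-aks-clusters` that the new `source` and `lightbox` paths point at must already exist in the repo; if the folder is still named `control-egresstraffic-from-hdinsight-on-aks-clusters`, every image in this article breaks at build time. Please confirm the folder rename landed before, or together with, this change.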
@@ -62,7 +62,7 @@ To allow requests to be sent to the cluster, you need to [allowlist the traffic]
If userDefinedRouting is set, HDInsight on AKS won't automatically configure egress paths. The egress setup must be done by the user.
-
:::image type="content" source="./media/control-egresstraffic-from-hdinsight-on-aks-clusters/user-defined-routing.png" alt-text="Screenshot showing user defined routing." lightbox="./media/control-egresstraffic-from-hdinsight-on-aks-clusters/user-defined-routing.png":::
+
:::image type="content" source="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/user-defined-routing.png" alt-text="Screenshot showing user defined routing." lightbox="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/user-defined-routing.png":::
You must deploy the HDInsight on AKS cluster into an existing virtual network with a subnet that has been previously configured, and you must establish explicit egress.
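Review bot: the alt-text `Screenshot showing user defined routing.` does not say what the reader is looking at; since this step is about choosing `userDefinedRouting` as the egress path, an alt text that names the setting (for example "Screenshot of the cluster pool network settings with Outbound with userDefinedRouting selected") serves screen-reader users better. The path change itself is consistent with the other images, and `source` and `lightbox` were updated together, which is what you want.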
@@ -80,7 +80,7 @@ When you use HDInsight on AKS cluster pools and choose userDefinedRouting (UDR)
> [!IMPORTANT]
> UDR egress path needs a route for 0.0.0.0/0 and a next hop destination of your Firewall or NVA in the route table. The route table already has a default 0.0.0.0/0 to the Internet. You can't get outbound Internet connectivity by just adding this route, because Azure needs a public IP address for SNAT. AKS checks that you don't create a 0.0.0.0/0 route pointing to the Internet, but to a gateway, NVA, etc. When you use UDR, a load balancer public IP address for inbound requests is only created if you configure a service of type loadbalancer. HDInsight on AKS never creates a public IP address for outbound requests when you use a UDR egress path.
With the following steps you will understand how to lock down the outbound traffic from your HDInsight on AKS service to back-end Azure resources or other network resources with Azure Firewall. This configuration helps prevent data exfiltration or the risk of malicious program implantation.
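Review bot: the hunk header announces one addition and one deletion in the 80-86 range, but the rendered extract shows only unchanged context (the `[!IMPORTANT]` callout and the paragraph at line 86) and lines 82-85 are not captured, so the actual modification cannot be checked from what is visible; please review it in the source view. On the visible callout text, `loadbalancer` in "a service of type loadbalancer" is the Kubernetes service type and is conventionally written `LoadBalancer` in code font.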
@@ -125,7 +125,7 @@ Here is an example of how to configure firewall rules, and check your outbound c
|Virtual network |Select the integrated virtual network. |
|Public IP address |Select an existing address or create one by selecting Add new. |
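Review bot: `Add new` in the second row is a portal control, and the rest of the article bolds UI labels (**Overview**, **OK**), so `**Add new**` would be consistent. The changed line this hunk header refers to (one addition, one deletion in 125-131) is not in the rendered extract, only the two context rows are, so the edit itself cannot be verified here.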
@@ -135,7 +135,7 @@ Here is an example of how to configure firewall rules, and check your outbound c
1. In the firewall's **Overview** page, copy private IP address. **The private IP address will be used as next hop address in the routing rule for the virtual network**.
-
:::image type="content" source="./media/control-egresstraffic-from-hdinsight-on-aks-clusters/setup-firewall.png" alt-text="Screenshot showing how to set up firewall." lightbox="./media/control-egresstraffic-from-hdinsight-on-aks-clusters/setup-firewall.png":::
+
:::image type="content" source="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/set-up-firewall.png" alt-text="Screenshot showing how to set up firewall." lightbox="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/set-up-firewall.png":::
1. Route all traffic to the firewall
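Review bot: this hunk changes the file name as well as the folder: `setup-firewall.png` becomes `set-up-firewall.png`. A folder-level rename alone would leave the old file name in place and break this one image while the others keep working, so confirm the file was renamed too (or that `set-up-firewall.png` exists under the new folder) before merging.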
@@ -149,7 +149,7 @@ Here is an example of how to configure firewall rules, and check your outbound c
1. Configure the route table like the following example:
-
:::image type="content" source="./media/control-egresstraffic-from-hdinsight-on-aks-clusters/create-route-table.png" alt-text="Screenshot showing how to create route table." lightbox="./media/control-egresstraffic-from-hdinsight-on-aks-clusters/create-route-table.png":::
+
:::image type="content" source="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/create-route-table.png" alt-text="Screenshot showing how to create route table." lightbox="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/create-route-table.png":::
Make sure you select the same region as the firewall you created.
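Review bot: `Make sure you select the same region as the firewall you created.` sits as loose text after the image rather than inside the step it qualifies; since the article treats it as a requirement, it reads better folded into the `Configure the route table` step or as a `> [!NOTE]` callout, matching the `[!IMPORTANT]` style already used earlier in the article. The path update in this hunk is consistent with the others.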
@@ -174,7 +174,7 @@ Here is an example of how to configure firewall rules, and check your outbound c
1. In **Virtual network**, select your integrated virtual network.
1. In **Subnet**, select the HDInsight on AKS subnet you wish to use.
-
:::image type="content" source="./media/control-egresstraffic-from-hdinsight-on-aks-clusters/associate-subnet.png" alt-text="Screenshot showing how to associate subnet." lightbox="./media/control-egresstraffic-from-hdinsight-on-aks-clusters/associate-subnet.png":::
+
:::image type="content" source="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/associate-subnet.png" alt-text="Screenshot showing how to associate subnet." lightbox="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/associate-subnet.png":::
1. Select **OK**.
@@ -197,11 +197,11 @@ Here is an example of how to configure firewall rules, and check your outbound c
With the firewall rules set, you can select the subnet during the cluster pool creation.
-
:::image type="content" source="./media/control-egresstraffic-from-hdinsight-on-aks-clusters/verify-ip-address.png" alt-text="Screenshot showing how to verify IP address." lightbox="./media/control-egresstraffic-from-hdinsight-on-aks-clusters/verify-ip-address.png":::
+
:::image type="content" source="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/verify-ip-address.png" alt-text="Screenshot showing how to verify IP address." lightbox="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/verify-ip-address.png":::
Once the cluster pool is created, you can observe in the MC Group that there's no public IP created.
> Before you create the cluster in the cluster pool setup with `Outbound with userDefinedRouting` egress path, you need to give the AKS cluster - that matches the cluster pool - the `Network Contributor` role on your network resources that are used for defining the routing, such as Virtual Network, Route table, and NSG (if used). Learn more about how to assign the role [here](/azure/role-based-access-control/role-assignments-portal?tabs=delegate-condition#step-1-identify-the-needed-scope)
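Review bot: the quote starting `> Before you create the cluster` has no `[!NOTE]` or `[!IMPORTANT]` marker, so unlike the callout at line 80 it renders as a plain blockquote; since it describes a prerequisite role assignment that blocks cluster creation when missed, `> [!IMPORTANT]` fits. Two smaller points on the same line: the spaced hyphens in "the AKS cluster - that matches the cluster pool -" should be commas or parentheses, and it would help to state the scope explicitly, that is `Network Contributor` on the specific virtual network, route table and NSG used for routing rather than on a broader scope, so the cluster identity stays least-privileged.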
@@ -214,7 +214,7 @@ Once the cluster pool is created, you can observe in the MC Group that there's n
With private AKS, the control plane or API server has internal IP addresses that are defined in the [RFC1918 - Address Allocation for Private Internet document](https://datatracker.ietf.org/doc/html/rfc1918). By using this option of private AKS, you can ensure network traffic between your API server and your HDInsight on AKS workload clusters remains on the private network only.
-
:::image type="content" source="./media/control-egresstraffic-from-hdinsight-on-aks-clusters/enable-private-aks.png" alt-text="Screenshot showing the enabled private AKS." lightbox="./media/control-egresstraffic-from-hdinsight-on-aks-clusters/enable-private-aks.png":::
+
:::image type="content" source="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/enable-private-aks.png" alt-text="Screenshot showing the enabled private AKS." lightbox="./media/control-egress-traffic-from-hdinsight-on-aks-clusters/enable-private-aks.png":::
When you provision a private AKS cluster, AKS by default creates a private FQDN with a private DNS zone and an additional public FQDN with a corresponding A record in Azure public DNS. The agent nodes continue to use the record in the private DNS zone to resolve the private IP address of the private endpoint for communication to the API server.
@@ -224,7 +224,7 @@ As HDInsight on AKS will automatically insert the record to the private DNS zone
When you create a cluster with HDInsight on AKS, it has a public FQDN and IP address that anyone can access. With the private ingress feature, you can make sure that only your private network can send and receive data between the client and the HDInsight on AKS cluster.
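Review bot: only the context paragraph at line 225 is visible for this hunk, so the changed line itself cannot be reviewed from the rendered extract. On the visible text, "a public FQDN and IP address that anyone can access" overstates the exposure: the endpoint is reachable from the internet, but requests still have to pass authentication; "that is reachable from the public internet" would be more precise and sets up the private ingress sentence that follows.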