Commit fda30b4

Merge pull request #270894 from sreekzz/patch-22
Corrected the image path
2 parents c5bcabf + b222782 commit fda30b4

File tree

1 file changed

+22
-18
lines changed

articles/hdinsight-aks/control-egress-traffic-from-hdinsight-on-aks-clusters.md

Lines changed: 22 additions & 18 deletions
@@ -3,7 +3,7 @@ title: Control network traffic from HDInsight on AKS Cluster pools and cluster
33
description: A guide to configure and manage inbound and outbound network connections from HDInsight on AKS.
44
ms.service: hdinsight-aks
55
ms.topic: how-to
6-
ms.date: 03/26/2024
6+
ms.date: 04/02/2024
77
---
88

99
# Control network traffic from HDInsight on AKS Cluster pools and clusters
@@ -26,7 +26,6 @@ For example, you may want to:
2626

2727
## Methods and tools to control egress traffic
2828

29-
3029
You have different options and tools for managing how the egress traffic flows from HDInsight on AKS clusters. You can set up some of these at the cluster pool level and others at the cluster level.
3130

3231
* **Outbound with load balancer.** When you deploy a cluster pool with this Egress path, a public IP address is provisioned and assigned to the load balancer resource. A custom virtual network (VNET) is not required; however, it is highly recommended. You can use Azure Firewall or Network Security Groups (NSGs) on the custom VNET to manage the traffic that leaves the network.
@@ -41,7 +40,7 @@ In the following sections, we describe each method in detail.
4140

4241
### Outbound with load balancer
4342

44-
The load balancer is used for egress through an HDInsight on AKS assigned public IP. When you configure the outbound type of loadBalancer on your cluster pool, you can expect egress out of the load balancer created by the HDInsight on AKS.
43+
The load balancer is used for egress through an HDInsight on AKS assigned public IP. When you configure the outbound type of load balancer on your cluster pool, you can expect egress out of the load balancer created by the HDInsight on AKS.
4544

4645
You can configure the outbound with load balancer configuration using the Azure portal.
4746

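Review bot: line +43 replaces `loadBalancer` with the plain words "load balancer", but `loadBalancer` is the literal outbound type value the cluster pool is configured with, and the same file keeps the sibling value `userDefinedRouting` in code font (line 60 of the next hunk). Suggest keeping the identifier, e.g. "When you configure the outbound type of `loadBalancer` on your cluster pool", so readers can match the prose to the setting they select.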
@@ -59,17 +58,20 @@ To allow requests to be sent to the cluster, you need to [allowlist the traffic]
5958

6059
> [!NOTE]
6160
> The `userDefinedRouting` outbound type is an advanced networking scenario and requires proper network configuration, before you begin.
62-
> Changing the outbound type after cluster pool creation is not supported.
61+
> Changing the outbound type after cluster pool creation is not supported.
62+
63+
If userDefinedRouting is set, HDInsight on AKS won't automatically configure egress paths. The egress setup must be done by the user.
6364

64-
When `userDefinedRouting` is enabled, HDInsight on AKS doesn't have the ability to set up egress paths automatically. The user has to do the egress configuration.
65+
:::image type="content" source="./media/control-egress traffic-from-hdinsight-on-aks-clusters/user-defined-routing.png" alt-text="Screenshot showing user defined routing." lightbox="./media/control-egress traffic-from-hdinsight-on-aks-clusters/user-defined-routing.png":::
6566

66-
You need to set up the HDInsight on AKS cluster within an existing virtual network that has a pre-set subnet, and you need to create clear egress.
67+
You must deploy the HDInsight on AKS cluster into an existing virtual network with a subnet that has been previously configured, and you must establish explicit egress.
6768

68-
This design needs to send egress traffic to a network appliance such as a firewall, gateway, or proxy. Then, the public IP attached to the appliance can take care of the Network Address Translation (NAT).
69+
This architecture requires explicitly sending egress traffic to an appliance like a firewall, gateway, or proxy, so a public IP assigned to the standard load balancer or appliance can handle the Network Address Translation (NAT).
6970

70-
Unlike Outbound with load balancer cluster pools, HDInsight on AKS does not set up outbound public IP address or outbound rules. Your custom route table (UDR) is the only path for outgoing traffic.
71+
HDInsight on AKS doesn't configure outbound public IP address or outbound rules, unlike the Outbound with load balancer type clusters as described in the above section. Your UDR is the only source for egress traffic.
72+
73+
For inbound traffic, you are required to choose based on the requirements to choose a private cluster (for securing traffic on AKS control plane / API server) and select the private ingress option available on each of the cluster shape to use public or internal load balancer based traffic.
7174

72-
The path for the inbound traffic is determined by whether you choose to Enable Private AKS on your cluster pool. Then, you can select the private ingress option available on each of the cluster to use public or internal load balancer based traffic.
7375

7476
### Cluster pool creation for outbound with `userDefinedRouting `
7577

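Review bot: the new sentence at +73 does not parse ("you are required to choose based on the requirements to choose a private cluster ...") and it replaces a readable one at -72; suggest "For inbound traffic, decide based on your requirements whether to choose a private cluster (to secure traffic to the AKS control plane / API server), and then select the private ingress option available on each cluster shape to use public or internal load balancer based traffic." Three smaller points in the same hunk: +71 changes "the only path for outgoing traffic" to "the only source for egress traffic", but a route table is a path, not a source, so keep "path"; +69 says NAT is handled by "a public IP assigned to the standard load balancer or appliance", which conflicts with +71 stating that HDInsight on AKS configures no outbound public IP under UDR (the removed wording at -68, "the public IP attached to the appliance", was consistent); and +63 writes userDefinedRouting without backticks while +60 has it in code font. Finally, the image path at +65 has a space in the directory name ("control-egress traffic-from-...") in both `source` and `lightbox`; confirm the media folder really is named that way, since the commit title is "Corrected the image path".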
@@ -78,11 +80,13 @@ When you use HDInsight on AKS cluster pools and choose userDefinedRouting (UDR)
7880
> [!IMPORTANT]
7981
> UDR egress path needs a route for 0.0.0.0/0 and a next hop destination of your Firewall or NVA in the route table. The route table already has a default 0.0.0.0/0 to the Internet. You can't get outbound Internet connectivity by just adding this route, because Azure needs a public IP address for SNAT. AKS checks that you don't create a 0.0.0.0/0 route pointing to the Internet, but to a gateway, NVA, etc. When you use UDR, a load balancer public IP address for inbound requests is only created if you configure a service of type loadbalancer. HDInsight on AKS never creates a public IP address for outbound requests when you use a UDR egress path.
8082
81-
:::image type="content" source="./media/control-egress traffic-from-hdinsight-on-aks-clusters/user-defined-routing.png" alt-text="Screenshot showing user defined routing." lightbox="./media/control-egress traffic-from-hdinsight-on-aks-clusters/user-defined-routing.png":::
83+
:::image type="content" source="./media/control-egress traffic-from-hdinsight-on-aks-clusters/enable-private-aks.png" alt-text="Screenshot showing enabled private AKS." lightbox="./media/control-egress traffic-from-hdinsight-on-aks-clusters/enable-private-aks.png":::
84+
85+
With the following steps you will understand how to lock down the outbound traffic from your HDInsight on AKS service to back-end Azure resources or other network resources with Azure Firewall. This configuration helps prevent data exfiltration or the risk of malicious program implantation.
8286

83-
This guide shows you how to secure the outbound traffic from your HDInsight on AKS service to back-end Azure resources or other network resources with Azure Firewall. This configuration helps protect against data leakage or the threat of malicious program installation.
87+
Azure Firewall lets you control outbound traffic at a much more granular level and filter traffic based on real-time threat intelligence from Microsoft Cyber Security. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.
8488

85-
Azure Firewall gives you more fine-grained control over outbound traffic and filters it based on up-to-date threat data from Microsoft Cyber Security. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks [see Azure Firewall features](/azure/firewall/features).
89+
Following is an example of setting up firewall rules, and testing your outbound connections
8690

8791
Here is an example of how to configure firewall rules, and check your outbound connections.
8892

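Review bot: +89 ("Following is an example of setting up firewall rules, and testing your outbound connections") duplicates the unchanged line 91 directly below it ("Here is an example of how to configure firewall rules, and check your outbound connections."), so one of the two should go; the new one also lacks a trailing period. Separately, +87 drops the cross-reference "[see Azure Firewall features](/azure/firewall/features)" that -85 carried without replacing it; consider keeping the link. The screenshot swapped in at +83 (enable-private-aks.png) is the same image the private AKS section uses at +218, while the removed one was user-defined-routing.png; confirm this is the intended screenshot for the UDR cluster pool step.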
@@ -145,7 +149,7 @@ Here is an example of how to configure firewall rules, and check your outbound c
145149

146150
1. Configure the route table like the following example:
147151

148-
:::image type="content" source="./media/control-egress traffic-from-hdinsight-on-aks-clusters/create-cluster-basic-tab.png" alt-text="Screenshot showing create cluster basic tab." lightbox="./media/control-egress traffic-from-hdinsight-on-aks-clusters/create-cluster-basic-tab.png":::
152+
:::image type="content" source="./media/control-egress traffic-from-hdinsight-on-aks-clusters/create-route-table.png" alt-text="Screenshot showing how to create route table." lightbox="./media/control-egress traffic-from-hdinsight-on-aks-clusters/create-route-table.png":::
149153

150154
Make sure you select the same region as the firewall you created.
151155

@@ -168,8 +172,7 @@ Here is an example of how to configure firewall rules, and check your outbound c
168172
1. From the left navigation, select **Subnets > Associate**.
169173
1. In **Virtual network**, select your integrated virtual network.
170174
1. In **Subnet**, select the HDInsight on AKS subnet you wish to use.
171-
172-
175+
173176
:::image type="content" source="./media/control-egress traffic-from-hdinsight-on-aks-clusters/associate-subnet.png" alt-text="Screenshot showing how to associate subnet." lightbox="./media/control-egress traffic-from-hdinsight-on-aks-clusters/associate-subnet.png":::
174177

175178
1. Select **OK**.
@@ -212,10 +215,11 @@ Once the cluster pool is created, you can observe in the MC Group that there's n
212215

213216
With private AKS, the control plane or API server has internal IP addresses that are defined in the [RFC1918 - Address Allocation for Private Internet document](https://datatracker.ietf.org/doc/html/rfc1918). By using this option of private AKS, you can ensure network traffic between your API server and your HDInsight on AKS workload clusters remains on the private network only.
214217

215-
:::image type="content" source="./media/control-egress traffic-from-hdinsight-on-aks-clusters/enable-private-aks.png" alt-text="Screenshot showing enabled private AKS." lightbox="./media/control-egress traffic-from-hdinsight-on-aks-clusters/enable-private-aks.png":::
218+
:::image type="content" source="./media/control-egress traffic-from-hdinsight-on-aks-clusters/enable-private-aks.png" alt-text="Screenshot showing the enabled private AKS." lightbox="./media/control-egress traffic-from-hdinsight-on-aks-clusters/enable-private-aks.png":::
216219

217-
> [!IMPORTANT]
218-
> By default, a private DNS zone with a private FQDN and a public DNS zone with a public FQDN are created when you enable private AKS. The agent nodes use the A record in the private DNS zone to find the private IP address of the private endpoint to communicate with the API server. The HDInsight on AKS Resource provider adds the A record to the private DNS zone automatically for private ingress.
220+
When you provision a private AKS cluster, AKS by default creates a private FQDN with a private DNS zone and an additional public FQDN with a corresponding A record in Azure public DNS. The agent nodes continue to use the record in the private DNS zone to resolve the private IP address of the private endpoint for communication to the API server.
221+
222+
As HDInsight on AKS will automatically insert the record to the private DNS zone in the HDInsight on AKS created managed group, for private ingress.
219223

220224
### Clusters with private ingress
221225

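Review bot: +222 is a sentence fragment ("As HDInsight on AKS will automatically insert the record to the private DNS zone ... for private ingress." has no main clause). Suggest folding it into the preceding paragraph as "HDInsight on AKS automatically adds the A record to the private DNS zone in its managed resource group for private ingress." Also, -217/-218 remove the `> [!IMPORTANT]` callout along with its text; if the DNS behaviour is still meant to stand out, keep the callout marker on the rewritten paragraphs.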