Merge pull request #209716 from Khushbu-Parekh/npm-windows

Stacyrch140 · web-flow · commit ff850005074b · 2022-09-14T18:32:55.000-04:00
Updated the docs with Windows NPM Public Preview details
diff --git a/articles/aks/use-network-policies.md b/articles/aks/use-network-policies.md
@@ -16,7 +16,7 @@ This article shows you how to install the Network Policy engine and create Kuber
 
 ## Before you begin
 
-You need the Azure CLI version 2.0.61 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
+You need the Azure CLI version 2.0.61 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
 
 ## Overview of Network Policy
 
@@ -33,19 +33,31 @@ Azure provides two ways to implement Network Policy. You choose a Network Policy
 * Azure's own implementation, called *Azure Network Policy Manager (NPM)*.
 * *Calico Network Policies*, an open-source network and network security solution founded by [Tigera][tigera].
 
-Azure NPM for Linux uses Linux *IPTables* to enforce the specified policies. Policies are translated into sets of allowed and disallowed IP pairs. These pairs are then programmed as IPTable filter rules.
+Azure NPM for Linux uses Linux *IPTables* and Azure NPM for Windows uses *Host Network Service (HNS) ACLPolicies* to enforce the specified policies. Policies are translated into sets of allowed and disallowed IP pairs. These pairs are then programmed as IPTable/HNS ACLPolicy filter rules.
 
 ## Differences between Azure NPM and Calico Network Policy and their capabilities
 
 | Capability                               | Azure  NPM                    | Calico Network Policy                     |
 |------------------------------------------|----------------------------|-----------------------------|
-| Supported platforms                      | Linux                     | Linux, Windows Server 2019 and 2022  |
+| Supported platforms                      | Linux, Windows Server 2022                      | Linux, Windows Server 2019 and 2022  |
 | Supported networking options             | Azure CNI                  | Azure CNI (Linux, Windows Server 2019 and 2022) and kubenet (Linux)  |
 | Compliance with Kubernetes specification | All policy types supported |  All policy types supported |
 | Additional features                      | None                       | Extended policy model consisting of Global Network Policy, Global Network Set, and Host Endpoint. For more information on using the `calicoctl` CLI to manage these extended features, see [calicoctl user reference][calicoctl]. |
 | Support                                  | Supported by Azure support and Engineering team | Calico community support. For more information on additional paid support, see [Project Calico support options][calico-support]. |
 | Logging                                  | Logs available with **kubectl log -n kube-system <network-policy-pod>** command | For more information, see [Calico component logs][calico-logs] |
 
+## Limitations:
+
+Azure Network Policy Manager(NPM) doesn't support IPv6. Otherwise, Azure NPM fully supports the network policy spec in Linux.
+* In Windows, Azure NPM doesn't support the following:
+    * named ports
+    * SCTP protocol
+    * negative match label or namespace selectors (e.g. all labels except "debug=true")
+    * "except" CIDR blocks (a CIDR with exceptions)
+
+>[!NOTE]
+> * Azure NPM pod logs will record an error if an unsupported policy is created.
+
 ## Create an AKS cluster and enable Network Policy
 
 To see network policies in action, let's create an AKS cluster that supports network policy and then work on adding policies. 
@@ -63,9 +75,9 @@ The following example script:
 
 Instead of using a system-assigned identity, you can also use a user-assigned identity. For more information, see [Use managed identities](use-managed-identity.md).
 
-### Create an AKS cluster with Azure NPM enabled 
+### Create an AKS cluster with Azure NPM enabled - Linux only 
 
-In this section, we will work on creating a cluster with Linux node pools and Azure NPM enabled. 
+In this section, we'll work on creating a cluster with Linux node pools and Azure NPM enabled. 
 
 To begin, you should replace the values for *$RESOURCE_GROUP_NAME* and *$CLUSTER_NAME* variables. 
 
@@ -87,6 +99,64 @@ az aks create \
     --network-policy azure
 ```
 
+### Create an AKS cluster with Azure NPM enabled - Windows Server 2022 (Preview)
+
+In this section, we'll work on creating a cluster with Windows node pools and Azure NPM enabled.
+
+Please execute the following commands prior to creating a cluster:
+
+```azurecli
+ az extension add --name aks-preview
+ az extension update --name aks-preview
+ az feature register --namespace Microsoft.ContainerService --name AKSWindows2022Preview
+ az feature register --namespace Microsoft.ContainerService --name WindowsNetworkPolicyPreview
+ az provider register -n Microsoft.ContainerService
+```
+
+> [!NOTE]
+> At this time, Azure NPM with Windows nodes is available on Windows Server 2022 only
+>
+
+Now, you should replace the values for *$RESOURCE_GROUP_NAME*, *$CLUSTER_NAME* and *$WINDOWS_USERNAME* variables.
+
+```azurecli-interactive
+$RESOURCE_GROUP_NAME=myResourceGroup-NP
+$CLUSTER_NAME=myAKSCluster
+$WINDOWS_USERNAME=myWindowsUserName
+$LOCATION=canadaeast
+```
+
+Create a username to use as administrator credentials for your Windows Server containers on your cluster. The following command prompts you for a username. Set it to `$WINDOWS_USERNAME`(remember that the commands in this article are entered into a BASH shell).
+
+```azurecli-interactive
+echo "Please enter the username to use as administrator credentials for Windows Server containers on your cluster: " && read WINDOWS_USERNAME
+```
+
+Use the following command to create a cluster:
+
+```azurecli
+az aks create \
+    --resource-group $RESOURCE_GROUP_NAME \
+    --name $CLUSTER_NAME \
+    --node-count 1 \
+    --windows-admin-username $WINDOWS_USERNAME \
+    --network-plugin azure \
+    --network-policy azure
+```
+
+It takes a few minutes to create the cluster. By default, your cluster is created with only a Linux node pool. If you would like to use Windows node pools, you can add one. For example:
+
+```azurecli
+az aks nodepool add \
+    --resource-group $RESOURCE_GROUP_NAME \
+    --cluster-name $CLUSTER_NAME \
+    --os-type Windows \
+    --name npwin \
+    --node-count 1
+```
+
+[!INCLUDE [preview features callout](./includes/preview/preview-callout.md)]
+
 ### Create an AKS cluster for Calico network policies
 
 Create the AKS cluster and specify *azure* for the network plugin, and *calico* for the Network Policy. Using *calico* as the Network Policy enables Calico networking on both Linux and Windows node pools.
@@ -132,15 +202,15 @@ When the cluster is ready, configure `kubectl` to connect to your Kubernetes clu
 ```azurecli-interactive
 az aks get-credentials --resource-group $RESOURCE_GROUP_NAME --name $CLUSTER_NAME
 ```
-To begin verification of Network Policy, we will create a sample application and set traffic rules.
+To begin verification of Network Policy, we'll create a sample application and set traffic rules.
 
 Firstly, let's create a namespace called *demo* to run the example pods:
 
 ```console
 kubectl create namespace demo
 ```
 
-We will now create two pods in the cluster named *client* and *server*.
+We'll now create two pods in the cluster named *client* and *server*.
 
 >[!NOTE]
 > If you want to schedule the *client* or *server* on a particular node, add the following bit before the *--command* argument in the pod creation [kubectl run][kubectl-run] command:
@@ -214,7 +284,7 @@ Now, in the client's shell, verify connectivity with the server by executing the
 /agnhost connect <server-ip>:80 --timeout=3s --protocol=tcp
 ```
 
-Connectivity with traffic will be blocked since the server is labeled with app=server, but the client is not labeled. The connect command above will yield this output: 
+Connectivity with traffic will be blocked since the server is labeled with app=server, but the client isn't labeled. The connect command above will yield this output: 
 
 ```output
 TIMEOUT
@@ -265,4 +335,4 @@ To learn more about policies, see [Kubernetes network policies][kubernetes-netwo
 [windows-server-password]: /windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements#reference
 [az-extension-add]: /cli/azure/extension#az_extension_add
 [az-extension-update]: /cli/azure/extension#az_extension_update
-[dsr]: ../load-balancer/load-balancer-multivip-overview.md#rule-type-2-backend-port-reuse-by-using-floating-ip
+[dsr]: ../load-balancer/load-balancer-multivip-overview.md#rule-type-2-backend-port-reuse-by-using-floating-ip
diff --git a/articles/virtual-network/kubernetes-network-policies.md b/articles/virtual-network/kubernetes-network-policies.md
@@ -26,7 +26,7 @@ Network Policies provides micro-segmentation for pods just like Network Security
 
 ![Kubernetes network policies overview](./media/kubernetes-network-policies/kubernetes-network-policies-overview.png)
 
-Azure NPM implementation works in conjunction with the Azure CNI that provides VNet integration for containers. NPM is supported only on Linux today. The implementation enforces traffic filtering by configuring allow and deny IP rules in Linux IPTables based on the defined policies. These rules are grouped together using Linux IPSets.
+Azure NPM implementation works with the Azure CNI that provides VNet integration for containers. NPM is supported only on Linux today. The implementation enforces traffic filtering by configuring allow and deny IP rules in Linux IPTables based on the defined policies. These rules are grouped together using Linux IPSets.
 
 ## Planning security for your Kubernetes cluster
 When implementing security for your cluster, use network security groups (NSGs) to filter traffic entering and leaving your cluster subnet (North-South traffic). Use Azure NPM for traffic between pods in your cluster (East-West traffic).
@@ -75,8 +75,8 @@ See a [configuration for these alerts](#set-up-alerts-for-alertmanager) below.
 
 ##### Visualizations and Debugging via our Grafana Dashboard or Azure Monitor Workbook
 1. See how many IPTables rules your policies create (having a massive amount of IPTables rules may increase latency slightly).
-2. Correlate cluster counts (e.g. ACLs) to execution times.
-3. Get the human-friendly name of an ipset in a given IPTables rule (e.g. "azure-npm-487392" represents "podlabel-role:database").
+2. Correlate cluster counts (for example, ACLs) to execution times.
+3. Get the human-friendly name of an ipset in a given IPTables rule (for example, "azure-npm-487392" represents "podlabel-role:database").
  
 ### All supported metrics
 The following is the list of supported metrics. Any `quantile` label has possible values `0.5`, `0.9`, and `0.99`. Any `had_error` label has possible values `false` and `true`, representing whether the operation succeeded or failed.
@@ -137,7 +137,7 @@ The dashboard has visuals similar to the Azure Workbook. You can add panels to c
 ### Set up for Prometheus Server
 Some users may choose to collect metrics with a Prometheus Server instead of Azure Monitor for containers. You merely need to add two jobs to your scrape config to collect NPM metrics.
 
-To install a simple Prometheus Server, add this helm repo on your cluster
+To install a Prometheus Server, add this helm repo on your cluster
 ```
 helm repo add stable https://kubernetes-charts.storage.googleapis.com
 helm repo update
@@ -178,7 +178,6 @@ where `prometheus-server-scrape-config.yaml` consists of
     action: drop
 ```
 
-
 You can also replace the `azure-npm-node-metrics` job  with the content below or incorporate it into a pre-existing job for Kubernetes pods:
 ```
 - job_name: "azure-npm-node-metrics-from-pod-config"
@@ -199,7 +198,7 @@ You can also replace the `azure-npm-node-metrics` job  with the content below or
 ```
 
 #### Set up Alerts for AlertManager
-If you use a Prometheus Server, you can set up an AlertManager like so. Here is an example config for [the two alerting rules described above](#alerts-via-a-prometheus-alertmanager):
+If you use a Prometheus Server, you can set up an AlertManager like so. Here's an example config for [the two alerting rules described above](#alerts-via-a-prometheus-alertmanager):
 ```
 groups:
 - name: npm.rules
@@ -263,7 +262,6 @@ Following are some sample dashboard for NPM metrics in Container Insights (CI) a
 [![Grafana Dashboard runtime quantiles](media/kubernetes-network-policies/grafana-runtime-quantiles.png)](media/kubernetes-network-policies/grafana-runtime-quantiles.png#lightbox)
 
 
-
 ## Next steps
 - Learn about [Azure Kubernetes Service](../aks/intro-kubernetes.md).
 -  Learn about [container networking](container-networking-overview.md).
