
Commit fcd52ba

committed
Add additional NSG rules required for AKS to function
1 parent bf846a2 commit fcd52ba

1 file changed

Lines changed: 72 additions & 0 deletions

File tree

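--- a/infra/aks-post-deployment/components/network_security_rules.py
+++ b/infra/aks-post-deployment/components/network_security_rules.py
@@ -169,6 +169,18 @@ def __init__(
 destination_address_prefix=isolated_cluster_k8s_api_ip,
 description="Allow k8s API access from access cluster API Proxy",
 ),
+network.SecurityRuleArgs(
+name="AllowAzureLoadBalancerInbound",
+priority=400,
+direction=network.SecurityRuleDirection.INBOUND,
+access=network.SecurityRuleAccess.ALLOW,
+protocol=network.SecurityRuleProtocol.ASTERISK,
+source_port_range="*",
+destination_port_range="*",
+source_address_prefix="AzureLoadBalancer",
+destination_address_prefix="*",
+description="Allow Azure Load Balancer health probes",
+),
 network.SecurityRuleArgs(
 name="DenyAccessVNetInBound",
 priority=2000,
@@ -197,6 +209,66 @@ def __init__(
 source_address_prefix=isolated_nodes_subnet_cidr,
 destination_address_prefix=args.stack_outputs.harbor_ip_address,
 ),
+network.SecurityRuleArgs(
+name="AllowAzureFrontDoorOutBound",
+priority=110,
+direction=network.SecurityRuleDirection.OUTBOUND,
+access=network.SecurityRuleAccess.ALLOW,
+protocol=network.SecurityRuleProtocol.TCP,
+source_port_range="*",
+destination_port_range="443",
+source_address_prefix=isolated_nodes_subnet_cidr,
+destination_address_prefix="AzureFrontDoor.FirstParty",
+description="Allow access to Azure Front Door, needed for node bootstrapping",
+),
+# network.SecurityRuleArgs(
+# name="AllowNodesOutboundToSLB",
+# priority=140,
+# direction=network.SecurityRuleDirection.OUTBOUND,
+# access=network.SecurityRuleAccess.ALLOW,
+# protocol=network.SecurityRuleProtocol.TCP,
+# source_address_prefix=isolated_nodes_subnet_cidr,
+# destination_address_prefix="AzureLoadBalancer",
+# source_port_range="*",
+# destination_port_range="*",
+# description="Allow nodes to reach Azure Load Balancer",
+# ),
+network.SecurityRuleArgs(
+name="AllowAccessToAzureFrontDoorOutbound",
+priority=150,
+direction=network.SecurityRuleDirection.OUTBOUND,
+access=network.SecurityRuleAccess.ALLOW,
+protocol=network.SecurityRuleProtocol.TCP,
+source_address_prefix=isolated_nodes_subnet_cidr,
+destination_address_prefix="AzureFrontDoor.Frontend",
+source_port_range="*",
+destination_port_range="443",
+description="Allow nodes to reach required Microsoft Endpoints",
+),
+network.SecurityRuleArgs(
+name="AllowAccessToAzureCloudOutbound",
+priority=160,
+direction=network.SecurityRuleDirection.OUTBOUND,
+access=network.SecurityRuleAccess.ALLOW,
+protocol=network.SecurityRuleProtocol.TCP,
+source_address_prefix=isolated_nodes_subnet_cidr,
+destination_address_prefix="AzureCloud",
+source_port_range="*",
+destination_port_range="443",
+description="Allow nodes to reach required Microsoft Endpoints",
+),
+# network.SecurityRuleArgs(
+# name="AllowAccessToAzureContainerRegistryOutbound",
+# priority=160,
+# direction=network.SecurityRuleDirection.OUTBOUND,
+# access=network.SecurityRuleAccess.ALLOW,
+# protocol=network.SecurityRuleProtocol.TCP,
+# source_address_prefix=isolated_nodes_subnet_cidr,
+# destination_address_prefix="MicrosoftContainerRegistry",
+# source_port_range="*",
+# destination_port_range="443",
+# description="Allow nodes to reach required Microsoft Container Registry, necessary for system images",
+# ),
 network.SecurityRuleArgs(
 name="AllowAccessToStorageOutbound",
 priority=200,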
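Review bot: `AllowAccessToAzureCloudOutbound` (priority 160) permits TCP/443 from the isolated nodes subnet to the entire `AzureCloud` service tag, i.e. every Azure public IP range, which largely undoes the egress isolation the surrounding deny rules exist to enforce; if the dependency is only the control plane and first-party endpoints, the regional `AzureCloud.<region>` tag or the narrower tags AKS documents for outbound traffic would keep the intent, and the rule's description should name what it is actually for. The commented-out `AllowAccessToAzureContainerRegistryOutbound` block also carries `priority=160`, the same value as the live AzureCloud rule, so re-enabling it as written should be rejected because NSG priorities must be unique per direction — either delete the parked blocks (this one and `AllowNodesOutboundToSLB`) or leave a one-line comment explaining why they are kept. The rules at priority 150 and 160 share the description `"Allow nodes to reach required Microsoft Endpoints"`; give each a distinct description, e.g. `description="Allow nodes to reach Azure Front Door frontend (TCP 443)"` for the 150 rule. Rule naming is also inconsistent within the hunk (`AllowAzureFrontDoorOutBound` vs `AllowAccessToAzureFrontDoorOutbound`), and the enclosing `__init__` begins before the first hunk while its rule list continues past the second.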
