I have an Azure cloud service and a Azure Kubernetes Service(AKS). AKS is within a NSG. I would like to create rules in network security group(NSG) to restrict inbound traffic from only the specific cloud service.
Since cloud service IP could change, I would not be able to base the NSG rules on IP. Also, I do not see cloud service in the azure service tags list in NSG.
How do I achieve this NSG rules configuration ?
It seems that you want to restrict inbound traffic from only the specific cloud service to AKS. Conversely, you can add inbound rules to allow the traffic that you want to access to AKS, Then the traffic you have not added the allowing rule will be denied since there is a DenyAllInBound inbound rule in each NSG. The traffic filters according to the priority. (High priority is small value) in the inbound rule.
If you only allow one specific cloud service in the inbound traffic, you just set the source to the specific IP address in the inbound rule of yours NSG. The assigned IP address for the cloud service doesn't change unless you stop and restart provision of the service. If you ensure to know the fixed IP address in your subscription even if you deprovision and reprovision, you can use a Reserved IP address for Cloud Services. Ref: Static IP for Cloud Service on Azure