Azure Ingress TCP Forward Network Security Group

3/18/2019

I have created an Ingress service that forwards TCP port 22 to a service in my cluster. As is, all inbound traffic is allowed.

What I would like to know is if it is possible to define NSG rules to prevent access to a certain subnet only. I was able to define that rule using the Azure interface. However, every time that Ingress service is edited, those Network Security Group rules get reverted.

Thanks!

-- X. Math
azure-aks
kubernetes

2 Answers

3/18/2019

Yes! This is most definitely possible. The Azure NSG is for subnets and NICs. You can define the CIDR on the NSG rule to allow/deny traffic on the desired port and apply it to the NIC and subnet. A word of caution: make sure to have matching rules at the subnet and NIC level if the cluster is within the same subnet. Otherwise the traffic would be blocked internally and won't go out. This doc best describes them: https://blogs.msdn.microsoft.com/igorpag/2016/05/14/azure-network-security-groups-nsg-best-practices-and-lessons-learned/.

-- Capt. Cherry, ex-MSFT
Source: StackOverflow

3/24/2019

I think there may be some misunderstanding about the NSG in AKS. So first, let us take a look at the network of AKS. Kubernetes uses Services to logically group a set of pods together and provide network connectivity. See the AKS Service docs for more details. When you create services, the Azure platform automatically configures any network security group rules that are needed.

Don't manually configure network security group rules to filter traffic for pods in an AKS cluster.

See NSG in AKS for more details. So in this situation, you do not need to manage the rule in the NSG manually.

But don't worry, you can also manage the rules for your pods manually as you want. See Secure traffic between pods using network policies in Azure Kubernetes Service. You can install the Calico network policy engine and create Kubernetes network policies to control the flow of traffic between pods in AKS. Although it is just a preview version, it can also help you with what you want. But remember, network policy can only be enabled when the cluster is created.

-- Charles Xu
Source: StackOverflow
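As an added example (not part of either answer), this is the kind of Kubernetes NetworkPolicy the second answer refers to: enforced by Calico on AKS, it allows TCP/22 to the SSH pods only from one subnet and drops everything else. The pod label `app: sshd`, the `default` namespace and both CIDRs are assumptions for the example.

```yaml
# Added example, not from the original answers.
# Assumes the cluster was created with network policy (Calico) enabled and
# that the pods behind the port-22 service carry the label app: sshd.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sshd-allow-from-subnet
  namespace: default            # assumption: namespace of the SSH pods
spec:
  # Once a pod is selected by any NetworkPolicy, only traffic matched by an
  # allow rule reaches it; everything else is dropped by the policy engine.
  podSelector:
    matchLabels:
      app: sshd                 # assumption: label on the pods behind the service
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.240.0.0/16     # constructed: the only subnet allowed to reach port 22
        except:
        - 10.240.200.0/24       # constructed: a range inside it that stays blocked
    ports:
    - protocol: TCP
      port: 22
```

Because the policy matches on the source address the pod actually sees, set `externalTrafficPolicy: Local` on the LoadBalancer Service in front of these pods; otherwise kube-proxy SNATs inbound connections to a node address and the `ipBlock` rule never sees the real client subnet. Apply the policy with `kubectl apply -f` and confirm with a connection attempt from inside and outside the allowed CIDR.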