How to split AKS cluster subnet from pod subnet when using Azure CNI and a site-to-site VPN VNet

6/21/2019

My goal is to run an AKS cluster which can be accessed by my on-premise network and of which the pods can access my on-premise network.

I have an on-premise network connected to Azure via a site-to-site VPN. The subnet of this site-to-site VPN is 10.10.6.0/24 in Azure to 10.9.6.0/24 on-premise. The DNS servers of this VNet are configured to my on-premise domain controllers.

I have set up an AKS cluster with this VNet, but to my surprise this means that every pod within this cluster gets an IP address of my VNet. According to the documentation this is intended behavior, but I didn't really expect this and it's not really what I wanted. A single site with two replicas and a cluster IP or internal load balancer eats away 3 of my precious IP addresses. I would like to have only the cluster IP get a subnet one.

I understand the reasons behind it, because obviously my pods need to be able to access my on-premise network through the DNS configuration, but I was wondering if there's a way to split the cluster subnet and the pod subnet so that I don't exhaust the number of assignable IP addresses within my VNet? Just like it does when using kubenet instead of Azure CNI.

In theory I could extend my site-to-site VNet subnet to a /16 range, but I would prefer to look for an AKS solution first before changing my entire firewall configuration again.

Is there a way around this?

-- Jensen
azure
azure-aks
azure-kubernetes
kubernetes

1 Answer

6/21/2019

The only way around this is to use kubenet. As far as I know AKS Engine doesn't allow splitting pod and worker node IP addresses.

-- 4c74356b41
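The following is an added example to go with the answer above; it is not code from the question, the answer, or Microsoft. It does what a practitioner would do before running `az aks create --network-plugin kubenet` against an existing VNet that also carries a site-to-site VPN: check that the pod CIDR and service CIDR (which with kubenet are cluster-internal and never taken from the VNet subnet) do not collide with the Azure-side subnet or the on-premises range, check that the DNS service IP is valid, compare how many subnet addresses Azure CNI and kubenet would consume, and then print the `az aks create` command. The two subnets are the ones from the question; the pod CIDR, service CIDR, DNS service IP, resource group, cluster name and subnet ID are assumed placeholders. The 5 addresses Azure reserves per subnet and the `az aks create` flags are real; everything else is constructed for the example.

```python
"""Address-plan check for an AKS kubenet cluster in an existing VNet.

Added example, not part of the original post. Run it before `az aks create`
so that pod and service ranges do not overlap anything reachable over the
site-to-site VPN. All names and cluster-internal ranges are placeholders.
"""
import ipaddress
from typing import Dict, List

# Ranges taken from the question (Azure side and on-premises side of the VPN).
VNET_SUBNET = "10.10.6.0/24"
ONPREM_SUBNET = "10.9.6.0/24"

# Assumed cluster-internal ranges; with kubenet these never consume VNet addresses.
POD_CIDR = "10.244.0.0/16"
SERVICE_CIDR = "10.0.0.0/16"
DNS_SERVICE_IP = "10.0.0.10"

AZURE_RESERVED_PER_SUBNET = 5  # Azure keeps the first four and the last address


def check_plan(pod_cidr: str, service_cidr: str, dns_service_ip: str,
               routed_ranges: Dict[str, str]) -> List[str]:
    """Return a list of problems with the plan; an empty list means it is usable."""
    problems: List[str] = []
    try:
        pods = ipaddress.ip_network(pod_cidr, strict=True)
        services = ipaddress.ip_network(service_cidr, strict=True)
        dns_ip = ipaddress.ip_address(dns_service_ip)
    except ValueError as exc:  # host bits set, malformed input, etc.
        return [f"invalid address or prefix: {exc}"]

    if pods.overlaps(services):
        problems.append(f"pod CIDR {pods} overlaps service CIDR {services}")
    # Neither cluster-internal range may overlap anything the VNet can route to,
    # including the on-premises network behind the VPN gateway.
    for name, cidr in routed_ranges.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if pods.overlaps(net):
            problems.append(f"pod CIDR {pods} overlaps {name} {net}")
        if services.overlaps(net):
            problems.append(f"service CIDR {services} overlaps {name} {net}")
    if dns_ip not in services:
        problems.append(f"DNS service IP {dns_ip} is outside service CIDR {services}")
    elif dns_ip == services.network_address + 1:
        # .1 of the service range is kubernetes.default.svc; CoreDNS must not take it.
        problems.append(f"DNS service IP {dns_ip} is the first address, reserved for the API service")
    return problems


def vnet_addresses_needed(nodes: int, max_pods: int, plugin: str) -> int:
    """VNet subnet addresses a node pool consumes: Azure CNI pre-allocates
    max_pods per node on top of the node IP; kubenet uses one per node."""
    if plugin == "azure":
        return nodes * (1 + max_pods)
    if plugin == "kubenet":
        return nodes
    raise ValueError(f"unknown network plugin {plugin!r}")


def subnet_fits(subnet_cidr: str, nodes: int, max_pods: int, plugin: str) -> bool:
    """True if the node pool fits in the subnet after Azure's reserved addresses."""
    usable = ipaddress.ip_network(subnet_cidr, strict=False).num_addresses - AZURE_RESERVED_PER_SUBNET
    return vnet_addresses_needed(nodes, max_pods, plugin) <= usable


def build_create_command(resource_group: str, cluster_name: str, subnet_id: str,
                         pod_cidr: str, service_cidr: str, dns_service_ip: str) -> str:
    """Assemble the az CLI call for a kubenet cluster on an existing subnet."""
    return " ".join([
        "az aks create",
        f"--resource-group {resource_group}",
        f"--name {cluster_name}",
        "--network-plugin kubenet",
        f"--vnet-subnet-id {subnet_id}",
        f"--pod-cidr {pod_cidr}",
        f"--service-cidr {service_cidr}",
        f"--dns-service-ip {dns_service_ip}",
    ])


if __name__ == "__main__":
    routed = {"VNet subnet": VNET_SUBNET, "on-premises subnet": ONPREM_SUBNET}
    issues = check_plan(POD_CIDR, SERVICE_CIDR, DNS_SERVICE_IP, routed)
    if issues:
        raise SystemExit("\n".join(issues))
    for plugin, max_pods in (("azure", 30), ("kubenet", 110)):
        print(f"{plugin}: 3 nodes need {vnet_addresses_needed(3, max_pods, plugin)} subnet addresses")
    print(build_create_command(
        "rg-aks-example", "aks-example",  # placeholder names
        "/subscriptions/<sub>/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-vpn/subnets/aks",
        POD_CIDR, SERVICE_CIDR, DNS_SERVICE_IP))
```

Two caveats when applying this to the setup in the question. First, with kubenet the pod addresses are not themselves routable across the VPN: traffic leaving a node towards the VNet or on-premises is source-NATed to the node's VNet address, which is why the pod CIDR can be a private range nobody else knows about and why the on-premises firewall only needs to allow the node subnet. Second, kubenet relies on a route table that AKS creates for the node subnet, so the identity the cluster runs as needs permission on that subnet, and the route table must end up associated with it; check that after the cluster is created, especially on a subnet you created by hand for the VPN.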
Source: StackOverflow