Custom VNet for AKS cluster #27
Comments
|
+1, |
|
+1, We need this functionality too. |
|
We need this functionality to start using AKS in our company! |
|
We are tracking custom VNET support as part of our GA goals. |
|
HI Slack |
|
Shooting for existing VNET support Q12018 |
|
With custom vnet, will a WAF resource be able to be implemented for app filtering? |
|
@jmalobicky you should be able to deploy a WAF today, using the Kubernetes IP or FQDN as the downstream target. With custom VNET support for AKS, you could provision Application Gateway WAF into a dedicated subnet within the VNET and WAF to AKS node routing should work. |
|
Is there any issues with deploying an AKS cluster and then adding other VMs to the AKS VNET that was created? |
|
@ejsmith you can as long as the VMs are in a separate subnet and availability set. Do note that this is not a supported configuration and no guarantees that scale/upgrade operations won't impact those VMs provisioned out of band. |
|
This is also gating our use of AKS. We use 10.x.x.x space internally and the inability to customize the range (to another private space/address range) or reduce the network footprint (use of /16's) prevents us at the moment. |
|
any news on this ? we need this features asap please |
|
No updates yet. Still a top priority for the team, but we are currently focused on availability and stability fixes behind the scenes. |
Excellent point. We have the same issue which is blocking us from doing a full POC on this. Having it switched to a /16 would be immensely helpful. Would reducing the size of the vNet affect performance that much? |
|
+1 |
|
Appreciate the feedback (and your patience). The work required for custom VNET will also allow customers to specify subnets/ranges for use in the cluster. Will allow for much smaller address ranges, etc. |
|
Same here, need apps on kubernetes to communicate through site-to-site to on-prem servers and also with PAAS solution which is inside vnet, so until this functionality is enabled can't use it. |
|
Spotted the VnetSubnetID parameter appear in the ARM reference last week. The API endpoint is still public however. |
|
This is starting to be a major blocker for us as well. Any timeline for this feature to be delivered for AKS? |
|
For us it is also blocker and we can not use AKS without this feature. So is there any ETA? |
|
Would the API server address be private when running in a custom Vnet? or would we still have to connect to it externally? |
|
@hibri the API server address will continue to be public, with a follow-on feature moving the API server into the VNET. |
|
@slack Thanks. do you have an ETA for the follow on? |
|
@hibri We tried sending over the vnetSubnetId to give this a try and it still insists on creating the VNET and 10.0.0.0/8 subnet (maybe 'masterProfile' is not exposed like it is in ACS?). Do you have an example of your Microsoft.ContainerService/managedClusters resource section of your ARM template you would be willing to share or have any tips? |
|
@mttocs AKS still creates the Vnet, but no nodes are attached to it. The nodes are attached to the Vnet/subnet I've specified. Not sure why AKS still needs to create an empty VNet. {
"$schema":
"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"name": "aardvark-3",
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2017-08-31",
"location": "westeurope",
"tags": {},
"properties": {
"dnsPrefix": "aardvark",
"kubernetesVersion": "1.8.7",
"agentPoolProfiles": [
{
"name": "agentpool01",
"count": 2,
"vmSize" : "Standard_D2_v2",
"vnetSubnetID":
"/subscriptions/<>/providers/Microsoft.Network/virtualNetworks/aardvark-net/subnets/default"
}
],
"linuxProfile": {
"adminUserName" : "<>",
"ssh": {
"publicKeys": [
{
"keyData":
"<>"
}
]
}
},
"servicePrincipalProfile": {
"clientId": "<>",
"secret": "<>"
}
}
}
],
"outputs": {}
} |
|
I've spent some time and finally managed to reach pod as well as kubernetes services from on-premise through Site-2-Site. Here is description with example of some IP's you can use different one of course. Components: on-premise network: 192.168.0.18/24 Azure vnet: 172.16.1.0/25 Azure vnet default-subnet: 172.16.1.0/26 Azure vnet gateway subnet: 172.16.1.96/27 aks-vnet: 10.0.0.0/8 - created automatically when you deploy AKS aks-subnet: 10.240.0.0/16 - created automatically when you deploy AKS, this is where internal load balancers are created pods network inside kubernetes: 10.244.0.0/24 created automatically when you deploy AKS aks node (aks-pool): 172.16.1.20 - created automatically, this is Linux VM where kubernetes cluster is running Steps: Create Site-to-site connection from on-premise to Azure vnet 192.168.0.18/24 <-> 172.16.1.0/25 To enable traffic from on-premise: So if you will now deploy app to kubernetes which is using internal load balancer (https://docs.microsoft.com/en-us/azure/aks/internal-lb) Now it might not be correct as I'm still new to AKS but If you will try to reach this app from on-premise this probably will be the flow: on-prem network: 192.168.0.18/24 -> Azure vnet gateway subnet ->Azure vnet -> Azure vnet default-subnet -> aks node -> aks-vnet -> aks-subnet -> Internal Load balancer 10.240.0.5 -> aks node -> pod 10.244.0.56 |
|
@idelix How did you get the internal load balancer working? I modified the deployment.yaml adding the following But the subnet annotation appears to be ignored and I get the error Any help appreciated |
|
@benbuckland We haven’t had any luck with internal load balancer annotations in Kubernetes so have resorted to exposing an internal ingress controller with a node port (32443) service in Kubernetes. In azure We are then manually creating an azure basic internal load balancer and setting up a load balancing rule from 443 to the nodeport on 32443. There is some manual administration to adjust the load balancer config when the cluster is scaled but we are able to minimize the efforts by exposing an ingress controller which can route all the http traffic to internal Kubernetes services Once @slack and the rest of the aks team offer official internal lb support, switching to Kubernetes service annotations should be fairly seamless. |
|
Hi @benbuckland, In my case internal load balancer was created automatically no manual work needed so this functionality already works. I just created AKS cluster using template provided by @jasonchester and within that ARM template provided reference to Azure vnet default-subnet: 172.16.1.0/26 (from my previous post) this way aks node had IP within my vnet. In this ARM template I also used kubernetes version 1.9.2 and I created my cluster in West Europe. If you check my yaml file I do not reference subnet in there at all, AKS will use its own subnet for internal load balancer 10.240.0.0/16. Then I used following yaml file to perform deployment with kubectl: This automatically creates Azure Load Balancer with name "kubernetes-internal" inside "MC_<...>-<..>_westeurope" resource group with frontend ip configuration that is really external ip in the kubernetes service. |
|
Hey @idelix, thanks for the detailed write-up. I'm currently in the process of trying to set it up using classic deployment without the custom ARM template and rather peer the created network to our VPN-connected network. If that doesn't work and/or turns out to be too complicated, I will definitely try your steps. Have you noticed anything that is not supported with this setup? Is it possible to |
|
Hi @valorl, Glad it was helpful, so far I'm just starting to explore options with AKS really I just tested it with Helm and it was fine you can deploy, upgrade and rollback. |
|
@idelix Helm is agnostic to the cloud provider, so it should work as usual.
All this time invested by @idelix and other users here, are a clear signal this is a very necessary feature and we still have no words from AKS team about it's progress or roadmap. A bit of transparency will be great. |
|
@idelix Regarding your write-up, I'm assuming you have set your cluster's node count to 1. Is that correct ? If that's the case then (as you described) you only have Therefore, it's probably better to configure your on-premise device for the whole |
|
@jasonchester Hi Jason, was there anything special you had to do when setting up the ILB manually? I can't manage to access a service that is exposed as |
|
I can now see the option to specify subnet id using the terraform resource BUT AKS is apparently only available in certain regions, the environment I am working with is on uksouth and this is not supported. The joys of Azure! |
|
@valorl 80 is not a valid node port.
Here's an example of a service we are exposing over an internally configured LB. |
|
This was enabled today in preview it seems. However a couple of caveats I've noticed thus far. There are no fields for adminusername or adminpassword/sshrsakey even when I pulled the deployment json files and added those in it returned "Property change not allowed". Also if you I've been struggling with once a route table is applied to the custom subnet, the proxy session you kick off from az cli to connect to the dashboard fails to connect. |
|
I tried deploying a new cluster twice to test the custom vnet but the deployment failed twice.
|
|
I tried this through the exposed deployment variable over the weekend. It appears the internal Load Balancer is created on the MC VNET (instead of the custom VNET provided during cluster deployment) when deploying an internal service. Because of this, the orchestration can't provision an internal service because the agents and internal LB are on different VNETs. Error: Any chance anyone found a workaround? The best I can come up with now is to use an ingress controller instead. |
|
After seeing custom VNET support in Azure Portal, I created a new AKS cluster with these parameters (I am only listing those relevant to this message):
The cluster was created successfully. In resource group RG_AKS_CUSTOMVNET_TEST, I see two items:
And I see a new resource group MC_RG_AKS_CUSTOMVNET_TEST_SSS-AKS-CUSTOMVNET-TEST_eastus. Within the MC_* RG, there are the worker node VMs, disks, NIC's, NSG's, and a virtual network aks-vnet-#####. This aks-vnet-### confuses me. It has address space of 10.0.0.0/8, no connected services, and a subnet "aks-subnet" with address range 10.240.0.0/16. The aks-subnet has the NSG attached. What is it for? |
|
Another problem arises. I attempted to run the azure-vote example from https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough. It was able to do everything except ensuring load balancer. The error message indicates a permission issue: Error creating load balancer (will retry): failed to ensure load balancer for service default/azure-vote-front: ensure(default/azure-vote-front): lb(kubernetes) - failed to ensure host in pool: "network.InterfacesClient#CreateOrUpdate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="LinkedAuthorizationFailed" Message="The client '(masked)-7f67-4deb-af78-266823639750' with object id '(masked)-7f67-4deb-af78-266823639750' has permission to perform action 'Microsoft.Network/networkInterfaces/write' on scope '/subscriptions/(masked)-6fcc-447d-9952-acd4aeebf764/resourceGroups/MC_RG_AKS_CUSTOMVNET_TEST_SSS-AKS-CUSTOMVNET-TEST_eastus/providers/Microsoft.Network/networkInterfaces/aks-agentpool-(masked)-nic-0'; however, it does not have permission to perform action 'Microsoft.Network/virtualNetworks/subnets/join/action' on the linked scope(s) '/subscriptions/(masked)-6fcc-447d-9952-acd4aeebf764/resourceGroups/RG_AKS_CUSTOMVNET_TEST/providers/Microsoft.Network/virtualNetworks/AKS_CUSTOMVNET_TEST-vnet/subnets/default'."" |
|
@msdotnetclr |
|
@msdotnetclr I think the feature is still not entirely finished. The |
|
Yes, adding the SPN to the vNet helps, but it still get's stuck for me with the |
|
@nphmuller thanks, the workaround indeed did the trick, the sample now works as expected, It'd be great not having to do this manually - hopefully this will be fixed before GA. A new issue though, when I run $ az aks scale --node-count 3 --resource-group RG_AKS_CUSTOMVNET_TEST --name SSS-AKS-CUSTOMVNET-TESTIt returns error
I updated Azure CLI to the latest version (2.0.32-1~wheezy) and tried again, still the same. Interestingly enough, the Scale function in Azure Portal worked fine, I was able to scale up/down without any issue. |
|
@valorl thanks but I don't understand why a VNET subnet is needed for the 10.240.0.0/16 pod network. |
|
@valorl There is a "vestigial" VNet due to a bug that will no longer show up in the We do have a documentation gap regarding the required SP permissions to update the VNet, that will come along shortly (and documented at #353) @msdotnetclr Today, you can only create AKS + existing VNET using ARM template deployments or Portal, CLI support hasn't been added yet (#353) @msdotnetclr |
|
Hi @slack , I deployed an aks cluster with custom vnet with your example arm template. I use a vnet that has backend connectivity to a on premise datacenter. And I thought that I had to configure a configmap to set the stubDomain (see |
|
@bramvdklinkenberg I'm having the same error message. I tried to create a cluster with custom vnet multiple times, but it never worked. Always getting the "ControlPlaneAddOnsNotReady" after a long time. Did you get it to work? |
|
@mbrand , yes I did :). My issue was that I used a /25 subnet but it has to be at least /24. |
|
Hi All! Today I came across an issue when one of the nodes in the cluster died. I have three nodes in the cluster so you think that everything would be okay but it wasn't. It took me a while to figure it out. Remember I have a VPN back to an on premises DB. In the GatewaySubnet I have created a route for traffic destined for the Kuber Services network in my case 10.244.1.0/24 to 10.150.1.4 which is one of VM's in the Agent Pool so the traffic from the on premises network can make it back to the Kuber Services network. 10.150.1.4 NIC had IP forwarding enabled so traffic to other VM's in the pool work as expected, except for when that node died. I presume the LoadBalancer directed traffic to the operational nodes but traffic was no longer routable from the on premises network to the still working nodes in the cluster. Any suggestion as to how to create some resilience in this route? |
|
I'm going to close this issue as the original feature has been delivered. Please open new issues for specific problems you're hitting with the custom vnet support. |
ghost
locked as resolved and limited conversation to collaborators
and others
Is there a way to specify a custom VNet for a cluster created via AKS? When this cluster is created, it is in a VNet where the address space is 10.0.0.0/8. This basically means that if I have any other VNets in the 10. space, they cannot be peered with this cluster. With the ACS service, we were able to create custom VNet ranges with acs-engine if necessary.
The text was updated successfully, but these errors were encountered: