What happened:
When deploying a service / LoadBalancer for an Ingress controller, the Managed Cluster (MC) resource group NSG is modified to allow traffic to the LoadBalancer's external IP. However, with Advanced Networking and a private subnet, any upstream NSGs must also be modified. This gets complicated to automate.
What you expected to happen:
AKS should assist modifying upstream NSGs, if possible. Or, Azure should support a generic rule to permit traffic to all LoadBalancers.
By default, the NSG has some static rules shown below...

Via the API, I can create a rule from the Internet and to AzureLoadBalancer like the following, but it has no effect, and does not work.

Currently, I have to permit traffic from the Internet to Any on 443 to allow the traffic to pass.
How to reproduce it (as minimally and precisely as possible):
Deploy an AKS external LoadBalancer in an Azure CNI cluster with an NSG on the custom subnet.
Anything else we need to know?:
Environment:
- Kubernetes version (use kubectl version): 1.9.9
- Size of cluster (how many worker nodes are in the cluster?) 3
- General description of workloads in the cluster: hosting a small python webapp and REST service
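The workaround the report describes is "Internet to Any on 443" on the subnet NSG. The narrower rule a practitioner would want instead is scoped to the Service's LoadBalancer frontend IP, which is what AKS itself adds to the MC_ resource group NSG. Note that the AzureLoadBalancer service tag denotes Azure's infrastructure load balancer (the 168.63.129.16 health-probe source), not the public frontend of a Kubernetes Service, which is why a rule to that tag does not admit client traffic. The script below is an added example, not code from this issue or from AKS: it emits the az CLI create and delete commands for such a scoped rule so they can be reviewed before being run. The resource group, NSG, namespace and Service names are placeholders, and the frontend IP is a constructed sample from the TEST-NET-3 documentation range.

```shell
#!/bin/sh
# Added example, not from the AKS issue or from AKS itself: build the az CLI
# commands that open the upstream subnet NSG only for the Service's
# LoadBalancer frontend IP on one port, instead of "Internet -> Any".
# Resource group, NSG, namespace and Service names are placeholders.

# Constructed sample frontend IP (TEST-NET-3), standing in for the value that
# `kubectl get svc ... -o jsonpath='{.status.loadBalancer.ingress[0].ip}'`
# returns once the Service has been provisioned.
SAMPLE_LB_IP='203.0.113.10'

# is_ipv4 ADDR: return 0 if ADDR is a dotted quad with octets in 0..255.
# Rejects service tags such as "Any" or "Internet" so the generated rule can
# never silently widen to everything.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the (digits-only) octets
    IFS=$old_ifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# rule_name NAMESPACE SERVICE PORT: deterministic rule name, so a later
# reconcile or cleanup can find the rule for this Service again.
rule_name() {
    printf 'aks-%s-%s-%s' "$1" "$2" "$3"
}

# create_cmd RG NSG NAMESPACE SERVICE LB_IP PORT PRIORITY: print the az command
# that allows Internet -> LB_IP:PORT/tcp inbound on the subnet NSG.
create_cmd() {
    is_ipv4 "$5" || { echo "create_cmd: '$5' is not an IPv4 address" >&2; return 1; }
    printf 'az network nsg rule create --resource-group %s --nsg-name %s --name %s --priority %s --direction Inbound --access Allow --protocol Tcp --source-address-prefixes Internet --destination-address-prefixes %s --destination-port-ranges %s\n' \
        "$1" "$2" "$(rule_name "$3" "$4" "$6")" "$7" "$5" "$6"
}

# delete_cmd RG NSG NAMESPACE SERVICE PORT: print the matching cleanup command
# for when the Service, and with it the frontend IP, is removed.
delete_cmd() {
    printf 'az network nsg rule delete --resource-group %s --nsg-name %s --name %s\n' \
        "$1" "$2" "$(rule_name "$3" "$4" "$5")"
}

# Stand-alone run with the constructed IP. Against a real cluster set
#   LB_IP=$(kubectl get svc "$SVC" -n "$NS" -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
# before running, and pipe the printed command into sh once reviewed.
RG='my-vnet-rg'; NSG='aks-subnet-nsg'; NS='ingress'; SVC='nginx-ingress'
LB_IP=${LB_IP:-$SAMPLE_LB_IP}
create_cmd "$RG" "$NSG" "$NS" "$SVC" "$LB_IP" 443 200
delete_cmd "$RG" "$NSG" "$NS" "$SVC" 443
```

The rule priority (200 here) must sit below the NSG's default 65500 DenyAllInBound rule and above any broader deny you have added yourself; the commands are printed rather than executed so that the exact prefix and port can be checked before the subnet NSG is touched.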