Is using NSG on AKS advanced networking subnet supported and what are the ports needed to be open between nodes and master?

1
votes

What port for TCP/UDP communication needs to be open between the nodes and the master of azure kubernetes services, when the nodes are in a subnet that uses advanced networking?

For security reasons we have to use a Network Security Group on every subnet that is connected to the onpremises network via VPN in azure. This NSG has to deny every implicit traffic between machines even in the same subnet to hinder attackes from traversing between systems. So it is the same for the azure kubernetes services with advanced networking, that uses a subnet which is connected via vnet peering.

We couldn't find an answer if it is a supported scenario to have a NSG on the subnet of the aks advanced network and what ports are needed to make it work.

We tried our default NSG which denies inter traffic between host, but this hinders us from connecting to the services and from nodes to come up without errors.

1
azure-aksazure-nsg
I'm fairly certain you have NSG on the vnet, as long as you allow workers to talk to master4c74356b41

1 Answers

0
votes

AKS is a managed cluster. And the managed cluster master means that you don't need to configure components like a highly available etcd store, but it also means that you can't access the cluster master directly.

When you create an AKS cluster, a cluster master is automatically created and configured. And the Azure platform configures the secure communication between the cluster master and nodes. Interaction with the cluster master occurs through Kubernetes APIs, such as kubectl or the Kubernetes dashboard.

For more details, see Kubernetes core concepts for Azure Kubernetes Service (AKS). If you need to configure the cluster master and other things all by yourself, you can deploy your own Kubernetes cluster using aks-engine.

For the security of your pods, you can use the network policy to improve it. Although it's just a preview version.

Also, it's not recommended to expose the remote connectivity to the AKS cluster nodes if you want to connect to the AKS nodes. The suggestion is that create a bastion host, or jump box, in a management virtual network. Use the bastion host to securely route traffic into your AKS cluster to remote management tasks. For more details, see Securely connect to nodes through a bastion host.

If you have more questions, please let me know. I'm glad to provide more help.