AKS Networking Deep Dive
Understand and configure robust networking for your Azure Kubernetes Service clusters.
Introduction to AKS Networking
Networking in Azure Kubernetes Service (AKS) is a critical component for enabling communication between pods, services, and external clients. AKS leverages Azure's robust networking infrastructure to provide flexible and secure networking capabilities.
Key networking concepts in AKS include:
- Virtual Networks (VNet): AKS clusters are deployed within an Azure VNet, providing a private IP address space for your cluster resources.
- Subnets: Specific subnets within the VNet are allocated for AKS node pools and pods.
- Network Security Groups (NSGs): NSGs control inbound and outbound traffic to AKS resources, enhancing security.
- IP Address Management: AKS offers flexible options for assigning IP addresses to pods and services.
Container Network Interface (CNI)
AKS supports multiple Container Network Interface (CNI) plugins, each offering different features and benefits for pod networking.
Azure CNI
Provides each pod with its own IP address from the VNet subnet. Offers maximum flexibility and integration with Azure networking.
Kubenet
A simpler CNI option where pods receive IP addresses from a private network created by Kubernetes. Network traffic is routed through the node's host interface.
Choosing the right CNI depends on your specific requirements for IP address management, network policies, and integration with other Azure services.
Network Policies
Network Policies are Kubernetes resources that control the traffic flow between pods. They act as firewalls at the IP address or port level, enabling you to define granular ingress and egress rules.
- Default Deny: Implement a default deny policy to block all traffic unless explicitly allowed.
- Namespace-based Isolation: Isolate pods within different namespaces.
- Label Selectors: Use pod labels to define which pods can communicate with each other.
Example Network Policy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: backend-policy
namespace: default
spec:
podSelector:
matchLabels:
app: backend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 80
Ingress Controllers
Ingress controllers manage external access to services within your AKS cluster, typically HTTP and HTTPS. They provide features like load balancing, SSL termination, and name-based virtual hosting.
Common Ingress controllers for AKS include:
- Azure Application Gateway Ingress Controller (AGIC): Integrates directly with Azure Application Gateway for advanced L7 load balancing.
- Nginx Ingress Controller: A popular and widely used open-source ingress controller.
Load Balancers
AKS integrates with Azure Load Balancer to provide load balancing for your services. You can create internal or external load balancers to distribute traffic across your application instances.
- Type: LoadBalancer: Exposes a service externally using a cloud provider's load balancer.
- Service Annotations: Customize load balancer behavior using annotations.
Advanced Networking Features
- Service Type LoadBalancer: Automatically provisions an Azure Load Balancer for your service.
- ExternalIPs: Assign a public IP address directly to a service.
- Node Public IP Addresses: Assign public IP addresses to your cluster nodes for direct access.
- Private Clusters: Deploy AKS clusters with private endpoints, enhancing security by restricting API server access.