Azure Kubernetes Service (AKS) Networking
This document provides a comprehensive guide to understanding and configuring networking in Azure Kubernetes Service (AKS). Effective networking is crucial for the performance, security, and scalability of your containerized applications.
AKS offers a variety of networking options to meet different application requirements. We'll explore the core concepts, available features, and best practices.
Core Networking Concepts in AKS
Before diving into specific features, let's review some fundamental networking concepts as they apply to AKS:
- Pods: The smallest deployable units in Kubernetes, each with its own IP address.
- Services: An abstraction that defines a logical set of Pods and a policy by which to access them.
- Ingress: Manages external access to services in a cluster, typically HTTP/S.
- Network Policies: Control the flow of traffic between pods.
- Azure Virtual Network (VNet): The foundational network for your AKS cluster.
- CNI (Container Network Interface): A set of interfaces and libraries for network configuration of network interfaces in Linux containers.
AKS Networking Models
AKS supports two primary network models:
1. Kubenet Network Plugin
Kubenet is the default network plugin for AKS. It creates a virtual network on the node, allowing pods to get an IP address from the same VNet subnet as the node. Traffic between pods on different nodes is routed through the node's VNet. This model is simpler to set up but has limitations on the number of pods per node and network policy support.
2. Azure CNI Network Plugin
Azure CNI provides a more robust and scalable networking solution. With Azure CNI, each pod gets an IP address directly from the Azure Virtual Network (VNet) subnet. This offers several advantages:
- Increased pod density per node.
- Native integration with Azure networking features.
- Full support for Network Policies.
- Direct connectivity from pods to other Azure services.
Key Networking Features in AKS
a) Services
Kubernetes Services are essential for exposing your applications. AKS supports several Service types:
- ClusterIP: Exposes a service on a cluster-internal IP. This is the default.
- NodePort: Exposes a service on each Node's IP at a static port.
- LoadBalancer: Exposes a service externally using an Azure load balancer. AKS automatically provisions an Azure Load Balancer.
- ExternalName: Maps the Service to the contents of the
externalNamefield (e.g.my.database.example.com), returning a CNAME record.
b) Ingress Controllers
Ingress controllers provide advanced routing capabilities for HTTP/S traffic to your services. AKS offers:
- Nginx Ingress Controller: A popular and highly configurable Ingress controller. AKS can provision and manage this for you.
- Application Gateway Ingress Controller (AGIC): Integrates AKS with Azure Application Gateway, enabling advanced Layer 7 load balancing, WAF, and SSL termination.
Here's an example of a simple Ingress resource:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: myapp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-app-service
port:
number: 80
c) Network Policies
Network Policies allow you to control traffic flow at the IP address or port level (OSI layer 3 or 4) between network endpoints within your cluster. This is critical for micro-segmentation and enhancing security.
To use Network Policies, you must be using the Azure CNI network plugin and install a network policy provider, such as Azure Network Policy or Calico.
A basic Network Policy to allow ingress traffic from specific pods:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-frontend
spec:
podSelector:
matchLabels:
app: backend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 8080
d) Private Clusters
For enhanced security, you can create AKS clusters with private control planes. This restricts API server access to a private IP address within your VNet, preventing public internet exposure.
Best Practices for AKS Networking
- Choose the right CNI: For most production workloads, Azure CNI is recommended for scalability and features.
- Implement Network Policies: Enforce micro-segmentation to limit the blast radius of security incidents.
- Use Ingress Controllers wisely: Leverage Ingress for smart traffic routing, SSL termination, and load balancing. AGIC is powerful for integrating with Azure Application Gateway.
- Plan your IP address space: Ensure your VNet and subnet have sufficient IP addresses for nodes and pods, especially when using Azure CNI.
- Secure your API server: Consider using private clusters for sensitive environments.
- Monitor network performance: Use Azure Monitor and Kubernetes tools to identify bottlenecks and troubleshoot issues.
Further Reading
For more in-depth information, please refer to the official Azure Kubernetes Service documentation:
- Azure CNI networking in Azure Kubernetes Service (AKS)
- Network policies in Azure Kubernetes Service (AKS)
- Basic Ingress Controller setup in AKS