Azure Kubernetes Service (AKS) Networking Basics

Welcome to the fundamental concepts of networking within Azure Kubernetes Service (AKS). Understanding how network traffic flows to and from your applications is crucial for building robust and secure containerized solutions on Azure.

AKS provides a rich set of networking features that integrate deeply with Azure's networking capabilities. This article covers the core concepts you need to know to get started.

Kubernetes Networking Model

At its heart, Kubernetes defines a simple yet powerful networking model:

Every Pod gets its own IP address.
Pods can communicate with each other across all nodes without NAT.
Nodes can communicate with all Pods (and vice versa) without NAT.
Information about network services is available to Pods via the environment variables or DNS.

This model ensures that Pods have direct network connectivity, simplifying application development and deployment.

Key Networking Components in AKS

1. Virtual Networks (VNet) and Subnets

An AKS cluster is deployed within an Azure Virtual Network (VNet). This VNet provides a private network space for your cluster's resources. You can either let AKS create a new VNet for you or specify an existing VNet where you want to deploy your cluster.

Within the VNet, a specific subnet is allocated for the cluster's node IP addresses and another, often for Pod IPs (depending on the network model used).

Note: It's highly recommended to use an existing VNet for production AKS deployments to integrate seamlessly with other Azure services and manage network policies effectively.

2. Pod IP Addressing

Each Pod in AKS is assigned an IP address from a defined IP address space. This IP space is typically configured when you create the AKS cluster. AKS supports two primary network models:

Kubernetes Network Plugins: AKS supports various Kubernetes network plugins, with Azure CNI being the default and recommended option for advanced networking features.
Azure CNI: With Azure CNI, each Pod gets an IP address directly from the VNet's subnet. This provides direct Pod-to-Pod communication within the VNet and is essential for scenarios requiring IP address management and network security policies.

3. Services

Kubernetes Services provide a stable IP address and DNS name for a set of Pods. Services abstract away the dynamic nature of Pod lifecycles (creation, deletion, scaling). Key Service types include:

ClusterIP: Exposes the Service on a cluster-internal IP. This is the default Service type.
NodePort: Exposes the Service on each Node's IP at a static port.
LoadBalancer: Exposes the Service externally using an Azure load balancer. This is a common way to make your applications accessible from the internet.

4. Ingress Controllers

While Services can expose your applications, Ingress controllers offer more advanced HTTP and HTTPS routing capabilities. An Ingress controller acts as a reverse proxy, allowing you to manage external access to services within your cluster, often providing features like SSL termination, name-based virtual hosting, and more.

AKS provides an integrated NGINX Ingress controller that you can deploy and configure to manage traffic routing.

Tip: For public-facing web applications, using an Ingress controller is generally preferred over directly exposing Services of type LoadBalancer for better control and cost-efficiency.

5. Network Policies

Network Policies are Kubernetes resources that control the flow of traffic between Pods. They are essential for implementing network segmentation and enhancing the security posture of your cluster. You can define rules to allow or deny traffic between specific sets of Pods based on labels or IP addresses.

AKS supports Network Policies through network plugins like Azure CNI.

Core Networking Concepts Summary

Pod-to-Pod Communication: Pods can communicate directly using their IP addresses.
Service Discovery: Kubernetes Services and DNS enable applications to find and communicate with each other.
External Access: Services of type LoadBalancer or Ingress controllers are used to expose applications to external traffic.
Network Security: Network Policies provide fine-grained control over network traffic within the cluster.

Next Steps

As you delve deeper into AKS networking, consider exploring:

Configuring advanced Azure CNI features.
Setting up Ingress controllers for sophisticated routing.
Implementing Network Policies for robust security.
Integrating with Azure Load Balancers and Application Gateways.

Understanding these foundational elements will empower you to design, deploy, and manage your containerized applications effectively on Azure Kubernetes Service.