Reputation: 1
Azure AKS inbound network security rules
I'm in the process of testing some old network security groups which are attached to the specific subnet where k8s (aks) cluster has been deployed. I'm confused how this is being translated properly base on the definition of Inbound rule
This is inbound rule to allow access from certain source IP (added only for testing purposes as without this I cannot reach backend k8s services). The destination is TCP/443 with specific IP which is used with external k8s loadbalancer (used by ingress controller). I'm confused here how or even why this is working? Also is it a correct approach considering that this is on vnet/subnet level and using public IP in destination is not giving us any gain (or maybe I'm missing something obvious)?
I'm adding a snippet from https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic.
Upvotes: 0
Views: 547
Answers (1)
Reputation: 3861
You are correct, as per the MS document
Network security groups are indeed processed after Azure translates a public IP address to a private IP address for inbound traffic.
Basically when inbound traffic arrives at an Azure resource that has a public IP (like your external load balancer), Azure first translates the public IP address to the private IP address of the resource within the vnet. The NSG rules are applied after this translation occurs. This means that your NSG rules should be based on the private IP addresses of the resources in your virtual network.
So as per the Rule You Provided:
- Source IP: You’ve specified a public IP range as the source.
- Destination: This is a private IP address within your VNet, corresponding to the AKS cluster.
Why is it Working?
When traffic hits your public IP associated with the load balancer, Azure translates this to the corresponding private IP. Even though your NSG rule is configured with a public IP as the destination, the rule is effectively allowing traffic to the translated private IP and since this NSG is at the VNet/subnet level, it's governing traffic for all resources within that subnet. If your AKS nodes are in the same subnet, they’ll be affected by this rule.
Any risk associated with such setup?
Using a public IP in the destination field in your NSG rule might give the impression of finer control but can actually open up broader access within your subnet, thereby leading to confusion and reduced security. It's better to explicitly use private IPs for clarity and to ensure that only the intended resources are accessible.
Upvotes: 0
Related Questions
- Security rules to enhance a public facing Azure Kubernetes Service (AKS) default network security group
- AKS application gateway ingress hosts and error 502
- Azure PostgreSQL Flexible Server Network Security Group Outbound Rules
- DenyVnetInbound in Azure NSG
- Enable the Application Gateway Ingress Controller (AGIC) add-on for an AKS cluster using custom subnet
- AKS: connect to external service on a different aks cluster on private network
- APIM and AKS integration
- AKS inbound rules are reset periodically
- Configuring Inbound security rules of Azure Load Balancer