andre

Reputation: 1

Azure AKS inbound network security rules

I'm in the process of testing some old network security groups which are attached to the specific subnet where the k8s (AKS) cluster has been deployed. I'm confused how this is being translated properly based on the definition of an inbound rule.

This is an inbound rule to allow access from a certain source IP (added only for testing purposes, as without this I cannot reach backend k8s services). The destination is TCP/443 with a specific IP which is used with the external k8s load balancer (used by the ingress controller). I'm confused here as to how, or even why, this is working. Also, is it a correct approach considering that this is on the vnet/subnet level, and using a public IP in the destination is not giving us any gain (or maybe I'm missing something obvious)?

I'm adding a snippet from https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview:

"Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic."

Upvotes: 0

Views: 547

Answers (1)

Arko

Reputation: 3861

You are correct, as per the MS document:


Network security groups are indeed processed after Azure translates a public IP address to a private IP address for inbound traffic.

Basically, when inbound traffic arrives at an Azure resource that has a public IP (like your external load balancer), Azure first translates the public IP address to the private IP address of the resource within the vnet. The NSG rules are applied after this translation occurs. This means that your NSG rules should be based on the private IP addresses of the resources in your virtual network.

So, as per the rule you provided:

  • Source IP: You’ve specified a public IP range as the source.
  • Destination: This is a private IP address within your VNet, corresponding to the AKS cluster.

Why is it working?

When traffic hits your public IP associated with the load balancer, Azure translates this to the corresponding private IP. Even though your NSG rule is configured with a public IP as the destination, the rule is effectively allowing traffic to the translated private IP, and since this NSG is at the VNet/subnet level, it's governing traffic for all resources within that subnet. If your AKS nodes are in the same subnet, they'll be affected by this rule.

Any risk associated with such setup?

Using a public IP in the destination field of your NSG rule might give the impression of finer control, but it can actually open up broader access within your subnet, thereby leading to confusion and reduced security. It's better to explicitly use private IPs for clarity and to ensure that only the intended resources are accessible.

Upvotes: 0
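As an added example (not code from the question or the answer), a small Python audit that follows the answer's advice: it assumes the rules were exported in the field layout of `az network nsg rule list` (the sample rule names, prefixes and ports below are constructed), flags inbound Allow rules whose destination is a public address, and rewrites them against an operator-supplied private address.

```python
import ipaddress
from copy import deepcopy

# Constructed sample in the shape of `az network nsg rule list` output (names, prefixes, ports invented).
SAMPLE_RULES = [
    {"name": "allow-office-to-ingress", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
     "destinationAddressPrefix": "198.51.100.10", "destinationPortRange": "443"},
    {"name": "allow-vnet", "priority": 200, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_public_ip_prefix(prefix):
    """True only for a literal IPv4 address/CIDR outside RFC 1918. '*' and
    service tags such as VirtualNetwork are not IP literals and are skipped."""
    if prefix == "*" or not prefix[0].isdigit():
        return False
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        return not net.is_private  # IPv6 has no RFC 1918; fall back to ULA check
    return not any(net.subnet_of(r) for r in RFC1918)

def find_public_destination_allows(rules):
    """Names of inbound Allow rules whose destination is a public address: the
    NSG is evaluated after Azure translates the load balancer's public IP to a
    private one, so the private address is what it actually matches on."""
    return [r["name"] for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and is_public_ip_prefix(r["destinationAddressPrefix"])]

def rewrite_to_private(rules, frontend_to_private):
    """Return a copy of the rules with each public inbound destination replaced
    by the private address it translates to. frontend_to_private is supplied
    by the operator: public frontend IP -> private IP/CIDR of the backend."""
    fixed = deepcopy(rules)
    for r in fixed:
        dst = r["destinationAddressPrefix"]
        if r["direction"] == "Inbound" and is_public_ip_prefix(dst):
            if dst not in frontend_to_private:
                raise KeyError(f"no private mapping known for {dst} ({r['name']})")
            r["destinationAddressPrefix"] = frontend_to_private[dst]
    return fixed
```

The frontend-to-private mapping has to come from your own load balancer and ingress configuration; the script deliberately refuses to guess it.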
