Mar 10, 2024
Configuring network connections for AKS – Creating and Configuring Containers

Configuring network connections for AKS

We have covered AKS cluster deployment in one of the previous exercises. In this section, we will elaborate on some networking configurations to give you a better understanding of the options available to you.

Network configuration

The first component in your network configuration is the different types of networks that are available for you to deploy.

kubenet

This is the most basicnetworking service for AKS. With kubenet, an IP address is allocated from an Azure VNet to the nodes for a Pod. The Pods receive an IP address from an internal network that is deployed in a logically different address space from the VNet. Connections to these Pods are then performed through NAT connections that allow Pods to communicate to resources on the Azure VNet. This approach reduces the number of IP addresses required for your solution but disables the ability to directly connect to your containers.

Azure CNI

This is a moreadvanced implementation networking service for AKS. Azure CNI enables Pods to be directly connected to an Azure VNet, and therefore every Pod is allocated an IP address on the VNet. Without careful planning, you may exhaust your IP allocation on the subnet you are connecting to.

Regardless of the solution you choose, external traffic is still conducted over a NAT connection to nodes within AKS from a public IP interface.

Traffic routing

Traffic routing comprisesthe load balancing and application routing configurations available to your AKS cluster.

Load balancer

The AKS cluster can be deployed using both a standard SKU and a basic SKU. A standard SKU enforces traffic securely, restrictstraffic by default, andrequires explicit allow rules to enable traffic flow. The default option Standardis and is the recommended choice unless there is a specific reason for Basic, such as your organization only allowing private IP access. Basic can only be deployed using the Azure command-line interface (CLI), PowerShell, or an ARM template.

Enabling HTTP application routing

Please note before enabling this feature that it is currently not designed or ready for production environments and is something I would advise being cautious about enabling until Microsoft’s documentation reflects that this is ready for production use.

The solution deploys two components, one being an External-DNS controller component, which creates DNS host A records for the cluster DNS zone, and the second resource being an ingress controller component, which is responsible for routing ingress traffic to application endpoints.

More Details