DEFINING NETWORK MODELS IN AKS
Azure Kubernetes Services (AKS) supports four types of networking models:
- Kubenet Networking
- Azure Container Networking Interface (CNI)
- Azure CNI with Network Policies
- Custom VNet
KUBENET Networking
With the Kubenet networking model, every pod in an AKS cluster receives an IP address from the node’s subnet. Nodes must have sufficient IP address space for every pod. This brings simplicity and ease of use, but may be less flexible for complex networking requirements.
Azure Container Networking Interface (CNI)
Azure CNI assigns an IP address for every pod in the cluster and places all pods in a subnet within the Azure Virtual Network. This model provides significant benefits with respect to network performance, allowing direct communication between pods across nodes and subnets. Network Policies can also be applied to restrict communication between pods in a cluster.
Azure CNI with Network Policies
Utilizing Azure CNI with network policies gives administrators granular control over traffic flow within their AKS environment. Implementing network policy enables the enforcement of rules governing which pods can communicate with each other, providing an additional layer of security.
Custom VNet
With the Custom VNet model, you can use your existing Virtual network and specify an IP range for your pods and services separately.
CONFIGURING NETWORK CONNECTIONS FOR AKS
To configure the network connections for AKS, ensure that you are logged in to the Azure portal and use the following PowerShell code to create a new AKS cluster with Azure CNI enabled:
$resourceGroup = "myResourceGroup"
$clusterName = "myAKSCluster"
$location = "East US"
$networkPlugin = "azure"
$networkPolicy = "azure"
New-AzAks -ResourceGroupName $resourceGroup -Name $clusterName -Location $location -NetworkPlugin $networkPlugin -NetworkPolicy $networkPolicy
Once the AKS cluster with Azure CNI is created, pods within it can communicate with each other and other nodes.
APPLYING NETWORK POLICIES
Once your AKS cluster is running with Azure CNI, you can apply network policies to regulate access to/from pods, as per your business requirements.
To apply a network policy, use the following YAML file:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: my-network-policy
spec:
podSelector:
matchLabels:
app: MyApp
policyTypes:
- Ingress
- Egress
ingress:
- from:
- ipBlock:
cidr: 172.17.0.0/16
ports:
- protocol: TCP
port: 80
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/16
ports:
- protocol: TCP
port: 80
Run the following command to apply the policy:
kubectl apply -f my-network-policy.yaml
CONCLUSION
In conclusion, understanding the configuration of network connections for Azure Kubernetes Service (AKS) is critical for the Azure Administrator. It not only factors into the deployment and management of applications but also the management of network performance, security, and resources. Following a thorough grasp of this concept, candidates for the AZ-104 Microsoft Azure Administrator exam should be better equipped to manage and optimize their Azure environment.
Practice Test
True/False: AKS stands for Azure Kubernetes Service.
- True
- False
Answer: True
Explanation: The acronym AKS stands for Azure Kubernetes Service, a fully managed service provided by Azure for deploying, scaling, and managing containerized applications.
Which of the following can be used to configure network connections for AKS?
- A. Azure portal
- B. Azure CLI
- C. Kubernetes CLI
- D. All of the above
Answer: D. All of the above
Explanation: Azure portal, Azure CLI, and Kubernetes CLI can all be used to configure network connections for AKS.
True/False: The service principle for AKS needs RBAC permissions to manage Azure Active Directory resources.
- True
- False
Answer: False
Explanation: The service principle for AKS manages Azure resources, not Azure Active Directory resources.
Which network model does AKS use by default?
- A. Azure VNet
- B. Kubenet
- C. Docker Network
Answer: B. Kubenet
Explanation: By default, AKS uses Kubenet. Kubenet is a very basic, simple network plugin, on Linux only. It does not, of itself, implement more advanced features like cross-node networking or network policy.
True/False: You can change the network configuration after the AKS cluster has been created.
- True
- False
Answer: False
Explanation: After you create an AKS cluster, you can’t change its network configuration.
Which command can be used to create an AKS cluster with Azure CLI?
- A. az aks create
- B. az aks configure
- C. az network create
Answer: A. az aks create
Explanation: The command ‘az aks create’ is used to create a new AKS cluster.
What is Azure CNI?
- A. A tool for managing Azure resources.
- B. An Azure networking solution.
- C. A tool for managing Kubernetes clusters.
Answer: B. An Azure networking solution.
Explanation: Azure CNI (Container Network Interface) is an Azure networking solution for Kubernetes which allows nodes to have direct connectivity to network resources.
True/False: Azure CNI enables containers to have same IP address as nodes.
- True
- False
Answer: False
Explanation: Azure CNI assigns an IP address from the subnet and it makes it possible for containers to reach other network-connected resources, but they do not share same IP address as nodes.
True/False: AKS supports network policies for finer-grained control over inbound and outbound traffic.
- True
- False
Answer: True
Explanation: In AKS, you can use Kubernetes native network policies or use network policies with Azure’s own implementation of network policies to control the flow of traffic.
Which of the following is used to manage versioning in AKS?
- A. Azure CLI
- B. Azure portal
- C. Azure Resource Manager
- D. Kubernetes Master
Answer: D. Kubernetes Master
Explanation: The version of Kubernetes is managed by the master and maintained through regular updates that are managed by AKS.
Interview Questions
What is Azure Kubernetes Service (AKS) network connection?
Azure Kubernetes Service (AKS) network connection provides networking capabilities for the AKS cluster. It makes it possible for the cluster to communicate both with other resources within your Azure environment and with the outside world.
What are the two models used in AKS network configuration?
The two models used in AKS network configuration are Kubenet (network plugin in Kubernetes) and Azure Container Networking Interface (CNI).
What is the Kubenet networking model in AKS?
In the Kubenet networking model, every Pod gets an IP in a virtual network subnet and the AKS cluster does not need to integrate with the virtual network.
What is Azure Container Networking Interface (CNI) in AKS?
In Azure CNI, every Pod gets an IP from the subnet and can be accessed directly. These IP addresses must be unique across your network space, and must be planned in advance.
What is the role of Azure CNI?
Azure CNI allows every Pod in the AKS cluster to have an IP in the Virtual Network. It gives Pods full network connectivity across virtual networks and on-premises networks, and connectivity to Azure services.
How to secure the AKS cluster at the networking level?
Network policies can be used to secure the AKS cluster at the networking level. These policies define rules about which Pods can communicate with each other and other network endpoints.
What is Azure Network Policy?
Azure Network Policy is a container network policy provider in Azure. With Azure Network Policy, you can govern the communication between Pods within the same AKS cluster.
How do service endpoints help in protecting your AKS network?
Azure service endpoints allow you to secure access to Azure resources from your AKS cluster. They extend your virtual network private address space to Azure services.
What are network policies in AKS networking?
Network policies are Kubernetes resources that use labels to select pods and define rules that specify what traffic is allowed to the selected pods.
How can you enable Azure Network Policy in an AKS cluster?
Azure Network Policy can be enabled while creating an AKS cluster, or it can be updated in existing clusters. This can be achieved using Azure portal, Azure CLI or Azure Resource Manager templates.
What is ingress controller in AKS?
Ingress controller in AKS is a function that routes incoming network traffic and distributes it to various services within the cluster. This provides AKS with HTTP, HTTPS, or other types of routing capabilities.
How to choose between Kubenet and Azure CNI plugins for AKS network configuration?
The choice between Kubenet and Azure CNI plugins depends on the requirements. If you need higher performance, large CIDR ranges, or integration with on-prem networks, Azure CNI is the best choice. For simpler, self-contained networks where performance is not a high priority, Kubenet would be a better option.
Can I change the networking plugin after creating the AKS cluster?
No, the choice of network plugin is made when the AKS cluster is created and cannot be changed afterwards.
How can we restrict egress traffic from an AKS cluster?
Egress traffic from an AKS cluster can be restricted by creating outbound type rules in the Network Security Group (NSG).
How can we work with Azure Private Link for AKS?
Azure Private Link for AKS enables users to access AKS over a private network connection. It allows users to interact with the Kubernetes API server over a secure, authorized network connection.