
Kubernetes cluster in private vnet with VPN gateway (Azure)

I've got an existing Azure VNET with a site-to-site VPN gateway to on-premises resources. This works fine and VMs in the VNET can access internal resources as well as be exposed to the internet.

I've created a Kubernetes cluster in said VNET and deployed some pods exposed via LoadBalancer.

The pods can access the internet and they can access both vnet resources and on-prem resources (good). The pods are reachable from the on-prem network (good). But the LoadBalancer (even though it states a public IP) is not accessible from the internet. I can access it (the public IP of the LB) from within the vnet, just not from the internet.

I've created an identical cluster, but let it create its own VNET, and there it works fine. It's just when I place it in my existing VNET with a VPN gateway that I cannot reach them.

kubectl get service -o wide
NAME              TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)        AGE       SELECTOR
kubernetes        ClusterIP      10.0.0.1       <none>          443/TCP        1h        <none>
mail2servicebus   LoadBalancer   10.0.187.136   xx.xx.xx.xx   25:31459/TCP   1h        app=mail2servicebus

The VNET has peering to another VNET in addition to the VPN gateway, if that somehow has anything to do with it.

This makes no sense, gateway or not doesn't affect external comms (unless you are using an ExpressRoute gateway and advertising 0.0.0.0/0 through it). Only idea that comes to mind - network security group. Also, you cannot put VMs in the GatewaySubnet, this is not supported.

Apparently my home ISP is blocking access to the SMTP port (tcp 25) for all addresses except their own smtp server (spam prevention or something like that). So the service is indeed exposed to the internet, it's just me that can't access it. Worked like a charm when I came to work.
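An added example (not code from the original thread) of the check that resolved this question: probe the service's public IP on its port from more than one vantage point and compare the outcomes, so that a client-side egress block (the home ISP filtering tcp/25 here) is not mistaken for an NSG or load balancer problem on the Azure side. The host, port and vantage names are placeholders you supply; the sample results are constructed to match the thread.

```python
# Added example, not from the original thread. Probe one TCP port from the
# machine this runs on, then combine results gathered from several vantage
# points (home, office, a VM in the vnet, ...) into a verdict.
import socket
from typing import Dict


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return "open", "refused" or "timeout" for one TCP connect attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"        # a host answered: packets are getting through
    except (socket.timeout, OSError):
        return "timeout"        # silently dropped somewhere on the path


def diagnose(results: Dict[str, str], port: int) -> str:
    """results maps a vantage-point name to probe_tcp()'s result for `port`
    against the LoadBalancer's public IP (EXTERNAL-IP in kubectl output)."""
    blocked = sorted(v for v, s in results.items() if s != "open")
    if not blocked:
        return "reachable from every vantage point"
    if len(blocked) < len(results):
        # Open from somewhere, so the service is exposed; the drop is on the
        # failing clients' own path (e.g. a residential ISP blocking tcp/25).
        return ("exposed (port %d open elsewhere); egress filtering on the "
                "client side at: %s" % (port, ", ".join(blocked)))
    if any(s == "refused" for s in results.values()):
        return ("packets reach a host but nothing accepts port %d: check "
                "backend pods and the LB port mapping" % port)
    return ("port %d dropped from every vantage point: check NSG rules on the "
            "node subnet/NICs and the LB rule" % port)


# Constructed sample reproducing the thread: home ISP drops tcp/25, office works.
SAMPLE = {"home": "timeout", "office": "open"}

if __name__ == "__main__":
    # Replace with the LB's EXTERNAL-IP to gather a real result for this vantage.
    LB_PUBLIC_IP = "203.0.113.10"   # placeholder (documentation range)
    print("this vantage:", probe_tcp(LB_PUBLIC_IP, 25))
    print("sample verdict:", diagnose(SAMPLE, 25))
```

Run the probe from each location, collect the three-word results into one dict and pass it to diagnose(); a "timeout" from every vantage point is the case where the NSG suggested in the comment above is worth checking.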
