[英]Configuring Inbound security rules of Azure Load Balancer
I have created a AKS and deployed a simple web server on it with following yaml.我创建了一个 AKS 并使用以下 yaml 在其上部署了一个简单的 Web 服务器。
Azure LoadBalancer gives a public IP address to it automatically and works fine. Azure LoadBalancer 会自动为其提供公共 IP 地址并且工作正常。
Now I would like to limit the source IP address so I can access it from a specify IP address only.现在我想限制源 IP 地址,以便我只能从指定的 IP 地址访问它。
I've tried adding a Azure Firewall to the virtual network of AKS (aks-vnet-XXXXXXX) with some network rule but doesn't work.我尝试使用一些网络规则将 Azure 防火墙添加到 AKS (aks-vnet-XXXXXXX) 的虚拟网络,但不起作用。
Creating a NAT rule in Firewall and redirects packets to the LoadBalancer works在防火墙中创建 NAT 规则并将数据包重定向到 LoadBalancer 工作
but I can still access the pod with the Public IP address of the LoadBalancer.但我仍然可以使用 LoadBalancer 的公共 IP 地址访问 pod。
Any suggestions?有什么建议?
apiVersion: v1
kind: Service
metadata:
name: nginx
spec:
type: LoadBalancer
selector:
app: nginx
ports:
- name: http
port: 80
targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
(skipped something not important)
spec:
containers:
- name: nginx
image: nginx:1.17.6
ports:
- containerPort: 80
What you're trying to achieve can be done with NSG (Network Security Group) applied to the subnet where your AKS cluster resides: https://docs.microsoft.com/en-us/azure/aks/concepts-security#network-security您可以通过将 NSG(网络安全组)应用于 AKS 群集所在的子网来实现您想要实现的目标: https : //docs.microsoft.com/en-us/azure/aks/concepts-security#network -安全
More generic approach with a fine-grained control will require creation of Ingress Controller , creation of an Ingress
object for your service and applying ingress.kubernetes.io/whitelist-source-range
annotation to it.更通用的细粒度控制方法将需要创建Ingress Controller ,为您的服务创建一个
Ingress
对象,并对其应用ingress.kubernetes.io/whitelist-source-range
注释。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.