
Unexpected Public IP used for egress from AKS

I have 2 Kubernetes Services of type LoadBalancer running in AKS 1.15.9

$ kubectl get svc --all-namespaces | grep Load
istio-system   istio-egressgateway       LoadBalancer   10.0.177.123   51.A.XXXXX
istio-system   istio-ingressgateway      LoadBalancer   10.0.198.456   20.B.XXXXX

However, when I run a Pod to check egress IP it is using 51.C.XXXX

curl -s checkip.dyndns.org
The AKS egress IP address shown in the response is 51.C.XXXX

I would have expected AKS to use one of the LoadBalancer IPs from the K8s Services.

There is a difference between the ingress IP and the egress IP.

Egress, from the docs:

Outbound traffic from an AKS cluster follows Azure Load Balancer conventions. Before the first Kubernetes service of type LoadBalancer is created, the agent nodes in an AKS cluster are not part of any Azure Load Balancer pool. In this configuration, the nodes have no instance level Public IP address. Azure translates the outbound flow to a public source IP address that is not configurable or deterministic.

With that being said, the IP returned from curl -s checkip.dyndns.org is the egress IP. This is the outbound public IP of the AKS cluster.

Ingress, from the docs:

An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination for Kubernetes services. Kubernetes ingress resources are used to configure the ingress rules and routes for individual Kubernetes services. Using an ingress controller and ingress rules, a single IP address can be used to route traffic to multiple services in a Kubernetes cluster.

The ingress IP, in your case the Load Balancer, is the public\internal IP which is responsible for reverse proxy and configurable traffic routing.

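Added example, not part of the original question or answer: a check that compares the address an IP-echo service reports for a Pod against the inbound IPs of the cluster's LoadBalancer Services, which is the comparison to make before putting an address on an outbound firewall allowlist. The sample `kubectl get svc --all-namespaces -o json` output and echo response are constructed with documentation-range addresses, and the function names are hypothetical.

```python
import ipaddress
import json
import re

# Constructed sample data (documentation-range addresses, not the poster's).
SVC_JSON = """
{"items": [
  {"metadata": {"namespace": "istio-system", "name": "istio-egressgateway"},
   "spec": {"type": "LoadBalancer"},
   "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
  {"metadata": {"namespace": "istio-system", "name": "istio-ingressgateway"},
   "spec": {"type": "LoadBalancer"},
   "status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.20"}]}}},
  {"metadata": {"namespace": "default", "name": "kubernetes"},
   "spec": {"type": "ClusterIP"}, "status": {"loadBalancer": {}}}
]}
"""
CHECKIP_BODY = "<html><body>Current IP Address: 192.0.2.77</body></html>"

def load_balancer_ips(svc_json):
    """Map each inbound LoadBalancer IP to its namespace/name."""
    found = {}
    for item in json.loads(svc_json).get("items", []):
        if item.get("spec", {}).get("type") != "LoadBalancer":
            continue
        owner = "{namespace}/{name}".format(**item["metadata"])
        ingress = item.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        for entry in ingress:
            if "ip" in entry:  # pending or hostname-only entries carry no IP
                found[str(ipaddress.ip_address(entry["ip"]))] = owner
    return found

def observed_egress_ip(body):
    """Extract the source address an external IP-echo service reported."""
    match = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", body)
    if match is None:
        raise ValueError("no IPv4 address in response body")
    return str(ipaddress.ip_address(match.group(1)))

def classify_egress(svc_json, body):
    """Return (egress_ip, owning_service_or_None)."""
    egress = observed_egress_ip(body)
    return egress, load_balancer_ips(svc_json).get(egress)

if __name__ == "__main__":
    ip, owner = classify_egress(SVC_JSON, CHECKIP_BODY)
    print(ip, "matches " + owner if owner else "is not any Service's LoadBalancer IP")
```

A result of `None` for the owner reproduces the situation in the question: the outbound source address is separate from every Service's inbound address.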
