More Related Content
Similar to Festive Tech Calendar: Festive time with AKS networking
Similar to Festive Tech Calendar: Festive time with AKS networking (20)
More from Nico Meisenzahl
More from Nico Meisenzahl (20)
Festive Tech Calendar: Festive time with AKS networking
- 2. Who we are
© white duck GmbH 2022
Nico Meisenzahl (Head of DevOps Consulting and Operations,
Cloud Solution Architect, Azure & Developer Technologies MVP, GitLab Hero)
Email: nico.meisenzahl@whiteduck.de
Twitter: @nmeisenzahl
LinkedIn: https://www.linkedin.com/in/nicomeisenzahl/
Philip Welz (Senior Kubernetes & DevOps Engineer,
GitLab Hero, CKA, CKAD & CKS)
Twitter: @philip_welz
LinkedIn: https://www.linkedin.com/in/philip-welz
- 3. Agenda
• Intro to AKS networking
• Control plane networking options
• Cilium-powered data plane
• Private API server options
© white duck GmbH 2022
- 5. The layers of AKS networking
• pod-to-pod traffic
• pod-to-service networking
• in-cluster DNS
• cluster ingress/egress traffic
• traffic between K8s control and data plane
• API-server access
© white duck GmbH 2022
- 6. What we are focusing on today
• pod-to-pod traffic
• pod-to-service networking
• in-cluster DNS
• cluster ingress/egress traffic
• traffic between K8s control and data plane
• API-server access
© white duck GmbH 2022
- 8. Cluster-wide east-west traffic
• mandatory to get a functioning Kubernetes cluster
• pod-to-pod communication
• there are multiple implementations with AKS
• you have the choice J
© white duck GmbH 2022
- 9. Container Network Interface (CNI)
• Container Network Interface (CNI) is
• an abstraction layer
• a vendor-neutral specification
• used by Kubernetes and others (Mesos, CloudFoundry)
• vendor implementations are called plugins
• https://github.com/containernetworking/cni
© white duck GmbH 2022
- 10. Kubenet
• very basic & simple plugin implementation
• typically used with single-node or cloud provider that sets up
routing rules for communication between nodes
• itself does not implement advanced features such as
cross-node networking or network policies
• Linux only
• no Windows nodes/pods
© white duck GmbH 2022
- 11. Kubenet & Azure Kubernetes Service
• requires outbound internet connectivity
• one cluster per subnet
• max of 400 nodes (due to UDR limit)
• additional hop is required in the design of Kubenet
• no direct pod addressing/routing
• no support for
• Azure Network Policies
• Calico Network Policies support Kubenet
• Virtual node addon (ACI)
• https://learn.microsoft.com/azure/aks/configure-kubenet
© white duck GmbH 2022
- 13. When to use Kubenet with AKS
• you require dual-stack (IPv4/IPv6)
• most of the pod communication is within the cluster
• you don't need advanced AKS features
• (you have limited IP address space)
© white duck GmbH 2022
- 14. CNI & Azure Kubernetes Service
• you have further options …
• Azure CNI
• with dynamic allocation of IP addresses
• with advanced subnet support
• Azure CNI Overlay (preview)
• the better Kubenet
• Bring-your-own CNI
© white duck GmbH 2022
- 15. Azure CNI
• flexible
• supports all AKS features and use-cases
• got even more flexible with dynamic allocation and
advanced subnet support
• latter can fix issues with IP address planning
• https://learn.microsoft.com/azure/aks/configure-azure-cni
© white duck GmbH 2022
- 17. When to use Azure CNI
• most of the time: the preferred way
• pod communication is also with resources outside of the
cluster
• you need AKS advanced features
• (you have available IP address space)
© white duck GmbH 2022
- 18. Azure CNI Overlay
• still preview!
• currently only available in
• North Central US
• West Central US
• the better Kubenet (when GA)
• up to 1000 nodes
• no performance degrade
• full support for Network Policies
• still Linux only
• no support for some advanced features like virtual node
• https://learn.microsoft.com/azure/aks/azure-cni-overlay
© white duck GmbH 2022
- 20. When to use Azure CNI Overlay
• you would like to scale but have limited IP address spaces
• most of the pod communication is within the cluster
• you want to use Kubernetes Network Policies
• you don't need advanced AKS features
© white duck GmbH 2022
- 21. Bring-your-own CNI
• full flexibility
• deploy your CNI plugin of choice
• no support by Azure on CNI related issues
• limitations very based on the chosen plugin
• https://learn.microsoft.com/azure/aks/use-byo-cni
© white duck GmbH 2022
- 23. Azure CNI powered by Cilium
• still preview!
• managed Cilium offering
• offers Pod networking, basic Kubernetes Network
Policies, and high-performance service load balancing
• eBPF-based data plane
• socket-based load-balancing instead of iptables
• relies on Azure IPAM (IP Address Management on Azure)
control plane
• therefore, supported by Azure CNI and Azure CNI Overlay
© white duck GmbH 2022
- 26. Cilium benefits
• faster service routing
• more efficient network policy enforcement
• better observability of cluster traffic
• support for larger clusters
• Cilium ecosystem
© white duck GmbH 2022
- 27. Current limitations
• only supports Linux
• CiliumNetworkPolicy currently not supported
• Cilium L7 policy enforcement is disabled
• Hubble is disabled
• advanced Cilium configurations require BYO CNI
© white duck GmbH 2022
- 29. API server private endpoint connection
• based on Private Link Endpoints
• exposes the API server endpoint into a subnet
• you can still expose services externally
• things to think about
• DNS resolution
• DNS Resolver
• Public DNS entry
• private/self-hosted Build Agent (or GitOps)
• “az aks command invoke” can be helpful as well
• https://learn.microsoft.com/azure/aks/private-clusters
© white duck GmbH 2022
- 30. API server vNet integration
• still preview!
• API server is exposed into a delegated subnet
• enables network communication between the API server and the
cluster nodes
• without vNet integration this is done via a private tunnel between the
control plane and nodes (Konnectivity)
• supports private and public clusters
• no Private Link Endpoint required
• https://learn.microsoft.com/azure/aks/api-server-vnet-integration
© white duck GmbH 2022
- 31. Questions?
© white duck GmbH 2022
Nico Meisenzahl (Head of DevOps Consulting and Operations,
Cloud Solution Architect, Azure & Developer Technologies MVP, GitLab Hero)
Email: nico.meisenzahl@whiteduck.de
Twitter: @nmeisenzahl
LinkedIn: https://www.linkedin.com/in/nicomeisenzahl/
Philip Welz (Senior Kubernetes & DevOps Engineer,
GitLab Hero, CKA, CKAD & CKS)
Twitter: @philip_welz
LinkedIn: https://www.linkedin.com/in/philip-welz
Slides: https://www.slideshare.net/nmeisenzahl