I have trouble integrating an ACS Engine Cluster with my existing VNET in Azure.
Below are the steps to reproduce my issue:
Create an ACS Engine Cluster with default configuration. It creates its own VNET (let's say ACS_VNET).
Create a new VNET (VNET2) with a VM and do a VNET peering to ACS_VNET.
Create a sample service with an Azure Private Load Balancer and try to access its private IP from the above VM in VNET2. It does not work. I also tried with the private IP of the pod and with a NodePort, with no luck.
Followed this article to create the cluster: https://dzone.com/articles/create-custom-azure-kubernetes-clusters-with-acs-e
The above steps work for an AKS cluster in Azure.
The overall goal of this question is to find out the proper way to connect a pre-existing Azure Kubernetes cluster to an Azure virtual private network (or redeploy it in the virtual private network) so that it can access the Timescale Postgres database (timescale.com) that has been placed in the VPC connected to the virtual network.
What I would like to do is take an existing production Kubernetes cluster and configure it to be able to see the timescaledb in the Virtual Private Cloud.
Is it possible to do this with another peering rule?
What I have done
Created a VPN in Azure
Created a timescaledb database at timescaledb.com
Created the appropriate service principals, peering rules, and connected timescaledb to the vnet
Created a NEW Kubernetes cluster in the virtual network
Tested the connection to the database (failed via internet, succeeded within vnet)
I have an Azure Windows VM with MSSQL installed.
I created a cluster in Azure K8S, then created a pod from an image: an application running with embedded Tomcat that uses MSSQL and connects to the private IP of the above VM. The container in the pod starts with an error: cannot connect to that private IP of MSSQL.
I can access that private IP from my local machine (using VPN), so is there any way/config to make the pod connect to that VM using the private IP? Since it's the same infrastructure, I don't know why it cannot connect.
(I am a newbie with Azure.)
Thanks a lot.
For your requirement, I don't know how you deploy the VM and the AKS cluster. So I give the solutions for the two situations:
AKS cluster with the network type kubenet:
VM in VNet A and AKS in VNet B: create a service with an internal load balancer for the pod, and then peer VNets A and B.
VM and AKS in the same VNet: create a service with an internal load balancer for the pod.
AKS cluster with the network type CNI:
VM in VNet A and AKS in VNet B: peer VNets A and B.
VM and AKS in the same VNet: you don't need to do anything; it should work.
All of the above solutions need you to check the NSG rules between the VM and the AKS cluster pod. You need to allow inbound traffic to the VM on the MSSQL port.
I have hosted my SQL on Azure SQL.
From each of the pods in my AKS cluster, I found that it is not able to connect to Azure SQL.
DB Connection:
Data Source=tcp:dbname.database.windows.net,1433;Initial Catalog=dbname;User Id={account};Password={password}
In Azure Portal I have enabled this below.
I double checked the connection string and am able to connect from my local machine, but inside the Kubernetes pod, when I try to telnet to the server it responds:
Connection closed by foreign host.
May I know what is going wrong here?
Azure provides two options for pods running on AKS worker nodes to access a MySQL or PostgreSQL DB instance:
Create a firewall rule on the Azure DB Server with a range of IP addresses that encompasses all IPs of the AKS cluster nodes (this can be a very large range if using node auto-scaling).
Create a VNet Rule on the Azure DB Server that allows access from the subnet the AKS nodes are in. This is used in conjunction with the Microsoft.Sql VNet Service Endpoint enabled on the cluster subnet.
VNet Rules are recommended and preferable in this situation for several reasons. Nodes are often configured with dynamic IP addresses that can change when a node is restarted, resulting in broken firewall rules that reference specific IPs. Nodes can be added to a cluster, which would require updating the firewall rule to add additional IPs. VNet Rules avoid these issues by granting access to an entire subnet of AKS nodes.
Manual steps
Configuring a secure networking environment for AKS and Azure DB requires the following:
AKS cluster setup
ResourceGroup: a logical grouping of resources required for all resources.
VNet: creates a virtual network for the AKS cluster nodes.
Subnet: a range of private IPs for AKS cluster nodes.
Create an AKS cluster using the above resources.
Configure managed service access
VNet Service Endpoint: update the cluster subnet above with a service endpoint for Microsoft.Sql to enable connectivity for the new Azure DB service resource.
Provision managed services with private IPs on the cluster’s network
Provision managed Azure DB service instances: PostgreSQL, MySQL.
VNet Rule for each managed service instance to allow traffic from all nodes in the cluster subnet to a given Azure DB service instance (PostgreSQL, MySQL).
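The reasoning in the answer above (IP-range firewall rules break when nodes restart or the cluster scales, while a subnet-based VNet rule does not) as an added worked example; this is not code from the original answer, and the node addresses and the 10.240.0.0/16 cluster subnet are constructed sample values:

```python
from ipaddress import ip_address, ip_network

# Constructed scenario: AKS nodes in a 10.240.0.0/16 cluster subnet. A firewall rule on
# the Azure DB server is a start/end IP range; a VNet rule grants the whole subnet.

class FirewallRule:
    """IP-range rule as configured on an Azure DB server (start and end inclusive)."""
    def __init__(self, start_ip, end_ip):
        self.start = ip_address(start_ip)
        self.end = ip_address(end_ip)

    def allows(self, ip):
        return self.start <= ip_address(ip) <= self.end

class VNetRule:
    """Subnet rule: allows every address in the AKS node subnet."""
    def __init__(self, subnet):
        self.subnet = ip_network(subnet)

    def allows(self, ip):
        return ip_address(ip) in self.subnet

def firewall_rule_covering(node_ips):
    """Smallest start/end range that encompasses the node IPs known right now."""
    addrs = sorted(ip_address(ip) for ip in node_ips)
    return FirewallRule(str(addrs[0]), str(addrs[-1]))

def nodes_blocked(rule, node_ips):
    """Node IPs that the given rule would NOT allow to reach the DB server."""
    return [ip for ip in node_ips if not rule.allows(ip)]

def demo():
    initial_nodes = ["10.240.0.4", "10.240.0.35", "10.240.0.66"]   # constructed
    fw = firewall_rule_covering(initial_nodes)   # rule written for today's nodes
    vnet = VNetRule("10.240.0.0/16")              # rule written for the subnet
    # Autoscaler adds a node; a restarted node comes back with a new dynamic address.
    after_scale = initial_nodes + ["10.240.0.97"]
    after_restart = ["10.240.0.4", "10.240.0.128", "10.240.0.66"]
    return {
        "fw_blocks_after_scale": nodes_blocked(fw, after_scale),
        "fw_blocks_after_restart": nodes_blocked(fw, after_restart),
        "vnet_blocks_after_scale": nodes_blocked(vnet, after_scale),
        "vnet_blocks_after_restart": nodes_blocked(vnet, after_restart),
    }

if __name__ == "__main__":
    for name, blocked in demo().items():
        print(name, blocked)
```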
I have found the issue. Basically, the issue is that AKS is getting the wrong configuration. For the Identity, it doesn't read the proper appsettings.json, which should point to /secrets/*.json
AddEntityFrameworkStores()
I changed the code to retrieve the information from the correct secret, and the app works now.
Sadhu's answer is correct and secure. But first you can quickly check by enabling the traffic as follows.
First select your server from your resource group.
Now in your SQL server enable "Allow Azure services and resources to access this server".
Originally I tried to restrict access from an app service to blob storage using IP addresses; however, it turned out that you can only do this using a Virtual Network: Firewall access from Azure app service to blob storage
I want to be able to achieve this without setting up a point-to-site VPN. The steps I have taken to set up a virtual network in Azure are as follows:
Created Network security group "securitygroup-frontend", added a custom inbound rule called Web with Source: Service Tag, Source service tag: Internet, Source port ranges: *, Destination: Any, Destination port ranges: 80, 443, Protocol: Any, Action: Allow, Priority: 100
Created Virtual Network with address space 192.168.0.0/23 and subnet called frontend with address range 192.168.0.0/26, network security group: securitygroup-frontend, subnet delegation to Microsoft.Web/serverFarms and service endpoints Microsoft.Storage
Went to app service -> Networking -> Configure VNet integration -> Add VNet preview and selected the subnet just created
Went to Storage -> Firewalls and virtual Networking -> Configure VNet integration -> Selected 'Selected networks' and added the virtual network and subnet just created.
I have had to move Azure diagnostics and logs, such as for Key Vault, Service Bus and SQL Azure, to their own blob storage, as these require blob storage outside of a virtual network and can't be made to work inside. The app service is in the Standard plan. The app service, blob storage and virtual network are all in the same region.
This question and answer does not provide any insights: https://social.msdn.microsoft.com/Forums/azure/en-US/9f4d8aeb-68a6-4ec1-9e11-bee2d1301792/allow-access-to-azure-storage-account-only-from-an-app-service?forum=windowsazurewebsitespreview
The above steps, though, block off access from the app service to blob storage, and any assets within return an error: (403) Forbidden. If I remove the Virtual Network from blob storage it works fine. What am I doing wrong?
Yes, you can do this using a VNet, but you need to deploy the web app in a VNet with App Service Environments. You cannot do this with VNet integration. Integrating Azure services to an Azure virtual network enables private access to the service from virtual machines or compute resources in the virtual network. However, a web app in a regular app service plan is multi-tenant. With ASE, you could deploy it into your VNet.
You could get more details and explanation from this similar thread. According to a comment from silent, you could also consider deploying your web app inside a container, which could be deployed in a VNet with some restrictions.
Update
Sometimes the deployment order for networking is important. In your case, you enabled the service endpoint before VNet integration. I suggest removing the NSG restriction in the integrated app subnet VNet for a test. Then you could check the following steps.
Firstly, you could deploy a new VNet integration with an unused subnet. After the VNet Integration is completed and the web app is restarted, you could enable the service endpoint and subnet delegation for this subnet. In the end, you could add the subnet in the firewall of the storage account.
The new version is in Preview and not GA currently. Not all functions might be available. You could also check the following characteristics.
No gateway is required to use the new VNet Integration feature.
You can access resources across ExpressRoute connections without any additional configuration beyond integrating with the ExpressRoute connected VNet.
The app and the VNet must be in the same region.
The new feature requires an unused subnet in your Resource Manager VNet.
Your app must be in an Azure App Service deployment that is capable of scaling up to Premium v2.
Your App Service plan must be a Standard, Premium, or PremiumV2 plan. Production workloads are not supported on the new feature while it is in Preview.
The new VNet Integration feature doesn't work for apps in an App Service Environment.
You cannot delete a VNet with an integrated app.
Route tables and global peering are not yet available with the new VNet Integration.
One address is used for each App Service plan instance. Since subnet size cannot be changed after assignment, use a subnet that can more than cover your maximum scale size. A /27 with 32 addresses is the recommended size as that would accommodate an App Service plan that is scaled to 20 instances.
You can consume Service Endpoint secured resources using the new VNet Integration capability. To do so, enable service endpoints on the subnet used for VNet Integration.
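The subnet-sizing rule in the answer above (one address per plan instance, a /27 recommended for 20 instances, an unused subnet required) as an added worked example; this is not code from the original answer. It assumes the Azure behaviour of reserving 5 addresses per subnet and takes the 192.168.0.0/23 VNet and 192.168.0.0/26 frontend subnet from the question; the candidate subnets are constructed:

```python
from ipaddress import ip_network

# Azure reserves 5 addresses in every subnet (network address, default gateway,
# two Azure DNS addresses, broadcast), so a /27 with 32 addresses leaves 27 usable,
# which covers an App Service plan scaled to 20 instances.
AZURE_RESERVED = 5

def usable_addresses(subnet):
    return max(ip_network(subnet).num_addresses - AZURE_RESERVED, 0)

def smallest_prefix_for(max_instances):
    """Longest prefix (smallest subnet) whose usable addresses cover max_instances."""
    for prefix in range(29, 0, -1):          # /29 is the smallest subnet Azure allows
        if 2 ** (32 - prefix) - AZURE_RESERVED >= max_instances:
            return prefix
    raise ValueError("no IPv4 subnet is large enough")

def check_integration_subnet(vnet_space, existing_subnets, candidate, max_instances):
    """Problems with using `candidate` for VNet Integration; empty list means it is
    unused (no overlap), inside the VNet address space, and large enough."""
    vnet = ip_network(vnet_space)
    cand = ip_network(candidate)
    problems = []
    if not cand.subnet_of(vnet):
        problems.append(f"{candidate} is not inside VNet address space {vnet_space}")
    for existing in existing_subnets:
        if cand.overlaps(ip_network(existing)):
            problems.append(f"{candidate} overlaps existing subnet {existing}")
    usable = usable_addresses(candidate)
    if usable < max_instances:
        problems.append(f"{candidate} has {usable} usable addresses for {max_instances} "
                        f"instances; need at least a /{smallest_prefix_for(max_instances)}")
    return problems

if __name__ == "__main__":
    # VNet and delegated 'frontend' subnet from the question; candidates are constructed.
    for cand in ["192.168.0.64/27", "192.168.0.32/27", "192.168.0.64/28"]:
        result = check_integration_subnet("192.168.0.0/23", ["192.168.0.0/26"], cand, 20)
        print(cand, result or "OK")
```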
I have an Azure Container Instance, and I want to connect to a Kafka that is also in Azure.
If I configure advertised.listeners in Kafka with DNS I can connect; however, with the hostname I cannot.
From ACI I also cannot ping/wget/telnet other internal resources, only other ACIs.
vnet kafka = vnetA
subnet kafka = subnetA
vnet ACI = vnetA
subnet ACI = subnetB
I created the ACI with a private IP.
This article explains how to configure your listeners in this situation: https://rmoff.net/2018/08/02/kafka-listeners-explained/
Regarding your issue of Azure Container Instances connecting with other Azure resources: currently Azure Container Instances only support a private IP and no DNS labels, and the instances can connect with other resources in the same VNet or in a different VNet with peering.
Container groups deployed to a virtual network do not currently support public IP addresses or DNS name labels.
So you can only connect to the ACI with its private IP in the VNet. And it is only a preview version. For more details, see Deploy container instances into an Azure virtual network.