how to set dns to azure aks? - azure

I am currently using Azure AKS.
I have a frontend application which uses a LoadBalancer service to get a public IP for accessing the service.
Should I just point my domain name to the public IP address?
Because the IP is dynamic, if the pod is destroyed and recreated, a new IP is generated.
Should I use an Ingress/Nginx controller to manage the IP?

You can use an A record that points to the external IP address.
You can change the public IP address to static via the Azure portal; this way, restarting the service will not change the IP.
But in Azure, if we delete the AKS cluster, the public IP address will be collected by the Azure platform, and we will lose this IP address.

You can use kubernetes-incubator/external-dns to automatically update the A record in your Azure DNS zone with the (dynamic) IP of the Azure load balancer or Ingress controller. Read here how to set it up.
You're not limited to using Azure DNS; you could use other providers too. In v0.4: Google CloudDNS, AWS Route 53, AzureDNS, CloudFlare, DigitalOcean, DNSimple, Infoblox.

Should I just direct my domain name to the public IP address?
As Mohit said, we can set a static public IP via the Azure portal and map your domain name to that public IP address.
Because the IP is dynamic, if the pod is destroyed and recreated, a new IP is generated.
By default, when AKS exposes pods to the Internet it creates a Kubernetes service, and the public IP address belongs to that service.
If one pod is not working (with multiple pods), AKS will create another pod in your service and that will not get a new public IP. But if you only have one pod in that service and re-create that pod, we will get a new public IP address.
For now, Azure does not support keeping the public IP address for the AKS service.
Hope this helps.
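The static-IP approach from the first and third answers and the external-dns approach from the second, combined in one manifest as an added example (not code from any of the posters). It assumes a static public IP has already been created in the AKS node resource group and that external-dns with the Azure provider is running in the cluster; the service name `frontend`, the hostname `app.example.com`, the address `20.0.0.10` and `<node-resource-group>` are placeholders. `loadBalancerIP` is the Service field used to pin the IP at the time these answers were written.

```yaml
# Added example, not from the original answers. Placeholder values throughout.
# Assumes a static public IP created beforehand in the AKS node resource group:
#   az network public-ip create --resource-group <node-resource-group> \
#     --name frontend-ip --allocation-method Static
#   (add --sku Standard if the cluster's load balancer is Standard SKU)
# and external-dns deployed in the cluster with the Azure provider configured.
apiVersion: v1
kind: Service
metadata:
  name: frontend
  annotations:
    # external-dns creates and keeps updating the A record for this name in
    # the Azure DNS zone, so a changed load balancer IP is followed automatically.
    external-dns.alpha.kubernetes.io/hostname: app.example.com
    # Only needed when the static IP lives outside the node resource group:
    # service.beta.kubernetes.io/azure-load-balancer-resource-group: <other-rg>
spec:
  type: LoadBalancer
  # Pin the Azure load balancer frontend to the pre-created static IP. If the
  # IP cannot be found in the resource group the EXTERNAL-IP stays <pending>,
  # which is the first thing to check with `kubectl get svc frontend`.
  loadBalancerIP: 20.0.0.10
  selector:
    app: frontend
  ports:
    - name: http
      port: 80
      targetPort: 8080
```

Deleting the cluster does not delete a public IP you created yourself in this way, which addresses the caveat in the first answer; the IP is only lost when Azure created it implicitly for the service.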

Related

Azure Container Group behind application gateway with public IP

I have an application gateway with frontend public IP address, connected to a VNET via its subnet and using a single backend pool that points to a container group in the same VNET but different subnet.
The backend pool points to the IP address of the container group. That works!
But I don't want to rely on an IP address that could change anytime with the container restart. I already use a private DNS zone linked to the VNET. The container group is accessible as "mycontainer.my-azure.com" from the VNET thanks to the A record in my private DNS zone.
But putting "mycontainer.my-azure.com" as the FQDN of the backend pool does not work. It works with the IP address "172.22.44.5" but "mycontainer.my-azure.com" does not resolve, backend health shows "Unknown". I tried restarting the APP GW from AZ CLI to no avail.
Does anyone know how to make APP GW use the VNET's private DNS zone in its backend pool?
If the application gateway backend pool contains an internally resolvable FQDN or a private IP address, the application gateway routes the request to the backend server by using its instance private IP addresses. Make sure the FQDN in the backend pool can be resolved internally.
You can verify the following configuration, it works on my side. I am using the Standard V2 SKU application gateway. The application gateway and container group were deployed into the same VNet but different subnets with no firewall rules. I use this example for deploying ACI.
Screenshots of the working configuration (images not reproduced): backend pool, HTTP setting, listener, health probe, private DNS zone.

FQDN for Azure VNG dynamic IP

I'm aware that Azure does not support a static IP address on their VNG. Is it possible in any way to configure an FQDN for the VNG in such a way that when the IP address changes due to a restart, the connection would still be maintained as long as the DNS record is mapped to the new IP? I will appreciate 3rd-party suggestions from the Azure marketplace.
Of course, yes. You can create an alias record set for the public IP with the type Azure resource in the DNS zone. Then the DNS zone will route your requests to that public IP, no matter if the IP address changes.
By the way, when you use the VPN, you install the client and connect to the Azure VNet from your local network; in this step, you do not care about the public IP of the VPN. So I don't think you need to configure the FQDN for the public IP of the VPN. Of course, maybe you have a special reason. This is just advice.

Outgoing ip using ACI in a VNET

I'm using ACI in a private VNET. My problem is, the outgoing IP from this container is not my public IP used in the Azure Gateway; it is some random IP.
Is there some way to fix this outgoing IP for a container using ACI?
OBS: I tested with a public container; I had a public IP for incoming, but for outgoing it was different :|
Thanks!
For your issue, when you create the ACI in the VNET, you can only access the resources inside the VNET and the outgoing IP is a private IP of the VNET, so the IP is static if you do not delete the ACI.
When you create a public ACI, it can access the Internet. In this case, as I think, the ACI has two public IPs: one is the public IP or the FQDN of the ACI to access it from the Internet, and the other is the public IP of the host machine that the ACI is deployed on. When you access the ACI from the Internet, you need to use the public IP or the FQDN which Azure provides you. But when you access the Internet from inside the ACI, the outgoing IP is the host machine's public IP. You cannot decide which host machine you use, and so neither the public IP of the host machine.
If you need to decide the outgoing IP and it must be a static one, you can install the Docker server in a VM with a static public IP, then create containers in the VM. Then the outgoing IP is the public IP of the VM.
Or you can use AKS, create the pod and associate it with a service that uses the LoadBalancer type. Then the outgoing IP is also static and it's the service public IP.

Limit access to public ip (whitelist)

I want to set up a Kubernetes cluster with a load balancer. Kubernetes will create a load balancer in Azure and connect a public IP address to it.
But I don't want to make the API public; it should be exclusive to my API Management service.
I tried to direct the load balancer into a VNet with the API service but I found nothing.
So I thought I could just limit access to the public IP (a whitelist with only the included IP of my service) but I found nothing on the internet.
Is it possible to set such a rule on a public IP or do I need some extra service for this problem?
With Kubernetes, assuming you have a service defined, use the following commands:
kubectl get service
kubectl edit svc/<YOUR SERVICE>
Change the type from LoadBalancer to ClusterIP.
Now you can consume the service internally.
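Two Service manifests as an added example (not code from the answer above): the first is the ClusterIP service the answer describes, which removes the public IP entirely; the second keeps the Azure public load balancer but restricts callers with `loadBalancerSourceRanges`, the standard Kubernetes field for this, which on AKS the cloud provider turns into network security group rules on the node subnet. The names `my-api`, `my-api-public` and the address `203.0.113.7` are placeholders; substitute the public IP of your API Management instance.

```yaml
# Added example, not from the original answer. Placeholder names and addresses.
# Option A: exactly what the answer describes. No public IP at all; the API is
# reachable only from inside the cluster (other pods, or an ingress in front).
apiVersion: v1
kind: Service
metadata:
  name: my-api
spec:
  type: ClusterIP
  selector:
    app: my-api
  ports:
    - port: 80
      targetPort: 8080
---
# Option B: keep a public load balancer but accept traffic only from the API
# Management service's public IP. On AKS the cloud provider writes these ranges
# into NSG rules for the nodes; connections from any other source are dropped.
apiVersion: v1
kind: Service
metadata:
  name: my-api-public
  annotations:
    # Alternative to B: give the load balancer a private IP inside the VNet
    # instead of a public one (uncomment and drop loadBalancerSourceRanges).
    # service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  loadBalancerSourceRanges:
    - 203.0.113.7/32   # placeholder: API Management instance public IP
  selector:
    app: my-api
  ports:
    - port: 443
      targetPort: 8443
```

After applying option B, `kubectl describe svc my-api-public` lists the source ranges, and the generated NSG rule on the node network security group should show the same /32 as its source; a connection attempt from any other address times out rather than being refused.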

Azure Virtual Network / VM's Setup to Share One Public IP

I've recently set up a point-to-site VPN on Azure. In doing so I have created:
Azure Virtual Network
Azure Virtual Network Gateway
Azure Virtual Network Gateway IP (static)
Azure VM
I was under the impression that any VM set to use the above-said Virtual Network would all share the same public IP? However, it appears that the Azure VM I set up is instead using its own dynamic public IP.
Is there a way to route any VM on the custom Virtual Network I created through one public IP? If so, how can I do this?
According to your description, you have created a point-to-site VPN. In this scenario, we can remove the public IP addresses from the VMs; then you can access your VMs with private IP addresses via the VPN.
You are correct - I have the VPN working correctly. My only concern is this: it'd be great if any of those VMs in that private network shared the same static IP; that way I could grant access to that IP in my firewall to other systems I have on other hosting platforms (as they are all typically locked down by IP).
It sounds like your reference to availability sets may be the phrase I was looking for to further google. I will check it out and let you know.
Please let me know if anything I added above changes your answer/recommendations :)
I was under the impression that any VM set to use the above-said Virtual Network would all share the same public IP?
You are talking about the Azure ASM model (classic). In the ASM model, VMs can use the same public IP address (NAT).
However, it appears that the Azure VM I set up is instead using its own dynamic public IP.
In the Azure Resource Manager model, we can create Azure VMs with different public IP addresses.
Is there a way to route any VM on the custom Virtual Network I created through one public IP?
According to your description, you have created a point-to-site VPN. In this scenario, we can remove the public IP addresses from the VMs; then you can access your VMs with private IP addresses via the VPN.
If you want to access those VMs from the Internet and use one public IP address, we can create the VMs in the same availability set, deploy an Internet-facing load balancer, then add NAT rules to them; in this way, we can access those VMs using the same public IP address and different ports.