1

we have our AKS running in a private VNET, behind a corporate proxy. The proxy is not a "transparent" proxy and needs to be configured manually an all nodes. Is this a supported behavior? Is it possible to configure worker nodes and all system containers to work via proxy?

Eosfor
  • 81
  • 9

1 Answers1

0

Actually, Azure Kubernetes managed by Azure and in a private Vnet create yourself or Azure. You can use the Load Balancer to transfer the traffic or use ingress. But you just can select one size and type for the nodes when you create the cluster and it seems not support multi size for the nodes currently. Maybe it will be supported in the future on Azure.

For more details about AKS, see Azure Kubernetes Service.

Charles Xu
  • 29,862
  • 2
  • 22
  • 39
  • Hello @Charles, let me rephrase, probably. We've spun up a cluster in a private VNET. Now we need to make sure, that all outgoing communications, including kubelet and others are happening via internal corporate proxy. I mean, that when kubelet reaches out to public API server endpoint of a cluster, it should do this over internal corporate proxy. However this proxy is not a "transparent proxy", and needs to be configured on the AKS worker directly. – Eosfor Sep 10 '18 at 13:45
  • So the qustions are: `1. how to configure kubelet/worker to go via such a proxy 2. how to troubleshoot these connections (as it is https and there is no simple way to capture them to see what is inside) 3. what needs to be put on proxy's side (what should be open on the proxy i.e. ports, domain apexes etc.)` – Eosfor Sep 10 '18 at 13:48
  • I do not understand you clearly with the proxy. Do you mean nginx-ingress in Kubernetes [here](https://kubernetes.io/docs/concepts/services-networking/ingress/)? – Charles Xu Sep 11 '18 at 08:49
  • No, i mean the regular [proxy server](https://en.wikipedia.org/wiki/Proxy_server). Centrally managed piece of an infrastructure, which is used to separate internally running components from the Internet. – Eosfor Sep 11 '18 at 12:13
  • Maybe you can create a VPN between your on-premise and the Azure Vnet. Create the proxy in your on-premise network. See this [link](https://learn.microsoft.com/en-us/azure/aks/internal-lb) that how to access the application in the same private network. – Charles Xu Sep 12 '18 at 03:04
  • The questions not about connecting to internal network. The question is about "how to configure AKS and its components to talk to the internet/API server via internal corporate proxy" – Eosfor Sep 12 '18 at 09:24