
When I create an AKS cluster using the Azure Portal, it creates a VNET with a single subnet in it. The subnet does not have any NSG associated with it, as shown below:

[screenshot: the AKS subnet with no network security group attached]

To my understanding, having a subnet without any NSG is a bit unusual. I wanted to add a plain empty NSG to the subnet. As soon as I add any NSG to the above subnet, the AKS is not functional anymore until I remove the NSG.

I was expecting that adding a plain minimal NSG to the above subnet should not block anything.

What is the difference between a subnet without any NSG and one with a default empty NSG?

Allan Xu
  • NSG comes with its own set of default rules. Please check if those rules are blocking connection to/from AKS cluster. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#default-security-rules – Vineet Desai Sep 07 '21 at 04:21

1 Answer


When you create an NSG, Azure creates some default rules. Please refer to the docs here: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

A network security group filters traffic for VMs like the AKS nodes. As you create Services, such as a LoadBalancer, the Azure platform automatically configures any necessary network security group rules.

You don't need to manually configure network security group rules to filter traffic for pods in an AKS cluster. Simply define any required ports and forwarding as part of your Kubernetes Service manifests. Let the Azure platform create or update the appropriate rules.

You can also use network policies to automatically apply traffic filter rules to pods.
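To make the "default rules" point from the comment and this answer concrete, here is an added example (not code from the question, the answer, or Azure) that models how an NSG evaluates a flow: rules are tried in ascending priority order, the first match decides, and the three built-in inbound and three built-in outbound rules sit at priorities 65000-65500 behind anything you or the platform add. The rule names, priorities and service tags are the documented defaults; the service-tag matching is a deliberately simplified assumption (exact tag equality, with `*` as a wildcard), and `SERVICE_RULE` is a constructed stand-in for the kind of allow rule the Azure platform adds when a LoadBalancer Service exposes port 80.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """One NSG security rule (simplified model of the Azure object)."""
    name: str
    priority: int        # lower number is evaluated first
    direction: str       # "Inbound" or "Outbound"
    source: str          # service tag or "*"
    destination: str     # service tag or "*"
    port: str            # "*" or a single destination port as text
    access: str          # "Allow" or "Deny"


# The rules every NSG carries on creation (names and priorities as documented
# by Azure; 0.0.0.0/0 destinations are written as "*" in this model).
DEFAULT_RULES: List[Rule] = [
    Rule("AllowVNetInBound", 65000, "Inbound", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "*", "Internet", "*", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "*", "Deny"),
]

# Constructed example of the higher-priority allow rule the platform adds for
# a Kubernetes Service of type LoadBalancer on port 80 (name and priority are
# illustrative assumptions, not the exact values Azure generates).
SERVICE_RULE = Rule("k8s-lb-port80-example", 500, "Inbound", "Internet", "*", "80", "Allow")


def _matches(rule_value: str, flow_value: str) -> bool:
    """Simplified service-tag matching: '*' matches anything, else exact tag."""
    return rule_value == "*" or rule_value == flow_value


def evaluate(rules: List[Rule], direction: str, source: str,
             destination: str, port: int) -> Tuple[str, str]:
    """Return (rule name, access) of the first rule, by priority, matching the flow.

    This mirrors the NSG processing order: rules for the flow's direction are
    checked from lowest priority number upward and evaluation stops at the
    first match. The catch-all Deny* rule at 65500 guarantees there is always
    one, so the empty tuple is never returned for a well-formed rule set.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if not (_matches(rule.source, source) and _matches(rule.destination, destination)):
            continue
        if rule.port != "*" and rule.port != str(port):
            continue
        return rule.name, rule.access
    return "", "Deny"  # unreachable with the default rules present


def explain(rules: List[Rule], direction: str, source: str, destination: str, port: int) -> str:
    """Human-readable verdict for a flow, handy when auditing an NSG."""
    name, access = evaluate(rules, direction, source, destination, port)
    return f"{direction} {source} -> {destination}:{port} = {access} (matched {name})"


if __name__ == "__main__":
    # With only the default rules: node-to-node and load-balancer probe traffic
    # is allowed, but anything arriving from the Internet is denied.
    print(explain(DEFAULT_RULES, "Inbound", "VirtualNetwork", "VirtualNetwork", 10250))
    print(explain(DEFAULT_RULES, "Inbound", "AzureLoadBalancer", "VirtualNetwork", 80))
    print(explain(DEFAULT_RULES, "Inbound", "Internet", "VirtualNetwork", 80))
    # Once the platform-style allow rule exists, port 80 from the Internet is
    # allowed while every other Internet-sourced port still hits DenyAllInBound.
    with_service = DEFAULT_RULES + [SERVICE_RULE]
    print(explain(with_service, "Inbound", "Internet", "VirtualNetwork", 80))
    print(explain(with_service, "Inbound", "Internet", "VirtualNetwork", 22))
```

When troubleshooting, compare the real rule list (`az network nsg rule list` together with the effective-security-rules view in the portal) against the flows the cluster needs, remembering that a rule with a lower priority number than 65000 always wins over the defaults, in both directions.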