How to find AKS pod's outbound IP for external DB?

Question

Pulumi · Accepted Answer

To find the outbound IP address for AKS pods, the preferred method would be to use a NAT Gateway or an Azure Firewall. These two are high-level components that abstract the management of public IPs for outbound connections.

Here's a program to create an AKS cluster and an Azure Firewall. The pods in the AKS cluster would use the public IP of Azure Firewall as the outbound IP.

```typescript
import * as azure from "@pulumi/azure";
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

// Create an Azure Resource Group
const resourceGroup = new azure.core.ResourceGroup("example-rg", {
    location: azure.Locations.WestEurope,
});

// Create an Azure Active Directory Service Principal
const adApp = new azuread.Application("example-adapp");
const adSp = new azuread.ServicePrincipal("example-sp", { applicationId: adApp.applicationId });
const adSpPassword = new azuread.ServicePrincipalPassword("example-sp-password", {
    servicePrincipalId: adSp.id,
    value: "abc123PASSWORD",
    endDate: "2023-01-01T00:00:00Z",
});

// Set up networking
const virtualNetwork = new azure.network.VirtualNetwork("example-vnet", {
    resourceGroupName: resourceGroup.name,
    addressSpaces: ["10.0.0.0/16"],
});

// Create Subnet for AKS
const subnetAKS = new azure.network.Subnet("example-subnetaks", {
    resourceGroupName: resourceGroup.name,
    virtualNetworkName: virtualNetwork.name,
    addressPrefix: "10.0.1.0/24",
    serviceEndpoints: ["Microsoft.Sql"],
});

// Create Subnet for Azure Firewall
const subnetFirewall = new azure.network.Subnet("example-subnetfw", {
    resourceGroupName: resourceGroup.name,
    virtualNetworkName: virtualNetwork.name,
    addressPrefix: "10.0.2.0/24",
    serviceEndpoints: ["Microsoft.Sql"],
});

// Pulumi will automatically manage Azure Firewall public IP for us
const publicIPForFirewall = new azure.network.PublicIp("firewall-public-ip", {
    resourceGroupName: resourceGroup.name,
    allocationMethod: "Static",
    sku: "Standard",
});

// Azure Firewall to abstract outbound IP
const azureFirewall = new azure.network.AzureFirewall("example-azfw", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    ipConfiguration: {
        name: "example-fwconfig",
        subnetId: subnetFirewall.id,
        publicIpAddressId: publicIPForFirewall.id,
    },
});

// Azure Kubernetes Service (AKS) cluster
const cluster = new azure.containerservice.KubernetesCluster("example-aks", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    dnsPrefix: `${pulumi.getStack()}-kube`,
    defaultNodePool: {
        name: "default",
        nodeCount: 1,
        vmSize: "Standard_D2_v2",
    },
    servicePrincipal: {
        clientId: adApp.applicationId,
        clientSecret: adSpPassword.value,
    },
    networkProfile: {
        networkPlugin: "azure",
        outboundType: "userDefinedRouting",
        serviceCidr: "10.10.0.0/16",
        dnsServiceIp: "10.10.0.10",
        dockerBridgeCidr: "172.17.0.1/16",
    },
});

// Export the AKS cluster kubeconfig & the public IP of the Firewall to access the AKS cluster
export const kubeconfig = cluster.kubeConfigRaw;
export const firewallPublicIp = publicIPForFirewall.ipAddress;
```

Note that the outbound connections from the AKS cluster now use the IP Address of the Azure Firewall, which can be accessed using `firewallPublicIp`.

You can find more about Azure Firewall [here](https://www.pulumi.com/registry/packages/azure-native/api-docs/network/azurefirewall/).