1. How to find AKS pod's outbound IP for external DB?


    To get a known, stable outbound IP address for AKS pods, the preferred method is to send the cluster's egress through a NAT Gateway or an Azure Firewall. Both own the public IP(s) used for outbound connections, so the address the external database sees no longer depends on which node or load balancer the traffic happened to leave from, and you can allow-list it on the database side.

    Here's a program that creates an AKS cluster and an Azure Firewall and routes all egress from the cluster's subnet through the firewall. The pods in the AKS cluster then use the public IP of the Azure Firewall as their outbound IP.

    ```typescript
    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";

    // Resource group for everything below
    const resourceGroup = new azure.core.ResourceGroup("example-rg", {
        location: azure.Locations.WestEurope,
    });

    // Single VNet holding both the firewall and the node pool. The CIDRs are
    // illustrative; pick ranges that do not collide with anything you peer or
    // VPN to, and keep the Kubernetes service CIDR (below) outside this space.
    const virtualNetwork = new azure.network.VirtualNetwork("example-vnet", {
        resourceGroupName: resourceGroup.name,
        location: resourceGroup.location,
        addressSpaces: ["10.0.0.0/16"],
    });

    // Subnet for the AKS node pool. Deliberately no service endpoints: a
    // Microsoft.Sql endpoint here would make traffic to Azure SQL bypass the
    // firewall (service-endpoint routes win over the 0.0.0.0/0 UDR), so the
    // database would see the subnet rather than the firewall's public IP.
    const subnetAKS = new azure.network.Subnet("example-subnetaks", {
        resourceGroupName: resourceGroup.name,
        virtualNetworkName: virtualNetwork.name,
        addressPrefixes: ["10.0.1.0/24"],
    });

    // Azure Firewall only deploys into a subnet literally named
    // "AzureFirewallSubnet" of at least /26, so override Pulumi's auto-naming.
    const subnetFirewall = new azure.network.Subnet("example-subnetfw", {
        name: "AzureFirewallSubnet",
        resourceGroupName: resourceGroup.name,
        virtualNetworkName: virtualNetwork.name,
        addressPrefixes: ["10.0.2.0/26"],
    });

    // Static Standard-SKU public IP: this is the address the external DB will see.
    const publicIPForFirewall = new azure.network.PublicIp("firewall-public-ip", {
        resourceGroupName: resourceGroup.name,
        location: resourceGroup.location,
        allocationMethod: "Static",
        sku: "Standard",
    });

    // Azure Firewall that SNATs all outbound traffic to the public IP above
    const azureFirewall = new azure.network.Firewall("example-azfw", {
        resourceGroupName: resourceGroup.name,
        location: resourceGroup.location,
        skuName: "AZFW_VNet",
        skuTier: "Standard",
        ipConfigurations: [{
            name: "example-fwconfig",
            subnetId: subnetFirewall.id,
            publicIpAddressId: publicIPForFirewall.id,
        }],
    });

    // Azure Firewall denies anything it is not told to allow. Allow the egress
    // AKS itself needs (the AzureKubernetesService FQDN tag covers MCR, the API
    // server and friends; the network rules cover the node tunnel and NTP) plus
    // the database. Replace the DB address and port with your own; 1433 here
    // assumes SQL Server and 203.0.113.10 is a documentation placeholder.
    new azure.network.FirewallApplicationRuleCollection("aks-egress-app", {
        resourceGroupName: resourceGroup.name,
        azureFirewallName: azureFirewall.name,
        priority: 100,
        action: "Allow",
        rules: [{
            name: "aks-required",
            sourceAddresses: ["10.0.1.0/24"],
            fqdnTags: ["AzureKubernetesService"],
        }],
    });
    new azure.network.FirewallNetworkRuleCollection("aks-egress-net", {
        resourceGroupName: resourceGroup.name,
        azureFirewallName: azureFirewall.name,
        priority: 100,
        action: "Allow",
        rules: [
            {
                name: "aks-tunnel",
                sourceAddresses: ["10.0.1.0/24"],
                destinationAddresses: ["AzureCloud.WestEurope"],
                destinationPorts: ["1194", "9000"],
                protocols: ["UDP", "TCP"],
            },
            {
                name: "ntp",
                sourceAddresses: ["10.0.1.0/24"],
                destinationAddresses: ["*"],
                destinationPorts: ["123"],
                protocols: ["UDP"],
            },
            {
                name: "external-db",
                sourceAddresses: ["10.0.1.0/24"],
                destinationAddresses: ["203.0.113.10"],
                destinationPorts: ["1433"],
                protocols: ["TCP"],
            },
        ],
    });

    // Force all node/pod egress to the firewall's private IP. Without this route
    // table, outboundType "userDefinedRouting" does nothing (and AKS rejects the
    // cluster at creation because the subnet has no default route).
    const firewallPrivateIp = azureFirewall.ipConfigurations.apply(c => c[0].privateIpAddress!);
    const routeTable = new azure.network.RouteTable("aks-rt", {
        resourceGroupName: resourceGroup.name,
        location: resourceGroup.location,
    });
    new azure.network.Route("default-via-firewall", {
        resourceGroupName: resourceGroup.name,
        routeTableName: routeTable.name,
        addressPrefix: "0.0.0.0/0",
        nextHopType: "VirtualAppliance",
        nextHopInIpAddress: firewallPrivateIp,
    });
    const routeAssoc = new azure.network.SubnetRouteTableAssociation("aks-rt-assoc", {
        subnetId: subnetAKS.id,
        routeTableId: routeTable.id,
    });

    // AKS cluster placed in the routed subnet. A system-assigned managed identity
    // replaces the service principal, so there is no client secret to keep in
    // state or rotate. dependsOn makes sure the route is attached before AKS
    // validates the subnet.
    const cluster = new azure.containerservice.KubernetesCluster("example-aks", {
        resourceGroupName: resourceGroup.name,
        location: resourceGroup.location,
        dnsPrefix: `${pulumi.getStack()}-kube`,
        defaultNodePool: {
            name: "default",
            nodeCount: 1,
            vmSize: "Standard_D2_v2",
            vnetSubnetId: subnetAKS.id,
        },
        identity: { type: "SystemAssigned" },
        networkProfile: {
            networkPlugin: "azure",
            outboundType: "userDefinedRouting",
            serviceCidr: "10.1.0.0/16",   // must not overlap the VNet
            dnsServiceIp: "10.1.0.10",    // inside serviceCidr, not its first address
        },
    }, { dependsOn: [routeAssoc] });

    // kubeconfig is a secret output; firewallPublicIp is the address to allow-list on the DB.
    export const kubeconfig = cluster.kubeConfigRaw;
    export const firewallPublicIp = publicIPForFirewall.ipAddress;
    ```

    Note that outbound connections from the AKS cluster now leave through the public IP of the Azure Firewall, exported as `firewallPublicIp` (read it with `pulumi stack output firewallPublicIp`). That is the single address to allow-list on the external database; traffic that stays inside Azure via a service endpoint or private endpoint does not pass through the firewall and will not carry it.

    You can find more about Azure Firewall in the Azure Firewall documentation.
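The constraints this setup relies on (the firewall subnet's fixed name and minimum size, a 0.0.0.0/0 route through the firewall on the node subnet, a Kubernetes service CIDR outside the VNet, a DNS service IP inside it that is not the reserved first address, and no service endpoints on the node subnet that would let traffic skip the firewall) are easy to get wrong and only surface at `pulumi up` time or, worse, as a database that sees the wrong source address. The following is an added example, not part of the original answer and not a Pulumi or Azure API: a plain-TypeScript pre-flight check over a small `EgressPlan` object whose shape is this example's own assumption. It is run against two constructed plans, one that follows the answer's layout and one carrying the usual mistakes (wrong firewall subnet name, DNS IP on the reserved address, no default route, a Microsoft.Sql service endpoint on the node subnet).

```typescript
// Added example: pre-flight check for an AKS-behind-Azure-Firewall egress plan.
// Pure TypeScript, no Azure or Pulumi calls. EgressPlan is this example's own
// shape (an assumption), not a Pulumi or Azure API type.

interface Subnet { name: string; prefix: string; serviceEndpoints?: string[] }
interface Route { addressPrefix: string; nextHopType: string; nextHopIp?: string }
interface EgressPlan {
  vnetAddressSpace: string;  // VNet CIDR
  aksSubnet: Subnet;         // node (and, with Azure CNI, pod) subnet
  firewallSubnet: Subnet;    // subnet the firewall is deployed into
  aksRoutes: Route[];        // routes in the table associated with the AKS subnet
  outboundType: string;      // AKS networkProfile.outboundType
  serviceCidr: string;       // Kubernetes service CIDR
  dnsServiceIp: string;      // cluster DNS address
}

interface Cidr { base: number; bits: number }

function ipToInt(ip: string): number {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some(o => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// JS shifts are mod 32, so /0 needs its own case
function maskFor(bits: number): number {
  return bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
}

function parseCidr(cidr: string): Cidr {
  const [ip, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  return { base: (ipToInt(ip) & maskFor(bits)) >>> 0, bits };
}

function cidrContainsIp(c: Cidr, ip: number): boolean {
  return ((ip & maskFor(c.bits)) >>> 0) === c.base;
}

function cidrContainsCidr(outer: Cidr, inner: Cidr): boolean {
  return inner.bits >= outer.bits && cidrContainsIp(outer, inner.base);
}

function cidrsOverlap(a: Cidr, b: Cidr): boolean {
  return cidrContainsCidr(a, b) || cidrContainsCidr(b, a);
}

// Returns a list of human-readable problems; empty means the plan is consistent.
function validateEgressPlan(plan: EgressPlan): string[] {
  const problems: string[] = [];
  const vnet = parseCidr(plan.vnetAddressSpace);
  const aks = parseCidr(plan.aksSubnet.prefix);
  const fw = parseCidr(plan.firewallSubnet.prefix);
  const svc = parseCidr(plan.serviceCidr);

  if (!cidrContainsCidr(vnet, aks)) problems.push(`AKS subnet ${plan.aksSubnet.prefix} is outside the VNet`);
  if (!cidrContainsCidr(vnet, fw)) problems.push(`firewall subnet ${plan.firewallSubnet.prefix} is outside the VNet`);
  if (cidrsOverlap(aks, fw)) problems.push("AKS and firewall subnets overlap");

  // Azure Firewall only deploys into a subnet named AzureFirewallSubnet of at least /26.
  if (plan.firewallSubnet.name !== "AzureFirewallSubnet") problems.push(`firewall subnet must be named AzureFirewallSubnet, got ${plan.firewallSubnet.name}`);
  if (fw.bits > 26) problems.push(`firewall subnet ${plan.firewallSubnet.prefix} is smaller than /26`);

  // The service CIDR is virtual but must not collide with any VNet range.
  if (cidrsOverlap(vnet, svc)) problems.push(`serviceCidr ${plan.serviceCidr} overlaps the VNet`);

  // dnsServiceIp must be inside serviceCidr; Kubernetes reserves the first address.
  const dns = ipToInt(plan.dnsServiceIp);
  if (!cidrContainsIp(svc, dns)) problems.push(`dnsServiceIp ${plan.dnsServiceIp} is outside serviceCidr`);
  else if (dns === svc.base + 1) problems.push(`dnsServiceIp ${plan.dnsServiceIp} is the reserved first address of serviceCidr`);

  // userDefinedRouting only works if the AKS subnet's route table sends 0.0.0.0/0
  // to a virtual appliance whose address lies in the firewall subnet.
  if (plan.outboundType === "userDefinedRouting") {
    const viaFirewall = plan.aksRoutes.some(r =>
      r.addressPrefix === "0.0.0.0/0" && r.nextHopType === "VirtualAppliance" &&
      r.nextHopIp !== undefined && cidrContainsIp(fw, ipToInt(r.nextHopIp)));
    if (!viaFirewall) problems.push("no 0.0.0.0/0 VirtualAppliance route to the firewall on the AKS subnet");
  }

  // Service-endpoint routes are more specific than the 0.0.0.0/0 UDR, so traffic to
  // that service skips the firewall and reaches the DB from the subnet, not the firewall IP.
  for (const ep of plan.aksSubnet.serviceEndpoints ?? []) {
    problems.push(`service endpoint ${ep} on the AKS subnet lets that traffic bypass the firewall`);
  }
  return problems;
}

// Constructed sample plans (assumed values, not taken from any real environment).
const goodPlan: EgressPlan = {
  vnetAddressSpace: "10.0.0.0/16",
  aksSubnet: { name: "aks", prefix: "10.0.1.0/24" },
  firewallSubnet: { name: "AzureFirewallSubnet", prefix: "10.0.2.0/26" },
  aksRoutes: [{ addressPrefix: "0.0.0.0/0", nextHopType: "VirtualAppliance", nextHopIp: "10.0.2.4" }],
  outboundType: "userDefinedRouting",
  serviceCidr: "10.1.0.0/16",
  dnsServiceIp: "10.1.0.10",
};

const badPlan: EgressPlan = {
  ...goodPlan,
  aksSubnet: { name: "aks", prefix: "10.0.1.0/24", serviceEndpoints: ["Microsoft.Sql"] },
  firewallSubnet: { name: "example-subnetfw", prefix: "10.0.2.0/26" },
  aksRoutes: [],
  dnsServiceIp: "10.1.0.1",
};

console.log(validateEgressPlan(goodPlan)); // []
console.log(validateEgressPlan(badPlan));  // four problems
```

Run it with `ts-node` before `pulumi up`, feeding it the same CIDRs and names you put in the program; the service-endpoint check in particular is the one that otherwise only shows up as a database firewall rejecting a source address you did not expect.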