Tag: Networking
-
Restrict access to the IMDS endpoint on Azure Kubernetes Service with Cilium
In today’s blog post, we take a look at restricting access to the Azure IMDS endpoint on an Azure Kubernetes Service (AKS) cluster with Cilium using the BYOCNI approach. The Instance Metadata Service (IMDS) endpoint, also known as short IMDS, can be called directly from every Azure VM or VMSS instance via the following command.…
-
Provide additional metadata information to Cilium for IP addresses outside of the Kubernetes cluster scope
In Cilium, IP addresses that do not belong to the Pod CIDR or Kubernetes Service CIDR range, and some special ranges like the Kubernetes API server, are recognized as the reserved:world identity. So, to say they do not belong to the Kubernetes cluster scope, known to Cilium itself. -> https://docs.cilium.io/en/stable/gettingstarted/terminology/#special-identities When you start using DNS-based…
-
Azure Load Balancer Health Event Logs
In February, Microsoft announced the general availability of the Azure Load Balancer health event logs. -> https://azure.microsoft.com/en-us/updates?WT.mc_id=AZ-MVP-5000119&id=481818 Those health event logs are part of the diagnostic logs of an Azure Load Balancer As seen in the screenshot above, I have configured them on the Azure Load Balancer, part of my Azure Kubernetes Service cluster, and…
-
Using Hubble CLI’s automatic port forwarding
This will be a rather short blog post today, but it will highlight a new feature in the Hubble CLI in version 1.17 and later. Since version 1.17, the option -P has been added to the Hubble CLI. -P enables the automatic port forwarding to the Hubble relay in the Kubernetes cluster. As seen in…
-
Using Cilium Hubble Exporter to log blocked egress traffic on Azure Kubernetes Service
In one of my previous blog posts, I covered how to do egress traffic blocking with Cilium bring-your-own CNI on Azure Kubernetes Service -> https://www.danielstechblog.io/egress-traffic-blocking-with-cilium-cluster-wide-network-policies-on-azure-kubernetes-service/ Today we look into Cilium Hubble Exporter which lets us write Hubble flows to the Cilium agent log output. Thus, Hubble flows can be collected by the logging solution running…
-
Egress traffic blocking with Calico global network policies on Azure Kubernetes Service
In my last blog post, I covered how to do egress traffic blocking with Cilium bring-your-own CNI on Azure Kubernetes Service as Azure CNI powered by Cilium does not officially support Cilium cluster-wide network policies and Cilium CIDR groups. -> https://www.danielstechblog.io/egress-traffic-blocking-with-cilium-cluster-wide-network-policies-on-azure-kubernetes-service/ In addition to the Cilium option on Azure Kubernetes Service, there has been and…