Daniel's Tech Blog

Cloud Computing, Cloud Native & Kubernetes

Tag: Networking

  • Implement rate limiting with Istio on Azure Kubernetes Service

    In my last blog post I walked you through the setup of the rate limiting reference implementation: The Envoy Proxy ratelimit service. -> https://www.danielstechblog.io/run-the-envoy-proxy-ratelimit-service-for-istio-on-aks-with-azure-cache-for-redis/ Our today’s topic is about connecting the Istio ingress gateway to the ratelimit service. The first step for us is the Istio documentation. -> https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/ Connect Istio with the ratelimit service…

  • Detecting SNAT port exhaustion on Azure Kubernetes Service

    Running applications on an Azure Kubernetes Service cluster which make a lot of outbound calls might led to a SNAT port exhaustion. In today’s blog article I walk you through how to detect and mitigate a SNAT port exhaustion on AKS. What is a SNAT port exhaustion? It is important to know what a SNAT…

  • Run the Envoy Proxy ratelimit service for Istio on AKS with Azure Cache for Redis

    The Istio sidecar proxy uses Envoy and therefore supports two different rate limiting modes. A local one targeting only a single service and a global one targeting the entire service mesh. The local rate limit implementation only requires Envoy itself without the need for a rate limit service. In contrast the global rate limit implementation…

  • Troubleshooting Azure Kubernetes Service tunnel component issues

    In Azure Kubernetes Service Microsoft manages the AKS control plane (Kubernetes API server, scheduler, etcd, etc.) for you. The AKS control plane interacts with the AKS nodes in your subscription via a secure connection that is established through the tunnelfront / aks-link component. -> https://docs.microsoft.com/en-us/azure/aks/concepts-clusters-workloads#kubernetes-cluster-architecture As you can run the AKS control plane within a…

  • Using distroless images in Istio on Azure Kubernetes Service

    Looking at Docker Hub Istio provides the option using distroless images since version 1.3.0. As it is always a good idea on a Kubernetes cluster to reduce the attack surface, especially when running a managed Kubernetes cluster like Azure Kubernetes Service, using distroless images is one option of it. Per default Istio does not use…

  • Switching to Istio CNI plugin on Azure Kubernetes Service

    You might question yourself, why the switch to the Istio CNI plugin might be useful? Istio uses, and other services meshes too, an init container to adjust the iptables rules for redirecting network traffic to/from the sidecar proxy container. The init container uses NET_ADMIN and NET_RAW capabilities to do the iptables changes and thus has…

WordPress Cookie Notice by Real Cookie Banner