azure-hub-spoke-aks-egress-gateways

Category: Proxy servers
Development tool: HCL
File size: 0KB
Downloads: 0
Upload date: 2023-11-04 17:17:58
Uploader: sh-1993
Description: [Azure AKS Blueprint] Learn how to deploy Azure Hub-Spoke VNETs with AKS and Calico Egress Gateways

File list:
LICENSE (35149, 2023-12-11)
azure/ (0, 2023-12-11)
azure/helm_values/ (0, 2023-12-11)
azure/helm_values/values-calico.yaml (203, 2023-12-11)
azure/main.tf (7064, 2023-12-11)
azure/outputs.tf (918, 2023-12-11)
azure/variables.tf (2137, 2023-12-11)
images/ (0, 2023-12-11)
images/azure-fw.gif (7382672, 2023-12-11)
images/cc-join.gif (2441499, 2023-12-11)
images/egw-routing.png (470139, 2023-12-11)
images/hubspoke.png (99096, 2023-12-11)
manifests/ (0, 2023-12-11)
manifests/bgp-filter.yaml (253, 2023-12-11)
manifests/bgp-route-reflector.yaml (787, 2023-12-11)
manifests/egw-policy.yaml (385, 2023-12-11)
manifests/egw-tenants.yaml (1622, 2023-12-11)
manifests/netshoot.yaml (254, 2023-12-11)
modules/ (0, 2023-12-11)
modules/egress_gateway/ (0, 2023-12-11)
modules/egress_gateway/main.tf (1973, 2023-12-11)
modules/egress_gateway/variables.tf (550, 2023-12-11)
modules/firewall/ (0, 2023-12-11)
modules/firewall/main.tf (4290, 2023-12-11)
modules/firewall/outputs.tf (96, 2023-12-11)
modules/firewall/variables.tf (474, 2023-12-11)
modules/route_server/ (0, 2023-12-11)
modules/route_server/main.tf (1011, 2023-12-11)
modules/route_server/outputs.tf (0, 2023-12-11)
modules/route_server/variables.tf (626, 2023-12-11)
modules/route_table/ (0, 2023-12-11)
modules/route_table/main.tf (511, 2023-12-11)
modules/route_table/variables.tf (567, 2023-12-11)
modules/vnet/ (0, 2023-12-11)
modules/vnet/main.tf (514, 2023-12-11)
modules/vnet/outputs.tf (255, 2023-12-11)
modules/vnet/variables.tf (534, 2023-12-11)
modules/vnet_peering/ (0, 2023-12-11)
... ...

# Enabling Workload-Level Security for AKS with Azure Firewall and Calico Egress Gateway

## Solution Overview

In this repo, we'll develop a foundational reference architecture that aligns with the Azure Well-Architected Framework's [best practices](https://learn.microsoft.com/en-us/azure/architecture/guide/aks/aks-firewall) for network design, with a special emphasis on the [hub-spoke network topology](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/hub-spoke-network-topology). Our goal is to address challenges in pinpointing the source of traffic as it exits the cluster and traverses an external firewall, using [Egress Gateways for Calico](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-azure).

![infra](images/hubspoke.png)

This diagram illustrates our hub-spoke network design and the specific Azure resources used in our reference architecture. Each Spoke VNET shares its Egress Gateway address prefixes with the Azure Route Server located in the Hub VNET, ensuring seamless integration with the Azure network.

![infra](images/egw-routing.png)

Egress traffic from Kubernetes workloads can be directed through specific Egress Gateways (or none at all), guided by advanced [Egress Gateway Policy](https://docs.tigera.io/calico-enterprise/latest/networking/egress/egress-gateway-azure#configure-a-namespace-or-pod-to-use-an-egress-gateway-egress-gateway-policy-method) settings. This configuration creates a distinct network identity suitable for Azure Firewall rule settings.

## Walk Through

We'll use Terraform, an infrastructure-as-code tool, to deploy this reference architecture automatically. We'll walk you through the deployment process and then demonstrate how to utilize Egress Gateways with Calico.

### Prerequisites

First, ensure that you have installed the following tools locally.

1. [azure cli](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli)
2. [kubectl](https://Kubernetes.io/docs/tasks/tools/)
3. [terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli)

### Step 1: Checkout and deploy the Terraform blueprint

Make sure that you completed the prerequisites above and cloned the Terraform blueprint by running the following command in a local directory:

```sh
git clone git@github.com:tigera-solutions/azure-hub-spoke-aks-egress-gateways.git
```

Navigate to the `azure` subdirectory and then deploy the infrastructure. If the names `demo-hub-network` and `demo-spoke-networks` are already taken, you will want to edit the [variables.tf](azure/variables.tf) file in Terraform to use custom names for your Hub and Spoke Azure Resource Groups.

```sh
cd azure
terraform init
terraform apply
```

Update your kubeconfig with the AKS cluster credentials:

```sh
az aks get-credentials --name spoke1-aks --resource-group demo-spoke-networks --context spoke1-aks
```

Verify that Calico is up and running in your AKS cluster:

```sh
kubectl get tigerastatus
```

```sh
NAME        AVAILABLE   PROGRESSING   DEGRADED   SINCE
apiserver   True        False         False      9m30s
calico      True        False         False      9m45s
```

### Step 2: Link your AKS Cluster to Calico Cloud

Join your AKS cluster to [Calico Cloud](https://www.calicocloud.io/home) as illustrated:

![infra](images/cc-join.gif)

Verify your AKS cluster is linked to Calico Cloud:

```sh
kubectl get tigerastatus
```

```sh
NAME                            AVAILABLE   PROGRESSING   DEGRADED   SINCE
apiserver                       True        False         False      50m
calico                          True        False         False      49m
cloud-core                      True        False         False      50m
compliance                      True        False         False      49m
image-assurance                 True        False         False      49m
intrusion-detection             True        False         False      49m
log-collector                   True        False         False      50m
management-cluster-connection   True        False         False      49m
monitor                         True        False         False      49m
```

### Step 3: Enterprise-grade Egress Gateways for the Azure Kubernetes Service

Connect your AKS cluster to the Azure Route Server.
Use the first two nodes in the AKS cluster as BGP route reflectors to manage and limit the number of peer connections effectively.

```sh
kubectl apply -f - <
```

```
> GET / HTTP/1.1
> Host: www.tigera.io
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 470 status code 470
< Date: Sun, 03 Sep 2023 12:27:41 GMT
< Content-Length: 70
< Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host www.tigera.io left intact
Action: Deny. Reason: No rule matched. Proceeding with default action.
```

Let's go ahead and activate the Calico Egress Gateways for the cluster. We'll also specify that pods in the default namespace should use the tenant0-egw Egress Gateway.

```
kubectl patch felixconfiguration default --type='merge' -p '{
  "spec": {
    "egressIPSupport": "EnabledPerNamespaceOrPerPod",
    "flowLogsFlushInterval": "15s",
    "flowLogsFileAggregationKindForAllowed": 1
  }
}'
```

Set up the `default` namespace to utilize the Egress Gateway located in the `tenant0-egw` namespace.

```
kubectl annotate ns default \
  egress.projectcalico.org/namespaceSelector="projectcalico.org/name == 'tenant0-egw'"
```

Traffic is now allowed through the Azure Firewall because the incoming requests originate from a specific, recognized CIDR range assigned to the `tenant0` Calico Egress Gateways.

```
kubectl exec -it -n default netshoot -- curl -v http://www.tigera.io
```

You should now be able to get requests through the Azure Firewall. To verify, go to the Azure Firewall located in the hub resource group and select "Logs" under the Monitoring settings. Filter the Application log data to display the last 30 minutes. Look for entries showing that traffic originating from the 10.99.0.0/29 IP range has been successfully allowed to pass outbound through the Azure Firewall to [www.tigera.io](http://www.tigera.io).
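The manual log check above can be turned into a repeatable audit: the point of the Egress Gateway is that the firewall should only ever see the 10.99.0.0/29 prefix as the source of allowed traffic, so an "Allow" from any other address means an application rule is broader than the gateway identity. The following script is an added example, not part of this repo: it parses the free-text application-rule messages that Azure Firewall writes to its diagnostic logs (the message wording, the `tenant0-egw`/`allow-tigera` rule names and the `10.1.0.25` node address are all assumptions or constructed sample data, not values from the blueprint) and counts, per destination, how much allowed traffic carried an Egress Gateway source versus bypassed it.

```python
"""Audit Azure Firewall application-rule log messages for Egress Gateway sourcing.

Added example, not code from the azure-hub-spoke-aks-egress-gateways repo.
The message format below is an assumption about the Azure Firewall
application-rule log text; verify it against your own diagnostic logs.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Egress Gateway prefix the walkthrough expects as the source of allowed egress.
EGW_PREFIX = ipaddress.ip_network("10.99.0.0/29")

# Assumed shape of the application-rule message (the msg field in diagnostics):
# "<HTTP|HTTPS> request from <src>:<port> to <host>:<port>. Action: <Allow|Deny>. ..."
MSG_RE = re.compile(
    r"(?P<proto>HTTPS?) request from (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"to (?P<dst>[^:]+):(?P<dport>\d+)\. Action: (?P<action>Allow|Deny)\.(?P<tail>.*)$"
)
RULE_RE = re.compile(r"Rule Collection: (?P<collection>[^.]+)\. Rule: (?P<rule>[^.]+)\.")


@dataclass
class FirewallEvent:
    src: ipaddress.IPv4Address
    dst: str
    action: str            # "Allow" or "Deny"
    rule: Optional[str]    # "collection/rule" when a rule matched, else None
    detail: str            # remainder of the message (deny reason text, etc.)


def parse_event(line: str) -> Optional[FirewallEvent]:
    """Parse one log message; return None for lines that are not application-rule events."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    tail = m["tail"].strip()
    r = RULE_RE.search(tail)
    rule = f"{r['collection']}/{r['rule']}" if r else None
    return FirewallEvent(ipaddress.ip_address(m["src"]), m["dst"], m["action"], rule, tail)


def from_egress_gateway(ev: FirewallEvent) -> bool:
    """True when the firewall saw an Egress Gateway address as the source."""
    return ev.src in EGW_PREFIX


def audit(lines: Iterable[str], destination: str) -> dict:
    """Count, for one destination host, allowed-via-EGW, allowed-bypassing-EGW and denied events."""
    counts = {"allowed_via_egw": 0, "allowed_bypassing_egw": 0, "denied": 0, "unparsed": 0}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            counts["unparsed"] += 1
            continue
        if ev.dst != destination:
            continue
        if ev.action == "Deny":
            counts["denied"] += 1
        elif from_egress_gateway(ev):
            counts["allowed_via_egw"] += 1
        else:
            # An Allow from outside the EGW prefix: the rule matches more than the gateway identity.
            counts["allowed_bypassing_egw"] += 1
    return counts


def bypass_sources(lines: Iterable[str], destination: str) -> List[str]:
    """Distinct non-EGW source addresses that were allowed to reach destination."""
    seen: List[str] = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev.dst == destination and ev.action == "Allow" and not from_egress_gateway(ev):
            if str(ev.src) not in seen:
                seen.append(str(ev.src))
    return seen


# Constructed sample messages: one deny before the gateway was enabled (node SNAT
# address 10.1.0.25 is made up), two allows via EGW addresses, one allow that
# bypasses the EGW, one event for another host, and one unrelated line.
SAMPLE_LOG = [
    "HTTP request from 10.1.0.25:51234 to www.tigera.io:80. Action: Deny. Reason: No rule matched. Proceeding with default action.",
    "HTTP request from 10.99.0.2:43210 to www.tigera.io:80. Action: Allow. Rule Collection: tenant0-egw. Rule: allow-tigera.",
    "HTTPS request from 10.99.0.3:43211 to www.tigera.io:443. Action: Allow. Rule Collection: tenant0-egw. Rule: allow-tigera.",
    "HTTP request from 10.1.0.25:51240 to www.tigera.io:80. Action: Allow. Rule Collection: tenant0-egw. Rule: allow-tigera.",
    "HTTPS request from 10.99.0.2:43212 to login.microsoftonline.com:443. Action: Allow. Rule Collection: tenant0-egw. Rule: allow-aad.",
    "Some unrelated diagnostic line",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, "www.tigera.io"))
    print("allowed without EGW source:", bypass_sources(SAMPLE_LOG, "www.tigera.io"))
```

In a real deployment you would feed `audit` the `msg` values returned by a Log Analytics query over the firewall's application-rule log for the same 30-minute window the walkthrough inspects by hand; a non-zero `allowed_bypassing_egw` count is the condition to alert on, because it means the source-based rule no longer identifies the tenant.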
![infra](images/azure-fw.gif)

### Cleanup

To teardown and remove the resources created in this example:

```sh
cd azure
terraform destroy --auto-approve
```

or delete the Azure Resource Groups:

```sh
az group delete --resource-group demo-hub-network --no-wait
az group delete --resource-group demo-spoke-networks --no-wait
```
