This documentation is for the most recent version of Anthos clusters on Azure, released on August 4. See the Release notes for more information.

Network security groups

This page describes and lists the Azure network security groups (NSGs) required by Anthos clusters on Azure.

Managed NSGs

Anthos clusters on Azure manages the NSGs attached to the virtual network interface card (NIC) of each virtual machine (VM) instance. To further control network traffic, you can add additional NSGs to your subnets.

Anthos clusters on Azure manages required NSG rules automatically. It adds missing NSG rules and removes rules that are no longer necessary. Anthos clusters on Azure also modifies rules based on your Kubernetes Service configuration. For example, when you add a Kubernetes Service of type LoadBalancer, Anthos clusters on Azure adds the corresponding NSG rules.

Rule priorities

Azure NSG rule priorities have a range between 100 and 4096. The lower the priority number, the higher the priority.

By design, Anthos clusters on Azure manages only NSG rules with a priority of 500 or higher. Therefore, if you need to implement a specific rule or create additional rules, you can use NSGs with a priority between 100 and 499.

Azure processes rules in order, starting with the lowest priority number and proceeding upward. When you create a new rule, always choose rule priorities in the 100 to 499 range to avoid conflict with existing Anthos NSG rules.

Application security groups

Anthos clusters on Azure creates two application security groups (ASGs) that apply to the virtual NICs of control planes and worker nodes. Anthos clusters on Azure updates ASGs automatically—for example, when you add a new node pool to a cluster. You can use these ASGs when creating NSG rules.

The Azure Resource Manager (ARM) IDs of the NSG and control plane ASG can be obtained from the output of gcloud container azure clusters describe.

For example, to allow SSH connections to the control plane VMs, run the az network nsg rule create command to create an NSG that references the control plane ASG:

NSG_NAME=$(basename $(gcloud container azure clusters describe \
  CLUSTER_NAME --location=GOOGLE_CLOUD_LOCATION \
  --format 'value(managedResources.networkSecurityGroupId)'))

ASG_CP_NAME=$(basename $(gcloud container azure clusters describe \
  CLUSTER_NAME --location=GOOGLE_CLOUD_LOCATION \
  --format 'value(managedResources.controlPlaneApplicationSecurityGroupId)'))

az network nsg rule create \
  --name AllowSshToControlPlane \
  --nsg-name "${NSG_NAME}" \
  --priority 100 \
  --resource-group "CLUSTER_RESOURCE_GROUP" \
  --access Allow \
  --protocol Tcp \
  --destination-port-ranges 22 \
  --destination-asgs "${ASG_CP_NAME}"

Replace the following:

  • CLUSTER_NAME: the name of your cluster
  • GOOGLE_CLOUD_LOCATION: the Google Cloud location that manages your cluster
  • CLUSTER_RESOURCE_GROUP: the name of the Azure resource group that holds your cluster

For more information about creating a new rule, follow the procedure described in Azure NSG rule creation.

Default NSG rules

When you set up Anthos clusters on Azure, it creates the following NSG rules in your Azure virtual network.

Priority Ports Protocol Source Destination Action Purpose
1000 2380, 2381 TCP Control plane NICs Control plane NICs Allow Control plane etcd communication
1001 443, 8132 TCP Any Control plane NICs Allow Allow accessing the Kubernetes API
1002 10250 TCP Control plane NICs Node pool NICs Allow Control plane to node communications
1003 10250, 10255 TCP Node pool NICs Node pool NICs Allow Node-to-node communication
1004 6081 UDP Node pool NICs Node pool NICs Allow Node-to-node CNI communication
1005 Any Any Azure load balancer Any Allow Allow inbound traffic to load balancer
4096 Any Any Any Any Deny Deny all inbound connections not covered by another rule