This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 83%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKB%3C/text%3E%3C/svg%3E)
Hello,
I run into an issue when placing an AKS cluster behind a BASIC Azure Firewall.
I am basically following this guide: https://learn.microsoft.com/en-us/azure/aks/limit-egress-traffic?tabs=aks-with-system-assigned-identities (with the exception where I use a basic firewall).
My firewall route table looks like this:
Firewall policy contains following application rules:
Then DNAT rules to forward ingress traffic through the Firewall’s public IP.
When I try deploying the cluster into a subnet that has the Firewall RT associated nothing seems to work. Pods get stuck in a “Pending” state. I am using the Azure CNI network type and Calico network policy. One observation I made was that in this case pods do not get the IP assignment based on the subnet. As an example, when I deploy the cluster without the Firewall services get IP assignment with no issues (see the following image). But, with Firewall I get a "-" for Endpoint.
Can someone point me to where the issue can be?
Thank you.
Hello Kasun Buddika
Welcome to Microsoft Q&A Platform, thanks for posting your query here.
Based on the details shared, one possibility for the issue could be on the part where you set the API server authorized IP ranges.
Can you make sure that you have set both the Firewall Public IP and Current IP. If you set one but not the other, then the other address range will be overwritten.
Hope that helps.
Thanks for the prompt response. Are you referring to the application rule I have (allow-api-fqdn)? What do you mean by the current IP? Can you please explain a bit further?
Thank you!!!
Thanks for the prompt response. Are you referring to the application rule I have (allow-api-fqdn)? What do you mean by the Current IP in this case? Can you please explain a bit more?
Thank you!!!!
Hello Kasun Buddika
No, this is for the step “Enable developer access to the API server” – if you created the cluster with –api-server-authorized-ip-ranges.
Can you also please make sure that you have all the outbound rules set depending on all the Azure / AKS services you are using: https://learn.microsoft.com/en-us/azure/aks/outbound-rules-control-egress .