How to route AKS traffic through internal subnets conditionally?

Time:08-10

Context:

So I have a test script in an AKS Cluster; this script logs into a site using the single sign-on feature with a user from the Azure Active Directory.

The Test Script is located in Cluster A, and the site is located in Cluster B. There are subnets also assigned to the Clusters, and the site is only accessible through the internal VPN. For that, there is a firewall exception for the Cluster A internal node IP range (in this part, I assume there is one for the external IP as well, because the connection works as intended).

The problem:

A new access policy has been created that blocks external access. The access policy forbids specific AAD users to log into this site if the request comes from a public IP.

The first thing that comes to mind is that I have to access the site using the internal IP, not the cluster public IP. This would be the equivalent of setting up VPN access to the site. There has to be an Azure configuration that would allow me to route traffic to internal subnets, but I don't want the cluster to lose internet connection either. The best scenario for me is to connect using the internal IP only when I want the test script to access/test the site, but I have no idea how to do that.

CodePudding user response:

You can specify the outbound type of the AKS Cluster: https://docs.microsoft.com/en-us/azure/aks/egress-outboundtype

Using user defined routing you can specify the egress path. E.g. on Azure Firewall, which is also connected with the VPN/Express Route Gateway to reach other internal resources. https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic#restrict-egress-traffic-using-azure-firewall
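The egress setup the answer points to, as an added example that is not part of the answer or of Microsoft's documentation: a route table sends all cluster egress to an Azure Firewall's private IP, the firewall gets the minimal rules an AKS cluster needs plus one rule for the internal site subnet, and the cluster is created with `--outbound-type userDefinedRouting` so it never gets a public egress IP of its own. Every name, CIDR, subscription id and the firewall private IP are assumptions; the script only prints the Azure CLI commands unless `DRY_RUN=0` is set.

```shell
# Added example (not from the original answer): AKS egress through a user-defined
# route to Azure Firewall, so traffic to VPN-reachable internal subnets leaves the
# cluster from private node IPs while internet egress still works via the firewall.
# All resource names, CIDRs and IPs below are assumptions for illustration.
set -eu

RG="${RG:-rg-aks-udr}"                                  # assumed resource group
LOCATION="${LOCATION:-westeurope}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
VNET="${VNET:-vnet-spoke-a}"
AKS_SUBNET="${AKS_SUBNET:-snet-aks}"
AKS_SUBNET_CIDR="${AKS_SUBNET_CIDR:-10.10.0.0/22}"      # constructed: Cluster A node range
CLUSTER="${CLUSTER:-aks-cluster-a}"
FW_NAME="${FW_NAME:-fw-hub}"
FW_PRIVATE_IP="${FW_PRIVATE_IP:-10.0.1.4}"              # constructed: firewall private IP
SITE_SUBNET="${SITE_SUBNET:-10.20.0.0/24}"              # constructed: internal subnet of the site
ROUTE_TABLE="rt-${CLUSTER}-egress"

# Print the command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s ' "$@"; printf '\n'
  else
    "$@"
  fi
}

# 1. Route table on the AKS subnet: default route to the firewall's private IP.
#    The firewall does not SNAT to RFC 1918 destinations by default, so the site
#    sees the node's private IP; internet-bound flows leave via the firewall's public IP.
create_route_table() {
  run az network route-table create -g "$RG" -n "$ROUTE_TABLE" -l "$LOCATION"
  run az network route-table route create -g "$RG" --route-table-name "$ROUTE_TABLE" \
      -n default-via-firewall --address-prefix 0.0.0.0/0 \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_PRIVATE_IP"
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$AKS_SUBNET" \
      --route-table "$ROUTE_TABLE"
}

# 2. Firewall rules: control-plane and image-pull egress the cluster needs, scoped
#    to the node subnet, plus one rule from the nodes to the internal site on 443.
create_firewall_rules() {
  run az network firewall network-rule create -g "$RG" -f "$FW_NAME" \
      --collection-name aks-required --priority 100 --action allow \
      -n api-udp --protocols UDP --source-addresses "$AKS_SUBNET_CIDR" \
      --destination-addresses "AzureCloud.${LOCATION}" --destination-ports 1194
  run az network firewall network-rule create -g "$RG" -f "$FW_NAME" \
      --collection-name aks-required \
      -n api-tcp --protocols TCP --source-addresses "$AKS_SUBNET_CIDR" \
      --destination-addresses "AzureCloud.${LOCATION}" --destination-ports 9000
  run az network firewall application-rule create -g "$RG" -f "$FW_NAME" \
      --collection-name aks-fqdn --priority 100 --action allow \
      -n aks-fqdn-tag --source-addresses "$AKS_SUBNET_CIDR" \
      --protocols 'http=80' 'https=443' --fqdn-tags AzureKubernetesService
  run az network firewall network-rule create -g "$RG" -f "$FW_NAME" \
      --collection-name internal-site --priority 110 --action allow \
      -n cluster-a-to-site --protocols TCP --source-addresses "$AKS_SUBNET_CIDR" \
      --destination-addresses "$SITE_SUBNET" --destination-ports 443
}

# 3. Cluster with user-defined routing: no public load balancer is provisioned
#    for egress, so every outbound packet follows the route table above.
create_cluster() {
  subnet_id="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RG}/providers/Microsoft.Network/virtualNetworks/${VNET}/subnets/${AKS_SUBNET}"
  run az aks create -g "$RG" -n "$CLUSTER" -l "$LOCATION" \
      --network-plugin azure --vnet-subnet-id "$subnet_id" \
      --outbound-type userDefinedRouting \
      --service-cidr 10.250.0.0/16 --dns-service-ip 10.250.0.10 \
      --node-count 2 --generate-ssh-keys
}

# Full plan; order matters: the route and firewall rules must exist before the
# cluster is created, or the nodes cannot reach the API server to register.
plan() {
  create_route_table
  create_firewall_rules
  create_cluster
}

plan
```

The route is cluster-wide rather than per test run: the firewall, not the node, decides which destinations are reachable, so "internal only when testing" becomes a firewall rule from the node subnet to the site subnet, and everything else keeps its internet path through the firewall's public IP. Compare the printed commands with the AKS egress documentation linked in the answer before running with `DRY_RUN=0`, since the required rule set changes between AKS versions.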
