Azure AKS CNI Overlay network

Azure AKS introduced a very neat feature: create an AKS cluster in an existing network without modifying the route tables of that network. This is a more secure starting point, since AKS itself no longer needs permission to modify route tables.

The concept is called Azure AKS CNI Overlay network. AKS cluster nodes are created in a virtual network but don't need to modify its routing table. Communication outside of the cluster is done via the all-time champion: NAT.

The minimal permissions needed for the service principal are:

  • Microsoft.Network/virtualNetworks/subnets/read (needed for a private LoadBalancer service)
  • Microsoft.Network/virtualNetworks/subnets/join/action (needed for nodes to join the subnet)

The official Microsoft documentation has a great picture of the architecture.

As the architecture depicts, the node group is created in 192.168.0.0/16; more precisely, the node pool has the 192.168.1.0/24 range. As you can see, pod-to-pod communication is done via NAT. No additional routing needs to be added to the VNet itself.

This is great for setups with strict governance policies over network rules, which is often the case.

Creating AKS with CNI Overlay

Using the Azure CLI, one can create a cluster by executing:

clusterName="myOverlayCluster"
resourceGroup="myResourceGroup"
location="westcentralus"

az aks create \
    --name $clusterName \
    --resource-group $resourceGroup \
    --location $location \
    --network-plugin azure \
    --network-plugin-mode overlay \
    --pod-cidr 192.168.0.0/16 \
    --generate-ssh-keys
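As an added example (not part of the original post), a small Python pre-flight check that applies the constraints discussed above to a constructed `az aks show`-style network profile: the cluster must actually be in Azure CNI overlay mode, the pod CIDR must not overlap the VNet, node subnet or service CIDR (the overlay range is NATed, so any overlap would make addresses ambiguous), and the service principal's role should contain only the two subnet actions listed earlier. The VNet range, node subnet and `roleActions` field are assumptions for the sample, not values from the post.

```python
import ipaddress

# Allowed actions for the cluster's service principal, as listed in the post.
ALLOWED_ACTIONS = {
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
}

# Constructed sample (illustrative values, not from a real cluster): the
# networkProfile block mirrors the shape `az aks show -o json` returns; the
# VNet, node subnet and role actions are what the operator supplied.
SAMPLE = {
    "networkProfile": {
        "networkPlugin": "azure",
        "networkPluginMode": "overlay",
        "podCidr": "192.168.0.0/16",
        "serviceCidr": "10.0.0.0/16",
    },
    "vnetAddressSpace": ["10.224.0.0/12"],
    "nodeSubnet": "10.224.0.0/16",
    "roleActions": sorted(ALLOWED_ACTIONS),
}


def overlay_findings(cfg):
    """Return a list of problems; an empty list means the config passes."""
    findings = []
    net = cfg["networkProfile"]
    if net.get("networkPlugin") != "azure" or net.get("networkPluginMode") != "overlay":
        findings.append("cluster is not using Azure CNI in overlay mode")
    pod = ipaddress.ip_network(net["podCidr"])
    # The pod CIDR is private to the overlay and NATed on egress, so it must
    # not collide with any address the nodes can reach directly.
    ranges = [("vnet", p) for p in cfg["vnetAddressSpace"]]
    ranges += [("nodeSubnet", cfg["nodeSubnet"]), ("serviceCidr", net["serviceCidr"])]
    for label, prefix in ranges:
        if pod.overlaps(ipaddress.ip_network(prefix)):
            findings.append(f"podCidr {pod} overlaps {label} {prefix}")
    # Least privilege: anything beyond the two subnet actions is a finding,
    # route-table actions in particular, since overlay never needs them.
    for action in cfg["roleActions"]:
        if action not in ALLOWED_ACTIONS:
            findings.append(f"role grants unneeded action {action}")
    return findings


if __name__ == "__main__":
    for line in overlay_findings(SAMPLE) or ["overlay configuration looks good"]:
        print(line)
```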