John... One of the best 60 minutes spent. Seriously good lecture, and I sincerely thank you for sharing your hard-earned knowledge.
Still helpful 4 years later! Thank you, good sir!
Not just the best AKS networking tutorial, but probably the best kubernetes networking explanation I’ve seen.
Thank you
4 years later and it's still 100% worth watching. Great presentation!
This is such an amazing lecture. I have to conduct a workshop in 3 hours and I thought of brushing up on the concepts, and now I've finished the video with a bunch of other details I didn't know. I am so confident right now. Thanks a lot!!! Keep teaching us.
Glad it was helpful!
My level of understanding of what is happening is multiplied by 100x with this video - awesome stuff.
Finally at the point where I could thoroughly enjoy this video, and that's what I did. This was about the 4th time I started watching; I always skewed off to ingesting something else, but not this time, and the load balancer crescendo at the end was my reward. Amazing work, thank you.
Thank you, John, for your in-depth videos. I've only been watching your videos for Azure topics since you cover so much depth with your videos.
You know the best way to break a complex topic into small pieces that can be digested. Thanks for all the knowledge sharing.
This is an outstanding explanation of AKS networking. Thank you, John!
Just about to deploy AKS in Dev so this was very timely! A fantastic explanation as ever John, many thanks!
Welcome
This was one of the clearest, most accurate, well-presented Azure tutorials I've seen in a while. Thanks John!
Wow, thanks!
This is really great content. Thanks for taking the time to make this so comprehensive!
Amazing work, mate! Really incredible how easy you make these complicated things look :)
Keep going with this work.
Thank you! Cheers!
Great content and great presentation. The subtle pauses you make give us time to better absorb the information. Thank you!
Glad you liked it!
Really appreciate it. I can't imagine the number of careers saved by this.
Wow, just wow. This was the best course I've seen in AKS networking. Thank you John for sharing all this with us.
Thank you for this. Your delivery is clear and concise, this has cleared up AKS networking for me in a big way.
Great to hear, thanks for watching.
One of the best explanations for understanding AKS. Thank you very much, John!
Hands down the best explanation on AKS networking.
Thanks.
This video has answers to most of your questions. The only requirement is that you need to listen to it completely.
Thanks for helping the community understand this complex topic with a simple explanation. Loved your videos.
Most welcome!
This was great stuff, John. I always love your videos, which are mostly great content & point-to-point explanations.
Very well explained, John; anyone can understand easily the way you explain. Thank you so much.
John, I can't thank you enough. You have explained the topic fantastically well. 👏
Yeah, this is a great explanation of this topic, thank you very much. I don't think this has been done anywhere else in this depth, and it demystified the IP address / overlay NW thing for me. Probably not easy to explain in front of a camera, so great job.
Learning with drawings is so much better, thank you.
Very welcome
Brilliant video ❤️ I was hitting my head trying to connect all the dots related to AKS networking. Then I found your video. It's amazing. You connected all the concepts superbly. Thanks for making this video.
My pleasure 😊
Thanks John, you made something complex simple again. You rock sir!
Thank you, John, great stuff. The info you presented here comes only after dedicating lots of time and work hours to AKS networking; some people use AKS but have no idea how it works and what lies underneath. You overlayed AKS concepts on top of Azure :)
Much appreciated!
We are all indebted to your great contribution to humanity in educating us to a very high standard. May God bless you with all the happiness in life. You can rightly be proud of yourself for doing something that really matters.
that is very kind, thank you.
Thorough explanation of such a complex thread as AKS networking... just perfect!
Thanks!
Awesome!!! Finally, after a long time, I can understand Azure AKS networking.
Awesome!
Excellent, John. This is my first ever comment on any RUclips channel; this is what I had been looking for on RUclips for a long time!!!!👍🏻
Awesome, thank you!
WOW, what an amazing video on AKS. No words. Great job, sir.
So nice of you
What a great explanation, thank you! I love your reaction at 58:32 😁
You're the best! I can't find a better video that explains Azure AKS networking like yours!
Very kind, thank you.
Amazing video... This has cleared up how AKS networking works, especially the App Gateway. Thanks a lot.
Welcome
Just amazing as always!! You are a legend. This really helped me get my head around AKS Networking. Thanks John.
Glad to help!
Excellent explanation, especially in the App GW part.
Thanks John, very clearly explained. I always refer to your videos whenever I need some clarity on concepts. Many thanks!
Awesome stuff and awesome detail; it will probably take two re-runs to understand completely. Thanks, John.
Took me more than two to grasp and plan out :)
Wow! That was an awesome explanation. Thank you, John!
Thank you, thank you, thank you. Great video!!! I have to be able to manage AKS networking overnight and this puts it into perspective.
Great video John! I've immediately subscribed to your channel. A proper deep-dive without skipping any important part, but with a very understandable/consumable explanation. Not boring (because you don't explain fundamentals), so I was able to keep focus and stay HL enough not to be lost in code, YAMLs and whatnot. Thanks for this content (-:
Welcome!
Amazing video John. Looking at what you said regarding having the App Gateway in front of a load balancer, it seems like the most versatile way for L4 and L7 traffic.
App Gateway brings a lot of functionality as a managed offering, and you can add a WAF to it.
You are one of the best teachers around.
Loved this one!! Exactly what I needed.
Great work as always, John.
Thanks for another great video John. You have the best content around.
Very kind, thank you.
Excellent as always. I think I understand this well enough that I can confidently make some choices.
Awesome
Very cool video. This helped me a lot to understand all the AKS network stuff. Thank you very much!
Great to hear
Thank you for this video, I could have watched hours more of this!
Excellent explanation, also smiled a lot during the App Gateway part )
This was exactly the kind of information I needed, especially on the ingress controller vs Azure App Gateway. Thank you very much and keep the videos coming :) One small suggestion I have is to use sections in your videos, as they are quite long. It would make it easier to skim the video and figure out if it contains the information I am looking for. It would be awesome if you could do a comparison of the different ingress controllers that are available in terms of security, performance and features.
I add them to the new ones.
Excellent video. Detailed explanations and demonstrations make all the difference 👍
Thanks!
Thanks for this video. Now I can say that I truly understand how networking in AKS works! :)
Excellent explanation of networking. Superb.
Glad you liked it
Hi John, thanks for an amazing lesson, very thorough!!
Another superb video, John, excellent content.
Very welcome
Awesome. You always make great videos. Thank you so much, I learned a lot from your deep dive videos. Keep sharing your knowledge.
So nice of you
One of the best tutorials. Thank you
Glad you think so!
It is a wonderful lecture. Thanks, John.
Hi John, thanks for the excellent tutorial once again! Quick question: at 41:55, why does the Azure LB only use the NodePort (port 31645 in your case) for the health probe but not send actual application traffic through it? After all, the NodePort is accessible from outside the cluster. Thanks.
Node ports are random and ports can be scarce. I don't want that externally, hence why they're not used for actual services. Instead traffic goes to a worker with floating IP, and kube-proxy works out which pod(s).
@@NTFAQGuy Great, thanks for the prompt reply.
This is helping me better understand AKS networking, but I probably need to see this in action.
Yep, create one
Hi John, good video, like it. But it popped up a few questions. Is it easier to put App Gateway in front of the Azure Load Balancer to get the layer 7 benefits?
But if you have layer 4 between App Gateway and the backends, some of the affinity may be lost since the App Gateway only sees one backend member. Some things, yes, would be benefits.
@@NTFAQGuy Thanks, makes sense. Is the NGINX implementation supported in Azure? Also, on choosing basic vs CNI networking for AKS: I understand pods will have their own IP in CNI vs an internal IP for basic, and that is useful for the App Gateway implementation. Other than this advantage, does CNI provide value if we want to use one cluster to host dev and QA applications?
Thank you! This helped me finally get my head around AKS networking :)
Awesome, glad it helped.
Excellent explanation. It's so structured. Thank you.
Glad you liked it
Awesome! Your channel is a goldmine... I can understand Azure AKS networking...
Glad you enjoy it!
This video is pure gold! Really, really helpful.
Great to hear, thanks!
Amazingly detailed and thorough, thank you!
You're very welcome!
Great video! You're a great teacher. Keep up the good work.
Thanks a lot! That was exactly the level of detail I was looking for. This answered a lot of questions I had about AKS networking :)
Awesome!
Awesome video! Helped a lot to understand the traffic flow, under the hood :)
Glad it helped!
Good presentation. I really like that smart board.
This stuff is worth its weight in gold.
Glad you find it useful!
Great job, John!!! Saved a lot of my time. App Gateway seems to be awkward. With just 1 pod there could be potential downtime.
Remember traffic is not flowing through that pod. It's just to update App GW when a change is made.
Thanks for the great content... very clear and precise.
Another very informative video John, thank you very much.
Thanks!
Thanks John, this was quite helpful, very informative.
Your videos are great; I got a lot of exposure and understanding about CNI after watching this video. I have a question though: the service CIDR and Docker bridge CIDR can be reused among various AKS clusters, right!! What will happen if we have two clusters with the same service and Docker CIDR and both VNets of the AKS clusters are peered? Will there be any impact? Also, what's the suggested address space for the service and Docker CIDRs?
The internal IP ranges are not exposed outside the cluster nodes, so they can overlap with others. Size depends on the planned number of pods etc.
@@NTFAQGuy Thanks once again, you're awesome 🔥
This was pretty awesome John, thanks for what you do... now we need something about storage.
Lol, should have seen that coming. Adding to the list :)
Crystal clear. Really liked it! It would just be nice to have egress included.
I did mention egress when I showed the outbound rule on the LB; that is for egress.
Thank you so much. This was just what I've been looking for. Amazing explanation.
Awesome, thank you
Hi John,
First off, thanks much for your great videos and especially this deep dive one.
I got a question and was hoping that you could shed some light on it.
Because of some design/application constraints, we need to do 1-to-1 NATing on our firewall appliance (CheckPoint FW) for the K8S containers' IP addresses attached to an Azure subnet that's functioning in CNI mode. I was expecting the source IP address of the packets reaching the firewall to be the container's IP address so we can do the 1-to-1 mapping; however, the source IP of the packets is the IP of the node interface that the container is running on.
I wonder if there is a way to change this default behavior to distinguish what container has created the packet, or in other words, the packets come with the containers' source IP and not the Node's IP?
Thanks in advance for taking the time to respond to my question.
I would guess the firewall is in some peered VNet for it to SNAT. It should not SNAT for the same-CIDR VNet (or maybe you changed the VNet IP config at some point). Check the ip-masq-agent iptables rules.
Great channel, cleared a lot of doubts.
Awesome to hear, thanks.
Enjoying this video for today's learning, thanks a lot!
Great video!! Thank you for sharing. Where do we configure the SSL certificate in both cases, App Gateway and NGINX?
Each of them has its own process for certificates; that is not AKS-specific, as AKS is really just hosting workloads. Just search the web for SSL cert for the particular ingress controller, e.g. nginx.
Too good a presentation... very succinct!
Excellent content as usual. I like the t-shirt!
Thanks :) I thought it was pretty awesome :)
Thanks John. Do you have any videos on AKS domain naming, cluster naming, Azure DNS integration, Kubernetes ExternalDNS, CoreDNS, etc.?
John never responds to these types of comments lol. When he has it's "search the channel, if I have something it will be there".
Just amazing. Thank you very much 🙂
Thank you!!! As always quality content
Much appreciated!
Superb... You are a very good teacher... Keep up the good work...
Thanks a lot
Great content as usual John! May I (ab)use your knowledge in order to clarify an architectural doubt? In the case of an nginx ingress solution, I see that the ALB gets a backend pool pointing to the VMSS that supports the cluster node pool. So far, so good. So an incoming packet is routed to a NodePort. However, the destination port that I see in the ALB is *not* showing up in a netstat command performed at the node level. Shouldn't it? Furthermore, a kubectl get svc shows a NodePort number different from the ALB's destination port in the portal.... I'm confused!
ALB does not use the NodePort other than for the health probe. It's the pod that has the ports.
@@NTFAQGuy Yes, I'm aware of that. Still, the ALB routes to the node, right? Which destination port on the selected node? The one specified in the FE config, right? The thing that surprised me is the fact that no one is listening on that port. But the answer always lies in iptables… 😀
@@kamatapa It goes to kube-proxy, which works out where it should go.
Nice video, John! I have a question: could I use an existing subnet instead of using the new one? In my scenario I also have an S2S VPN. Cheers!
You pick the existing subnet.
Discovered you through this video. Great explanation!
Welcome aboard!
Thanks for this amazing video, it really sets stuff out clearly, though in a way it's opened up more questions for me. I kind of inherited an AKS cluster. We use an App Gateway where the backends are manually set to point to a service's internal LB IP for an app. The gateway is in a subnet in the cluster VNet. Is this a bad way to do it? I'm thinking the nginx way you described might be a future way to go.
Hard to 100% follow you, but App Gateway is great and there's no need to switch out for a different L7 unless there was some functionality you needed. Being in the same VNet as the AKS cluster is totally fine and very common. Glad you liked the video.
Hi John, does the pod CIDR range in a kubenet deployment have to come from the subnet where it is hosted?
No
Hi John, thank you so much for this great video! It really helped me understand AKS networking. I have a question related to the use of the external (public) service IP address to identify the internal service in the Kubernetes cluster. How does the worker node see the external (public) IP address in the packets to identify the internal service? My assumption is that the Azure NLB forwards the traffic to the worker node after translating the destination IP address to the IP address of the worker node, so the worker node will never receive traffic with the external (public) IP address in the IP header.
That's floating IP, if you need that.
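The two exchanges above about the ALB destination port nobody listens on and about how a worker sees the public service IP come down to the same mechanism, shown here as an added example that is not from the video or its comments: with floating IP the LB delivers the packet with the frontend IP still as its destination, and kube-proxy's iptables rules in the nat PREROUTING chain DNAT it to a pod before any socket lookup, so no process on the node needs to listen on that port. The rules are a constructed iptables-save excerpt in kube-proxy's chain layout; the IPs, ports and chain hash suffixes are invented.

```python
"""Simulate the kube-proxy iptables NAT chains a node applies to a packet that still
carries the Azure LB frontend IP as its destination (floating IP: the LB does not
rewrite it). Constructed sample: every IP, port and chain suffix below is made up."""
import random
import shlex

SAMPLE_RULES = """
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -d 10.0.123.45/32 -p tcp -m comment --comment "default/web cluster IP" -m tcp --dport 80 -j KUBE-SVC-WEBHASH
-A KUBE-SERVICES -d 20.50.60.70/32 -p tcp -m comment --comment "default/web loadbalancer IP" -m tcp --dport 80 -j KUBE-EXT-WEBHASH
-A KUBE-EXT-WEBHASH -m comment --comment "masquerade traffic for default/web external destinations" -j KUBE-MARK-MASQ
-A KUBE-EXT-WEBHASH -j KUBE-SVC-WEBHASH
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-SVC-WEBHASH -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-POD1
-A KUBE-SVC-WEBHASH -j KUBE-SEP-POD2
-A KUBE-SEP-POD1 -p tcp -m tcp -j DNAT --to-destination 10.240.0.21:8080
-A KUBE-SEP-POD2 -p tcp -m tcp -j DNAT --to-destination 10.240.0.37:8080
"""

# The only matches and targets the simulation models; anything else on a rule
# line (-m tcp, --comment "...", --set-xmark ...) is ignored.
FLAGS = {"-d": ("dst", lambda a: a.split("/")[0]), "-p": ("proto", str),
         "--dport": ("dport", int), "--probability": ("prob", float),
         "-j": ("target", str), "--to-destination": ("to", str)}

def parse_rules(text):
    """Group '-A CHAIN ...' lines by chain name, preserving rule order."""
    chains = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[:1] != ["-A"]:
            continue
        rule = {"prob": 1.0}
        for flag, arg in zip(tok, tok[1:]):
            if flag in FLAGS:
                key, conv = FLAGS[flag]
                rule[key] = conv(arg)
        chains.setdefault(tok[1], []).append(rule)
    return chains

def walk(chains, chain, pkt, rng):
    """Return the DNAT destination reached from `chain`, or None on fall-through."""
    for rule in chains.get(chain, []):
        if any(k in rule and rule[k] != pkt[k] for k in ("dst", "proto", "dport")):
            continue
        if rng.random() >= rule["prob"]:  # -m statistic --mode random
            continue
        target = rule.get("target")
        if target == "DNAT":
            return rule["to"]  # terminal: dst is rewritten before routing/socket lookup
        if target in chains:  # user-defined chain: fall through if it returns
            hit = walk(chains, target, pkt, rng)
            if hit is not None:
                return hit
        # MARK and other non-terminating targets: carry on down this chain
    return None

def resolve(rules_text, dst, dport, proto="tcp", seed=0):
    """Pod ip:port that a packet for dst:dport is DNATed to on this node (or None)."""
    pkt = {"dst": dst, "dport": dport, "proto": proto}
    return walk(parse_rules(rules_text), "PREROUTING", pkt, random.Random(seed))

def endpoint_shares(rules_text, dst, dport, trials=2000):
    """Count which pod each packet lands on: the KUBE-SVC probability rules spread load."""
    chains, rng, counts = parse_rules(rules_text), random.Random(1), {}
    for _ in range(trials):
        hit = walk(chains, "PREROUTING", {"dst": dst, "dport": dport, "proto": "tcp"}, rng)
        counts[hit] = counts.get(hit, 0) + 1
    return counts
```

A packet for the frontend IP on a port the Service does not expose, or with the wrong protocol, falls through every chain and resolves to None, which is the iptables-level reason the ALB probe port and the Service port behave so differently.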