sigs.k8s.io/cluster-api-provider-azure@v1.14.3/docs/book/src/topics/node-outbound-connection.md

# Node Outbound

This document describes how to configure your clusters' node outbound traffic.

## IPv4 Clusters

For IPv4 clusters, i.e. clusters whose CIDR type is `IPv4`, CAPZ automatically configures a [NAT gateway](https://learn.microsoft.com/azure/virtual-network/nat-gateway-resource) for node outbound traffic with the default settings. By default, a cluster is of type IPv4 unless you specify an IPv6 address as the CIDR.

To provide custom settings for a node NAT gateway, configure the NAT gateway in the node `subnets` section of the cluster configuration by setting the NAT gateway's name. A Public IP is also created for the NAT gateway once the NAT gateway name is provided.

```yaml
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureCluster
metadata:
  name: cluster-natgw
  namespace: default
spec:
  location: southcentralus
  networkSpec:
    vnet:
      name: my-vnet
    subnets:
      - name: subnet-cp
        role: control-plane
      - name: subnet-node
        role: node
        natGateway:
          name: node-natgw
          NatGatewayIP:
            name: pip-cluster-natgw-subnet-node-natgw
  resourceGroup: cluster-natgw
```

You can also specify the Public IP name that should be used when creating the Public IP for the NAT gateway.
If you don't specify it, CAPZ automatically generates a name for it.

<aside class="note">

<h1>Note</h1>

You may want more than one gateway within the same virtual network. You can attach additional NAT gateways to different node subnets.
Multiple gateways can't be attached to a single subnet.

</aside>

```yaml
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureCluster
metadata:
  name: cluster-natgw
  namespace: default
spec:
  location: southcentralus
  networkSpec:
    vnet:
      name: my-vnet
    subnets:
      - name: subnet-cp
        role: control-plane
      - name: subnet-node-1
        role: node
        natGateway:
          name: node-natgw-1
          NatGatewayIP:
            name: pip-cluster-natgw-subnet-node-natgw-1
      - name: subnet-node-2
        role: node
        natGateway:
          name: node-natgw-2
          NatGatewayIP:
            name: pip-cluster-natgw-subnet-node-natgw-2
  resourceGroup: cluster-natgw
```

<aside class="note warning">

<h1> Warning </h1>

CAPZ ignores any NAT gateway configuration in the control plane subnet, because a load balancer is always created for the control plane and that load balancer is used for its outbound traffic.

</aside>

## IPv6 Clusters

For IPv6 clusters, i.e. clusters whose CIDR type is `IPv6`, NAT gateway is not supported. IPv6 clusters use a load balancer for outbound connections.

### Public IPv6 Clusters

For public IPv6 clusters, i.e. clusters with the API server load balancer type set to `Public` and the CIDR type set to `IPv6`, CAPZ automatically configures a node outbound load balancer with the default settings.

To provide custom settings for the node outbound load balancer, use the `nodeOutboundLB` section in the cluster configuration.

The `idleTimeoutInMinutes` field specifies the number of minutes to keep a TCP connection open for the outbound rule (defaults to 4). See [here](https://learn.microsoft.com/azure/load-balancer/load-balancer-tcp-reset#configurable-tcp-idle-timeout) for more details.

Here is an example of a node outbound load balancer with `frontendIPsCount` set to 3. CAPZ reads this value and creates 3 front-end IPs for this load balancer.

<aside class="note">

<h1>Note</h1>

You may want more than one outbound IP address if you are running a large cluster that is processing lots of connections.
See [here](https://learn.microsoft.com/azure/load-balancer/load-balancer-outbound-connections#multifesnat) for more documentation about how adding more outbound IP addresses increases the number of SNAT ports available for use by the Standard Load Balancer in your cluster.

</aside>

```yaml
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureCluster
metadata:
  name: my-public-cluster
  namespace: default
spec:
  location: eastus
  networkSpec:
    apiServerLB:
      type: Public
    subnets:
      - cidrBlocks:
          - 2001:0DB8:0000:1::/64
        name: subnet-node
        role: node
    nodeOutboundLB:
      frontendIPsCount: 3
      idleTimeoutInMinutes: 4
```

<aside class="note warning">

<h1> Warning </h1>

Only `frontendIPsCount` and `idleTimeoutInMinutes` can be configured for any node outbound load balancer. Trying to modify any other value results in a validation error.

</aside>

### Private IPv6 Clusters

For private IPv6 clusters, i.e. clusters with the API server load balancer type set to `Internal` and the CIDR type set to `IPv6`, CAPZ does not create a node outbound load balancer by default.
To create a node outbound load balancer, include the `nodeOutboundLB` section with the desired settings.

Here is an example of configuring a node outbound load balancer with 1 front-end IP for a private IPv6 cluster:

```yaml
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureCluster
metadata:
  name: my-private-cluster
  namespace: default
spec:
  location: eastus
  networkSpec:
    apiServerLB:
      type: Internal
    subnets:
      - cidrBlocks:
          - 2001:0DB8:0000:1::/64
        name: subnet-node
        role: node
    nodeOutboundLB:
      frontendIPsCount: 1
```
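As an added example (not code from the CAPZ docs or code base), the following Go checker applies the rules from the NAT gateway and node outbound load balancer sections above to a simplified `networkSpec` before it is applied: it flags a NAT gateway on a control-plane subnet (silently ignored), a NAT gateway on an IPv6 subnet (unsupported), `nodeOutboundLB` fields other than `frontendIPsCount` and `idleTimeoutInMinutes` (validation error), an invalid `cidrBlocks` entry, and a private IPv6 cluster that has no `nodeOutboundLB`. The `NatGateway`, `Subnet` and `NetworkSpec` types are hypothetical stand-ins for the YAML shape shown on this page, not CAPZ's API types.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Hypothetical stand-ins for the AzureCluster networkSpec fields on this page, not CAPZ's real API types.
type NatGateway struct{ Name string }
type Subnet struct {
	Name, Role string      // Role is "control-plane" or "node"
	CIDRBlocks []string
	NatGateway *NatGateway // nil when the subnet has no natGateway
}
type NetworkSpec struct {
	APIServerLBType string         // "Public" or "Internal"
	Subnets         []Subnet
	NodeOutboundLB  map[string]int // keys as written in YAML; nil when the section is absent
}

// Check returns findings for node egress settings that CAPZ would reject or silently ignore.
func Check(n NetworkSpec) []string {
	out, ipv6 := []string{}, false
	for _, s := range n.Subnets {
		v6 := false
		for _, c := range s.CIDRBlocks {
			if p, err := netip.ParsePrefix(c); err != nil {
				out = append(out, fmt.Sprintf("subnet %s: cidrBlock %q is not a valid prefix", s.Name, c))
			} else if p.Addr().Is6() {
				v6, ipv6 = true, true
			}
		}
		switch {
		case s.NatGateway == nil:
		case s.Role == "control-plane": // ignored: control-plane egress uses the control-plane load balancer
			out = append(out, fmt.Sprintf("subnet %s: natGateway %q is ignored on a control-plane subnet", s.Name, s.NatGateway.Name))
		case v6: // NAT gateway is not supported for IPv6 clusters
			out = append(out, fmt.Sprintf("subnet %s: natGateway %q is not supported on an IPv6 subnet", s.Name, s.NatGateway.Name))
		}
	}
	for k := range n.NodeOutboundLB { // only these two fields pass CAPZ validation
		if k != "frontendIPsCount" && k != "idleTimeoutInMinutes" {
			out = append(out, fmt.Sprintf("nodeOutboundLB: field %q is not configurable and fails validation", k))
		}
	}
	if ipv6 && n.APIServerLBType == "Internal" && n.NodeOutboundLB == nil {
		out = append(out, "private IPv6 cluster: nodeOutboundLB is absent, so nodes get no outbound load balancer")
	}
	return out
}
```

Running it over a rendered `AzureCluster` before `kubectl apply` surfaces egress settings that would otherwise be dropped without any error.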