Over the past decade, organizations have increasingly adopted microservices hosted in containers. This shift has created a demand for essential features such as deployment, management, scalability, high availability, security, and monitoring. Azure AKS has emerged to meet these needs, incorporating key components like the Control Plane, Node Pools, Kubernetes resources, Networking, and Storage.
In this article, I will discuss an important aspect called network policies, which are part of the Networking component.
Azure AKS network policies are implemented by the network plugin and control traffic between pods in a cluster. They define rules for how pods can communicate with each other, helping to boost security and keep your container apps more isolated. Network Policies identify pods by their labels and determine which rules apply to them. There are two main types of Network Policies:
- Ingress Policies: Controls incoming traffic by specifying which sources and ports are allowed.
- Egress Policies: Controls outgoing traffic by stating which destinations and ports are allowed.
By default, all ingress and egress connections are open.
Network policy options
- Calico: Calico is popular for its flexible policy enforcement and IP management across different container networks.
- Azure Network Policy Manager (NPM) integrates well with Azure and focuses on basic Kubernetes network policies.
- Cilium for AKS: Cilium uses eBPF for fast, identity-based networking and deep visibility, making it well-suited to complex cases.
The matrix below is from the official Microsoft Learn documentation. It shows the differences between Azure NPM, Cilium, and Calico.
| Capability | Azure Network Policy Manager | Calico | Cilium |
| --- | --- | --- | --- |
| Supported platforms | Linux, Windows Server 2022 (Preview). | Linux, Windows Server 2019 and 2022. | Linux. |
| Supported networking options | Azure Container Networking Interface (CNI). | Azure CNI (Linux, Windows Server 2019 and 2022) and kubenet (Linux). | Azure CNI. |
| Compliance with the Kubernetes specification | All policy types are supported. | All policy types are supported. | All policy types are supported. |
| Other features | None. | While Calico has many features that AKS doesn't block, AKS does not test or support them. | FQDN, L3/4, L7. |
| Support | Supported by the Azure Support and Engineering team. | Supported by the Azure Support and Engineering team. | Supported by the Azure Support and Engineering team. |
Reference: Differences between Network Policy engines: Cilium, Azure NPM, and Calico
How can I implement Network policies?
Network policies are enforced by the cluster's network plugin. Such plugins are built on the Container Network Interface (CNI), a specification and set of libraries for writing container network plugins.
Steps to implement Network Policies

| Name | Description |
| --- | --- |
| default | Namespace for user-created objects without a specified namespace. |
| kube-node-lease | Holds node lease objects for heartbeat and node status updates. |
| kube-public | Publicly readable namespace for cluster-wide information sharing. |
| kube-system | Contains system components and core Kubernetes resources. |
I will explain how to allow or block traffic between pods. For this demonstration, I created three pods: web, db, and app.
By default, as I pointed out above, ingress and egress connections are open.
After starting the pods, I ran a command to check the pod IP addresses.

```shell
kubectl get pods -o wide
```

I wanted to test the database connection to the website, so I ran the command:
```shell
kubectl exec -it db -- sh
```
Right away, I was able to ping the web pod successfully.

I created a new network policy to block access from the db pod to the web. To do so, since we are working in a Linux environment, I used the Nano text editor to create a policy that denies access.
```shell
nano test-deny-policy.yaml
```

Paste the content below into the file, then save it with CTRL + X, press Y to confirm, and hit Enter.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-deny-policy
spec:
  # An empty podSelector selects every pod in the namespace.
  podSelector: {}
  # Ingress is listed but no ingress rules are given, so all
  # incoming traffic to the selected pods is denied.
  policyTypes:
  - Ingress
```
Then, apply the new deny policy:

```shell
kubectl apply -f test-deny-policy.yaml
```
To check the IP addresses of your pods, run this command.
```shell
kubectl get pods -o wide
```

A few lines above, I mentioned that I created three pods to explain how the network policies work. The following case blocks access from any other pod to the DB, except the web pod. To achieve that, I created a new YAML file called AllowWebToDBPolicy.yaml.

```shell
nano AllowWebToDBPolicy.yaml
```

Paste the content below into the file, then save it with CTRL + X, press Y to confirm, and hit Enter.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  # Kubernetes object names must be lowercase DNS-1123 subdomain names,
  # so a mixed-case name such as AllowWebToDBPolicy is rejected by the API server.
  name: allow-web-to-db-policy
spec:
  # Only pods labelled app=db are isolated by this policy.
  podSelector:
    matchLabels:
      app: db
  policyTypes:
  - Ingress
  # The single ingress rule admits traffic from pods labelled app=web;
  # every other source is denied.
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web
```
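As an added example that is not part of the original article, the following Python script applies Kubernetes' ingress semantics to the two manifests above and the three pods, so the effect of each policy can be checked without a cluster. Pods and policies are constructed dicts mirroring the manifests (with names lowercased as Kubernetes requires), and only podSelector.matchLabels is modelled; namespaceSelector, ipBlock and ports are out of scope.

```python
# Added example, not from the article: evaluates Kubernetes NetworkPolicy ingress
# semantics over pods and policies given as plain dicts that mirror the article's
# manifests. Assumes only podSelector.matchLabels (no namespaceSelector/ipBlock/ports).

def selects(selector, pod):
    """An empty selector ({}) matches every pod; otherwise every matchLabels entry must match."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(pod["labels"].get(k) == v for k, v in wanted.items())

def ingress_allowed(policies, src, dst):
    """True if traffic from src to dst is allowed.

    A pod is isolated for ingress only if some policy selects it and lists
    Ingress in policyTypes; it then accepts traffic only if a selecting policy
    has an ingress rule matching src. A policy with no rules is a default-deny.
    """
    applicable = [p for p in policies
                  if "Ingress" in p["spec"].get("policyTypes", [])
                  and selects(p["spec"].get("podSelector"), dst)]
    if not applicable:
        return True  # not isolated: default-open, as the article notes
    for p in applicable:
        for rule in p["spec"].get("ingress", []):
            if not rule.get("from"):
                return True  # a rule without `from` admits every source
            for peer in rule["from"]:
                if "podSelector" in peer and selects(peer["podSelector"], src):
                    return True
    return False

# Constructed pods mirroring the article's three pods.
WEB = {"name": "web", "labels": {"app": "web"}}
DB = {"name": "db", "labels": {"app": "db"}}
APP = {"name": "app", "labels": {"app": "app"}}

# The article's two manifests as dicts (names lowercased, as Kubernetes requires).
DENY_ALL_INGRESS = {"metadata": {"name": "test-deny-policy"},
                    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
ALLOW_WEB_TO_DB = {"metadata": {"name": "allow-web-to-db-policy"},
                   "spec": {"podSelector": {"matchLabels": {"app": "db"}},
                            "policyTypes": ["Ingress"],
                            "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}]}]}}

def demo():
    """db->web with no policy; db->web under deny-all; web->db and app->db under both."""
    return (ingress_allowed([], DB, WEB),
            ingress_allowed([DENY_ALL_INGRESS], DB, WEB),
            ingress_allowed([DENY_ALL_INGRESS, ALLOW_WEB_TO_DB], WEB, DB),
            ingress_allowed([DENY_ALL_INGRESS, ALLOW_WEB_TO_DB], APP, DB))
```

Note that the deny policy alone, because its podSelector is empty, blocks ingress to every pod in the namespace (web included), not only the db-to-web path; the allow policy then re-opens db for web only.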
I reran the command below to list the created pods and verify that the total number is 3.
```shell
kubectl get pods
```

```shell
kubectl exec -it app -- sh
```

I hope you liked it and, most of all, I hope this gives you an idea of what you can do with network policies for your Kubernetes cluster.
