This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 96%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
I have a load balancer in front of a kubernetes cluster. I installed a Fortigate firewall after the fact. I routed traffic from PIP of the firewall to the PIP for the load balancer. I changed DNS to point to the Fortigate PIP for those sites. So now the traffic flows through as expected, but it goes back out through the load balancer's PIP instead of the firewall. So it goes like this:
PIP Firewall --> PIP Load Balancer --> Kubernetes cluster --> PIP load balancer --> Internet.
So I have asynchronous traffic and I can't fully monitor it.
What I need to have happen is this:
PIP Firewall --> PIP Load Balancer --> AKS Cluster --> Fortigate Firewall --> Internet.
This way I can see the traffic in both directions.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 4%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
Hello, @Marty Timberlake !
If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 8%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
Hello @Marty Timberlake ,
Thank you for your question, to ensure that the outgoing traffic from AKS go through the Firewall you need to create a UDR with a hop to Azure Firewall.
The outbound type of UDR requires a route for 0.0.0.0/0 and a next hop destination of NVA in the route table. The route table already has a default 0.0.0.0/0 to the Internet. please check this link .
make sure you create an appropriate DNAT rule in the Firewall to correctly allow ingress traffic check this link for more information
Thank you!
If this has been helpful, please take a moment to accept answers as this helps increase the visibility of this question for other members of the Microsoft Q&A community. Thank you for helping to improve Microsoft Q&A!
I do have a route in the route table from 0.0.0.0/0 to the public interface IP of the firewall. Ingress is routing correctly with the Fortigate. The problem I'm struggling with is getting the AKS cluster to route traffic back to the outside interface on the Fortigate instead of back to the load balancer.
These are not the actual IP's:
Azure public IP (172.174.152.12) routes to the Fortigate interface Port 1 is 10.0.5.4. The traffic comes in on Port 1, and is redirected out Port 1 to the load balancers Public IP (172.175.56.114). The traffic is then routed into the AKS cluster. All of this is working as expected.
It's the egress from AKS I can't figure out. I just need to tell it to egress to 10.0.5.4 instead of 172.175.56.114
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 82%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAZ%3C/text%3E%3C/svg%3E)
sorry, duplicated my answer
Hi Marty,
We have a similar setup. along with the route table that @Ammar suggested, and links included in his answer are very helpful. I just thought to share how we configured it;
To configure the traffic flow as PIP Firewall → PIP Load Balancer → AKS Cluster → Fortigate Firewall → Internet.
Say, the Load Balancer IP is (x.x.x.x) and the Fortigate Firewall (let's say y.y.y.y)
Step 1: Configuring the Fortigate Firewall
Log into the Fortigate Firewall:
Create a Virtual IP (VIP):
Step 2: Setting Up a Firewall Policy
Create a New Policy:
Configure the Policy:
Step 3: Apply Changes
Hope this is helpful .
Thanks for the detail on this. I have most of this in place already. Where I'm struggling is getting AKS to route egress to Port 1 on the firewall instead of back to the load balancer. Right now, the outbound rule point to the Internet. How do I define where the internet is? I am unable to locate what that represents.
Could you please clarify if your intention is to route outbound (egress) traffic from the AKS cluster directly to the Fortigate Firewall, bypassing the Azure Load Balancer?
The typical setup of an AKS always includes an Azure Load Balancer (Public/Private) depends on your design. That Load Balancer handles inbound traffic, and outbound traffic. If the goal is to route egress traffic through the Fortigate Firewall, this would be a deviation from the standard architecture, and I don't think you can actually do that. If your Load Balancer has a public IP, you can create a private AKS cluster, with a private load balancer, then the LB will route all egress traffic to the firewall. Don't have to worry about the NSG. because all traffic is handed by the FW. you only need to allow the traffic between vNets. so, keep the first NSG rule, I would disable the second NSG rule though.
This might help visualize what I'm trying to do. The big issue is that the Dev team built their production environment BEFORE there was any kind of network protection in place. So I have to figure out how to side load this without interrupting those services, aside from changing the public DNS records, and route changes. So I am trying to work through it in a test environment that simulates the production environment.
This is from https://video2.skills-academy.com/en-us/azure/firewall/integrate-lb
Instead of looking at the Azure firewall integration with Standard load balancer, you need to check the integration of AKS with Firewall. https://video2.skills-academy.com/en-us/azure/architecture/guide/aks/aks-firewall
This might be helpful as well.
Control egress traffic using Azure Firewall in Azure Kubernetes Service (AKS)
https://video2.skills-academy.com/en-us/azure/aks/limit-egress-traffic
Thank you AdamZachary. I need to review these. Today has been crazy so it won't be until next week. Thanks!
No worries :)
If you find the provided information helpful and it resolves your query, please consider accepting the answer. Your feedback is valuable and helps ensure the quality and relevance of the responses.