Network concepts for applications in Azure Kubernetes Service (AKS)

In a container-based, microservices approach to application development, application components work together to process their tasks. Kubernetes provides various resources that enable this cooperation:

  • You can connect to and expose applications internally or externally.
  • You can build highly available applications by load balancing your applications.
  • For your more complex applications, you can configure ingress traffic for SSL/TLS termination or routing of multiple components.
  • For security reasons, you can restrict the flow of network traffic into or between pods and nodes.

This article introduces the core concepts that provide networking to your applications in AKS:

Kubernetes basics

To allow access to your applications or between application components, Kubernetes provides an abstraction layer over virtual networking. Kubernetes nodes connect to a virtual network, providing inbound and outbound connectivity for pods. The kube-proxy component runs on each node to provide these network features.

In Kubernetes:

  • Services logically group pods to allow direct access on a specific port via an IP address or DNS name.
  • You can distribute traffic using a load balancer.
  • More complex routing of application traffic can also be achieved with Ingress controllers.
  • Security and filtering of the network traffic for pods is possible with Kubernetes network policies.

The Azure platform also simplifies virtual networking for AKS clusters. When you create a Kubernetes load balancer, the underlying Azure load balancer resource is also created and configured. As you open network ports to pods, the corresponding Azure network security group rules are configured. For HTTP application routing, Azure can also configure external DNS as new ingress routes are configured.

Services

To simplify the network configuration for application workloads, Kubernetes uses Services to logically group a set of pods together and provide network connectivity. The following Service types are available:

  • Cluster IP

    Creates an internal IP address for use within the AKS cluster. Good for internal-only applications that support other workloads within the cluster.

    Diagram showing Cluster IP traffic flow in an AKS cluster

  • NodePort

    Creates a port mapping on the underlying node that allows the application to be accessed directly with the node IP address and port.

    Diagram showing NodePort traffic flow in an AKS cluster

  • LoadBalancer

    Creates an Azure load balancer resource, configures an external IP address, and connects the requested pods to the load balancer backend pool. To allow customers' traffic to reach the application, load balancing rules are created on the desired ports.

    Diagram showing load balancer traffic flow in an AKS cluster

    For extra control and routing of the inbound traffic, you may instead use an Ingress controller.

  • ExternalName

    Creates a specific DNS entry for easier application access.

The IP address of a load balancer or Service can either be assigned dynamically, or you can specify an existing static IP address. You can assign both internal and external static IP addresses. Existing static IP addresses are often tied to a DNS entry.

You can create both internal and external load balancers. Internal load balancers are only assigned a private IP address, so they can't be accessed from the Internet.
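The internal load balancer with a static private IP described above, written out as a Service manifest. This is an added example, not a manifest from the original article; the Service name, namespace, subnet name, IP address and ports are assumed values.

```yaml
# Added example (not from the original article): a LoadBalancer-type Service
# that asks AKS for an internal Azure load balancer with a fixed private IP.
# "internal-api", "shop", "apps-subnet" and 10.240.0.250 are assumed values.
apiVersion: v1
kind: Service
metadata:
  name: internal-api
  namespace: shop
  annotations:
    # Create an internal (private) Azure load balancer instead of a public one,
    # so the Service gets a private IP and is unreachable from the Internet.
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    # Optional: place the load balancer frontend in a specific subnet of the
    # cluster's virtual network (the static IP below must belong to it).
    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet"
spec:
  type: LoadBalancer
  # Existing static private IP; omit this field to let Azure assign one dynamically.
  loadBalancerIP: 10.240.0.250
  # Preserve the client source IP for the selected pods. Side effect: the load
  # balancer only forwards to nodes that actually host a matching pod.
  externalTrafficPolicy: Local
  selector:
    app: internal-api
  ports:
    - name: http
      protocol: TCP
      port: 80          # port the Azure load balancing rule listens on
      targetPort: 8080  # container port in the selected pods
```

After `kubectl apply -f`, `kubectl get service internal-api -n shop` shows the private address under EXTERNAL-IP once the Azure load balancer has been provisioned.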

Azure virtual networks

In AKS, you can deploy a cluster that uses one of the following two network models:

  • Kubenet networking

    The network resources are typically created and configured as the AKS cluster is deployed.

  • Azure Container Networking Interface (CNI) networking

    The AKS cluster is connected to existing virtual network resources and configurations.

Kubenet (basic) networking

The kubenet networking option is the default configuration for AKS cluster creation. With kubenet:

  1. Nodes receive an IP address from the Azure virtual network subnet.
  2. Pods receive an IP address from a logically different address space than the nodes' Azure virtual network subnet.
  3. Network address translation (NAT) is then configured so that the pods can reach resources on the Azure virtual network.
  4. The source IP address of the traffic is translated to the node's primary IP address.

Nodes use the kubenet Kubernetes plugin. You can:

  • Let the Azure platform create and configure the virtual networks for you, or
  • Choose to deploy your AKS cluster into an existing virtual network subnet.

Remember, only the nodes receive a routable IP address. The pods use NAT to communicate with other resources outside the AKS cluster. This approach reduces the number of IP addresses you need to reserve in your network space for pods to use.

For more information, see Configure kubenet networking for an AKS cluster.

Azure CNI (advanced) networking

With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly. These IP addresses must be planned in advance and be unique across your network space. Each node has a configuration parameter for the maximum number of pods it supports, and the equivalent number of IP addresses per node is reserved up front. Without planning, this approach can lead to IP address exhaustion or the need to rebuild clusters in a larger subnet as your application demands grow.

Unlike kubenet, traffic to endpoints in the same virtual network isn't NAT'd to the node's primary IP. The source address for traffic inside the virtual network is the pod IP. Traffic that's external to the virtual network is still NAT'd to the node's primary IP.

Nodes use the Azure CNI Kubernetes plugin.

Diagram showing two nodes with bridges connecting each to a single Azure VNet

For more information, see Configure Azure CNI for an AKS cluster.

Compare network models

Both kubenet and Azure CNI provide network connectivity for your AKS clusters. However, there are advantages and disadvantages to each. At a high level, the following considerations apply:

  • kubenet
    • Conserves IP address space.
    • Uses a Kubernetes internal or external load balancer to reach pods from outside of the cluster.
    • You manually manage and maintain user-defined routes (UDRs).
    • Maximum of 400 nodes per cluster.
  • Azure CNI
    • Pods get full virtual network connectivity and can be directly reached via their private IP address from connected networks.
    • Requires more IP address space.

The following behavior differences exist between kubenet and Azure CNI:

Capability | Kubenet | Azure CNI
--- | --- | ---
Deploy cluster in existing or new virtual network | Supported - UDRs manually applied | Supported
Pod-pod connectivity | Supported | Supported
Pod-VM connectivity; VM in the same virtual network | Works when initiated by pod | Works both ways
Pod-VM connectivity; VM in peered virtual network | Works when initiated by pod | Works both ways
On-premises access using VPN or Express Route | Works when initiated by pod | Works both ways
Access to resources secured by service endpoints | Supported | Supported
Expose Kubernetes services using a load balancer service, App Gateway, or ingress controller | Supported | Supported
Default Azure DNS and Private Zones | Supported | Supported

Regarding DNS, with both the kubenet and Azure CNI plugins DNS is provided by CoreDNS, a deployment running in AKS with its own autoscaler. For more information on CoreDNS on Kubernetes, see Customizing DNS Service. By default, CoreDNS is configured to forward unknown domains to the DNS functionality of the Azure virtual network where the AKS cluster is deployed. Hence, Azure DNS and Private Zones work for pods running in AKS.

Support scope between network models

Whatever network model you use, both kubenet and Azure CNI can be deployed in one of the following ways:

  • The Azure platform can automatically create and configure the virtual network resources when you create an AKS cluster.
  • You can manually create and configure the virtual network resources and attach to those resources when you create your AKS cluster.

Although capabilities like service endpoints or UDRs are supported with both kubenet and Azure CNI, the support policies for AKS define what changes you can make. For example:

  • If you manually create the virtual network resources for an AKS cluster, you're supported when configuring your own UDRs or service endpoints.
  • If the Azure platform automatically creates the virtual network resources for your AKS cluster, you can't manually change those AKS-managed resources to configure your own UDRs or service endpoints.

Ingress controllers

When you create a LoadBalancer-type Service, you also create an underlying Azure load balancer resource. The load balancer is configured to distribute traffic to the pods in your Service on a given port.

The LoadBalancer only works at layer 4. At layer 4, the Service is unaware of the actual applications and can't make any further routing decisions.

Ingress controllers work at layer 7 and can use more intelligent rules to distribute application traffic. Ingress controllers typically route HTTP traffic to different applications based on the inbound URL.

Diagram showing Ingress traffic flow in an AKS cluster

Create an ingress resource

In AKS, you can create an Ingress resource using NGINX, a similar tool, or the AKS HTTP application routing feature. When you enable HTTP application routing for an AKS cluster, the Azure platform creates the Ingress controller and an External-DNS controller. As new Ingress resources are created in Kubernetes, the required DNS A records are created in a cluster-specific DNS zone.

Application Gateway Ingress Controller (AGIC)

With the Application Gateway Ingress Controller (AGIC) add-on, AKS customers use Azure's native Application Gateway layer 7 load balancer to expose cloud software to the Internet. AGIC monitors the host Kubernetes cluster and continuously updates an Application Gateway, exposing selected services to the Internet.

To learn more about the AGIC add-on for AKS, see What is Application Gateway Ingress Controller?.

SSL/TLS termination

SSL/TLS termination is another common feature of Ingress. On large web applications accessed via HTTPS, the Ingress resource handles the TLS termination rather than the application itself. To provide automatic TLS certificate generation and configuration, you can configure the Ingress resource to use providers such as "Let's Encrypt".

For more information on configuring an NGINX Ingress controller with Let's Encrypt, see Ingress and TLS.

Client source IP preservation

Configure your ingress controller to preserve the client source IP on requests to containers in your AKS cluster. When your ingress controller routes a client's request to a container in your AKS cluster, the original source IP of that request is unavailable to the target container. When you enable client source IP preservation, the source IP for the client is available in the request header under X-Forwarded-For.

If you're using client source IP preservation on your ingress controller, you can't use TLS pass-through. Client source IP preservation and TLS pass-through can be used with other services, such as the LoadBalancer type.

Network security groups

A network security group filters traffic for VMs like the AKS nodes. As you create Services, such as a LoadBalancer, the Azure platform automatically configures any necessary network security group rules.

You don't need to manually configure network security group rules to filter traffic for pods in an AKS cluster. Simply define any required ports and forwarding as part of your Kubernetes Service manifests, and let the Azure platform create or update the appropriate rules.

You can also use network policies to automatically apply traffic filter rules to pods.

Network policies

By default, all pods in an AKS cluster can send and receive traffic without limitations. For improved security, define rules that control the flow of traffic, such as:

  • Backend applications are only exposed to required frontend services.
  • Database components are only accessible to the application tiers that connect to them.

Network policy is a Kubernetes feature available in AKS that lets you control the traffic flow between pods. You allow or deny traffic to a pod based on settings such as assigned labels, namespace, or traffic port. While network security groups are better suited to AKS nodes, network policies are the more appropriate, cloud-native way to control the flow of traffic for pods. As pods are dynamically created in an AKS cluster, the required network policies can be applied automatically.
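The two rules listed above, expressed as Kubernetes NetworkPolicy manifests: a namespace-wide default deny for inbound traffic, then label-based allow rules for frontend-to-backend and backend-to-database. This is an added example, not part of the original article; the namespace "shop", the tier labels and the port numbers are assumed values.

```yaml
# Added example (not from the original article): NetworkPolicy manifests that
# implement the two rules above. "shop" and the tier labels are assumed names.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  # Empty selector = all pods in the namespace; Ingress with no rules = deny all inbound.
  podSelector: {}
  policyTypes:
    - Ingress
---
# Backend pods accept inbound traffic only from frontend pods, on port 8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      tier: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: frontend
      ports:
        - protocol: TCP
          port: 8080
---
# Database pods accept inbound traffic only from the backend tier, on port 5432.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend-to-database
  namespace: shop
spec:
  podSelector:
    matchLabels:
      tier: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: backend
      ports:
        - protocol: TCP
          port: 5432
```

Policies are additive, so the allow rules punch holes in the default deny; note that the frontend pods also need a policy admitting traffic from the ingress controller's namespace, or they become unreachable too. These manifests only take effect on a cluster created with a network policy plugin (`az aks create --network-policy azure` or `calico`).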

For more information, see Secure traffic between pods using network policies in Azure Kubernetes Service (AKS).

Next steps

To get started with AKS networking, create and configure an AKS cluster with your own IP address ranges using kubenet or Azure CNI.

For associated best practices, see Best practices for network connectivity and security in AKS.

For more information on core Kubernetes and AKS concepts, see the following articles: