When to use Service Endpoints vs. Egress IPs for accessing firewall-enabled resources?


I am a relative newbie and so wanted to explore the best possible use-cases here w.r.t. Egress IPs and Service Endpoints.

Can somebody shed some light on when to use Service Endpoints vs. Egress IPs for accessing firewall-enabled resources? Some examples would be highly appreciated. We are on Azure.




A Service IP is used to expose a pod running in the Kubernetes cluster (and, most of the time, is only usable within the cluster). In contrast, an egress IP is used when you connect to some service outside the cluster.

For example, if you want to connect to a service outside the Kubernetes cluster and it only accepts connections from certain IPs, then you would use an egress IP. Because each pod may run on any node, the remote service may see the connection coming from any node; in other words, it is not using a fixed IP.

To solve this problem, if a restriction on the IP address is needed on the remote service, you can use an egress IP so the remote service only sees a connection from this egress IP (no matter in which node the pod is running).

And an example for the Service IP would be to expose a web server running on Kubernetes. With a Service IP, the pod running in the cluster can receive connections from remote clients via this IP.

Long story short: an egress IP is for using a fixed IP when connecting to things not running in Kubernetes, while a Service IP is for exposing things running in Kubernetes.

Does this help? :slight_smile:


Thank you very much… That certainly helps.

Just a clarification… when I mentioned "service endpoint", I was referring to a "service endpoint" associated with a Virtual Network in MSFT Azure.


Oh, I really don't know what that Azure thing is :frowning: