7:[["$","$12",null,{"fallback":null,"children":["$","$L13",null,{"reason":"next/dynamic","children":["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org/\",\"@type\":\"Article\",\"headline\":\"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\",\"image\":\"https://cdn.sanity.io/images/xinsvxfu/production/24098a792e3fa188e6a0d6af9ee08eca96e34e88-2800x1417.png\",\"datePublished\":\"2025-03-03T13:04:00.000Z\",\"dateModified\":\"2024-06-06T05:10:59.000Z\",\"description\":\"This blog post will walk you through deploying Cilium and Egress Gateway in AKS (Azure Kubernetes Service) using BYOCNI as the network plugin.\",\"author\":[{\"@type\":\"Person\",\"name\":\"Amit Gupta\",\"url\":\"https://isovalent.com/\"}]}"}}]}]}],["$","main",null,{"id":"top","children":[["$","header",null,{"className":"restricted mt-10 mb-14","children":[["$","$L18",null,{"href":"/blog/","className":"flex items-center justify-items-center gap-1 mb-6 text-sm font-bold text-action max-w-max","children":[["$","isov-icon",null,{"class":"block rotate-90","name":"arrow-right","size":"small"}],["$","isov-content",null,{"children":["$","span",null,{"className":"ui-text","children":"Blog"}]}]]}],["$","h1",null,{"className":"text-4xl text-nightfall font-bold mb-5 max-w-3xl","children":"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)"}],["$","div",null,{"className":"article-details block sm:flex items-center justify-items-start sm:justify-items-center cursor-default","children":[[["$","isov-avatar","ff5e2eda-05bb-ade9-8831-4dddc66e927d",{"size":"medium","name":"Amit Gupta","class":"mr-1","children":["$","$L19",null,{"src":"https://cdn.sanity.io/images/xinsvxfu/production/19b2e7212433d6c85f9a7cbb62beb590d8044fa0-528x1009.jpg?auto=format&q=80&fit=clip&w=200","alt":"Amit Gupta Image","slot":"avatar","height":200,"width":200}]}]],["$","div",null,{"className":"text-charcoal","children":[["$","span",null,{"className":"hidden sm:inline","children":"| "}],["$","span",null,{"children":["Published:"," ",["$","strong",null,{"className":"font-bold","children":"June 6, 2024"}],[" ","| Updated:"," ",["$","strong",null,{"className":"font-bold","children":"March 3, 2025"}]]]}]," | ",[["$","$L1a","2159f293-7dd2-46f3-9b11-bf943ad2ae98",{"href":"/blog/networking-for-kubernetes","className":"inline-block text-action hover:underline font-bold pr-1","children":["Networking for Kubernetes",false]}]]]}]]}]]}],["$","section",null,{"id":"page-content","className":"mb-8","children":["$","$12",null,{"fallback":null,"children":["$","$L13",null,{"reason":"next/dynamic","children":["$","$L1b",null,{"content":[{"_key":"0413203e-f032-478d-a951-67626c88bf93","_type":"block","children":[{"_key":"a3063ce9-d6be-4f92-9e41-51c7626e9eda","_type":"span","marks":[],"text":"Kubernetes changes the way we think about networking. In an ideal Kubernetes world, the network would be flat, and the Pod network would control all routing and security between the applications using Network Policies. In many Enterprise environments, though, the applications hosted on Kubernetes need to communicate with workloads outside the Kubernetes cluster, subject to connectivity constraints and security enforcement. Because of the nature of these networks, traditional firewalling usually relies on static IP addresses (or at least IP ranges). This can make it difficult to integrate a Kubernetes cluster, which has a varying and, at times, dynamic number of nodes, into such a network. Cilium’s Egress Gateway feature changes this by allowing you to specify which nodes should be used by a pod to reach the outside world. "},{"_key":"19fc2e36-acf9-4b73-85f1-ee0ed8c1bab1","_type":"span","marks":["strong"],"text":"This blog post will walk you through deploying Cilium and Egress Gateway in AKS"},{"_key":"16c8908c-b28c-4ea5-8d9a-348fb3670b7b","_type":"span","marks":[],"text":" "},{"_key":"969e4cfe-ddce-4c5a-abf7-98b90d3a905e","_type":"span","marks":["strong"],"text":"(Azure Kubernetes Service)"},{"_key":"53e03c17-26de-4a66-b497-f39b4bb89ef9","_type":"span","marks":[],"text":" "},{"_key":"bcd75d03-c556-406a-b7df-8d3cb410fb1d","_type":"span","marks":["strong"],"text":"using BYOCNI as the network plugin"},{"_key":"f78c61d4-cc29-4fab-b60e-b444397a6165","_type":"span","marks":[],"text":"."}],"markDefs":[],"style":"normal"},{"_key":"f3e91345-d1cb-4616-98a7-24add5bd1d22","_type":"block","children":[{"_key":"25bbf436-5d57-4f51-a410-802a6ffbcde9","_type":"span","marks":[],"text":"What is an Egress Gateway?"}],"markDefs":[],"style":"h2"},{"_key":"85e447a9-ba21-4b63-adf9-29a7d5d3b2b2","_type":"block","children":[{"_key":"d2ce9ae2-5bcb-4a51-891f-0c0d49c623c2","_type":"span","marks":[],"text":"The egress gateway feature allows redirecting traffic originating in pods destined to specific CIDRs outside the cluster to be routed through particular nodes."}],"markDefs":[],"style":"normal"},{"_key":"226de337-9d3c-4d0b-a704-c4e9bfd71d43","_type":"block","children":[{"_key":"cd4160fb-c147-4a66-81b4-3f21202c7d37","_type":"span","marks":[],"text":"When the egress gateway feature is enabled and egress gateway policies are in place, packets leaving the cluster are masqueraded with selected, predictable IPs associated with the gateway nodes. This feature can be used with legacy firewalls to allow traffic to legacy infrastructure only from specific pods within a given namespace. These pods typically have ever-changing IP addresses. Even if masquerading were to be used to mitigate this, the IP addresses of nodes can also change frequently over time."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:31Z","_id":"45b33e01-3014-ea74-e663-19e133b1933f","_key":"85bd3928-ca1f-4808-951c-7aa506185630","_ref":"45b33e01-3014-ea74-e663-19e133b1933f","_rev":"VO3Rz3CKgO8VZQnLmrPQCQ","_type":"mediaImage","_updatedAt":"2024-09-30T11:20:31Z","alignment":"center","image":{"_type":"image","asset":{"_ref":"image-f2c2f76b630bc63f2f1e0481e4fc13d3123dec46-1472x824-png","_type":"reference"},"crop":{"_type":"sanity.imageCrop","bottom":0,"left":0,"right":0,"top":0},"hotspot":{"_type":"sanity.imageHotspot","height":1,"width":1,"x":0.5,"y":0.5}},"languages":["en"],"originalFilename":"egressip.png","size":"large","title":"egressip.png - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Image","url":"https://cdn.sanity.io/images/xinsvxfu/production/f2c2f76b630bc63f2f1e0481e4fc13d3123dec46-1472x824.png"},{"_key":"ff36c597-165c-4256-bb22-38b2d0ddfe7c","_type":"block","children":[{"_key":"781635be-879b-4fc4-b9ab-50e821faf24e","_type":"span","marks":[],"text":"For example, with the following resource: "}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:19:52Z","_id":"fc597bcd-4039-d47f-b801-9988c8e60bba","_key":"93ce1b5a-24b1-4ff4-91db-b89dd0861add","_ref":"fc597bcd-4039-d47f-b801-9988c8e60bba","_rev":"P5GVFsWfT1LlxauxUA3ok0","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:00Z","code":"apiVersion: isovalent.com/v1\nkind: IsovalentEgressGatewayPolicy\nmetadata:\n name: egress-sample\nspec:\n destinationCIDRs:\n - \"192.168.11.0/24\"\n selectors:\n - podSelector: {}\n egressGroups:\n -\n nodeSelector:\n matchLabels:\n egress-node: \"true\"","language":"yaml","title":"yaml - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"dddc4697-f5f2-4239-8c78-6bdb5a837423","_type":"block","children":[{"_key":"a12655d0-f9ca-4670-953a-146909d78777","_type":"span","marks":[],"text":"All pods that match the "},{"_key":"30892789-6313-4f09-8fa7-9d95584f4866","_type":"span","marks":["code"],"text":"label=egress-node"},{"_key":"8798a9ad-48cf-41f1-b59b-a0271f21f3d7","_type":"span","marks":[],"text":" will be routed through the "},{"_key":"dfaf4617-6c33-481d-b15c-7dd06a974084","_type":"span","marks":["code"],"text":"192.168.11.4"},{"_key":"7cb59ce9-356e-4f24-90fd-0867589af241","_type":"span","marks":[],"text":" IP when they reach out to any address in the "},{"_key":"35113e2a-dd81-4deb-9171-ee69b3c4591b","_type":"span","marks":["code"],"text":"192.168.11.0/24"},{"_key":"6835cb3a-df06-45a6-855e-075f93d3a5c6","_type":"span","marks":[],"text":" IP range, which is outside the cluster."}],"markDefs":[],"style":"normal"},{"_key":"e9a2d689-7ae5-4c13-88d5-dea1e9947c1f","_type":"block","children":[{"_key":"204f418a-bb07-4b01-bd97-706902990d74","_type":"span","marks":[],"text":"What is Isovalent Enterprise for Cilium?"}],"markDefs":[],"style":"h2"},{"_key":"802eab37-0c7e-4fe5-b545-0d14afd8e3b7","_type":"block","children":[{"_key":"0c1d42e1-9f53-46d7-a1e0-2bcb53191a36","_type":"span","marks":[],"text":"Isovalent Enterprise for Cilium is an enterprise-grade, hardened distribution of open-source projects "},{"_key":"7c9ef175-91ae-49bb-a883-fb5d71b703a9","_type":"span","marks":["1b3d18f6-79da-4f1c-ae20-eadf257b003c"],"text":"Cilium"},{"_key":"edbb7a36-9986-414f-ba12-99b55d88f4e9","_type":"span","marks":[],"text":", "},{"_key":"d9e46ac8-eaf3-4880-b532-7e56b99b8d2a","_type":"span","marks":["3e1c80e3-d8ed-4144-a439-e9f263c99e17"],"text":"Hubble"},{"_key":"b8ee1fd9-6ff5-41ed-be0a-3dc2b2fe646e","_type":"span","marks":[],"text":", and "},{"_key":"39c9f7d8-281f-4f7e-a047-b353e1c693ce","_type":"span","marks":["df2d03be-0609-4be1-aedd-e97b511d8b70"],"text":"Tetragon"},{"_key":"88b06048-2586-4481-87a0-ed76ba0adb2b","_type":"span","marks":[],"text":", built and supported by the Cilium creators. Cilium enhances networking and security at the network layer, while Hubble ensures thorough network observability and tracing. Tetragon ties it all together with runtime enforcement and security observability, offering a well-rounded solution for connectivity, compliance, multi-cloud, and security concerns."}],"markDefs":[{"_key":"1b3d18f6-79da-4f1c-ae20-eadf257b003c","_type":"link","href":"http://cilium.io/","openInNewTab":true},{"_key":"3e1c80e3-d8ed-4144-a439-e9f263c99e17","_type":"link","href":"/projects/hubble/","openInNewTab":true},{"_key":"df2d03be-0609-4be1-aedd-e97b511d8b70","_type":"link","href":"/projects/tetragon/","openInNewTab":true}],"style":"normal"},{"_key":"f434c431-4930-4d13-8716-3777764e083e","_type":"block","children":[{"_key":"abd2b34a-4ed4-4a2e-b4a2-ec515071733c","_type":"span","marks":[],"text":"Why Isovalent Enterprise for Cilium?"}],"markDefs":[],"style":"h2"},{"_key":"452ec69b4258","_type":"block","children":[{"_key":"4bf1a9bd7dec","_type":"span","marks":[],"text":"While Egress Gateway in "},{"_key":"de101511bf1d","_type":"span","marks":["b5d3ece2fbe5"],"text":"Cilium"},{"_key":"5ada43ae9b2b","_type":"span","marks":[],"text":" is a great step forward, most enterprise environments should not rely on a single point of failure for network routing. For this reason, Isovalent introduced Egress Gateway High Availability (HA), which supports multiple egress nodes. The multiple egress nodes can be configured using a "},{"_key":"74b41f7f98e6","_type":"span","marks":["code"],"text":"egressGroups"},{"_key":"6015b03f1dac","_type":"span","marks":[],"text":" parameter in the "},{"_key":"771d5f07a2cd","_type":"span","marks":["code"],"text":"IsovalentEgressGatewayPolicy"},{"_key":"c0ca87fe7f2b","_type":"span","marks":[],"text":" resource specification that we will detail in Scenario 2 in the tutorial below."}],"markDefs":[{"_key":"b5d3ece2fbe5","_type":"link","href":"http://cilium.io/"}],"style":"normal"},{"_key":"0fefdd87f717","_type":"block","children":[{"_key":"fecdeb531c9d","_type":"span","marks":[],"text":"Whenever one of these two groups doesn’t contain healthy nodes, traffic will only be routed through the other one. If both groups contain healthy nodes, traffic will be randomly distributed between them."}],"markDefs":[],"style":"normal"},{"_key":"43b688f6-e528-4fce-a80e-381b24858c59","_type":"block","children":[{"_key":"4ab5e2d7-29c9-46a8-9836-20efc0114f61","_type":"span","marks":[],"text":"Pre-Requisites"}],"markDefs":[],"style":"h2"},{"_key":"6b2087cc-7665-4769-bb70-f0be0c4e042d","_type":"block","children":[{"_key":"59295516-753b-4e71-8439-a4221024f07f","_type":"span","marks":[],"text":"The following prerequisites need to be taken into account before you proceed with this tutorial:"}],"markDefs":[],"style":"normal"},{"_key":"359ae05c019c","_type":"block","children":[{"_key":"1c6aa229a1dd","_type":"span","marks":[],"text":"An Azure account with an active subscription- "},{"_key":"630fe5f00e63","_type":"span","marks":["dc6e2562f47d"],"text":"Create an account for free"}],"level":1,"listItem":"bullet","markDefs":[{"_key":"dc6e2562f47d","_type":"link","href":"https://azure.microsoft.com/free/?WT.mc_id=A261C142F"}],"style":"normal"},{"_key":"996f9da1d802","_type":"block","children":[{"_key":"32f36c442801","_type":"span","marks":[],"text":"Azure CLI version 2.48.1 or later. Run "},{"_key":"59a8c563efe2","_type":"span","marks":["code"],"text":"az --version"},{"_key":"87a571b90e06","_type":"span","marks":[],"text":" to see the currently installed version. If you need to install or upgrade, see "},{"_key":"8235b1dbcd05","_type":"span","marks":["6643dd179828"],"text":"Install Azure CLI"},{"_key":"054bd99dd67c","_type":"span","marks":[],"text":"."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"6643dd179828","_type":"link","href":"https://learn.microsoft.com/en-us/cli/azure/install-azure-cli"}],"style":"normal"},{"_key":"94d99e5fbaad","_type":"block","children":[{"_key":"9efb2debb8a3","_type":"span","marks":[],"text":"If using ARM templates or the REST API, the AKS API version must be 2022-09-02-preview or later."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"5f57b9cd0eab","_type":"block","children":[{"_key":"6715d5b2c706","_type":"span","marks":[],"text":"The kubectl command line tool is installed on your device. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is 1.26, you can use kubectl version 1.25, 1.26, or 1.27 with it. To install or upgrade kubectl, see "},{"_key":"fe1fade7af22","_type":"span","marks":["373b08b67071"],"text":"Installing or updating kubectl"},{"_key":"ef1c068fb56a","_type":"span","marks":[],"text":"."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"373b08b67071","_type":"link","href":"https://kubernetes.io/docs/tasks/tools/#kubectl"}],"style":"normal"},{"_key":"986fd622cbdb","_type":"block","children":[{"_key":"de8e102a49af","_type":"span","marks":[],"text":"Install "},{"_key":"fa0dad9dc158","_type":"span","marks":["e10a470450d0"],"text":"Cilium CLI"},{"_key":"735851d14e49","_type":"span","marks":[],"text":"."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"e10a470450d0","_type":"link","href":"https://docs.cilium.io/en/v1.12/gettingstarted/k8s-install-default/#install-the-cilium-cli"}],"style":"normal"},{"_key":"1c6e5069-c72f-48e8-bca9-4cc40e389aeb","_type":"block","children":[{"_key":"8555386d-2168-4ae7-b3e9-4454a3471f91","_type":"span","marks":[],"text":"Limitations to keep in mind?"}],"markDefs":[],"style":"h2"},{"_key":"6344079e-7f07-4b2a-b748-1beef9033e11","_type":"block","children":[{"_key":"4a1c2e3d-aea7-4462-a936-e252f035c957","_type":"span","marks":[],"text":"You must remember certain limitations, which will be added over time."}],"markDefs":[],"style":"normal"},{"_key":"7345e2fe06a1","_type":"block","children":[{"_key":"457f670a363a","_type":"span","marks":[],"text":"The Egress gateway feature is partially incompatible with L7 policies."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"1a7e12735ae5","_type":"block","children":[{"_key":"919f01cac757","_type":"span","marks":[],"text":"Specifically, when an egress gateway policy and an L7 policy both select the same endpoint, traffic from that endpoint does not go through the egress gateway, even if the policy allows it."}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"f876513be7aa","_type":"block","children":[{"_key":"64c722a492b3","_type":"span","marks":[],"text":"Egress Gateway is incompatible with Isovalent’s Cluster Mesh feature."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"c5a81d43-a7bf-4e0c-b73e-3df28ff05f79","_type":"block","children":[{"_key":"906c2d6d-1cd4-42cf-ba7b-f1e286797c87","_type":"span","marks":[],"text":"Which network plugin can I use for Egress Gateway in AKS?"}],"markDefs":[],"style":"h2"},{"_key":"dfaad322-37c6-4049-8ff7-a96ca12e39ec","_type":"block","children":[{"_key":"e0047e1e-5234-4dd4-8264-883991c3c5cd","_type":"span","marks":[],"text":"Considering two scenarios, we will create an Azure Kubernetes (AKS) Cluster with Bring Your Own CNI (BYOCNI) as the network plugin for this tutorial."}],"markDefs":[],"style":"normal"},{"_key":"06ee8bcc-364e-4c15-83f6-09ca3421b3c3","_type":"block","children":[{"_key":"ef083dcd-0f39-492b-9c44-324ed776a51f","_type":"span","marks":[],"text":"Scenario 1- Egress Gateways in a single Availability Zone."}],"markDefs":[],"style":"h3"},{"_key":"80e87c75-5412-40a3-9337-8c27bebf4ac7","_type":"block","children":[{"_key":"287726f3-97e2-4a2c-93ed-647384199992","_type":"span","marks":[],"text":"Pre-Requisites:"}],"markDefs":[],"style":"h4"},{"_key":"e266cf338ca5","_type":"block","children":[{"_key":"8917183c063a","_type":"span","marks":[],"text":"The AKS cluster is created in VNET A, subnet A"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"2935dbd732ae","_type":"block","children":[{"_key":"0fe5330f435b","_type":"span","marks":[],"text":"The Egress Gateway is created in VNET A, subnet B "}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"164f1e9e16b2","_type":"block","children":[{"_key":"eebdf09ae02e","_type":"span","marks":[],"text":"VNET= 192.168.8.0/22"}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"f62e80702f33","_type":"block","children":[{"_key":"65e725264d85","_type":"span","marks":[],"text":"Subnet A= 192.168.10.0/24"}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"4083d7c915a9","_type":"block","children":[{"_key":"7c4df338a75c","_type":"span","marks":[],"text":"Subnet B= 192.168.11.0/24"}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"b11b73cbba40","_type":"block","children":[{"_key":"dcc86f21cbdf","_type":"span","marks":[],"text":"A test VM is created in VNET A, subnet B"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"0ac9ab04-9692-4f37-970d-3171aef3d83f","_type":"block","children":[{"_key":"4ce63e72-c02f-4856-b51b-f724439f376b","_type":"span","marks":[],"text":"Set the subscription"}],"markDefs":[],"style":"h4"},{"_key":"3af950d2-bfad-45bb-bdc7-e6db87d1ae6a","_type":"block","children":[{"_key":"0427dd22-7706-42f2-a56f-29466ee33df4","_type":"span","marks":[],"text":"Choose the subscription you want to use if you have multiple Azure subscriptions."}],"markDefs":[],"style":"normal"},{"_key":"8ef01006a63b","_type":"block","children":[{"_key":"7d48cb814f75","_type":"span","marks":[],"text":"Replace "},{"_key":"d19501860841","_type":"span","marks":["code"],"text":"SubscriptionName"},{"_key":"16cc79d5aa64","_type":"span","marks":[],"text":" with your subscription name."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"7a92b497fff3","_type":"block","children":[{"_key":"82e050b3ff9f","_type":"span","marks":[],"text":"You can also use your subscription ID instead of your subscription name."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:19:53Z","_id":"78306909-d12b-e55a-46e8-212573d8d92e","_key":"3915e59b-902e-4cf5-9b2e-c26dc746ed53","_ref":"78306909-d12b-e55a-46e8-212573d8d92e","_rev":"OU5lQsExGohDwkAnEcWDbj","_type":"codeBlock","_updatedAt":"2024-10-01T11:02:55Z","code":"az account set --subscription SubscriptionName","language":"bash","title":"bash - \"Cilium in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"ca661106-0ec3-47cf-a0b4-cb20fc2eb097","_type":"block","children":[{"_key":"76e8538e-0cd1-4a8e-82e2-f94a07d94187","_type":"span","marks":[],"text":"AKS Cluster creation"}],"markDefs":[],"style":"h4"},{"_key":"91be96b2-c10a-40f7-acf6-cdc90fa73993","_type":"block","children":[{"_key":"9a77f2cd-0e40-42cd-befb-976891a13d7e","_type":"span","marks":[],"text":"Create an AKS cluster with the network plugin as "},{"_key":"ae46ea82-c399-4aab-9ab9-068ec293344a","_type":"span","marks":["code"],"text":"BYOCNI"},{"_key":"44789bd3-241b-408e-98fb-9090131822af","_type":"span","marks":[],"text":"."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:19:54Z","_id":"6ec5e408-b8b3-5123-2dd9-283a7267735c","_key":"eeac65eb-6abb-4441-ad38-750b0fbedda5","_ref":"6ec5e408-b8b3-5123-2dd9-283a7267735c","_rev":"P5GVFsWfT1LlxauxUA3lCB","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:02Z","code":"az group create -l eastus -n byocni\n\naz network vnet create -g byocni --location canadacentral --name byocni-vnet --address-prefixes 192.168.8.0/22 -o none\n\naz network vnet subnet create -g byocni --vnet-name byocni-vnet --name byocni-subnet --address-prefixes 192.168.10.0/24 -o none \n\naz network vnet subnet create -g byocni --vnet-name byocni-vnet --name egressgw-subnet --address-prefixes 192.168.11.0/24 -o none \n\naz aks create -l eastus -g byocni -n byocni --network-plugin none --vnet-subnet-id /subscriptions/#############################/resourceGroups/byocni/providers/Microsoft.Network/virtualNetworks/byocni-vnet/subnets/byocni-subnet\n\naz aks get-credentials --resource-group byocni --name byocni","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"a176989a-b402-41eb-b5ab-cd5f3ead2b54","_type":"block","children":[{"_key":"80b436b4-e317-4596-b734-a173ebf60b24","_type":"span","marks":["strong"],"text":"Note- "},{"_key":"a660ffb9-eb6c-4510-b5b1-8ea4116ff976","_type":"span","marks":[],"text":"You can also create an AKS cluster with BYOCNI using "},{"_key":"5082430a-b1a8-4869-9cbb-c37c2275444a","_type":"span","marks":["90461eeb-1da5-4971-8e4d-cfdcdb32d2f5"],"text":"Terraform"},{"_key":"6868f3b1-2483-46d3-9c3e-50a53e927e56","_type":"span","marks":[],"text":"."}],"markDefs":[{"_key":"90461eeb-1da5-4971-8e4d-cfdcdb32d2f5","_type":"link","href":"https://github.com/amitmavgupta/azure-terraform/tree/main/BYOCNI","openInNewTab":true}],"style":"normal"},{"_key":"f6f77577-a8dd-4188-92c4-87f097df45ca","_type":"block","children":[{"_key":"4e6e6cb9-a790-4f87-b4a4-ca4eefc726a1","_type":"span","marks":[],"text":"Create an unmanaged AKS nodepool in a different subnet."}],"markDefs":[],"style":"h4"},{"_key":"4057acdb-7db8-4038-b4de-ff65288689c1","_type":"block","children":[{"_key":"731a20fd-c883-4e5f-a1ab-674d7a39b3cb","_type":"span","marks":[],"text":"Create an AKS nodepool in the egressgw-subnet (created in the previous step)."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:19:55Z","_id":"5e6c9b7c-fc77-c44d-4785-0557d168fbab","_key":"c5880929-6b8f-436e-be5b-76b0be83ee81","_ref":"5e6c9b7c-fc77-c44d-4785-0557d168fbab","_rev":"9px8ir0NfLa6aydsXNQ8Vf","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:03Z","code":"az aks nodepool add -g byocni --cluster-name byocni -n egressgw --enable-node-public-ip --node-count 1 --vnet-subnet-id /subscriptions/###############################/resourceGroups/byocni/providers/Microsoft.Network/virtualNetworks/byocni-vnet/subnets/egressgw-subnet","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"e42da34f-d828-430c-af98-c3ed21f8017e","_type":"block","children":[{"_key":"88a6d5d9-10bb-4969-a98b-778ab322c389","_type":"span","marks":[],"text":"Assign a label to the unmanaged nodepool"}],"markDefs":[],"style":"h4"},{"_key":"ee80be8330e7","_type":"block","children":[{"_key":"709a5afb85ba","_type":"span","marks":[],"text":"Create a node pool with a label and specify a name for the "},{"_key":"39d1865d5947","_type":"span","marks":["code"],"text":"--name"},{"_key":"da267df5de31","_type":"span","marks":[],"text":" parameters and labels for the "},{"_key":"eb22d9fec162","_type":"span","marks":["code"],"text":"--labels"},{"_key":"fbd772797b5c","_type":"span","marks":[],"text":" Parameter. Labels must be a key/value pair and have a "},{"_key":"b9b26d1499ac","_type":"span","marks":["ec449a53cc7b"],"text":"valid syntax"},{"_key":"af925a622d3d","_type":"span","marks":[],"text":"."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"ec449a53cc7b","_type":"link","href":"https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set"}],"style":"normal"},{"_createdAt":"2024-09-30T11:19:56Z","_id":"8007b4f4-310e-160e-ead0-911dd68574a3","_key":"73ba925c-73a4-4f32-962a-0bb9a41b37ef","_ref":"8007b4f4-310e-160e-ead0-911dd68574a3","_rev":"9px8ir0NfLa6aydsXNQHLX","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:04Z","code":"az aks nodepool update --resource-group byocni --cluster-name byocni --name egressgw --labels io.cilium/egress-gateway=true","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"97fe2f9d-c238-48e4-a2e9-2ed8ce6c42c1","_type":"block","children":[{"_key":"5c83cae2-44d7-4c07-9b49-1888bffc20f1","_type":"span","marks":[],"text":"Check the status of the nodes."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:19:57Z","_id":"dfc633ee-f991-d092-6e6a-a602312c3c34","_key":"50d90a8d-59c5-4ade-902a-9e3e34215ea3","_ref":"dfc633ee-f991-d092-6e6a-a602312c3c34","_rev":"be3C7ysj1QqQyrHso4aHmM","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:05Z","code":"kubectl get nodes -o wide\n\nNAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME\naks-byocni-35717205-vmss000000 Ready 5h34m v1.29.2 192.168.10.4 Ubuntu 22.04.4 LTS 5.15.0-1060-azure containerd://1.7.15-1\naks-byocni-35717205-vmss000001 Ready 5h34m v1.29.2 192.168.10.5 Ubuntu 22.04.4 LTS 5.15.0-1060-azure containerd://1.7.15-1\naks-egressgw-36500661-vmss000000 Ready 3h52m v1.29.2 192.168.11.5 52.156.19.241 Ubuntu 22.04.4 LTS 5.15.0-1060-azure containerd://1.7.15-1\naks-egressgw-36500661-vmss000001 Ready 3h52m v1.29.2 192.168.11.6 53.172.12.120 Ubuntu 22.04.4 LTS 5.15.0-1060-azure containerd://1.7.15-1","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"9ea71259-6d80-4d43-9185-98dd6b99e88f","_type":"block","children":[{"_key":"1fd5b635-9bf7-4cc6-9a60-1f7fdbe81266","_type":"span","marks":[],"text":"Note- this doesn’t create a new NIC. It means traffic from the client pod is EGW-redirected to the egress-node: \"true\" node’s eth0 192.168.11.5, and from there, it’s also automatically NATed to the node's assigned public IP."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"7853cdbb-c75a-445e-a628-574c2a270eab","_type":"block","children":[{"_key":"08d4c6d7-cc7c-4164-94cd-1fde3f595dfc","_type":"span","marks":[],"text":"Install Isovalent Enteprise for Cilium"}],"markDefs":[],"style":"h4"},{"_key":"f70e90a9f19e","_type":"block","children":[{"_key":"83a881b62617","_type":"span","marks":[],"text":"Users can contact their partner Sales/SE representative(s) at "},{"_key":"c5af77a21244","_type":"span","marks":["29e4d25fea85"],"text":"sales@isovalent.com"},{"_key":"9dd61bd23a6a","_type":"span","marks":[],"text":" to access the requisite documentation and how to "},{"_key":"adc458ddd6bc","_type":"span","marks":["1810bdb83934"],"text":"install Isovalent Enteprpise for Cilium on an AKS cluster with BYOCNI"},{"_key":"2043e7d2ed5e","_type":"span","marks":[],"text":" as the network plugin."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"29e4d25fea85","_type":"link","href":"mailto:sales@isovalent.com"},{"_key":"1810bdb83934","_type":"link","href":"https://docs.isovalent.com/operations-guide/installation/clean-install.html"}],"style":"normal"},{"_key":"50a2ca68edc0","_type":"block","children":[{"_key":"fd75c13338b1","_type":"span","marks":[],"text":"Make sure that the following Helm values are taken into account while enabling the Egress Gateway feature:"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:19:58Z","_id":"368345dc-52cb-3b04-54ed-e6f842a9591e","_key":"f23ada33-6e8e-4618-9699-79edb33bc8cc","_ref":"368345dc-52cb-3b04-54ed-e6f842a9591e","_rev":"be3C7ysj1QqQyrHso4aPED","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:06Z","code":"--set egressGateway.enabled=true \n--set enterprise.egressGatewayHA.enabled=true \n--set bpf.masquerade=true \n--set kubeProxyReplacement=true \n--set l7Proxy=false","language":"yaml","title":"yaml - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"0f420c6b-bd2e-4762-b690-956b2de7e94b","_type":"block","children":[{"_key":"5e35a477-de86-452e-a89e-44719b1ad7bc","_type":"span","marks":[],"text":"Restart Cilium Operator and Cilium Daemonset"}],"markDefs":[],"style":"h4"},{"_key":"2b9efbeb-a5e7-4e47-a92d-3acd28fc1185","_type":"block","children":[{"_key":"35e34e70-7f30-4ccd-ac65-07fcb501fbd6","_type":"span","marks":[],"text":"Restart the cilium operator and cilium daemonset for egress gateway changes to take effect. "}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:19:59Z","_id":"048cd8b3-b161-1d54-ce97-3dd6907f2e24","_key":"4022245b-90e2-480c-8d5b-2e63bf7355d2","_ref":"048cd8b3-b161-1d54-ce97-3dd6907f2e24","_rev":"P5GVFsWfT1LlxauxUA3o3B","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:07Z","code":"kubectl rollout restart ds cilium -n kube-system\nkubectl rollout restart deploy cilium-operator -n kube-system","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"2bf5363a-e86a-431c-811c-114abdda0d25","_type":"block","children":[{"_key":"d8d2bb6e-a774-4c58-9816-d718b5608711","_type":"span","marks":[],"text":"Check the status of the pods."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:01Z","_id":"07241693-4c2e-2378-0839-ec2f785240b9","_key":"0405f6ab-d145-4bb6-836c-2c8246939df3","_ref":"07241693-4c2e-2378-0839-ec2f785240b9","_rev":"e9qWp8BVYg77bOSczeJ6O3","_type":"codeBlock","_updatedAt":"2025-05-30T23:25:32Z","code":"$1c","language":"bash","lineRestriction":8,"restrictHeight":true,"title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"0d47f439-572a-417e-9f5b-3612f880b427","_type":"block","children":[{"_key":"e26c80de-71cb-4182-840f-a2969c66ce96","_type":"span","marks":[],"text":"Create an Egress Gateway Policy"}],"markDefs":[],"style":"h4"},{"_key":"f04e671a7cac","_type":"block","children":[{"_key":"76bf251ece43","_type":"span","marks":[],"text":"The API provided by Isovalent to drive the Egress Gateway feature is the "},{"_key":"0eabb2197fc2","_type":"span","marks":["code"],"text":"IsovalentEgressGatewayPolicy"},{"_key":"21232bd3c382","_type":"span","marks":[],"text":" resource."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"963a01b0a6bf","_type":"block","children":[{"_key":"8eb1bf61b054","_type":"span","marks":[],"text":"The "},{"_key":"1aaca7ab4487","_type":"span","marks":["code"],"text":"selectors"},{"_key":"696b3d2782fd","_type":"span","marks":[],"text":" field of an "},{"_key":"7808845dfda3","_type":"span","marks":["code"],"text":"IsovalentEgressGatewayPolicy"},{"_key":"756165b60e42","_type":"span","marks":[],"text":" resource is used to select source pods via a label selector. This can be done using "},{"_key":"9c77df936e18","_type":"span","marks":["code"],"text":"matchLabels"},{"_key":"38559a565eb8","_type":"span","marks":[],"text":":"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:02Z","_id":"de9a56d3-f435-971c-882b-16c30fbb2191","_key":"5245dde7-cff8-4128-a38a-69fdae980b94","_ref":"de9a56d3-f435-971c-882b-16c30fbb2191","_rev":"be3C7ysj1QqQyrHso4aJCi","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:09Z","code":"selectors:\n- podSelector:\n matchLabels:\n labelKey: labelVal","language":"yaml","title":"yaml - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"4fe827dd-b162-4550-80dd-66741a4b33be","_type":"block","children":[{"_key":"8de8e3f3-6205-4845-83f9-67b9253217c1","_type":"span","marks":[],"text":"One or more destination CIDRs can be specified with destinationCIDRs:"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:03Z","_id":"f3208e78-a9c1-fd62-a6a3-85846a802e0a","_key":"2b07f5bb-df13-471a-a46f-907abea01910","_ref":"f3208e78-a9c1-fd62-a6a3-85846a802e0a","_rev":"be3C7ysj1QqQyrHso4aJmr","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:10Z","code":"destinationCIDRs:\n- \"a.b.c.d/32\"\n- \"e.f.g.0/24\"","language":"yaml","title":"yaml - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"2df17c7ed258","_type":"block","children":[{"_key":"d2fdb1260cfc","_type":"span","marks":[],"text":"The group of nodes that should act as gateway nodes for a given policy can be configured with the "},{"_key":"0501d762515f","_type":"span","marks":["code"],"text":"egressGroups"},{"_key":"b0829b3da1e6","_type":"span","marks":[],"text":" field. Nodes are matched based on their labels, with the "},{"_key":"069cf30971a9","_type":"span","marks":["code"],"text":"nodeSelector"},{"_key":"84cecfe4b863","_type":"span","marks":[],"text":" field:"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:04Z","_id":"32724bef-c40d-1d78-90d2-cd7fc3944d26","_key":"e062851b-eb52-4999-863a-c6bef831ae71","_ref":"32724bef-c40d-1d78-90d2-cd7fc3944d26","_rev":"9px8ir0NfLa6aydsXNQByS","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:11Z","code":"egressGroups:\n- nodeSelector:\n matchLabels:\n testLabel: testVal","language":"yaml","title":"yaml - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"182842e1-1aa1-478d-b92e-4bd3b8375294","_type":"block","children":[{"_key":"a3671768-64e2-455f-bfab-30dc7a90b5db","_type":"span","marks":[],"text":"Sample policy as below:"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:19:52Z","_id":"fc597bcd-4039-d47f-b801-9988c8e60bba","_key":"0839ef9d-283b-4b7d-a8b0-beb65c1048ad","_ref":"fc597bcd-4039-d47f-b801-9988c8e60bba","_rev":"P5GVFsWfT1LlxauxUA3ok0","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:00Z","code":"apiVersion: isovalent.com/v1\nkind: IsovalentEgressGatewayPolicy\nmetadata:\n name: egress-sample\nspec:\n destinationCIDRs:\n - \"192.168.11.0/24\"\n selectors:\n - podSelector: {}\n egressGroups:\n -\n nodeSelector:\n matchLabels:\n egress-node: \"true\"","language":"yaml","title":"yaml - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"b35d8f95-0e3a-44de-ba96-e84c8e56e2c2","_type":"block","children":[{"_key":"d68a0489-037f-40d5-a960-c8fc79ce92ca","_type":"span","marks":[],"text":"Testing Egress Gateway"}],"markDefs":[],"style":"h4"},{"_key":"d4efeb2cc4f1","_type":"block","children":[{"_key":"f77a1791fd2c","_type":"span","marks":[],"text":"Deploy a client pod and apply the "},{"_key":"029694d34ffb","_type":"span","marks":["code"],"text":"IsovalentEgressGatewayPolicy"},{"_key":"cbe43da729b5","_type":"span","marks":[],"text":", and observe that the pod’s connection gets redirected through the Gateway node."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"672bd2b1574e","_type":"block","children":[{"_key":"05590be6a0fe","_type":"span","marks":[],"text":"The client pod gets deployed to one of the two nodes (managed), and the IEGP (Isovalent Egress Gateway Policy) selects one or both the nodes ( depending on the egress gateway IPs specified) as the Gateway node."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"f58250625b33","_type":"block","children":[{"_key":"0d8cbddd7752","_type":"span","marks":[],"text":"Sample client pod yaml:"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:05Z","_id":"cca3a964-80c3-9b82-1e17-1ddd68184efa","_key":"7acf758c-18d1-400d-ab3e-61109ab30d1a","_ref":"cca3a964-80c3-9b82-1e17-1ddd68184efa","_rev":"9px8ir0NfLa6aydsXNQDmW","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:13Z","code":"apiVersion: v1\nkind: Pod\nmetadata:\n creationTimestamp: null\n labels:\n run: busybox\n name: busybox\nspec:\n containers:\n - image: nginx\n name: nginx\n command:\n - /bin/sh\n - -c\n securityContext:\n capabilities:\n add:\n - NET_ADMIN # Add the cap_net_admin capability\n env:\n - name: EGRESS_IPS\n value: 192.168.11.5/24, 192.168.11.4/24\n resources: {}\n dnsPolicy: ClusterFirst\n nodeSelector:\n kubernetes.io/hostname: aks-byocni-35717205-vmss000000\n restartPolicy: Always\nstatus: {}","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"e76b72f4-d52f-489a-9430-4ef80ea70385","_type":"block","children":[{"_key":"086cf8c7-fc8b-4483-8475-7d78728b5104","_type":"span","marks":[],"text":"Create the client pod and check that it's up and running and pinned on one of the worker nodes as specified in the yaml file for the client pod."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:06Z","_id":"0261a4cc-a56b-3a28-9cdf-473f6f0f86d8","_key":"b89f6f06-17a9-43c2-9df6-ed9d15aa16a9","_ref":"0261a4cc-a56b-3a28-9cdf-473f6f0f86d8","_rev":"9px8ir0NfLa6aydsXNQDvr","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:14Z","code":"kubectl apply -f busyboxegressgw.yaml\n\nkubectl get pods -o wide\nNAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES\nbusybox 1/1 Running 0 3h53m 10.0.0.165 aks-byocni-35717205-vmss000000 ","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"dd169f56-63fe-4480-b91f-8c1c2f1ad271","_type":"block","children":[{"_key":"91379e47-6e1a-4684-96ee-f0eb7d97d69b","_type":"span","marks":[],"text":"Apply an Egress Gateway Policy"}],"markDefs":[],"style":"h5"},{"_key":"e83674f4-a996-4a66-9dce-1ea649028dbc","_type":"block","children":[{"_key":"7fe269d8-ec67-43f7-bc84-de40688d89e1","_type":"span","marks":[],"text":"Apply an Egress Gateway Policy"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:19:52Z","_id":"fc597bcd-4039-d47f-b801-9988c8e60bba","_key":"8de8750b-674f-4719-9955-23748e83a256","_ref":"fc597bcd-4039-d47f-b801-9988c8e60bba","_rev":"P5GVFsWfT1LlxauxUA3ok0","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:00Z","code":"apiVersion: isovalent.com/v1\nkind: IsovalentEgressGatewayPolicy\nmetadata:\n name: egress-sample\nspec:\n destinationCIDRs:\n - \"192.168.11.0/24\"\n selectors:\n - podSelector: {}\n egressGroups:\n -\n nodeSelector:\n matchLabels:\n egress-node: \"true\"","language":"yaml","title":"yaml - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"cab4ffe4-6dc6-42d0-92fa-1e66edd48d8d","_type":"block","children":[{"_key":"8ab0dc29-1b65-4899-8cce-49ec59e1cb6b","_type":"span","marks":[],"text":"Label the Egress Gateway Node"}],"markDefs":[],"style":"h5"},{"_key":"8e70a54a-23b8-4bf2-8e3a-a343f2b68c2c","_type":"block","children":[{"_key":"f5964d54-7702-4bc7-8ec8-f40ab00371f6","_type":"span","marks":[],"text":"To let the policy select the node designated as the Egress Gateway, apply the label, "},{"_key":"a431aafc-509a-42f6-b7c9-4b5340d68473","_type":"span","marks":["code"],"text":"egress-node:true"},{"_key":"8829a829-cebc-439f-85d2-77d8bc435440","_type":"span","marks":[],"text":" to it:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:07Z","_id":"b8268121-b0f6-7df0-630f-8cdf25d4127d","_key":"3c76dff4-22b0-400e-87d3-c58b2ffe63d6","_ref":"b8268121-b0f6-7df0-630f-8cdf25d4127d","_rev":"P5GVFsWfT1LlxauxUA3mo6","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:16Z","code":"$1d","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"d7186815-ab29-4166-8d67-422a1998a8f3","_type":"block","children":[{"_key":"a6efa3e2-0620-4545-924c-9a6486db6169","_type":"span","marks":[],"text":"Create a test VM in the Egress Gateway subnet."}],"markDefs":[],"style":"h5"},{"_key":"3c94f7d6589d","_type":"block","children":[{"_key":"adcd570a4a59","_type":"span","marks":[],"text":"Create a "},{"_key":"ef1248e830e3","_type":"span","marks":["9240caa41845"],"text":"VM"},{"_key":"590a2940807f","_type":"span","marks":[],"text":" in the same subnet as Egress Gateway and run a simple service on port 80 (like NGINX) that will respond to traffic sent from a pod on one of the worker nodes."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"9240caa41845","_type":"link","href":"https://learn.microsoft.com/en-us/azure/virtual-machines/linux/quick-create-portal?tabs=ubuntu"}],"style":"normal"},{"_key":"4c6adb8e9fea","_type":"block","children":[{"_key":"94300bc5febc","_type":"span","marks":[],"text":"Test VM IP, in this case, is "},{"_key":"a8dfa8f4b1e0","_type":"span","marks":["code"],"text":"192.168.11.4"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:08Z","_id":"2b9eef4b-6c0c-671a-9200-c0577f3474c0","_key":"a17ac3a6-9bf1-4b18-8b70-eb8a6d7ebebf","_ref":"2b9eef4b-6c0c-671a-9200-c0577f3474c0","_rev":"be3C7ysj1QqQyrHso4aQ4Q","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:17Z","code":"2: eth0: mtu 1500 qdisc mq state UP group default qlen 1000\n link/ether 00:22:48:3c:63:51 brd ff:ff:ff:ff:ff:ff\n inet 192.168.11.4/24 brd 192.168.11.255 scope global eth0\n valid_lft forever preferred_lft forever\n inet6 fe80::222:48ff:fe3c:6351/64 scope link\n valid_lft forever preferred_lft forever","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"ae05b98c-fa49-4a96-b328-976750d4bd46","_type":"block","children":[{"_key":"a4f1d7c2-f0e5-4e6c-81aa-bb9271c56ccd","_type":"span","marks":[],"text":"Traffic Generation (towards the server in Egress GW subnet)"}],"markDefs":[],"style":"h5"},{"_key":"d33c4fe1-bb25-437b-a4b8-cbc72b2d58b2","_type":"block","children":[{"_key":"892019e4-f3b2-4bdd-b8cf-4dfee5438403","_type":"span","marks":[],"text":"Send traffic toward the test VM."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:09Z","_id":"ea67c614-ba56-6439-10ea-45107c1e20d4","_key":"a16b3f2f-8f74-4824-8887-684b648d3eb6","_ref":"ea67c614-ba56-6439-10ea-45107c1e20d4","_rev":"P5GVFsWfT1LlxauxUA3opi","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:18Z","code":"kubectl exec busybox -- curl -I 192.168.11.4\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n 0 612 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\nHTTP/1.1 200 OK\nServer: nginx/1.18.0 (Ubuntu)\nDate: Mon, 29 Apr 2024 12:44:07 GMT\nContent-Type: text/html\nContent-Length: 612\nLast-Modified: Mon, 29 Apr 2024 08:55:12 GMT\nConnection: keep-alive\nETag: \"662f6070-264\"\nAccept-Ranges: byte","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"930a78ea-f34c-456b-9f34-0f512f2efba4","_type":"block","children":[{"_key":"c1add455-2baa-47ba-a8f0-c0ace9f12899","_type":"span","marks":[],"text":"Traffic Generation (outside of the cluster towards the Internet)"}],"markDefs":[],"style":"h5"},{"_key":"df9815a2-8c1a-466c-81ad-a9f2614ebc9d","_type":"block","children":[{"_key":"291304f4-925d-409e-850d-c2248b7ba8fc","_type":"span","marks":[],"text":"Send traffic to a public service. "}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"ba4b04f8f59d","_type":"block","children":[{"_key":"59ca5fcd8fd7","_type":"span","marks":[],"text":"Note the IP it returns is the egress gateway node’s Public IP."}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:10Z","_id":"f43654ab-9bca-5708-131d-1f07bfa12a92","_key":"58f26f0a-6884-4ba9-b78d-d4e4eb9ff94f","_ref":"f43654ab-9bca-5708-131d-1f07bfa12a92","_rev":"P5GVFsWfT1LlxauxUA3nAw","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:19Z","code":"kubectl exec busybox -- curl ifconfig.me\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n100 13 100 13 0 0 181 0 --:--:-- --:--:-- --:--:-- 183\n52.156.19.241","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"21b6401a128f","_type":"block","children":[{"_key":"9ab0778db186","_type":"span","marks":[],"text":"Take a tcpdump from one of the egress gateway nodes."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"73c2adb65367","_type":"block","children":[{"_key":"0db34b8d16b5","_type":"span","marks":[],"text":"Install tcpdump on the egress gateway node via "},{"_key":"2ec0232d82de","_type":"span","marks":["code"],"text":"apt-get install tcpdump"}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"acdf0e1be421","_type":"block","children":[{"_key":"ae689ed1b426","_type":"span","marks":[],"text":"As you can see "},{"_key":"19eae9be5e38","_type":"span","marks":["code"],"text":"10.0.0.165"},{"_key":"46f9b52e5a44","_type":"span","marks":[],"text":" is the client-pod IP that the egress gateway node is receiving packets from and "},{"_key":"0cffa491847c","_type":"span","marks":["code"],"text":"192.168.11.5"},{"_key":"d40225298ddd","_type":"span","marks":[],"text":" is the egress gateway node’s "},{"_key":"6cb77a732459","_type":"span","marks":["code"],"text":"eth0"},{"_key":"f52457a19244","_type":"span","marks":[],"text":" IP address."}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:11Z","_id":"1272db8f-8f32-dcfd-b819-066a52d6d5f6","_key":"2a644d80-38e6-47f3-ad1e-587b1527d079","_ref":"1272db8f-8f32-dcfd-b819-066a52d6d5f6","_rev":"9px8ir0NfLa6aydsXNQEHe","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:20Z","code":"$1e","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"9633e5c8-7271-4892-a87d-70ce5146f446","_type":"block","children":[{"_key":"ce18acc4-8cf6-4335-86ed-d8a780d90f4f","_type":"span","marks":[],"text":"Scenario 2- Egress Gateways in a Multi-Availability Zone environment."}],"markDefs":[],"style":"h3"},{"_key":"90bbbdca-305d-4ffc-a769-6b63f650c678","_type":"block","children":[{"_key":"bdb33147-71b8-4550-8e41-99b8c5dc6057","_type":"span","marks":[],"text":"Geo redundancy across availability zones is a must, and combined with HA for the Egress GW, it is a solution that enterprises are always willing to consider."}],"markDefs":[],"style":"normal"},{"_key":"48747f7d-5622-4c86-a585-91b715206d48","_type":"block","children":[{"_key":"dcac2e7f-bc6a-4fcd-aed8-72efbae73dfe","_type":"span","marks":[],"text":"Pre-Requisites:"}],"markDefs":[],"style":"h4"},{"_key":"8d20518cf7c8","_type":"block","children":[{"_key":"bd8e662b0e56","_type":"span","marks":[],"text":"The AKS cluster is created in VNET A, subnet A"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"7027cffa5d70","_type":"block","children":[{"_key":"3c512cd44d1d","_type":"span","marks":[],"text":"The Egress Gateway is created in VNET A, subnet B "}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"6836a6640315","_type":"block","children":[{"_key":"e99730850d44","_type":"span","marks":[],"text":"VNET= 192.168.8.0/22"}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"24ebfbf6c97e","_type":"block","children":[{"_key":"e6ed4d04ed47","_type":"span","marks":[],"text":"Subnet A= 192.168.10.0/24"}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"f0457732d70b","_type":"block","children":[{"_key":"7c3cadff5744","_type":"span","marks":[],"text":"Subnet B= 192.168.11.0/24"}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"1accd9f7e824","_type":"block","children":[{"_key":"45f6d1690121","_type":"span","marks":[],"text":"A test VM is created in VNET A, subnet B"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"2b8c9069-dc66-4f58-9598-17dd2910228a","_type":"block","children":[{"_key":"d9040574-995f-4232-a57e-f076695c2a10","_type":"span","marks":[],"text":"Set the subscription"}],"markDefs":[],"style":"h4"},{"_key":"e0aa5e8a-742d-4ccc-96c8-5a05d1e19115","_type":"block","children":[{"_key":"c0fd7237-ba88-4be5-a327-25ad73cfc26c","_type":"span","marks":[],"text":"Choose the subscription you want to use if you have multiple Azure subscriptions."}],"markDefs":[],"style":"normal"},{"_key":"b2d48ce2d0ae","_type":"block","children":[{"_key":"72e2ba8ab7bb","_type":"span","marks":[],"text":"Replace "},{"_key":"9e91c2cfdf3f","_type":"span","marks":["code"],"text":"SubscriptionName"},{"_key":"5cbb04c6f70d","_type":"span","marks":[],"text":" with your subscription name."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"dc052874ca10","_type":"block","children":[{"_key":"1a291e360e41","_type":"span","marks":[],"text":"You can also use your subscription ID instead of your subscription name."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:19:53Z","_id":"78306909-d12b-e55a-46e8-212573d8d92e","_key":"70533ef3-546b-4073-85e7-640a5ccc8cb7","_ref":"78306909-d12b-e55a-46e8-212573d8d92e","_rev":"OU5lQsExGohDwkAnEcWDbj","_type":"codeBlock","_updatedAt":"2024-10-01T11:02:55Z","code":"az account set --subscription SubscriptionName","language":"bash","title":"bash - \"Cilium in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"a6197c9c-fee0-4f93-a6a5-d692c0a5d81a","_type":"block","children":[{"_key":"ee8eccf4-8eed-45a4-8a80-6cbdfb6e60bb","_type":"span","marks":[],"text":"AKS cluster creation with nodepools across AZ’s"}],"markDefs":[],"style":"h4"},{"_key":"d4139f5d-cce6-4ac9-ba0e-9c2d7b056330","_type":"block","children":[{"_key":"3065bbe6-04fe-4678-a7de-b9a7db69d8ab","_type":"span","marks":[],"text":"Create an AKS cluster with the network plugin as "},{"_key":"482e1164-ea04-4e5c-b1d7-b3bb48f5e722","_type":"span","marks":["code"],"text":"BYOCNI"},{"_key":"9f6e4521-896c-48ed-bea5-cae10a06f53d","_type":"span","marks":[],"text":" and nodepools across different Availability Zones."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:12Z","_id":"e954bab9-9c01-a13f-57d0-ba00a8315afa","_key":"983d4981-f06a-4215-b9ca-30d35c5c7d7b","_ref":"e954bab9-9c01-a13f-57d0-ba00a8315afa","_rev":"9px8ir0NfLa6aydsXNQGh4","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:22Z","code":"az group create -l eastus -n byocni\n\naz network vnet create -g byocni --location canadacentral --name byocni-vnet --address-prefixes 192.168.8.0/22 -o none\n\naz network vnet subnet create -g byocni --vnet-name byocni-vnet --name byocni-subnet --address-prefixes 192.168.10.0/24 -o none \n\naz network vnet subnet create -g byocni --vnet-name byocni-vnet --name egressgw-subnet --address-prefixes 192.168.11.0/24 -o none \n\naz aks create -l eastus -g byocni -n byocni --network-plugin none --vm-set-type VirtualMachineScaleSets --zones 1 2 --vnet-subnet-id /subscriptions/###############################/resourceGroups/byocni/providers/Microsoft.Network/virtualNetworks/byocni-vnet/subnets/byocni-subnet\n\naz aks get-credentials --resource-group byocni --name byocni","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"9051bf5e-4eb8-4739-bfe8-cea35838ac28","_type":"block","children":[{"_key":"e6b75463-4c55-4cc3-9587-7d8c1c57ae6b","_type":"span","marks":[],"text":"Create an unmanaged AKS nodepool in a different subnet."}],"markDefs":[],"style":"h4"},{"_key":"99edf1d1-8799-4bf2-ac58-3b563ef515aa","_type":"block","children":[{"_key":"d6027a07-d5b9-4953-a11f-d5273b059fe5","_type":"span","marks":[],"text":"Create an AKS nodepool in the egressgw-subnet (created in the previous step)."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:13Z","_id":"a45e682d-9b38-4393-39f2-c268ffad967d","_key":"24097343-61cd-41a0-b2cb-3d3482f179b0","_ref":"a45e682d-9b38-4393-39f2-c268ffad967d","_rev":"9px8ir0NfLa6aydsXNQH5y","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:23Z","code":"az aks nodepool add -g byocni --cluster-name byocni -n egressgw --enable-node-public-ip --node-count 2 --vnet-subnet-id /subscriptions/#######################################/resourceGroups/byocni/providers/Microsoft.Network/virtualNetworks/byocni-vnet/subnets/egressgw-subnet --vm-set-type VirtualMachineScaleSets --zones 1 2","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"9cacd331-d131-4548-a262-499a74dbd6cc","_type":"block","children":[{"_key":"c5016e9f-c2be-48f6-be27-33ff2a580999","_type":"span","marks":[],"text":"Assign a label to the unmanaged nodepool"}],"markDefs":[],"style":"h4"},{"_key":"500437505148","_type":"block","children":[{"_key":"bd540a1c3ef2","_type":"span","marks":[],"text":"Create a node pool with a label and specify a name for the "},{"_key":"345afb19d1ea","_type":"span","marks":["code"],"text":"--name"},{"_key":"0adb189851e2","_type":"span","marks":[],"text":" parameters and labels for the "},{"_key":"f558fbc720cc","_type":"span","marks":["code"],"text":"--labels"},{"_key":"b9821a5711d7","_type":"span","marks":[],"text":" Parameter. Labels must be a key/value pair and have a "},{"_key":"ba7a241a826f","_type":"span","marks":["f7679fd145b8"],"text":"valid syntax"},{"_key":"5ac9132fb46c","_type":"span","marks":[],"text":"."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"f7679fd145b8","_type":"link","href":"https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set"}],"style":"normal"},{"_createdAt":"2024-09-30T11:19:56Z","_id":"8007b4f4-310e-160e-ead0-911dd68574a3","_key":"b0fa4f75-2f2d-4b6d-992e-b4ebf04de255","_ref":"8007b4f4-310e-160e-ead0-911dd68574a3","_rev":"9px8ir0NfLa6aydsXNQHLX","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:04Z","code":"az aks nodepool update --resource-group byocni --cluster-name byocni --name egressgw --labels io.cilium/egress-gateway=true","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"3133b0d0-a8ad-45c6-b347-49138d63fe73","_type":"block","children":[{"_key":"b3d11a7a-62b0-4976-814e-a67123b1733f","_type":"span","marks":[],"text":"Check the status of the nodes."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:15Z","_id":"6f5d0322-2b67-3590-93b0-6e2937d14d3e","_key":"474ef016-d206-4780-8d55-b12c4b6d953f","_ref":"6f5d0322-2b67-3590-93b0-6e2937d14d3e","_rev":"9px8ir0NfLa6aydsXNQHRl","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:25Z","code":"kubectl get nodes -o wide\n\nNAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME\naks-byocni-22760683-vmss000000 Ready 16d v1.29.2 192.168.10.4 Ubuntu 22.04.4 LTS 5.15.0-1060-azure containerd://1.7.15-1\naks-byocni-22760683-vmss000001 Ready 16d v1.29.2 192.168.10.5 Ubuntu 22.04.4 LTS 5.15.0-1060-azure containerd://1.7.15-1\naks-egressgw-27814974-vmss000000 Ready 15d v1.29.2 192.168.11.4 20.151.98.78 Ubuntu 22.04.4 LTS 5.15.0-1060-azure containerd://1.7.15-1\naks-egressgw-27814974-vmss000001 Ready 15d v1.29.2 192.168.11.5 4.172.207.202 Ubuntu 22.04.4 LTS 5.15.0-1060-azure containerd://1.7.15-1","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"cb59ba46-de1b-4f05-8613-8ae7f6174a48","_type":"block","children":[{"_key":"51daf8e5-84f5-45ee-a53c-64210e99fb5d","_type":"span","marks":[],"text":"Note- this doesn’t create a new NIC. It means traffic from the client pod is EGW-redirected to the egress-node: \"true\" node’s eth0 192.168.11.5 or 192.168.11.4, and from there, it’s also automatically NATed to the node assigned public IP."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"53ee55f59f83","_type":"block","children":[{"_key":"43a25f1b8536","_type":"span","marks":[],"text":"Check that all nodes have been created in different Availability Zones."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:16Z","_id":"49dc8968-083d-cf16-fce8-18f339b171ba","_key":"f314cb8b-f654-4238-8f46-1139444081ec","_ref":"49dc8968-083d-cf16-fce8-18f339b171ba","_rev":"9px8ir0NfLa6aydsXNQHb6","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:26Z","code":"kubectl describe nodes | grep -e \"Name:\" -e \"topology.kubernetes.io/zone\"\n\nName: aks-byocni-22760683-vmss000000\n topology.kubernetes.io/zone=canadacentral-2\nName: aks-byocni-22760683-vmss000001\n topology.kubernetes.io/zone=canadacentral-1\nName: aks-egressgw-27814974-vmss000000\n topology.kubernetes.io/zone=canadacentral-1\nName: aks-egressgw-27814974-vmss000001\n topology.kubernetes.io/zone=canadacentral-2","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"d5ab5287-43b1-41ee-9156-49b2db30bfc7","_type":"block","children":[{"_key":"427e04fe-0af0-460d-a23e-34663477c233","_type":"span","marks":[],"text":"Install Isovalent Enteprise for Cilium"}],"markDefs":[],"style":"h4"},{"_key":"47273d372821","_type":"block","children":[{"_key":"b03873e554aa","_type":"span","marks":[],"text":"Users can contact their partner Sales/SE representative(s) at "},{"_key":"b6c3007ede51","_type":"span","marks":["988b6a5fb70d"],"text":"sales@isovalent.com"},{"_key":"f95ef09c91e2","_type":"span","marks":[],"text":" to access the requisite documentation and how to "},{"_key":"772ff246e0a1","_type":"span","marks":["6adfda4c325d"],"text":"install Isovalent Enteprpise for Cilium on an AKS cluster with BYOCNI"},{"_key":"5db28587572e","_type":"span","marks":[],"text":" as the network plugin."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"988b6a5fb70d","_type":"link","href":"mailto:sales@isovalent.com"},{"_key":"6adfda4c325d","_type":"link","href":"https://docs.isovalent.com/operations-guide/installation/clean-install.html"}],"style":"normal"},{"_key":"d0e60783eb6c","_type":"block","children":[{"_key":"199b6526c3e1","_type":"span","marks":[],"text":"Make sure that the following Helm values are taken into account while enabling the Egress Gateway feature:"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:19:58Z","_id":"368345dc-52cb-3b04-54ed-e6f842a9591e","_key":"97c31e98-651d-4dfa-86d4-b2d4a16469ed","_ref":"368345dc-52cb-3b04-54ed-e6f842a9591e","_rev":"be3C7ysj1QqQyrHso4aPED","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:06Z","code":"--set egressGateway.enabled=true \n--set enterprise.egressGatewayHA.enabled=true \n--set bpf.masquerade=true \n--set kubeProxyReplacement=true \n--set l7Proxy=false","language":"yaml","title":"yaml - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"4e4388c9-80b8-492d-b221-33b2b2d5c529","_type":"block","children":[{"_key":"c3d1f1c7-af1e-4d65-93ba-9ff8c3b4990e","_type":"span","marks":[],"text":"Restart Cilium Operator and Cilium Daemonset"}],"markDefs":[],"style":"h4"},{"_key":"283e8280-22ad-4c5e-8b92-1a2266b700b5","_type":"block","children":[{"_key":"f46d10a5-af57-4f99-80d5-f8c0fe911915","_type":"span","marks":[],"text":"Restart the cilium operator and cilium daemonset for egress gateway changes to take effect. "}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:19:59Z","_id":"048cd8b3-b161-1d54-ce97-3dd6907f2e24","_key":"a0c59120-891b-447f-a16d-a148537a7d99","_ref":"048cd8b3-b161-1d54-ce97-3dd6907f2e24","_rev":"P5GVFsWfT1LlxauxUA3o3B","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:07Z","code":"kubectl rollout restart ds cilium -n kube-system\nkubectl rollout restart deploy cilium-operator -n kube-system","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"c798799c-92d1-4b1a-a462-c813abd38b5c","_type":"block","children":[{"_key":"8c09dcd5-e0a3-4a91-96d8-e68dce3c9faa","_type":"span","marks":[],"text":"Check the status of the pods."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:01Z","_id":"07241693-4c2e-2378-0839-ec2f785240b9","_key":"5e8371e1-92ea-40db-80d7-a38d640be5c4","_ref":"07241693-4c2e-2378-0839-ec2f785240b9","_rev":"e9qWp8BVYg77bOSczeJ6O3","_type":"codeBlock","_updatedAt":"2025-05-30T23:25:32Z","code":"$1f","language":"bash","lineRestriction":8,"restrictHeight":true,"title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"df48e08b-4d15-44df-b2bb-d2da32b9e323","_type":"block","children":[{"_key":"760a5467-cff1-4e2b-b338-cb9630662f45","_type":"span","marks":[],"text":"Create an Egress Gateway Policy"}],"markDefs":[],"style":"h4"},{"_key":"1dc51f0c-6d7e-428c-8fb3-387ea5f4b828","_type":"block","children":[{"_key":"155e9826-39c5-4bb5-b4c2-5b1e6d8c647b","_type":"span","marks":[],"text":"The API provided by Isovalent to drive the Egress Gateway feature is the "},{"_key":"23d71a15-9831-404a-a611-16ce559d4f21","_type":"span","marks":["code"],"text":"IsovalentEgressGatewayPolicy"},{"_key":"cc564d7c-9649-4dc4-a030-e91722276060","_type":"span","marks":[],"text":" resource."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:19:52Z","_id":"fc597bcd-4039-d47f-b801-9988c8e60bba","_key":"ac6d4ebe-5f34-4974-b7db-06282cacacef","_ref":"fc597bcd-4039-d47f-b801-9988c8e60bba","_rev":"P5GVFsWfT1LlxauxUA3ok0","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:00Z","code":"apiVersion: isovalent.com/v1\nkind: IsovalentEgressGatewayPolicy\nmetadata:\n name: egress-sample\nspec:\n destinationCIDRs:\n - \"192.168.11.0/24\"\n selectors:\n - podSelector: {}\n egressGroups:\n -\n nodeSelector:\n matchLabels:\n egress-node: \"true\"","language":"yaml","title":"yaml - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"ceaf2330-41d5-4506-8efd-a934d23de329","_type":"block","children":[{"_key":"3b7d88be-a8aa-4ace-9d3e-92ddc17739c9","_type":"span","marks":[],"text":"Testing Egress Gateway"}],"markDefs":[],"style":"h4"},{"_key":"b4d9d13932df","_type":"block","children":[{"_key":"323de6167696","_type":"span","marks":[],"text":"Deploy a client pod and apply the "},{"_key":"49f46dc2d8f7","_type":"span","marks":["code"],"text":"IsovalentEgressGatewayPolicy"},{"_key":"a4b625c40e12","_type":"span","marks":[],"text":", and observe that the pod’s connection gets redirected through the Gateway node."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"71bbaeb84d0c","_type":"block","children":[{"_key":"7f514e358f1d","_type":"span","marks":[],"text":"The client pod gets deployed to one of the two nodes (managed), and the IEGP (Isovalent Egress Gateway Policy) selects one or both the nodes ( depending on the egress gateway IPs specified) as the Gateway node."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"c32e0fb9b72e","_type":"block","children":[{"_key":"4575193d2c7d","_type":"span","marks":[],"text":"Sample client pod yaml:"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:17Z","_id":"dab9a9ba-00c7-8b3e-523e-ddbf8bfe775e","_key":"02202361-f261-44b2-be58-462bfbf1931b","_ref":"dab9a9ba-00c7-8b3e-523e-ddbf8bfe775e","_rev":"be3C7ysj1QqQyrHso4aPUH","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:31Z","code":"apiVersion: v1\nkind: Pod\nmetadata:\n creationTimestamp: null\n labels:\n run: busybox\n name: busybox\nspec:\n containers:\n - image: nginx\n name: nginx\n command:\n - /bin/sh\n - -c\n securityContext:\n capabilities:\n add:\n - NET_ADMIN # Add the cap_net_admin capability\n env:\n - name: EGRESS_IPS\n value: 192.168.11.5/24, 192.168.11.4/24\n resources: {}\n dnsPolicy: ClusterFirst\n nodeSelector:\n kubernetes.io/hostname: aks-byocni-22760683-vmss000000\n restartPolicy: Always\nstatus: {}","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"1322c384-22bb-41fb-8b51-44ef3248a962","_type":"block","children":[{"_key":"8583c097-533b-4be8-a773-db0990aa7484","_type":"span","marks":[],"text":"Create the client pod and check that it's up and running and pinned on one of the worker nodes as specified in the yaml file for the client pod."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:18Z","_id":"6cbba070-faf4-92a8-696d-eb143448cbd8","_key":"da6f7192-c09a-4f9e-9e52-ab8f7dd179e4","_ref":"6cbba070-faf4-92a8-696d-eb143448cbd8","_rev":"P5GVFsWfT1LlxauxUA3obR","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:32Z","code":"kubectl apply -f busyboxegressgw.yaml\n\nkubectl get pods -o wide\nNAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES\nbusybox 1/1 Running 0 3h53m 10.0.0.241 aks-byocni-22760683-vmss000000 ","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"b68de620-537e-4287-ae27-cda4dcdb88c8","_type":"block","children":[{"_key":"4a939632-3cb4-4436-b91e-f4a463186002","_type":"span","marks":[],"text":"Apply an Egress Gateway Policy"}],"markDefs":[],"style":"h5"},{"_key":"acbe9c52-927c-4dc1-b300-aaacb351ef54","_type":"block","children":[{"_key":"60c66ecc-7fb7-4b35-832b-119089892faf","_type":"span","marks":[],"text":"Apply an Egress Gateway Policy"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:19:52Z","_id":"fc597bcd-4039-d47f-b801-9988c8e60bba","_key":"1dbd4c99-0fed-4481-856a-83a3bf9da5c7","_ref":"fc597bcd-4039-d47f-b801-9988c8e60bba","_rev":"P5GVFsWfT1LlxauxUA3ok0","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:00Z","code":"apiVersion: isovalent.com/v1\nkind: IsovalentEgressGatewayPolicy\nmetadata:\n name: egress-sample\nspec:\n destinationCIDRs:\n - \"192.168.11.0/24\"\n selectors:\n - podSelector: {}\n egressGroups:\n -\n nodeSelector:\n matchLabels:\n egress-node: \"true\"","language":"yaml","title":"yaml - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"b647c7d9-babc-4cde-b638-2e3c8def24f1","_type":"block","children":[{"_key":"ae8817f8-ade1-4144-b853-f41287dbec64","_type":"span","marks":[],"text":"Label the Egress Gateway Node"}],"markDefs":[],"style":"h5"},{"_key":"7d393129-67fa-4491-a0b3-6fd16bc62b3f","_type":"block","children":[{"_key":"8e296d30-b0c9-4108-8981-2276140d7a97","_type":"span","marks":[],"text":"To let the policy select the node designated as the Egress Gateway, apply the label, "},{"_key":"1b5e6330-d2db-47ed-8e68-4ad00a92bb64","_type":"span","marks":["code"],"text":"egress-node:true"},{"_key":"a61daebb-8bff-4892-8695-72c869711963","_type":"span","marks":[],"text":" to it:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:19Z","_id":"2fe21478-18d6-6e84-3d2b-55539f51b2b6","_key":"4339b199-57cd-4afd-a401-56649b033fad","_ref":"2fe21478-18d6-6e84-3d2b-55539f51b2b6","_rev":"9px8ir0NfLa6aydsXNQIkh","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:34Z","code":"$20","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"bf55e742-8993-42ac-8693-8f57382326f7","_type":"block","children":[{"_key":"b057cb0f-f2c8-481e-ba7a-f6302b0b600d","_type":"span","marks":[],"text":"Create a test VM in the Egress Gateway subnet."}],"markDefs":[],"style":"h5"},{"_key":"5dcbea6b1230","_type":"block","children":[{"_key":"f94263ada9f5","_type":"span","marks":[],"text":"Create a VM in the same subnet as Egress Gateway and run a simple service on port 80 (like NGINX) that will respond to traffic sent from a pod on one of the worker nodes."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"70b2122b8462","_type":"block","children":[{"_key":"c2862172891c","_type":"span","marks":[],"text":"Test VM IP, in this case, is "},{"_key":"a1454f9f0c6f","_type":"span","marks":["code"],"text":"192.168.11.4"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:08Z","_id":"2b9eef4b-6c0c-671a-9200-c0577f3474c0","_key":"952bf410-513b-491f-a05a-d17de27425a8","_ref":"2b9eef4b-6c0c-671a-9200-c0577f3474c0","_rev":"be3C7ysj1QqQyrHso4aQ4Q","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:17Z","code":"2: eth0: mtu 1500 qdisc mq state UP group default qlen 1000\n link/ether 00:22:48:3c:63:51 brd ff:ff:ff:ff:ff:ff\n inet 192.168.11.4/24 brd 192.168.11.255 scope global eth0\n valid_lft forever preferred_lft forever\n inet6 fe80::222:48ff:fe3c:6351/64 scope link\n valid_lft forever preferred_lft forever","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"48ead9b4-7e8d-4147-9e09-0b9341d07392","_type":"block","children":[{"_key":"1fb8d482-ba05-4797-a54c-5f25b1e8b17d","_type":"span","marks":[],"text":"Traffic Generation (towards the server in Egress GW subnet)"}],"markDefs":[],"style":"h5"},{"_key":"0710b59f-9e93-4402-8ccd-1c79b5661f1b","_type":"block","children":[{"_key":"16ed1c3d-e90b-4350-984c-1e0537bb1408","_type":"span","marks":[],"text":"Send traffic toward the test VM."}],"markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:09Z","_id":"ea67c614-ba56-6439-10ea-45107c1e20d4","_key":"209ca9af-385a-4d7d-b37d-6234829cd3c2","_ref":"ea67c614-ba56-6439-10ea-45107c1e20d4","_rev":"P5GVFsWfT1LlxauxUA3opi","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:18Z","code":"kubectl exec busybox -- curl -I 192.168.11.4\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n 0 612 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\nHTTP/1.1 200 OK\nServer: nginx/1.18.0 (Ubuntu)\nDate: Mon, 29 Apr 2024 12:44:07 GMT\nContent-Type: text/html\nContent-Length: 612\nLast-Modified: Mon, 29 Apr 2024 08:55:12 GMT\nConnection: keep-alive\nETag: \"662f6070-264\"\nAccept-Ranges: byte","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"588f07f9-c39d-4590-bd06-ed094da0b49f","_type":"block","children":[{"_key":"29bef751-da92-4111-aeec-fa1810e70272","_type":"span","marks":[],"text":"Traffic Generation (outside of the cluster towards the Internet)"}],"markDefs":[],"style":"h5"},{"_key":"8e5ff331-a216-4a92-8872-badebb197f83","_type":"block","children":[{"_key":"6abba873-0da2-47b5-ac15-5d83e4cd8ecc","_type":"span","marks":[],"text":"Send traffic to a public service."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"51117f8a9797","_type":"block","children":[{"_key":"083465df672a","_type":"span","marks":[],"text":"Note the IP it returns is the egress gateway node’s Public IP."}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:20Z","_id":"a8454484-e2f1-1fbc-2311-37287833972c","_key":"42b7db6f-d8e7-4e5f-ae70-798980db4ef3","_ref":"a8454484-e2f1-1fbc-2311-37287833972c","_rev":"be3C7ysj1QqQyrHso4aRYn","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:37Z","code":"kubectl exec busybox -- curl ifconfig.me\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n100 13 100 13 0 0 161 0 --:--:-- --:--:-- --:--:-- 162\n\n4.172.200.224\n\nkubectl exec busybox -- curl ifconfig.me\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n100 13 100 13 0 0 155 0 --:--:-- --:--:-- --:--:-- 15620.63.116.127","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"2d2b144d984c","_type":"block","children":[{"_key":"6a31dd9cf071","_type":"span","marks":[],"text":"Take a tcpdump from one of the egress gateway nodes."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"aaef35ddd34c","_type":"block","children":[{"_key":"c10778f7211b","_type":"span","marks":[],"text":"Install tcpdump on the egress gateway node via "},{"_key":"54b5d16ba7fd","_type":"span","marks":["code"],"text":"apt-get install tcpdump"},{"_key":"ae51662de52f","_type":"span","marks":[],"text":"."}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"e063d33a0b74","_type":"block","children":[{"_key":"fbb000e80caf","_type":"span","marks":[],"text":"As you can see "},{"_key":"c1d18a56ceef","_type":"span","marks":["code"],"text":"10.0.0.225"},{"_key":"542b3ab86f36","_type":"span","marks":[],"text":" is the client-pod IP that the egress gateway node is receiving packets from and "},{"_key":"0f86147340b6","_type":"span","marks":["code"],"text":"192.168.11.5"},{"_key":"f05e62431733","_type":"span","marks":[],"text":" is the egress gateway node’s "},{"_key":"594b4ceecab3","_type":"span","marks":["code"],"text":"eth0"},{"_key":"5a57738d216f","_type":"span","marks":[],"text":" IP address."}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:21Z","_id":"376749e7-0387-e315-f583-c2389f00bf4f","_key":"73087fe5-9600-4b6e-aa00-7e1eb649aa95","_ref":"376749e7-0387-e315-f583-c2389f00bf4f","_rev":"9px8ir0NfLa6aydsXNQMlj","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:38Z","code":"$21","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"bbb26bf2-52fe-4f81-9b08-1bedac77a4fe","_type":"block","children":[{"_key":"89c623e8-2e55-414c-9baa-1fea13c1050b","_type":"span","marks":[],"text":"Availability Zone Affinity"}],"markDefs":[],"style":"h3"},{"_key":"47deb999-2db4-4484-99a7-db61f7c1adea","_type":"block","children":[{"_key":"cac20a18-38cd-4670-8fa9-7cd8e96cbf1e","_type":"span","marks":[],"text":"It is possible to control the AZ affinity of the egress gateway traffic with "},{"_key":"ce03f322-6fee-4386-b6a6-973fd66f8185","_type":"span","marks":["code"],"text":"azAffinity"},{"_key":"2fb18ba5-c4e4-463c-84db-2d24232aa986","_type":"span","marks":[],"text":". This feature relies on the well-known, "},{"_key":"e2f2a968-9fd3-4345-8df2-2d3a63780eb6","_type":"span","marks":["code"],"text":"topology.kubernetes.io/zone"},{"_key":"96436e1b-a331-49cc-b0f3-6f25f1f020dd","_type":"span","marks":[],"text":" node label to match or prefer gateway nodes within the same AZ of the source pods (\"local\" gateways) based on the configured mode of operation."}],"markDefs":[],"style":"normal"},{"_key":"94e2e5f48c12","_type":"block","children":[{"_key":"cd8092265790","_type":"span","marks":[],"text":"The following modes of operation are available:"}],"markDefs":[],"style":"normal"},{"_key":"98e048412722","_type":"block","children":[{"_key":"33cdb1ea699f","_type":"span","marks":["code"],"text":"disabled: "},{"_key":"eb803b03cbd7","_type":"span","marks":[],"text":"This mode uses all the active gateways available, regardless of their AZ. This is the default mode of operation."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"cb422e57ccb4","_type":"block","children":[{"_key":"7ac333547226","_type":"span","marks":[],"text":"By taking a tcpdump from both the egress nodes, we can see that the traffic flows across both the egress nodes."}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"1abbcd19c2a0","_type":"block","children":[{"_key":"97fd64f08b0e","_type":"span","marks":[],"text":"sample egress policy for the mode of operation"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:22Z","_id":"1cd006d1-ea75-4502-95a2-a3e482ef305a","_key":"69c69f49-33ca-449d-a53a-767daad42f82","_ref":"1cd006d1-ea75-4502-95a2-a3e482ef305a","_rev":"9px8ir0NfLa6aydsXNQNfl","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:39Z","code":"apiVersion: isovalent.com/v1\nkind: IsovalentEgressGatewayPolicy\nmetadata:\n name: egress-sample\nspec:\n destinationCIDRs:\n - \"192.168.11.0/24\"\n selectors:\n - podSelector: {}\n azAffinity: disabled\n egressGroups:\n -\n nodeSelector:\n matchLabels:\n egress-node: \"true\"\n topology.kubernetes.io/zone: canadacentral-1\n -\n nodeSelector:\n matchLabels:\n egress-node: \"true\"\n topology.kubernetes.io/zone: canadacentral-2","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_createdAt":"2024-09-30T11:20:36Z","_id":"e82ff284-1719-cf6e-0cf5-a996bfb2feee","_key":"010f9a58-3666-4966-a418-1c612ab651c4","_ref":"e82ff284-1719-cf6e-0cf5-a996bfb2feee","_rev":"VO3Rz3CKgO8VZQnLmrPRGE","_type":"mediaImage","_updatedAt":"2024-09-30T11:20:36Z","alignment":"center","image":{"_type":"image","asset":{"_ref":"image-7cafd8207e02a7138c7b6777e980173de0734bcd-2560x1080-png","_type":"reference"},"crop":{"_type":"sanity.imageCrop","bottom":0,"left":0,"right":0,"top":0},"hotspot":{"_type":"sanity.imageHotspot","height":1,"width":1,"x":0.5,"y":0.5}},"languages":["en"],"originalFilename":"Screenshot-2024-04-30-at-13.10.45.png","size":"large","title":"Screenshot-2024-04-30-at-13.10.45.png - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Image","url":"https://cdn.sanity.io/images/xinsvxfu/production/7cafd8207e02a7138c7b6777e980173de0734bcd-2560x1080.png"},{"_key":"e6438493ceed","_type":"block","children":[{"_key":"7b5e2f25dfa0","_type":"span","marks":["code"],"text":"localOnly"},{"_key":"d54ea7a6f0ca","_type":"span","marks":[],"text":": This mode selects only local gateways. If no local gateways are available, traffic will not pass through the non-local gateways and will be dropped."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"22a53e6d382c","_type":"block","children":[{"_key":"059230b9e04b","_type":"span","marks":[],"text":"By taking a tcpdump from both the egress nodes, we can see that the traffic flows across one of the local gateways."}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"8d71d38bb304","_type":"block","children":[{"_key":"898eec416781","_type":"span","marks":[],"text":"sample egress policy for the mode of operation"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:23Z","_id":"b27aca0b-e890-8a75-6a31-cd30e3bf80a8","_key":"a7ed083e-b441-4af9-adc5-8044be9f7037","_ref":"b27aca0b-e890-8a75-6a31-cd30e3bf80a8","_rev":"be3C7ysj1QqQyrHso4aVVm","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:40Z","code":"apiVersion: isovalent.com/v1\nkind: IsovalentEgressGatewayPolicy\nmetadata:\n name: egress-sample\nspec:\n destinationCIDRs:\n - \"192.168.11.0/24\"\n selectors:\n - podSelector: {}\n azAffinity: localOnly\n egressGroups:\n -\n nodeSelector:\n matchLabels:\n egress-node: \"true\"\n topology.kubernetes.io/zone: canadacentral-1\n -\n nodeSelector:\n matchLabels:\n egress-node: \"true\"\n topology.kubernetes.io/zone: canadacentral-2","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_createdAt":"2024-09-30T11:20:35Z","_id":"90ed9214-a3e6-77dd-8dd9-aeb94c3a1b14","_key":"6c040b4a-6b60-4330-ab1f-e7f66c1319e2","_ref":"90ed9214-a3e6-77dd-8dd9-aeb94c3a1b14","_rev":"Od5GBPOpQCpKCdmrmvLX3W","_type":"mediaImage","_updatedAt":"2024-09-30T11:20:35Z","alignment":"center","image":{"_type":"image","asset":{"_ref":"image-1f245c3a5e713ecc413203d626799cf2387f2a10-2560x1080-png","_type":"reference"},"crop":{"_type":"sanity.imageCrop","bottom":0,"left":0,"right":0,"top":0},"hotspot":{"_type":"sanity.imageHotspot","height":1,"width":1,"x":0.5,"y":0.5}},"languages":["en"],"originalFilename":"Screenshot-2024-04-30-at-13.11.40-1.png","size":"large","title":"Screenshot-2024-04-30-at-13.11.40-1.png - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Image","url":"https://cdn.sanity.io/images/xinsvxfu/production/1f245c3a5e713ecc413203d626799cf2387f2a10-2560x1080.png"},{"_key":"e9bfa34986a4","_type":"block","children":[{"_key":"cfc189a6e3e2","_type":"span","marks":["code"],"text":"localOnlyFirst: "},{"_key":"af87f8b9d061","_type":"span","marks":[],"text":"This mode selects only local gateways as long as at least one is available in a given AZ. When no more local gateways are available, non-local gateways will be selected."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"9d9e60f80afa","_type":"block","children":[{"_key":"6bcf2a25250d","_type":"span","marks":[],"text":"By taking a tcpdump from both the egress nodes, we can see that the traffic flows across one of the local gateways."}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"87a4442304cc","_type":"block","children":[{"_key":"d0a92167a1df","_type":"span","marks":[],"text":"sample egress policy for the mode of operation"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:24Z","_id":"192161c2-6a63-4449-adef-63d661043f67","_key":"efab015d-a449-4c5b-8c2c-93d09f4215eb","_ref":"192161c2-6a63-4449-adef-63d661043f67","_rev":"9px8ir0NfLa6aydsXNQPNb","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:41Z","code":"apiVersion: isovalent.com/v1\nkind: IsovalentEgressGatewayPolicy\nmetadata:\n name: egress-sample\nspec:\n destinationCIDRs:\n - \"192.168.11.0/24\"\n selectors:\n - podSelector: {}\n azAffinity: localOnlyFirst\n egressGroups:\n -\n nodeSelector:\n matchLabels:\n egress-node: \"true\"\n topology.kubernetes.io/zone: canadacentral-1\n -\n nodeSelector:\n matchLabels:\n egress-node: \"true\"\n topology.kubernetes.io/zone: canadacentral-2","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_createdAt":"2024-09-30T11:20:32Z","_id":"07680fcf-d0fb-96a4-f88f-c37e7f0642ca","_key":"0d2a8da1-89b5-4c0c-a7f5-2383c1f5e81e","_ref":"07680fcf-d0fb-96a4-f88f-c37e7f0642ca","_rev":"KumNi9dIgfgqhzzomxnzFj","_type":"mediaImage","_updatedAt":"2024-09-30T11:20:32Z","alignment":"center","image":{"_type":"image","asset":{"_ref":"image-54d2903d915e449d086bdc8a47fe0ef8504f479e-2560x1080-png","_type":"reference"},"crop":{"_type":"sanity.imageCrop","bottom":0,"left":0,"right":0,"top":0},"hotspot":{"_type":"sanity.imageHotspot","height":1,"width":1,"x":0.5,"y":0.5}},"languages":["en"],"originalFilename":"Screenshot-2024-04-30-at-13.12.53-1.png","size":"large","title":"Screenshot-2024-04-30-at-13.12.53-1.png - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Image","url":"https://cdn.sanity.io/images/xinsvxfu/production/54d2903d915e449d086bdc8a47fe0ef8504f479e-2560x1080.png"},{"_key":"56eafafdfa9b","_type":"block","children":[{"_key":"88b89f6441eb","_type":"span","marks":["code"],"text":"localPriority"},{"_key":"6712955f6700","_type":"span","marks":[],"text":": this mode selects all gateways, but local gateways are picked up "},{"_key":"fa41f25eef26","_type":"span","marks":["em"],"text":"first"},{"_key":"69a87d95fce8","_type":"span","marks":[],"text":". In conjunction with "},{"_key":"e2464439c38d","_type":"span","marks":["code"],"text":"maxGatewayNodes"},{"_key":"eea416a8a71e","_type":"span","marks":[],"text":", this can prioritize local gateways over non-local ones, allowing for a graceful fallback to non-local gateways in case the local ones become unavailable."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"353814f98d0a","_type":"block","children":[{"_key":"62d1f97e33d3","_type":"span","marks":[],"text":"By taking a tcpdump from both the egress nodes, we can see that the traffic flows across one of the local gateways."}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"7b33e7dff3b2","_type":"block","children":[{"_key":"3337f01b3a1e","_type":"span","marks":[],"text":"sample egress policy for the mode of operation"}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:25Z","_id":"1cde18cf-4d70-5169-c438-47e83a0edbd1","_key":"edd83133-6ae3-421e-a2e8-3acc4065905c","_ref":"1cde18cf-4d70-5169-c438-47e83a0edbd1","_rev":"9px8ir0NfLa6aydsXNQPTp","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:43Z","code":"apiVersion: isovalent.com/v1\nkind: IsovalentEgressGatewayPolicy\nmetadata:\n name: egress-sample\nspec:\n destinationCIDRs:\n - \"192.168.11.0/24\"\n selectors:\n - podSelector: {}\n azAffinity: localPriority\n egressGroups:\n -\n nodeSelector:\n matchLabels:\n egress-node: \"true\"\n topology.kubernetes.io/zone: canadacentral-1\n -\n nodeSelector:\n matchLabels:\n egress-node: \"true\"\n topology.kubernetes.io/zone: canadacentral-2","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_createdAt":"2024-09-30T11:20:34Z","_id":"674dbfd7-2e10-5405-d6c2-e1063145cc6f","_key":"8446ce9e-4720-4d8b-a225-91ae3daa7a69","_ref":"674dbfd7-2e10-5405-d6c2-e1063145cc6f","_rev":"VO3Rz3CKgO8VZQnLmrPRDU","_type":"mediaImage","_updatedAt":"2024-09-30T11:20:34Z","alignment":"center","image":{"_type":"image","asset":{"_ref":"image-0f70661f02cdef23e63ced29f1e63d64e9ab3d9b-2560x1080-png","_type":"reference"},"crop":{"_type":"sanity.imageCrop","bottom":0,"left":0,"right":0,"top":0},"hotspot":{"_type":"sanity.imageHotspot","height":1,"width":1,"x":0.5,"y":0.5}},"languages":["en"],"originalFilename":"Screenshot-2024-04-30-at-13.14.01.png","size":"large","title":"Screenshot-2024-04-30-at-13.14.01.png - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Image","url":"https://cdn.sanity.io/images/xinsvxfu/production/0f70661f02cdef23e63ced29f1e63d64e9ab3d9b-2560x1080.png"},{"_key":"4d90a277-99f9-4d26-b845-b843f0105efa","_type":"block","children":[{"_key":"c00f0bec-3026-42eb-a618-4ed44de8c7bb","_type":"span","marks":[],"text":"How can you scale the Egress Gateway solution?"}],"markDefs":[],"style":"h2"},{"_key":"b88d9afb56c2","_type":"block","children":[{"_key":"a042dd0b76fc","_type":"span","marks":[],"text":"With "},{"_key":"12ed925c3a62","_type":"span","marks":["d2f0083d0e30"],"text":"Isovalent Enterprise for the Cilium 1.16 release"},{"_key":"6786750121d9","_type":"span","marks":[],"text":", we introduced the support for "},{"_key":"07127d1063aa","_type":"span","marks":["strong"],"text":"Egress Gateway IPAM"},{"_key":"78e75c363596","_type":"span","marks":[],"text":" and combined it with BGP to cater to the Egress GW scaling needs."}],"markDefs":[{"_key":"d2f0083d0e30","_type":"link","href":"https://isovalent.com/blog/post/isovalent-enterprise-for-cilium-1-16/#h-egress-gateway-ipam"}],"style":"normal"},{"_key":"b5d5ee8116a2","_type":"block","children":[{"_key":"b3dfce5f79ef","_type":"span","marks":[],"text":"We have also used Azure Route Server to demonstrate how Cilium can use the same Egress GW Node IP’s advertisement for multiple "},{"_key":"3461b4ea40e3","_type":"span","marks":["strong"],"text":"BGP Peers"},{"_key":"92acc6ad2aa0","_type":"span","marks":[],"text":" and how application VMs peering with the Azure Route Server from different VNETs can access the services."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2025-05-30T23:36:06Z","_id":"caca8ad4-f056-4163-8c5a-6e0f41bf50ed","_key":"4cabb0e455d1","_ref":"caca8ad4-f056-4163-8c5a-6e0f41bf50ed","_rev":"e9qWp8BVYg77bOSczeKQbJ","_type":"mediaImage","_updatedAt":"2025-05-30T23:36:10Z","alignment":"center","clickToEnlarge":false,"image":{"_type":"image","asset":{"_ref":"image-2cef8a5080a1ac2f6a7cf46d173b530edc01b614-1638x587-webp","_type":"reference"}},"languages":["en"],"offset":0,"rounded":false,"scale":0,"size":"large","url":"https://cdn.sanity.io/images/xinsvxfu/production/2cef8a5080a1ac2f6a7cf46d173b530edc01b614-1638x587.webp"},{"_key":"5fef85ced3c7","_type":"block","children":[{"_key":"3aceb87fbe02","_type":"span","marks":["strong"],"text":"Pre-Requisites"}],"markDefs":[],"style":"normal"},{"_key":"1bc717541e1a","_type":"block","children":[{"_key":"b1a572336b19","_type":"span","marks":[],"text":"Azure Route Server has a "},{"_key":"dde6648cf3d4","_type":"span","marks":["99f38a6d2207"],"text":"limit "},{"_key":"f1bcabdb75df","_type":"span","marks":[],"text":"of 8 BGP Peers."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"99f38a6d2207","_type":"link","href":"https://learn.microsoft.com/en-us/azure/route-server/overview#route-server-limits"}],"style":"normal"},{"_key":"9bbfce1fb4c2","_type":"block","children":[{"_key":"a7c2850ade20","_type":"span","marks":[],"text":"Application VM running on-premise."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"dbc208cb5b14","_type":"block","children":[{"_key":"3fbafff133e4","_type":"span","marks":[],"text":"The Egress Gateway configuration is already described in this section."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"5fe487fd8b20","_type":"block","children":[{"_key":"bcbfae0fa9e0","_type":"span","marks":[],"text":"Note the node IPs of the Egress Gateways. These will be used to add as peers in Azure Route Server configuration.\n"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-05-30T23:40:29Z","_id":"1f3e1424-7e9a-4c5c-9a36-3ab4144604b5","_key":"7e2aa886f862","_ref":"1f3e1424-7e9a-4c5c-9a36-3ab4144604b5","_rev":"PCAo7lqnhsEmi6r6qhm9kv","_type":"codeBlock","_updatedAt":"2025-05-30T23:41:02Z","code":"kubectl get nodes -o wide --selector egress-node=true\nNAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME\naks-egressgw-26124580-vmss000000 Ready 30d v1.29.10 192.168.8.36 20.185.176.35 Ubuntu 22.04.5 LTS 5.15.0-1073-azure containerd://1.7.22-1\naks-egressgw-26124580-vmss000001 Ready 30d v1.29.10 192.168.8.37 172.174.59.5 Ubuntu 22.04.5 LTS 5.15.0-1073-azure containerd://1.7.22-1","language":"bash","lineNumbers":"hide","lineRestriction":7,"restrictHeight":false,"title":"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS) - code block"},{"_key":"e94101da8a51","_type":"block","children":[{"_key":"db7dd81eb9a8","_type":"span","marks":["strong"],"text":"VNET "},{"_key":"5b6538d63c2c","_type":"span","marks":[],"text":"for peering with the Azure Route Server for propagating routes towards an Application VM."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2025-05-30T23:48:56Z","_id":"f80e237f-223c-43d2-a817-012bac293cbc","_key":"819da21eff45","_ref":"f80e237f-223c-43d2-a817-012bac293cbc","_rev":"e9qWp8BVYg77bOSczeMQIV","_type":"mediaImage","_updatedAt":"2025-05-30T23:48:59Z","alignment":"center","clickToEnlarge":false,"image":{"_type":"image","asset":{"_ref":"image-87b5e085716ca71fbceffd7a1db5886a76f179ff-1220x254-webp","_type":"reference"}},"languages":["en"],"offset":0,"rounded":false,"scale":0,"size":"large","url":"https://cdn.sanity.io/images/xinsvxfu/production/87b5e085716ca71fbceffd7a1db5886a76f179ff-1220x254.webp"},{"_key":"407d738e3542","_type":"block","children":[{"_key":"8ada7b5b2334","_type":"span","marks":["strong"],"text":"Subnet "},{"_key":"e9f11dea7f67","_type":"span","marks":[],"text":"for the Azure Route Server. This subnet will be in the same VNET "}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"ac2eaa817365","_type":"block","children":[{"_key":"b0dce5cd88dc","_type":"span","marks":[],"text":"where egress gateway nodes are also running."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2025-05-30T23:49:24Z","_id":"ea092789-f59b-4cda-a74a-a6fea8b0c51b","_key":"dccb1530d035","_ref":"ea092789-f59b-4cda-a74a-a6fea8b0c51b","_rev":"Ay0qd2uUQtJvWcq7nspZxz","_type":"mediaImage","_updatedAt":"2025-05-30T23:49:31Z","alignment":"center","clickToEnlarge":false,"image":{"_type":"image","asset":{"_ref":"image-508184d12d05a3e92919bd429b68ea672e63d635-1549x333-webp","_type":"reference"}},"languages":["en"],"offset":0,"rounded":false,"scale":0,"size":"large","title":"ARS_Subnet.webp","url":"https://cdn.sanity.io/images/xinsvxfu/production/508184d12d05a3e92919bd429b68ea672e63d635-1549x333.webp"},{"_key":"fe90a174348f","_type":"block","children":[{"_key":"3c290ff916db","_type":"span","marks":[],"text":"VNET Peering across the two VNETs (Azure Route Server and Application VM residing in an another VNET)."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2025-05-30T23:50:02Z","_id":"a805de12-20ec-48d1-8c17-22db95f1e568","_key":"95149de1eb17","_ref":"a805de12-20ec-48d1-8c17-22db95f1e568","_rev":"e9qWp8BVYg77bOSczeMY2L","_type":"mediaImage","_updatedAt":"2025-05-30T23:50:06Z","alignment":"center","clickToEnlarge":false,"image":{"_type":"image","asset":{"_ref":"image-704bdf960f828a22d1fa163ea83f9a5c5b8563bc-756x836-png","_type":"reference"}},"languages":["en"],"offset":0,"rounded":false,"scale":0,"size":"large","url":"https://cdn.sanity.io/images/xinsvxfu/production/704bdf960f828a22d1fa163ea83f9a5c5b8563bc-756x836.png"},{"_createdAt":"2025-05-30T23:50:21Z","_id":"3c0c19d5-c339-4d0f-bf71-79331d99d292","_key":"e57fcd4382e3","_ref":"3c0c19d5-c339-4d0f-bf71-79331d99d292","_rev":"PCAo7lqnhsEmi6r6qhn52t","_type":"mediaImage","_updatedAt":"2025-05-30T23:50:25Z","alignment":"center","clickToEnlarge":false,"image":{"_type":"image","asset":{"_ref":"image-389e3478283c9b7258d5aec4aed36ff716dcee20-756x774-png","_type":"reference"}},"languages":["en"],"offset":0,"rounded":false,"scale":0,"size":"large","url":"https://cdn.sanity.io/images/xinsvxfu/production/389e3478283c9b7258d5aec4aed36ff716dcee20-756x774.png"},{"_key":"ca027f92db6f","_type":"block","children":[{"_key":"0a409540ff60","_type":"span","marks":[],"text":"Egress Gateway IPAM"}],"markDefs":[],"style":"h3"},{"_key":"54677182053e","_type":"block","children":[{"_key":"a5a3c406e999","_type":"span","marks":[],"text":"Egress Gateway IPAM allows users additional control of the IP address distribution to their Egress Gateway nodes."}],"markDefs":[],"style":"normal"},{"_key":"7da4beefe83a","_type":"block","children":[{"_key":"e733b87c6927","_type":"span","marks":[],"text":"It removes the complexity of manually targeting each Egress Gateway node with a specific configuration for IP address management."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"76af7c09a851","_type":"block","children":[{"_key":"1328758b9ae6","_type":"span","marks":[],"text":"The IPAM feature allows you to specify an IP pool in the "},{"_key":"d41e30c0a071","_type":"span","marks":["code"],"text":"IsovalentEgressGatewayPolicy"},{"_key":"ffc327c38f2d","_type":"span","marks":[],"text":" from which Cilium leases egress IPs and assigns them to the selected egress interfaces."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"c87a4651ce38","_type":"block","children":[{"_key":"05ab7c703bf1","_type":"span","marks":[],"text":"The IP pool should be specified in the "},{"_key":"a5b68644cf0b","_type":"span","marks":["code"],"text":"egressCIDRs"},{"_key":"b8f95b9b119d","_type":"span","marks":[],"text":" field of the "},{"_key":"96e4dae06c42","_type":"span","marks":["code"],"text":"IsovalentEgressGatewayPolicy"},{"_key":"777cb1d9faeb","_type":"span","marks":[],"text":" and may be composed of one or more CIDRs:"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"8e947a1cd6d3","_type":"block","children":[{"_key":"ef985ba592ab","_type":"span","marks":[],"text":"In the policy example below, you can see the new addition of the key "},{"_key":"4b82ac5e057b","_type":"span","marks":["code"],"text":"egressCIDR"},{"_key":"a5dfe5c0088d","_type":"span","marks":[],"text":"."}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-05-30T23:51:14Z","_id":"3e07df64-1c91-4249-ba01-09a4e25c13f8","_key":"48b9c3837188","_ref":"3e07df64-1c91-4249-ba01-09a4e25c13f8","_rev":"CIV5kX5RePhBEnKohQ79h8","_type":"codeBlock","_updatedAt":"2025-05-30T23:51:27Z","code":"apiVersion: isovalent.com/v1\nkind: IsovalentEgressGatewayPolicy\nmetadata:\n name: egress-sample\n labels:\n egw: bgp-advertise\nspec:\n destinationCIDRs:\n - 0.0.0.0/0\n egressCIDRs:\n - 10.100.255.50/28\n - 10.100.255.100/28\n selectors:\n - podSelector: {}\n egressGroups:\n -\n nodeSelector:\n matchLabels:\n egress-node: \"true\"","lineNumbers":"hide","lineRestriction":7,"restrictHeight":true,"title":"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS) code snippet 22"},{"_key":"1d33e5319e14","_type":"block","children":[{"_key":"f5fe0026738b","_type":"span","marks":[],"text":"Log in to the nodes to observe the secondary IP on the NIC of the Egress Gateway Node(s)."}],"markDefs":[],"style":"normal"},{"_key":"209747167276","_type":"block","children":[{"_key":"403d05c85684","_type":"span","marks":["code"],"text":"10.100.255.48/32"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"634022984d8f","_type":"block","children":[{"_key":"7693763f64ab","_type":"span","marks":["code"],"text":"10.100.255.49/32"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2025-05-30T23:52:05Z","_id":"6ed4c818-2408-4a5a-945a-beecb4feff27","_key":"f1a60b139351","_ref":"6ed4c818-2408-4a5a-945a-beecb4feff27","_rev":"e9qWp8BVYg77bOSczeMdLN","_type":"codeBlock","_updatedAt":"2025-05-30T23:52:20Z","code":"$22","language":"bash","lineNumbers":"hide","lineRestriction":7,"restrictHeight":true,"title":"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS) code snippet 24"},{"_createdAt":"2025-05-30T23:52:42Z","_id":"7c89ac08-d023-4bba-9c19-35cb258c49ca","_key":"bc68aff34071","_ref":"7c89ac08-d023-4bba-9c19-35cb258c49ca","_rev":"PCAo7lqnhsEmi6r6qhnAOX","_type":"codeBlock","_updatedAt":"2025-05-30T23:52:52Z","code":"$23","language":"bash","lineNumbers":"hide","lineRestriction":7,"restrictHeight":true,"title":"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS) - code snippet 25"},{"_key":"1a67aec63602","_type":"block","children":[{"_key":"00f77cf4fa2d","_type":"span","marks":[],"text":"Azure Route Server configuration"}],"markDefs":[],"style":"h3"},{"_key":"97658f7b1b3a","_type":"block","children":[{"_key":"47e860516e39","_type":"span","marks":[],"text":"Sign in to the "},{"_key":"96da46bf4534","_type":"span","marks":["891dc2d578ea"],"text":"Azure portal"},{"_key":"ca31cb701bd8","_type":"span","marks":[],"text":"."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"891dc2d578ea","_type":"link","href":"https://portal.azure.com/"}],"style":"normal"},{"_key":"f8fcf38f7010","_type":"block","children":[{"_key":"06bae3092574","_type":"span","marks":[],"text":"In the search box at the portal’s top, enter "},{"_key":"32852d0f27d1","_type":"span","marks":["em","strong"],"text":"route server"},{"_key":"c3ec9d90d8b5","_type":"span","marks":[],"text":", and select "},{"_key":"7357965bc650","_type":"span","marks":["strong"],"text":"Route Server"},{"_key":"eac6dd27d978","_type":"span","marks":[],"text":" from the search results."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"d504fb83ff3b","_type":"block","children":[{"_key":"6465b4c5bb2f","_type":"span","marks":[],"text":"On the "},{"_key":"deb120989709","_type":"span","marks":["dd188454a10b","strong"],"text":"Route Servers"},{"_key":"8aa0493dba59","_type":"span","marks":[],"text":" page, select "},{"_key":"c12bd6f1d677","_type":"span","marks":["strong"],"text":"+ Create"},{"_key":"5202b5e953dd","_type":"span","marks":[],"text":"."}],"level":1,"listItem":"bullet","markDefs":[{"_key":"dd188454a10b","_type":"link","href":"https://learn.microsoft.com/en-us/azure/route-server/quickstart-create-route-server-portal"}],"style":"normal"},{"_key":"0a36f46b4571","_type":"block","children":[{"_key":"fa2da97b894f","_type":"span","marks":[],"text":"Take note of the Azure Route Server peer IP addresses."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"4fe1818b79a8","_type":"block","children":[{"_key":"4646543dd301","_type":"span","marks":["code"],"text":"192.168.8.68"}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"3426c8d3f8ce","_type":"block","children":[{"_key":"b9bb977bcaf5","_type":"span","marks":["code"],"text":"192.168.8.69"}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2025-05-30T23:53:37Z","_id":"96307b9e-ad34-40d5-9318-ef638133f910","_key":"1be8acdce282","_ref":"96307b9e-ad34-40d5-9318-ef638133f910","_rev":"e9qWp8BVYg77bOSczeMfov","_type":"mediaImage","_updatedAt":"2025-05-30T23:53:43Z","alignment":"center","clickToEnlarge":false,"image":{"_type":"image","asset":{"_ref":"image-bda3a8db8acd4b4a9c85d4e332bd07a8ffbd879c-1938x356-webp","_type":"reference"}},"languages":["en"],"offset":0,"rounded":false,"scale":0,"size":"large","title":"ars_1.webp","url":"https://cdn.sanity.io/images/xinsvxfu/production/bda3a8db8acd4b4a9c85d4e332bd07a8ffbd879c-1938x356.webp"},{"_key":"dcf6034f6fb5","_type":"block","children":[{"_key":"d58cceba4ef3","_type":"span","marks":[],"text":"Azure Route Server peering with Cilium"}],"markDefs":[],"style":"h3"},{"_key":"3ae95375d12c","_type":"block","children":[{"_key":"dd883c6bbfb9","_type":"span","marks":[],"text":"Once the deployment is complete, select "},{"_key":"6ba4aca6b711","_type":"span","marks":["strong"],"text":"Go to resource"},{"_key":"311dbf35827f","_type":"span","marks":[],"text":" to go to the "},{"_key":"cfae5570f798","_type":"span","marks":["strong"],"text":"myRouteServer"},{"_key":"211aef66dc2e","_type":"span","marks":[],"text":"."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"3205e7a8ad0a","_type":"block","children":[{"_key":"0457960eae0e","_type":"span","marks":[],"text":"Under "},{"_key":"bc10f86ad62f","_type":"span","marks":["strong"],"text":"Settings"},{"_key":"0d0d477b981a","_type":"span","marks":[],"text":", select "},{"_key":"bbbb9888179f","_type":"span","marks":["strong"],"text":"Peers"},{"_key":"0f213bc80a63","_type":"span","marks":[],"text":"."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"001c3269e953","_type":"block","children":[{"_key":"145884a72b43","_type":"span","marks":[],"text":"Select "},{"_key":"d51cad3f69e3","_type":"span","marks":["strong"],"text":"+ Add"},{"_key":"9aa1958d139e","_type":"span","marks":[],"text":" to add a peer."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"6475665c0a8c","_type":"block","children":[{"_key":"6417b1fd4723","_type":"span","marks":["code"],"text":"192.168.8.36"},{"_key":"5b48cefb21a9","_type":"span","marks":[],"text":" is the IP address of one of the Egress GW nodes."}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"1965fcd962da","_type":"block","children":[{"_key":"0d78c0933e34","_type":"span","marks":["code"],"text":"192.168.8.37"},{"_key":"da07299ac2ed","_type":"span","marks":[],"text":" is the IP address of one of the Egress GW nodes."}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"b70453cfd8ae","_type":"block","children":[{"_key":"af64346b5641","_type":"span","marks":[],"text":"On the "},{"_key":"67f5dd762098","_type":"span","marks":["strong"],"text":"Add Peer"},{"_key":"dac84aeeb8ae","_type":"span","marks":[],"text":" page, enter the following information: "}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"ec7eeb75e247","_type":"block","children":[{"_key":"a8ae1e005d3a","_type":"span","marks":[],"text":"Name"}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"4a01c5b043bb","_type":"block","children":[{"_key":"d1b330712919","_type":"span","marks":[],"text":"ASN"}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"af4c8d10eba4","_type":"block","children":[{"_key":"10d9d573ac5e","_type":"span","marks":[],"text":"IPv4 Address"}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2025-05-30T23:54:16Z","_id":"dbd893fd-8525-42c8-88d9-501523f58eb6","_key":"35d2260f3fa3","_ref":"dbd893fd-8525-42c8-88d9-501523f58eb6","_rev":"e9qWp8BVYg77bOSczeMiFj","_type":"mediaImage","_updatedAt":"2025-05-30T23:54:22Z","alignment":"center","clickToEnlarge":false,"image":{"_type":"image","asset":{"_ref":"image-e88f9080b5c16b458e24d7efbdd04153cc9ccfff-2048x334-webp","_type":"reference"}},"languages":["en"],"offset":0,"rounded":false,"scale":0,"size":"large","title":"ars_2-2048x334.webp","url":"https://cdn.sanity.io/images/xinsvxfu/production/e88f9080b5c16b458e24d7efbdd04153cc9ccfff-2048x334.webp"},{"_key":"e8ba2f3f3428","_type":"block","children":[{"_key":"817f8472d285","_type":"span","marks":[],"text":"BGP support for Egress Gateway"}],"markDefs":[],"style":"h3"},{"_key":"1767b75ceb40","_type":"block","children":[{"_key":"a31184a047c5","_type":"span","marks":[],"text":"BGP is one of the most commonly used methods to connect Kubernetes clusters to existing networks and Cilium’s built-in implementation of BGP enables "},{"_key":"21dd23e6627d","_type":"span","marks":["27ab71b99fac"],"text":"seamless connectivity between Kubernetes services and the existing network"},{"_key":"efde2b0b1cf3","_type":"span","marks":[],"text":". This feature supports BGP in advertising the Egress NAT IPs to external routers."}],"markDefs":[{"_key":"27ab71b99fac","_type":"link","href":"/blog/post/connecting-your-kubernetes-island-to-your-network-with-cilium-bgp/"}],"style":"normal"},{"_key":"3001682aa797","_type":"block","children":[{"_key":"94361933b909","_type":"span","marks":[],"text":"BGP support can be enabled by:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-05-30T23:54:59Z","_id":"061cba1b-7fd1-4f5f-b145-a6a41aa1b664","_key":"9f04413a2f26","_ref":"061cba1b-7fd1-4f5f-b145-a6a41aa1b664","_rev":"PCAo7lqnhsEmi6r6qhnLn5","_type":"codeBlock","_updatedAt":"2025-05-30T23:55:10Z","code":"enterprise:\n bgpControlPlane:\n enabled: true","language":"bash","lineNumbers":"hide","lineRestriction":7,"restrictHeight":false,"title":"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS) - code snippet 26"},{"_key":"e70195c03859","_type":"block","children":[{"_key":"53d7f20620e0","_type":"span","marks":[],"text":"Sample BGP peering Policy with Azure Route Server:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-05-30T23:55:32Z","_id":"3c1b2b5d-742e-4d2c-bea6-1f398f7df4e8","_key":"3a077612240c","_ref":"3c1b2b5d-742e-4d2c-bea6-1f398f7df4e8","_rev":"e9qWp8BVYg77bOSczeNFVf","_type":"codeBlock","_updatedAt":"2025-05-30T23:56:42Z","code":"$24","language":"bash","lineNumbers":"hide","lineRestriction":7,"restrictHeight":true,"title":"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS) - code snippet 27"},{"_key":"5c8c06a1ebf0","_type":"block","children":[{"_key":"e45ceb8038ae","_type":"span","marks":[],"text":"Check the status of BGP peers across Cilium and Azure Route Server."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2025-05-30T23:55:46Z","_id":"41fd4e22-8436-4ad1-a796-9ab086cff35e","_key":"afd18a8d08a8","_ref":"41fd4e22-8436-4ad1-a796-9ab086cff35e","_rev":"Ay0qd2uUQtJvWcq7nspxjN","_type":"codeBlock","_updatedAt":"2025-05-30T23:56:57Z","code":"cilium bgp peers\nNode Local AS Peer AS Peer Address Session State Uptime Family Received Advertised\naks-egressgw-26124580-vmss000000 65516 65515 192.168.8.68 established 96h51m40s ipv4/unicast 2 1\n 65516 65515 192.168.8.69 established 96h58m16s ipv4/unicast 2 1\naks-egressgw-26124580-vmss000001 65516 65515 192.168.8.68 established 96h50m40s ipv4/unicast 2 1\n 65516 65515 192.168.8.69 established 96h58m52s ipv4/unicast 2 1","language":"bash","lineNumbers":"hide","lineRestriction":7,"restrictHeight":true,"title":"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS) - code snippet 28"},{"_key":"520bdfc883c3","_type":"block","children":[{"_key":"d886697ae167","_type":"span","marks":[],"text":"Check if routes are being exchanged between Cilium and Azure Route Server."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2025-05-30T23:56:00Z","_id":"6545aabc-b446-4e57-994d-8a834f92bbde","_key":"a49985313ee1","_ref":"6545aabc-b446-4e57-994d-8a834f92bbde","_rev":"e9qWp8BVYg77bOSczeNGkR","_type":"codeBlock","_updatedAt":"2025-05-30T23:57:09Z","code":"$25","language":"bash","lineNumbers":"hide","lineRestriction":7,"restrictHeight":true,"title":"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS) - code snippet 29"},{"_key":"910bb947-19ca-48bd-beef-2682ffc43c03","_type":"block","children":[{"_key":"a78aebd5-93cf-4e18-b3f2-79230351056a","_type":"span","marks":[],"text":"Common questions for Egress Gateway?"}],"markDefs":[],"style":"h2"},{"_key":"953a20b896f1","_type":"block","children":[{"_key":"9b1414a985e5","_type":"span","marks":["strong"],"text":"How is the traffic encapsulated from the worker node to the egress node?"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"80f723c85ee6","_type":"block","children":[{"_key":"6146830ccafb","_type":"span","marks":[],"text":"The traffic is encapsulated from a worker node to an egress node regardless of the cluster’s routing mode, and in this case, the AKS cluster with BYOCNI uses VXLAN as the encapsulation."}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"d613f13090b4","_type":"block","children":[{"_key":"d24ee34ab8e0","_type":"span","marks":["strong"],"text":"How can you find the identity of the source endpoint if the traffic is encapsulated?"},{"_key":"ca4cdbe6a3a8","_type":"span","marks":[],"text":" "}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"e43e47f56050","_type":"block","children":[{"_key":"3cc92d38e07e","_type":"span","marks":[],"text":"VNI of the VXLAN header equals the Identity of a source endpoint. In this case, the VNI maps to "},{"_key":"2c7e7e1b12e2","_type":"span","marks":["code"],"text":"53596"}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"e31b92434147","_type":"block","children":[{"_key":"de55641db7fc","_type":"span","marks":[],"text":"You can then track the identity using the Cilium CLI, which indicates that it’s the busybox Pod.\n\n"}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:37Z","_id":"c940069d-a808-7531-72c6-8686ab158ed2","_key":"d45fa8b0-1ed2-41a9-bee2-30f292481b8d","_ref":"c940069d-a808-7531-72c6-8686ab158ed2","_rev":"aqlQcDxeGqIJo7q9YqikeF","_type":"mediaImage","_updatedAt":"2024-09-30T11:20:37Z","alignment":"center","image":{"_type":"image","asset":{"_ref":"image-dacc41bf3e93aaf3e75e0c4a5da0e7572639f960-2940x944-png","_type":"reference"},"crop":{"_type":"sanity.imageCrop","bottom":0,"left":0,"right":0,"top":0},"hotspot":{"_type":"sanity.imageHotspot","height":1,"width":1,"x":0.5,"y":0.5}},"languages":["en"],"originalFilename":"Screenshot-2024-04-29-at-21.47.09.png","size":"large","title":"Screenshot-2024-04-29-at-21.47.09.png - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Image","url":"https://cdn.sanity.io/images/xinsvxfu/production/dacc41bf3e93aaf3e75e0c4a5da0e7572639f960-2940x944.png"},{"_createdAt":"2024-09-30T11:20:29Z","_id":"d5910656-c3d9-25b9-25cc-9ae841bcbe2c","_key":"8dfdf699-5db9-4554-90b8-290386912ce8","_ref":"d5910656-c3d9-25b9-25cc-9ae841bcbe2c","_rev":"P5GVFsWfT1LlxauxUA3uaZ","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:46Z","code":"kubectl -n kube-system exec ds/cilium -- cilium identity get 53596\n\nDefaulted container \"cilium-agent\" out of: cilium-agent, config (init), mount-cgroup (init), apply-sysctl-overwrites (init), mount-bpf-fs (init), wait-for-node-init (init), clean-cilium-state (init), install-cni-binaries (init)\nID LABELS\n53596 k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default\n k8s:io.cilium.k8s.policy.cluster=default\n k8s:io.cilium.k8s.policy.serviceaccount=default\n k8s:io.kubernetes.pod.namespace=default\n k8s:run=busybox","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"42a1cc50ff5a","_type":"block","children":[{"_key":"237a21dfbcce","_type":"span","marks":["strong"],"text":"How can you find the identity of the remote endpoint if the traffic is encapsulated?"},{"_key":"49ea13433062","_type":"span","marks":[],"text":" "}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"e6263e1b9339","_type":"block","children":[{"_key":"64a952b279c7","_type":"span","marks":[],"text":"Traffic is encapsulated over VXLAN from the server to the busy box pod behind one of the worker nodes."}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"6f0b1a21bc4c","_type":"block","children":[{"_key":"b5688f7c15e8","_type":"span","marks":[],"text":"In this case, "},{"_key":"ffa38f61b3b4","_type":"span","marks":["code"],"text":"VNI=6"},{"_key":"885b6b70ad4c","_type":"span","marks":[],"text":" is the identity of the server VM called "},{"_key":"355eed820d1b","_type":"span","marks":["code"],"text":"remote-node"},{"_key":"a4eea34934e9","_type":"span","marks":[],"text":" by Cilium."}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"5eeadf3cf39f","_type":"block","children":[{"_key":"a7995a6d9b77","_type":"span","marks":[],"text":"You can then track the identity using the Cilium CLI, indicating it’s the remote node."}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2024-09-30T11:20:33Z","_id":"9e4256f7-a7d2-62c5-4fca-ae60ac8524de","_key":"047349b0-b5e1-4597-97f7-254dad9e3453","_ref":"9e4256f7-a7d2-62c5-4fca-ae60ac8524de","_rev":"aqlQcDxeGqIJo7q9Yqijdp","_type":"mediaImage","_updatedAt":"2024-09-30T11:20:33Z","alignment":"center","image":{"_type":"image","asset":{"_ref":"image-7391bbe8d0b0b3c54ceb00b32cb605f175fa351d-2846x1232-png","_type":"reference"},"crop":{"_type":"sanity.imageCrop","bottom":0,"left":0,"right":0,"top":0},"hotspot":{"_type":"sanity.imageHotspot","height":1,"width":1,"x":0.5,"y":0.5}},"languages":["en"],"originalFilename":"Screenshot-2024-06-07-at-07.48.41.png","size":"large","title":"Screenshot-2024-06-07-at-07.48.41.png - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Image","url":"https://cdn.sanity.io/images/xinsvxfu/production/7391bbe8d0b0b3c54ceb00b32cb605f175fa351d-2846x1232.png"},{"_createdAt":"2024-09-30T11:20:30Z","_id":"cdfd9b86-ad41-dde3-2ffa-879cef58cdeb","_key":"c82962f1-01e6-4d64-8805-df73063e6a81","_ref":"cdfd9b86-ad41-dde3-2ffa-879cef58cdeb","_rev":"be3C7ysj1QqQyrHso4aWo6","_type":"codeBlock","_updatedAt":"2024-10-01T10:50:47Z","code":"kubectl -n kube-system exec ds/cilium -- cilium identity get 6\n\nDefaulted container \"cilium-agent\" out of: cilium-agent, config (init), mount-cgroup (init), apply-sysctl-overwrites (init), mount-bpf-fs (init), wait-for-node-init (init), clean-cilium-state (init), install-cni-binaries (init)\nID LABELS\n6 reserved:remote-node","language":"bash","title":"bash - \"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)\" Code Block"},{"_key":"36d4f2a6d2d8","_type":"block","children":[{"_key":"9cfca0491db8","_type":"span","marks":["strong"],"text":"How can you check the learned routes in the Azure Route Server?"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"2b6189845024","_type":"block","children":[{"_key":"aa6acb616cbf","_type":"span","marks":[],"text":"Using Azure CLI, you can check the routes that the Azure Route server has learned."}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2025-05-30T23:43:44Z","_id":"db27d765-1509-414a-8d8b-6f8551014d3f","_key":"250f15cdb5ea","_ref":"db27d765-1509-414a-8d8b-6f8551014d3f","_rev":"PCAo7lqnhsEmi6r6qhmRk1","_type":"codeBlock","_updatedAt":"2025-05-30T23:44:52Z","code":"$26","lineNumbers":"hide","lineRestriction":7,"restrictHeight":true,"title":"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS). -code snippet 20"},{"_key":"bb3db3bd6360","_type":"block","children":[{"_key":"92c7389aaac7","_type":"span","marks":["strong"],"text":"How can you check the routes advertised by the Azure Route Server?"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"b847961ad3c2","_type":"block","children":[{"_key":"579fd9085d8e","_type":"span","marks":[],"text":"You can use Azure CLI to check the routes that the Azure Route server has advertised (including the application VM in the subnet "},{"_key":"6ba5246831d0","_type":"span","marks":["code"],"text":"192.168.40.0/22"},{"_key":"7ba5e8e7b31c","_type":"span","marks":[],"text":")."}],"level":2,"listItem":"bullet","markDefs":[],"style":"normal"},{"_createdAt":"2025-05-30T23:45:16Z","_id":"d3da50ed-1070-49b9-baec-378ab4c5cd82","_key":"74cc871ec5ff","_ref":"d3da50ed-1070-49b9-baec-378ab4c5cd82","_rev":"e9qWp8BVYg77bOSczeM0QT","_type":"codeBlock","_updatedAt":"2025-05-30T23:45:30Z","code":"$27","lineNumbers":"hide","lineRestriction":7,"restrictHeight":true,"title":"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS) - code snipped 21"},{"_key":"23e33753-af5d-4215-a62b-5bd36a328f93","_type":"block","children":[{"_key":"54a9771f-145b-4f1c-b057-37b09eba32a2","_type":"span","marks":[],"text":"Conclusion"}],"markDefs":[],"style":"h2"},{"_key":"38936617-18b5-4765-9ca6-66a7967beafe","_type":"block","children":[{"_key":"4baa0cb0-d61f-4a20-9bc9-3506bc43ab1f","_type":"span","marks":[],"text":"Hopefully, this post gave you a good overview of deploying Cilium and Egress Gateway in AKS (Azure Kubernetes Service) using BYOCNI as the network plugin. If you have any feedback on the solution, please share it with us. Talk to us, and let's see how Isovalent can help with your use case."}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-05-22T20:06:22Z","_id":"e89f368a-76ae-4a96-9c5d-fb566eaf19ee","_key":"f668e69e2d86","_ref":"e89f368a-76ae-4a96-9c5d-fb566eaf19ee","_rev":"b0RJHRIC6NUGWwdjsdcGkK","_type":"cta","_updatedAt":"2025-06-05T14:09:21Z","isLink":false,"label":{"en":"Schedule a demo with our experts"},"languages":["en"],"openInNewTab":false,"title":"Blog - button - Schedule a demo with our experts","url":"/request-demo/","variant":"primary"},{"_key":"fde4873c-b3de-40c7-b55a-d8ac5461ac4b","_type":"block","children":[{"_key":"2cd029ce-1f79-49fc-9fa7-fd1a1a4724ee","_type":"span","marks":[],"text":"Try it out"}],"markDefs":[],"style":"h2"},{"_key":"e6a75b27-2073-4604-bef0-743d0805f74a","_type":"block","children":[{"_key":"c027ced8-7c87-421e-8f46-1869ceab5f11","_type":"span","marks":[],"text":"Start with the "},{"_key":"5524fedb8696","_type":"span","marks":["d8982673d043"],"text":"Egress Gateway lab"},{"_key":"605c352c049a","_type":"span","marks":[],"text":" and explore Egress Gateway in action."}],"markDefs":[{"_key":"d8982673d043","_type":"link","href":"/labs/cilium-egress-gateway/","isLink":false,"openInNewTab":false}],"style":"normal"},{"_key":"6f120199-e56c-4841-8452-1a4ef8fc3ffc","_type":"block","children":[{"_key":"32262214-4414-4429-9345-b1dfde47b834","_type":"span","marks":[],"text":"Further Reading"}],"markDefs":[],"style":"h2"},{"_key":"9f245ecd-c51b-4f47-9da9-972782ac6958","_type":"block","children":[{"_key":"86512c96-bdf5-48eb-b396-b29294201425","_type":"span","marks":[],"text":"To dive deeper into the topic of Egress Gateway, check out these two videos:"}],"markDefs":[],"style":"normal"},{"_key":"fe12ab9b1022","_type":"block","children":[{"_key":"06f08f6e61d8","_type":"span","marks":["f378323bc897"],"text":"Cilium Tech talk series, Egress Gateway"}],"level":1,"listItem":"bullet","markDefs":[{"_key":"f378323bc897","_type":"link","href":"https://youtu.be/vaA6wPFxZ4Q"}],"style":"normal"},{"_key":"5e9728ebfe58","_type":"block","children":[{"_key":"9de298564988","_type":"span","marks":["3f0ee980eae0"],"text":"Egress Gateway HA: concept, requirements, demo"}],"level":1,"listItem":"bullet","markDefs":[{"_key":"3f0ee980eae0","_type":"link","href":"https://youtu.be/Js-uqErsp0c"}],"style":"normal"}],"featuredImage":["$","$L19",null,{"src":"https://cdn.sanity.io/images/xinsvxfu/production/24098a792e3fa188e6a0d6af9ee08eca96e34e88-2800x1417.png?auto=format&q=80&fit=clip&w=1080","alt":"ogimage-10.png","className":"mx-auto mb-10 w-full max-w-[72.75]","placeholder":"blur","blurDataURL":"data:image/svg+xml;base64,CiAgICA8c3ZnIHdpZHRoPSIxMDgwIiBoZWlnaHQ9IjEwODAiIHZlcnNpb249IjEuMSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KICAgICAgICA8ZGVmcz4KICAgICAgICAgICAgPGxpbmVhckdyYWRpZW50IGlkPSJnIj4KICAgICAgICAgICAgPHN0b3Agc3RvcC1jb2xvcj0iI0Y2RjhGRSIgb2Zmc2V0PSIyMCUiIC8+CiAgICAgICAgICAgIDxzdG9wIHN0b3AtY29sb3I9IiNFRkY1RkYiIG9mZnNldD0iNTAlIiAvPgogICAgICAgICAgICA8c3RvcCBzdG9wLWNvbG9yPSIjRjZGOEZFIiBvZmZzZXQ9IjcwJSIgLz4KICAgICAgICAgICAgPC9saW5lYXJHcmFkaWVudD4KICAgICAgICA8L2RlZnM+CiAgICAgICAgPHJlY3Qgd2lkdGg9IjEwODAiIGhlaWdodD0iMTA4MCIgZmlsbD0iI0Y2RjhGRSIgLz4KICAgICAgICA8cmVjdCBpZD0iciIgd2lkdGg9IjEwODAiIGhlaWdodD0iMTA4MCIgZmlsbD0idXJsKCNnKSIgLz4KICAgICAgICA8YW5pbWF0ZSBocmVmPSIjciIgYXR0cmlidXRlTmFtZT0ieCIgZnJvbT0iLTEwODAiIHRvPSIxMDgwIiBkdXI9IjFzIiByZXBlYXRDb3VudD0iaW5kZWZpbml0ZSIgIC8+CiAgICA8L3N2Zz4=","width":1080,"height":1080,"priority":true}],"articleData":{"title":"How to Deploy Cilium and Egress Gateway in Azure Kubernetes Service (AKS)","description":"This blog post will walk you through deploying Cilium and Egress Gateway in AKS (Azure Kubernetes Service) using BYOCNI as the network plugin.","url":"https://isovalent.com/blog/post/cilium-egress-gateway-aks","download":"$undefined","authors":[{"_createdAt":"2024-09-27T10:02:48Z","_id":"ff5e2eda-05bb-ade9-8831-4dddc66e927d","_rev":"VO3Rz3CKgO8VZQnLmkJbUp","_type":"person","_updatedAt":"2024-09-27T12:06:31Z","bio":{"en":[{"_key":"1995ca31-02b1-49c0-a862-dfc8df0297ff","_type":"block","children":[{"_key":"c78e0e11-f4b0-4342-a5fc-a02e085947fa","_type":"span","marks":[],"text":"Amit Gupta is a senior technical marketing engineer at Isovalent, powering eBPF cloud-native networking and security. Amit has 21+ years of experience in Networking, Telecommunications, Cloud, Security, and Open-Source. He has previously worked with Motorola, Juniper, Avi Networks (acquired by VMware), and Prosimo. He is keen to learn and try out new technologies that aid in solving day-to-day problems for operators and customers.\n\nHe has worked in the Indian start-up ecosystem for a long time and helps new folks in that area outside of work. Amit is an avid runner and cyclist and also spends considerable time helping kids in orphanages."}],"markDefs":[],"style":"normal"}]},"company":{"_ref":"35073912-4894-4a13-89f6-caa5d58ff52d","_type":"reference"},"firstName":{"en":"Amit"},"fullName":{"en":"Amit Gupta"},"headshot":{"_type":"image","asset":{"_ref":"image-19b2e7212433d6c85f9a7cbb62beb590d8044fa0-528x1009-jpg","_type":"reference"},"crop":{"_type":"sanity.imageCrop","bottom":0,"left":0,"right":0,"top":0},"hotspot":{"_type":"sanity.imageHotspot","height":1,"width":1,"x":0.5,"y":0.5}},"image":"https://cdn.sanity.io/images/xinsvxfu/production/19b2e7212433d6c85f9a7cbb62beb590d8044fa0-528x1009.jpg","languages":["en"],"lastName":{"en":"Gupta"},"title":{"en":"Senior Technical Marketing Engineer"}}]}}]}]}]}],"$undefined"]}]]