
Commit 8d8afe3

author
Kandarp Thakar
committed
Tunnel Connectivity Documentation Updates
1 parent 94826bc commit 8d8afe3

1 file changed

Lines changed: 23 additions & 40 deletions

support/azure/azure-kubernetes/connectivity/tunnel-connectivity-issues.md

@@ -1,13 +1,3 @@
1-
---
2-
title: Tunnel connectivity issues
3-
description: Resolve communication issues that are related to tunnel connectivity in an Azure Kubernetes Service (AKS) cluster.
4-
ms.date: 09/26/2024
5-
ms.reviewer: chiragpa, andbar, v-leedennis, v-weizhu
6-
ms.service: azure-kubernetes-service
7-
keywords: Azure Kubernetes Service, AKS cluster, Kubernetes cluster, tunnels, connectivity, tunnel-front, aks-link
8-
#Customer intent: As an Azure Kubernetes user, I want to avoid tunnel connectivity issues so that I can use an Azure Kubernetes Service (AKS) cluster successfully.
9-
ms.custom: sap:Connectivity
10-
---
111
# Tunnel connectivity issues
122

133
Microsoft Azure Kubernetes Service (AKS) uses a specific component for tunneled, secure communication between the nodes and the control plane. The tunnel consists of a server on the control plane side and a client on the cluster nodes side. This article discusses how to troubleshoot and resolve issues that relate to tunnel connectivity in AKS.
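Review bot: this hunk deletes the article's entire YAML front matter (`title`, `description`, `ms.date`, `ms.reviewer`, `ms.service`, `keywords`, `ms.custom` and the customer-intent comment) instead of updating it, so the page loses the metadata that the docs build, search and the reviewer routing depend on. If the goal was to refresh `ms.date` for this change, restore the block and bump the date; a deletion of the whole header looks accidental and should be reverted before merge.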
@@ -36,11 +26,8 @@ The Kubernetes API server uses port 10250 to connect to a node's kubelet to retr
3626
Because the tunnel components or the connectivity between the server and client can't be established, functionality such as the following won't work as expected:
3727

3828
- Admission controller webhooks
39-
4029
- Ability of log retrieval (using the [kubectl logs](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#logs) command)
41-
4230
- Running a command in a container or getting inside a container (using the [kubectl exec](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#exec) command)
43-
4431
- Forwarding one or more local ports of a pod (using the [kubectl port-forward](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#port-forward) command)
4532

4633
## Cause 1: A network security group (NSG) is blocking port 10250
@@ -71,8 +58,8 @@ If you use an NSG, and you have specific restrictions, make sure that you add a
7158
If you want to be more restrictive, you can allow access to port 10250 at the subnet level only.
7259

7360
> [!NOTE]
74-
> - The **Priority** field must be adjusted accordingly. For example, if you have a rule that denies multiple ports (including port 10250), the rule that's shown in the image should have a lower priority number (lower numbers have higher priority). For more information about **Priority**, see [Security rules](/azure/virtual-network/network-security-groups-overview#security-rules).
7561
>
62+
> - The **Priority** field must be adjusted accordingly. For example, if you have a rule that denies multiple ports (including port 10250), the rule that's shown in the image should have a lower priority number (lower numbers have higher priority). For more information about **Priority**, see [Security rules](/azure/virtual-network/network-security-groups-overview#security-rules).
7663
> - If you don't see any behavioral change after you apply this solution, you can re-create the tunnel component pods. Deleting these pods causes them to be re-created.
7764
7865
## Cause 2: The Uncomplicated Firewall (UFW) tool is blocking port 10250
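Review bot: the rewrite of the `[!NOTE]` block moves the empty quoted line (`>`) so that it now sits directly between `> [!NOTE]` and the first bullet, which makes the alert open with a blank line and leaves the two bullets no longer separated; the text itself is unchanged, so either keep the blank `>` between the two bullets where it was or drop it altogether. The first bullet still says "the rule that's shown in the image", so confirm the screenshot it refers to is still present in the updated article.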
@@ -201,22 +188,14 @@ You can view the SNAT ports from either the AKS load balancer metrics or the ser
201188
To use AKS load balancer metrics to view the SNAT ports, follow these steps:
202189

203190
1. In the [Azure portal](https://portal.azure.com), search for and select **Kubernetes services**.
204-
205-
1. In the list of Kubernetes services, select the name of your cluster.
206-
207-
1. In the menu pane of the cluster, find the **Settings** heading, and then select **Properties**.
208-
209-
1. Select the name that's listed under **Infrastructure resource group**.
210-
211-
1. Select the **kubernetes** load balancer.
212-
213-
1. In the menu pane of the load balancer, find the **Monitoring** heading, and then select **Metrics**.
214-
215-
1. For the metric type, select **SNAT Connection Count**.
216-
217-
1. Select **Apply splitting**.
218-
219-
1. Set **Split by** to **Connection State**.
191+
2. In the list of Kubernetes services, select the name of your cluster.
192+
3. In the menu pane of the cluster, find the **Settings** heading, and then select **Properties**.
193+
4. Select the name that's listed under **Infrastructure resource group**.
194+
5. Select the **kubernetes** load balancer.
195+
6. In the menu pane of the load balancer, find the **Monitoring** heading, and then select **Metrics**.
196+
7. For the metric type, select **SNAT Connection Count**.
197+
8. Select **Apply splitting**.
198+
9. Set **Split by** to **Connection State**.
220199

221200
</details>
222201

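Review bot: replacing the all-`1.` step markers with explicit `2.` through `9.` is a style change rather than a fix: Markdown already renders a run of `1.` items with sequential numbers, and explicit numbers mean every later insertion or removal of a step forces a renumbering of the whole list. If the repo's style guide prefers explicit numbering, keep it, but then the only substantive effect of this hunk is dropping the blank lines between steps, which turns the loose list into a tight one; check that this renders as intended inside the `<details>` block that closes right after it.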
@@ -226,16 +205,11 @@ To use AKS load balancer metrics to view the SNAT ports, follow these steps:
226205
To use service diagnostics to view the SNAT ports, follow these steps:
227206

228207
1. In the [Azure portal](https://portal.azure.com), search for and select **Kubernetes services**.
229-
230-
1. In the list of Kubernetes services, select the name of your cluster.
231-
232-
1. In the menu pane of the cluster, select **Diagnose and solve problems**.
233-
234-
1. Select **Connectivity Issues**.
235-
236-
1. Under **SNAT Connection and Port Allocation**, select **View details**.
237-
238-
1. If necessary, use the **Time Range** button to customize the time frame.
208+
2. In the list of Kubernetes services, select the name of your cluster.
209+
3. In the menu pane of the cluster, select **Diagnose and solve problems**.
210+
4. Select **Connectivity Issues**.
211+
5. Under **SNAT Connection and Port Allocation**, select **View details**.
212+
6. If necessary, use the **Time Range** button to customize the time frame.
239213

240214
</details>
241215

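Review bot: same renumbering and blank-line removal as in the load-balancer-metrics list above; whichever convention is chosen (all `1.` or explicit numbers) should be applied to both lists so a future edit does not have to touch them separately, and if a markdown linter runs on this repo, confirm it does not require the `1.` form for ordered lists.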
@@ -254,3 +228,12 @@ You can set up a new cluster to use a Managed Network Address Translation (NAT)
254228
[!INCLUDE [Third-party contact disclaimer](../../../includes/third-party-contact-disclaimer.md)]
255229

256230
[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
231+
232+
## Cause 6: Konnectivity Agents performance challenges with Cluster Growth
233+
234+
> [!NOTE]
235+
> This cause applies to only the `Konnectivity-agent` pods.
236+
237+
### Solution 6: Cluster Proportional Autoscaler (CPA) for Konnectivity Agent
238+
239+
To address scalability challenges in large clusters, we have implemented the Cluster Proportional Autoscaler (CPA) for our Konnectivity Agents. This approach aligns with industry standards and best practices, ensuring optimal resource usage and enhanced performance. Previously, the Konnectivity agent had a fixed replica count, which created a bottleneck as the cluster grew. With this change, the replica count will now dynamically adjust based on node-scaling rules, providing best-in-class performance.
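Review bot: the new `## Cause 6` section is appended after the `[!INCLUDE]` lines for the third-party contact disclaimer and Azure Help Support, which are the article's closing boilerplate, so it should be moved up to sit with the other causes before those includes. As written, the section also gives the reader nothing to check or do: "Cause 6" names no symptom that distinguishes it from the other causes (for example, what a user sees when the agents are under-provisioned on a large cluster), and "Solution 6" states that CPA has been implemented but not how to confirm it is in effect (such as observing the `konnectivity-agent` deployment's replica count following node count) or what a customer on a cluster that does not yet have the change should do. Wording: "applies to only the" should be "applies only to the"; the pod name casing `Konnectivity-agent` should match the actual lowercase pod name; the heading's title case ("Konnectivity Agents performance challenges with Cluster Growth") is inconsistent with the sentence-case headings used elsewhere in the file (compare "Cause 1: A network security group (NSG) is blocking port 10250"); and phrases such as "we have implemented", "aligns with industry standards and best practices" and "best-in-class performance" read as release-note marketing rather than troubleshooting guidance and should be cut down to the factual statement that the agent replica count now scales with node count.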
