[Feature] Support setting custom node network security group name
Is your feature request related to a problem? Please describe.
I am attempting to deploy an AKS cluster to a subscription with a strict Azure Policy enforced which dictates that network security groups are required to start with nsg-*. AKS is trying to create an NSG with the name aks-agentpool-22205363-nsg and so the deployment is stopped.
As a side note, I am deploying with Terraform, there is a historic issue in which the azurerm provider developers suggested AKS API support was a prerequisite for support in the provider.
Describe the solution you'd like
Azure API support for setting the NSG name, which could then be utilised by downstream tools like the terraform provider.
Describe alternatives you've considered
I'll request an exemption on the policy from the security team managing the subscription.
Additional context
The linked issue seems to have been referenced in https://github.com/Azure/AKS/issues/983, but I can't see the later discussion.
This is an important and blocking issue. We need a way to control the name of the AKS created resources or a way to provide our already pre-created resources. The exemption path is not the right solution IMO. Plus, we can't put an exemption on a resource group which is not already existing, and AKS won't accept a pre-created resource group for its managed resources. The issue applies to all AKS created resources, not only NSG.
This is a major issue for us as well.
In our case we have a firewall setup where we peer our vnet to the firewall vnet and we need to configure the node pool NSG to be able to next hop to the firewall. The problem we're having is that there is no way to get the id of the nsg so we end up having to create a shell_script resource which uses the azure cli to do the configuration. This is janky and awful and doesn't account for cases where the nsg gets altered leaving us down in prod for hours while we try to figure out what's going on.
So please, can we elevate this issue? It's been a problem for years and we knew our solution was risky and it finally bit us hard.
I would love to be able to provide the NSG for AKS to use instead, as well. That would be even better. But we would settle for a name we can count on at the very least.
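To illustrate both the naming mismatch described in the issue and the NSG-id lookup that the comment above resorts to a shell script for, here is an added example (not code from the issue author, the commenters, or the AKS project). It takes the JSON that `az network nsg list -g <node-resource-group> -o json` prints, locates the AKS-created node pool NSG by its aks-agentpool-<id>-nsg pattern rather than a hard-coded name, and flags names that fail an nsg- prefix rule of the kind the policy in the issue enforces. The sample JSON, the subscription id and the node resource group name are constructed; the prefix rule is assumed from the issue text.

```python
import json
import re
from typing import Dict, Optional

# Constructed sample: a trimmed version of what `az network nsg list -g <node-rg> -o json`
# returns for an AKS node resource group. The first entry follows the aks-agentpool-<id>-nsg
# pattern the issue complains about; the subscription id and resource group are placeholders.
SAMPLE_NSG_LIST = json.dumps([
    {
        "name": "aks-agentpool-22205363-nsg",
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
              "MC_demo-rg_demo-aks_westeurope/providers/Microsoft.Network/"
              "networkSecurityGroups/aks-agentpool-22205363-nsg",
        "location": "westeurope",
    },
    {
        "name": "nsg-appgw",
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
              "MC_demo-rg_demo-aks_westeurope/providers/Microsoft.Network/"
              "networkSecurityGroups/nsg-appgw",
        "location": "westeurope",
    },
])

# Name pattern AKS uses for the node pool NSG; the numeric part is chosen by AKS.
AKS_AGENTPOOL_NSG = re.compile(r"^aks-agentpool-(\d+)-nsg$")


def find_agentpool_nsg(nsg_list_json: str) -> Optional[dict]:
    """Return the AKS-created node pool NSG from `az network nsg list` output, or None.

    Matching on the pattern instead of a hard-coded name keeps the lookup working when
    the numeric id differs between clusters or changes after a cluster is recreated.
    """
    matches = [n for n in json.loads(nsg_list_json) if AKS_AGENTPOOL_NSG.match(n["name"])]
    if len(matches) != 1:
        # Zero or several candidates: refuse to guess rather than reconfigure the wrong NSG.
        return None
    return matches[0]


def violates_prefix_policy(name: str, required_prefix: str = "nsg-") -> bool:
    """True when `name` would be rejected by a policy requiring the given prefix.

    The `nsg-` prefix is the rule quoted in the issue; it is an assumption here.
    """
    return not name.startswith(required_prefix)


def policy_report(nsg_list_json: str, required_prefix: str = "nsg-") -> Dict[str, bool]:
    """Map each NSG name in the listing to whether it violates the prefix policy."""
    return {
        n["name"]: violates_prefix_policy(n["name"], required_prefix)
        for n in json.loads(nsg_list_json)
    }


if __name__ == "__main__":
    nsg = find_agentpool_nsg(SAMPLE_NSG_LIST)
    print("node pool NSG id:", nsg["id"] if nsg else "not found")
    for name, bad in policy_report(SAMPLE_NSG_LIST).items():
        print(f"{name}: {'violates policy' if bad else 'ok'}")
```

Feeding real `az network nsg list` output into `find_agentpool_nsg` gives a stable way to obtain the NSG id without hard-coding the hash; returning None on anything other than exactly one match is deliberate, since silently picking a wrong NSG is worse than failing the pipeline step.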
Any update on this? This is still a major bug.
I'm not sure if you're aware of this but this causes some major issues which cannot be resolved in terraform cleanly. It causes the NSG association on the subnet to get destroyed every time when attempting to use terraform and the script required for this is ugly.
Additionally if you re-use the subnet it requires a re-association on every single deploy instead of just setting up the NSG once. Very unfortunate.