
Windows container TCP Port not accessible over vnet

Open MostefaKamalLala opened this issue 2 years ago • 0 comments

What happened: Cannot establish a TCP connection (port 2228) with the Windows container's endpoint from another subnet (ping works). But the same communication can be established with a Linux container endpoint (port 3306).

What you expected to happen:
Being able to establish a TCP connection with a Windows container from anywhere in the vnet, a peered vnet or a VPN.

How to reproduce it:
Create the following pod in AKS

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: win-webserver
  name: win-webserver
  namespace: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: win-webserver
  template:
    metadata:
      labels:
        app: win-webserver
      name: win-webserver
    spec:
      containers:
        - name: windowswebserver
          ports:
            - containerPort: 2228
          image: mcr.microsoft.com/windows/servercore:ltsc2019
          command:
            - powershell.exe
            - -command
            - "<#code used from https://gist.github.com/19WAS85/5424431#> ; $$listener = New-Object System.Net.HttpListener ; $$listener.Prefixes.Add('http://*:2228/') ; $$listener.Start() ; $$callerCounts = @{} ; Write-Host('Listening at http://*:2228/') ; while ($$listener.IsListening) { ;$$context = $$listener.GetContext() ;$$requestUrl = $$context.Request.Url ;$$clientIP = $$context.Request.RemoteEndPoint.Address ;$$response = $$context.Response ;Write-Host '' ;Write-Host('> {0}' -f $$requestUrl) ;  ;$$count = 1 ;$$k=$$callerCounts.Get_Item($$clientIP) ;if ($$k -ne $$null) { $$count += $$k } ;$$callerCounts.Set_Item($$clientIP, $$count) ;$$ip=(Get-NetAdapter | Get-NetIpAddress); $$header='<html><body><H1>Windows Container Web Server</H1>' ;$$callerCountsString='' ;$$callerCounts.Keys | % { $$callerCountsString+='<p>IP {0} callerCount {1} ' -f $$ip[1].IPAddress,$$callerCounts.Item($$_) } ;$$footer='</body></html>' ;$$content='{0}{1}{2}' -f $$header,$$callerCountsString,$$footer ;Write-Output $$content ;$$buffer = [System.Text.Encoding]::UTF8.GetBytes($$content) ;$$response.ContentLength64 = $$buffer.Length ;$$response.OutputStream.Write($$buffer, 0, $$buffer.Length) ;$$response.Close() ;$$responseStatus = $$response.StatusCode ;Write-Host('< {0}' -f $$responseStatus)  } ; "
      nodeSelector:
        kubernetes.io/os: windows

Find the container's endpoint (IP address) and test the TCP connection from a machine in a different subnet, a peered vnet or a VPN. You will see that the ping succeeds but the TCP connection fails.

Orchestrator and Version (e.g. Kubernetes, Docker):
I have tried it with AKS versions 1.21.9 and 1.22.6. Currently:

VERSION     CONTAINER-RUNTIME
v1.22.6    containerd://1.6.1+azure

Operating System (Linux/Windows):

NODE:

OS-IMAGE                         KERNEL-VERSION
Windows Server 2019 Datacenter   10.0.17763.3046

Container: 10.0.17763.1971 (WinBuild.160101.0800)

Anything else we need to know?:

If I create a NodePort service or an Internal Load Balancer I can establish the TCP connection with the Windows container indirectly. The TCP connection can also be established from another container within the cluster subnet.

aks-win

MostefaKamalLala, Jun 22 '22 16:06
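A diagnostic for the symptom reported above (ping succeeds, TCP fails), added here as an example that is not part of the issue or of the azure-container-networking project: a Python probe that tells apart an accepted connection, a refused one (the host answered with a reset, so the path is fine but nothing is bound on the port) and a timeout (the SYN is dropped somewhere on the path), plus a loopback stand-in for the pod's listener so it runs offline. The only assumption is that the pod's `<H1>` text is the banner to look for.

```python
# Constructed probe for this issue's "ping works but TCP fails" symptom; not code
# from the issue or azure-container-networking. 'refused' = host reachable but an
# RST came back (nothing bound); 'timeout' = no SYN-ACK, segments dropped en route.
import socket
import threading

EXPECTED_BANNER = b"Windows Container Web Server"  # H1 the pod's listener emits

def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused' or 'timeout' for host:port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    finally:
        sock.close()

def http_banner_ok(host, port, timeout=3.0):
    """GET / on an open port and check the pod's HTML banner comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return EXPECTED_BANNER in data

def fake_pod_listener():
    """Loopback stand-in for the pod's HttpListener so this runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    body = b"<html><body><H1>Windows Container Web Server</H1></body></html>"
    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                conn.recv(4096)
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body)
            except OSError:
                pass  # a bare TCP probe closes early; keep serving
            finally:
                conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]  # the port the stand-in listens on
```

Against a real pod IP, run `probe_tcp(ip, 2228)` from the other subnet: a result of "timeout" alongside a working ping points at dropped TCP segments rather than at the listener.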