How to enable egress network policy for Windows Server 2022 pods?

Nikita Krivets 496 Reputation points
2025-01-13T12:24:53.67+00:00

Hi,

Could you please help me out with the network policy configuration for Windows Server 2022 pods in AKS?

I followed the guide and all the steps listed here to no avail. https://learn.microsoft.com/en-us/azure/aks/use-network-policies#create-an-aks-cluster-with-azure-network-policy-manager-enabled---windows-server-2022-preview

The network policy that I used:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-instance-metadata
  namespace: default
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0 # Allow all other traffic
        except:
        - 169.254.169.254/32 # Block metadata API

It works great on Linux pods, but I struggle to make it work on Windows.

No matter what I have tried so far, I can still run

kubectl exec -it <windows-server-2022-pod> -n default -- powershell

and then get a successful response with all the data from this request:

Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | ConvertTo-Json -Depth 64

What could be the issue here?

  1. Markapuram Sudheer Reddy 515 Reputation points Microsoft Vendor
    2025-01-13T18:35:10.6733333+00:00

    Hi Nikita Krivets ,

    Thanks for reaching out to Microsoft Q&A forum.

    Based on your query stated above, you are using Azure Network Policy Manager for both Windows and Linux. Both platforms support ingress and egress policies, but the lack of certain features in Windows can lead to discrepancies.

    In Linux: Azure NPM uses Linux iptables to enforce network policies. This allows for a rich set of features, including complex rule definitions for both ingress and egress traffic.

    In Windows: Azure Network Policy Manager (NPM) for Windows uses Host Network Service (HNS) ACL policies. But one limitation of HNS is that it does not support using CIDR blocks with exceptions (e.g., specifying a range of IPs while excluding certain addresses).

    Below are the limitations of Azure NPM on Windows:

    [Screenshot of the Azure NPM for Windows limitations table] https://learn.microsoft.com/en-us/azure/aks/use-network-policies

    To enforce egress network policy for Windows Server 2022 pods:

    Define egress policies by using pod selectors instead of relying on CIDR ranges, particularly for Windows Server 2022 pods in Azure Kubernetes Service (AKS) with Azure Network Policy Manager (NPM) and HNS ACLs.

    https://kubernetes.io/docs/concepts/services-networking/network-policies/

    If the information is helpful, please consider clicking "Upvote".

    If you have any further queries, please let us know; we are glad to help you.


  2. Nikita Krivets 496 Reputation points
    2025-01-27T16:48:51.4866667+00:00

    So essentially a solution would be to calculate all CIDRs without the single IP and put them in the egress policy.

