How to Assign Unique Outbound Public IPs per Client for a Multi-Tenant SaaS on AKS

Dheerendra Mehar 20 Reputation points
2024-12-30T10:16:49.6166667+00:00

I am building a SaaS application deployed on Azure Kubernetes Service (AKS). It is a multi-tenant application where multiple clients share the same deployment. The application needs to make outbound API calls to banks, and the banks require that each client’s traffic originates from a unique public IP so they can whitelist it.

Initially, we plan to onboard ~10 clients, but the number will scale up to 200+ clients in the future. Here are some additional details about the setup:

• We have a single deployment in AKS for all clients (no separate namespaces per client).

• A subnet in Azure cannot have multiple NAT Gateways, and managing 200+ outbound rules for public IPs in a Standard Load Balancer might not scale well.

• Cost and simplicity are critical factors for us.

I need a scalable solution that:

  1. Ensures each client’s outbound traffic is mapped to a unique public IP.
  2. Can handle 200+ clients efficiently.
  3. Minimizes operational complexity and cost.

What would be the best way to achieve this in Azure? Are there any Azure-native services or configurations (like NAT Gateway, Load Balancer, or other networking features) that can dynamically assign unique outbound IPs per client?

Any guidance, sample configurations or best practices would be greatly appreciated.

Accepted answer
  1. Sai Krishna Katakam 1,515 Reputation points Microsoft Vendor
    2024-12-30T20:47:11.7166667+00:00

    Hi Dheerendra Mehar,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    To assign unique outbound public IPs per client in a multi-tenant SaaS on AKS, use NAT Gateway as follows:

    Deploy NAT Gateways: Attach separate NAT Gateways to subnets within your AKS VNet. Each NAT Gateway supports up to 16 public IPs or a /28 IP prefix, scaling for 200+ clients.

    Zone Resiliency: Deploy NAT Gateways across availability zones for high availability.

    Routing: Use application logic to route client-specific traffic through subnets with unique NAT Gateways.

    Key considerations:

    • A subnet can have only one NAT Gateway.
    • NAT Gateways cannot span multiple virtual networks.
    • This ensures unique public IPs per client while maintaining scalability and simplicity.

    For more information, please refer to the documentation below:
    NAT Gateway for AKS
    NAT gateway configurations
    Scalability

    If an answer has been helpful, please consider accepting the answer and upvoting it to help increase visibility of this question for other members of the Microsoft Q&A community.
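
The per-subnet NAT Gateway layout described in the answer above, as an added example that is not part of the original question or answer: a dry-run script that prints the Azure CLI commands for one subnet, one NAT gateway and one static public IP per client. The resource group, VNet name, resource naming scheme and the 10.50.N.0/24 address plan are assumptions, and it attaches a single public IP to each gateway so every client has one fixed source address.

```shell
#!/usr/bin/env bash
# Added example: prints (does not run) the az commands for per-client egress.
# RG, VNET, resource names and the 10.50.N.0/24 plan are assumed placeholders.
LC_ALL=C
RG="${RG:-rg-saas-example}"
VNET="${VNET:-vnet-aks-example}"

# plan_client_egress <client-id> <index 1..254>
plan_client_egress() {
  local client="$1" idx="$2"
  # Client ids become resource names on a command line: allow only
  # lowercase letters, digits and hyphens so nothing can be injected.
  case "$client" in
    ''|*[!a-z0-9-]*) echo "invalid client id: $client" >&2; return 1 ;;
  esac
  case "$idx" in
    ''|*[!0-9]*) echo "invalid index: $idx" >&2; return 1 ;;
  esac
  if [ "$idx" -lt 1 ] || [ "$idx" -gt 254 ]; then
    echo "index out of range: $idx" >&2; return 1
  fi
  local pip="pip-egress-$client" natgw="natgw-$client" subnet="snet-$client"
  cat <<EOF
az network public-ip create --resource-group $RG --name $pip --sku Standard --allocation-method Static
az network nat gateway create --resource-group $RG --name $natgw --public-ip-addresses $pip
az network vnet subnet create --resource-group $RG --vnet-name $VNET --name $subnet --address-prefixes 10.50.$idx.0/24 --nat-gateway $natgw
EOF
}

# plan_all: read one client id per line on stdin; reject duplicates so two
# clients can never be planned onto the same names and egress IP.
plan_all() {
  local n=0 seen=" " client
  while IFS= read -r client; do
    [ -z "$client" ] && continue
    case "$seen" in *" $client "*) echo "duplicate client: $client" >&2; return 1 ;; esac
    seen="$seen$client "
    n=$((n + 1))
    plan_client_egress "$client" "$n" || return 1
  done
}

# Constructed sample input; review the printed plan before applying it.
printf 'acme-bank\nglobex\n' | plan_all
```

The public IP that each client's bank should allowlist is the one created in the first command of that client's three-line group.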
