
Can restricting access to a Prometheus server in AKS only be achieved with nginx-ingress?

gm

Prometheus server with its respective Loadbalancer in AKS.

I wanted to secure access to /metrics through network rules... but it doesn't work. I can still access the endpoint from any device.

  az network nsg rule create \
    --resource-group $AKS_RESOURCE_GROUP \
    --nsg-name $AKS_NSG \
    --name DenyAcess \
    --access Deny \
    --protocol Tcp \
    --direction Inbound \
    --priority 521 \
    --source-address-prefix "*" \
    --source-port-range "*" \
    --destination-port-range 9090

  az network nsg rule create \
    --resource-group $AKS_RESOURCE_GROUP \
    --nsg-name $AKS_NSG \
    --name AllowSpecificIP \
    --access Allow \
    --protocol Tcp \
    --direction Inbound \
    --priority 522 \
    --source-address-prefix $MY_CERTAIN_IP \
    --source-port-range "*" \
    --destination-port-range 9090

I was trying to avoid installing any ingress like haproxy or nginx-ingress... is it the only way to restrict access to the Prometheus endpoint?

Extra: Basic authorization with Prometheus in Helm doesn't work either; it could be useful too :(

ng
Just to clarify, this is running Prometheus as a container on AKS? Not the managed Prometheus service?
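
Added example, not part of the original post or its comments: a simplified model of NSG rule evaluation (lowest priority number first, first match wins) applied to the two rules from the question. The source IPs are constructed, and the third rule, `hypothetical-earlier-allow`, is an assumption used only to show how a lower-numbered Allow rule would shadow both; the page does not say whether such a rule exists in the asker's NSG.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number = evaluated first
    access: str      # "Allow" or "Deny"
    source: str      # CIDR prefix or "*"
    dest_port: int

def source_matches(rule, src_ip):
    if rule.source == "*":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)

def evaluate(rules, src_ip, dest_port):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.dest_port == dest_port and source_matches(rule, src_ip):
            return rule.access, rule.name
    # Simplified stand-in for the NSG's built-in default inbound rules.
    return "Deny", "DenyAllInBound"

MY_CERTAIN_IP = "203.0.113.10"   # constructed value (documentation range)
OTHER_IP = "198.51.100.7"        # constructed value (documentation range)

# The two rules exactly as created in the question: Deny at 521, Allow at 522.
AS_POSTED = [
    Rule("DenyAcess", 521, "Deny", "*", 9090),
    Rule("AllowSpecificIP", 522, "Allow", MY_CERTAIN_IP + "/32", 9090),
]
# Same rules with the priorities swapped so the Allow is evaluated first.
REORDERED = [
    Rule("AllowSpecificIP", 521, "Allow", MY_CERTAIN_IP + "/32", 9090),
    Rule("DenyAcess", 522, "Deny", "*", 9090),
]
# Assumption: some other rule with a lower number already allows port 9090.
WITH_EARLIER_ALLOW = AS_POSTED + [
    Rule("hypothetical-earlier-allow", 500, "Allow", "*", 9090),
]

if __name__ == "__main__":
    for label, rules in [("as posted", AS_POSTED), ("reordered", REORDERED),
                         ("with earlier allow", WITH_EARLIER_ALLOW)]:
        for ip in (MY_CERTAIN_IP, OTHER_IP):
            print(f"{label:20} {ip:15} -> {evaluate(rules, ip, 9090)}")
```

To see which rules actually sit ahead of priority 521 in a real NSG, list them with `az network nsg rule list --resource-group $AKS_RESOURCE_GROUP --nsg-name $AKS_NSG -o table`.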
