This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 45%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENK%3C/text%3E%3C/svg%3E)
Hi,
Could you please help me out with the network policy configuration for Windows Server 2022 pods in AKS?
I followed the guide and all the steps listed here to no avail. https://zcusa.951200.xyz/en-us/azure/aks/use-network-policies#create-an-aks-cluster-with-azure-network-policy-manager-enabled---windows-server-2022-preview
The network policy that I used:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: restrict-instance-metadata
namespace: default
spec:
podSelector:
matchLabels: {}
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0 #Allow all other traffic
except:
- 169.254.169.254/32 #Block metadata API
It works great on Linux pods but I struggle to make it work on Windows.
No matter what I tried so far I still can run
kubectl exec -it <windows-server-2022-pod> -n default -- powershell
and then get a successful response with all the data from this one
Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | ConvertTo-Json -Depth 64
What could be the issue here?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 38%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Hi Nikita Krivets ,
Thanks for reaching out to Microsoft Q&A forum.
Based on your query stated above, you are using Azure Network Policy Manager for both Windows and Linux. Both platforms support ingress and egress policies, but the lack of certain features in Windows can lead to discrepancies.
In Linux : Azure NPM uses Linux Iptables to enforce network policies. This allows for a rich set of features, including complex rule definitions for both ingress and egress traffic.
In Windows : Azure Network Policy Manager(NPM) for Windows uses Host Network Service (HNS) ACL Policies. But, the limitations of HNS is as it does not support using CIDR blocks with exceptions (e.g., specifying a range of IPs while excluding certain addresses).
In Windows, below are the limitations of Azure NPM:
https://zcusa.951200.xyz/en-us/azure/aks/use-network-policies
To enforce egress network policy for Windows Server 2022 pods:
Define egress policies by using pod selectors instead of relying on CIDR ranges, particularly for Windows Server 2022 pods in Azure Kubernetes Service (AKS) with Azure Network Policy Manager (NPM) and HNS ACLs.
https://kubernetes.io/docs/concepts/services-networking/network-policies/
If the information is helpful, please consider by clicking the "Upvote".
If you have any further queries, please let us know we are glad to help you.