azure-container-networking/docs/npm.md

# Microsoft Azure Container Networking

## Azure Network Policy Manager

`azure-npm` Network Policy plugin implements the [Kubernetes Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)

The plugin is available on Linux and (preview) Windows Server 2022.

Azure-NPM serves as a distributed firewall for the Kubernetes cluster, and it can be easily controlled by `kubectl`.

## Documentation
1. [Secure traffic between pods using network policies in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/en-us/azure/aks/use-network-policies)
2. [Monitor and Visualize Network Configurations with Azure NPM](https://learn.microsoft.com/en-us/azure/virtual-network/kubernetes-network-policies#monitor-and-visualize-network-configurations-with-azure-npm)

## Install
Specify `--network-policy=azure` when creating an AKS cluster. For more information, see the [Microsoft Docs](https://learn.microsoft.com/en-us/azure/aks/use-network-policies#create-an-aks-cluster-and-enable-network-policy).

### Manual Installation
Running the command below will bring up one azure-npm instance on each Kubernetes node.
```
# linux
kubectl apply -f https://raw.githubusercontent.com/Azure/azure-container-networking/master/npm/azure-npm.yaml
# windows
kubectl apply -f https://raw.githubusercontent.com/Azure/azure-container-networking/master/npm/examples/windows/azure-npm.yaml
```
Now you can secure your Kubernetes cluster with Azure-NPM by applying Kubernetes network policies.

## Build
### Linux
`azure-npm` can be built directly from the source code in this repository.
```
make azure-npm
make npm-image
make azure-npm-archive
```
The first command builds the `azure-npm` executable. 
The second command builds the `azure-npm` docker image.
The third command builds the `azure-npm` binary and place it in a tar archive. 
The binaries are placed in the `output` directory.

### Windows
```
$env:ACN_PACKAGE_PATH = "github.com/Azure/azure-container-networking"
$env:NPM_AI_PATH = "$env:ACN_PACKAGE_PATH/npm.aiMetadata"
$env:NPM_AI_ID = "1234abcd-1234-abcd-1234-12345678abcd"
$env:VERSION = "0.0.0"
$env:REPO = "mcr.microsoft.com/azure-npm:" # include colon at end
$env:IMAGE = "$env:REPO$env:VERSION"
docker build `
	-f npm/windows.Dockerfile `
	-t $env:IMAGE `
	--build-arg VERSION=$env:VERSION `
	--build-arg NPM_AI_PATH=$env:NPM_AI_PATH `
	--build-arg NPM_AI_ID=$env:NPM_AI_ID `
	.
docker push $env:IMAGE
echo $env:IMAGE
```

## Usage
[Microsoft Docs](https://learn.microsoft.com/en-us/azure/aks/use-network-policies#verify-network-policy-setup) has a detailed step by step example on how to use Kubernetes network policy.

## Troubleshooting
When `azure-npm` isn't working as expected, try to **delete all networkpolicies and apply them again**.
Also, a good practice is to merge all network policies targeting the same set of pods/labels into one yaml file.
This way, operators can keep the minimum number of network policies and makes it easier for operators to troubleshoot.

### Linux
NPM adds firewall rules via `iptables` and `ipset`. You can examine the configuration on a given node with:
- `kubectl exec -it -n kube-system $npmPod -- iptables -vnL`
- `kubectl exec -it -n kube-system $npmPod -- ipset -L`

### Windows
NPM adds firewall rules via HNS. You can examine the configuration on a given node with:
- ACLs applied on Pod Endpoints: `kubectl exec -n kube-system $npmWinPod -- Get-HNSEndpoint`
- SetPolicies are like ipsets: `(Get-HNSNetwork | ? Name -Like Azure).Policies`
Add azure-npm documentation (#329) * add azure-npm documentation * address comment 2019-04-11 22:38:53 +03:00			`# Microsoft Azure Container Networking`

			`## Azure Network Policy Manager`

			`azure-npm` Network Policy plugin implements the [Kubernetes Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)

docs: [NPM] add windows documentation and update links to MSDocs (#1805) * add windows and update doc links * update main README to say NPM supports Windows * update preview wording to be clearer --------- Co-authored-by: Vamsi Kalapala <vakr@microsoft.com> 2023-02-17 00:12:22 +03:00			`The plugin is available on Linux and (preview) Windows Server 2022.`
Add azure-npm documentation (#329) * add azure-npm documentation * address comment 2019-04-11 22:38:53 +03:00
			Azure-NPM serves as a distributed firewall for the Kubernetes cluster, and it can be easily controlled by `kubectl`.

docs: [NPM] add windows documentation and update links to MSDocs (#1805) * add windows and update doc links * update main README to say NPM supports Windows * update preview wording to be clearer --------- Co-authored-by: Vamsi Kalapala <vakr@microsoft.com> 2023-02-17 00:12:22 +03:00			`## Documentation`
			`1. [Secure traffic between pods using network policies in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/en-us/azure/aks/use-network-policies)`
			`2. [Monitor and Visualize Network Configurations with Azure NPM](https://learn.microsoft.com/en-us/azure/virtual-network/kubernetes-network-policies#monitor-and-visualize-network-configurations-with-azure-npm)`

Add azure-npm documentation (#329) * add azure-npm documentation * address comment 2019-04-11 22:38:53 +03:00			`## Install`
docs: [NPM] add windows documentation and update links to MSDocs (#1805) * add windows and update doc links * update main README to say NPM supports Windows * update preview wording to be clearer --------- Co-authored-by: Vamsi Kalapala <vakr@microsoft.com> 2023-02-17 00:12:22 +03:00			Specify `--network-policy=azure` when creating an AKS cluster. For more information, see the [Microsoft Docs](https://learn.microsoft.com/en-us/azure/aks/use-network-policies#create-an-aks-cluster-and-enable-network-policy).
Add azure-npm documentation (#329) * add azure-npm documentation * address comment 2019-04-11 22:38:53 +03:00
docs: [NPM] add windows documentation and update links to MSDocs (#1805) * add windows and update doc links * update main README to say NPM supports Windows * update preview wording to be clearer --------- Co-authored-by: Vamsi Kalapala <vakr@microsoft.com> 2023-02-17 00:12:22 +03:00			`### Manual Installation`
Add azure-npm documentation (#329) * add azure-npm documentation * address comment 2019-04-11 22:38:53 +03:00			`Running the command below will bring up one azure-npm instance on each Kubernetes node.`
			```
docs: [NPM] add windows documentation and update links to MSDocs (#1805) * add windows and update doc links * update main README to say NPM supports Windows * update preview wording to be clearer --------- Co-authored-by: Vamsi Kalapala <vakr@microsoft.com> 2023-02-17 00:12:22 +03:00			`# linux`
Update npm.md (#1911) we have to use same URL with [Official doc](https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/virtual-network/kubernetes-network-policies.md) Also, the old URL uses older container image version. 2023-04-12 19:54:15 +03:00			`kubectl apply -f https://raw.githubusercontent.com/Azure/azure-container-networking/master/npm/azure-npm.yaml`
docs: [NPM] add windows documentation and update links to MSDocs (#1805) * add windows and update doc links * update main README to say NPM supports Windows * update preview wording to be clearer --------- Co-authored-by: Vamsi Kalapala <vakr@microsoft.com> 2023-02-17 00:12:22 +03:00			`# windows`
			`kubectl apply -f https://raw.githubusercontent.com/Azure/azure-container-networking/master/npm/examples/windows/azure-npm.yaml`
Add azure-npm documentation (#329) * add azure-npm documentation * address comment 2019-04-11 22:38:53 +03:00			```
			`Now you can secure your Kubernetes cluster with Azure-NPM by applying Kubernetes network policies.`

			`## Build`
docs: [NPM] add windows documentation and update links to MSDocs (#1805) * add windows and update doc links * update main README to say NPM supports Windows * update preview wording to be clearer --------- Co-authored-by: Vamsi Kalapala <vakr@microsoft.com> 2023-02-17 00:12:22 +03:00			`### Linux`
Add azure-npm documentation (#329) * add azure-npm documentation * address comment 2019-04-11 22:38:53 +03:00			`azure-npm` can be built directly from the source code in this repository.
			```
			`make azure-npm`
update cyclonus workflow (#1246) Signed-off-by: Evan Baker <rbtr@users.noreply.github.com> 2022-02-16 23:30:17 +03:00			`make npm-image`
Add azure-npm documentation (#329) * add azure-npm documentation * address comment 2019-04-11 22:38:53 +03:00			`make azure-npm-archive`
			```
			The first command builds the `azure-npm` executable.
			The second command builds the `azure-npm` docker image.
			The third command builds the `azure-npm` binary and place it in a tar archive.
			The binaries are placed in the `output` directory.

docs: [NPM] add windows documentation and update links to MSDocs (#1805) * add windows and update doc links * update main README to say NPM supports Windows * update preview wording to be clearer --------- Co-authored-by: Vamsi Kalapala <vakr@microsoft.com> 2023-02-17 00:12:22 +03:00			`### Windows`
			```
			`$env:ACN_PACKAGE_PATH = "github.com/Azure/azure-container-networking"`
			`$env:NPM_AI_PATH = "$env:ACN_PACKAGE_PATH/npm.aiMetadata"`
			`$env:NPM_AI_ID = "1234abcd-1234-abcd-1234-12345678abcd"`
			`$env:VERSION = "0.0.0"`
			`$env:REPO = "mcr.microsoft.com/azure-npm:" # include colon at end`
			`$env:IMAGE = "$env:REPO$env:VERSION"`
			docker build `
			-f npm/windows.Dockerfile `
			-t $env:IMAGE `
			--build-arg VERSION=$env:VERSION `
			--build-arg NPM_AI_PATH=$env:NPM_AI_PATH `
			--build-arg NPM_AI_ID=$env:NPM_AI_ID `
			`.`
			`docker push $env:IMAGE`
			`echo $env:IMAGE`
			```
Add azure-npm documentation (#329) * add azure-npm documentation * address comment 2019-04-11 22:38:53 +03:00
docs: [NPM] add windows documentation and update links to MSDocs (#1805) * add windows and update doc links * update main README to say NPM supports Windows * update preview wording to be clearer --------- Co-authored-by: Vamsi Kalapala <vakr@microsoft.com> 2023-02-17 00:12:22 +03:00			`## Usage`
			`[Microsoft Docs](https://learn.microsoft.com/en-us/azure/aks/use-network-policies#verify-network-policy-setup) has a detailed step by step example on how to use Kubernetes network policy.`
Add azure-npm documentation (#329) * add azure-npm documentation * address comment 2019-04-11 22:38:53 +03:00
			`## Troubleshooting`
			When `azure-npm` isn't working as expected, try to delete all networkpolicies and apply them again.
			`Also, a good practice is to merge all network policies targeting the same set of pods/labels into one yaml file.`
update cyclonus workflow (#1246) Signed-off-by: Evan Baker <rbtr@users.noreply.github.com> 2022-02-16 23:30:17 +03:00			`This way, operators can keep the minimum number of network policies and makes it easier for operators to troubleshoot.`
docs: [NPM] add windows documentation and update links to MSDocs (#1805) * add windows and update doc links * update main README to say NPM supports Windows * update preview wording to be clearer --------- Co-authored-by: Vamsi Kalapala <vakr@microsoft.com> 2023-02-17 00:12:22 +03:00
			`### Linux`
			NPM adds firewall rules via `iptables` and `ipset`. You can examine the configuration on a given node with:
			- `kubectl exec -it -n kube-system $npmPod -- iptables -vnL`
			- `kubectl exec -it -n kube-system $npmPod -- ipset -L`

			`### Windows`
			`NPM adds firewall rules via HNS. You can examine the configuration on a given node with:`
			- ACLs applied on Pod Endpoints: `kubectl exec -n kube-system $npmWinPod -- Get-HNSEndpoint`
			- SetPolicies are like ipsets: `(Get-HNSNetwork \| ? Name -Like Azure).Policies`