diff --git a/pkg/cloudprovider/providers/azure/azure.go b/pkg/cloudprovider/providers/azure/azure.go
index 49ca15bff3..e1cd9bbfa2 100644
--- a/pkg/cloudprovider/providers/azure/azure.go
+++ b/pkg/cloudprovider/providers/azure/azure.go
@@ -73,6 +73,8 @@ const (
 var (
 // Master nodes are not added to standard load balancer by default.
 defaultExcludeMasterFromStandardLB = true
+ // Outbound SNAT is enabled by default.
+ defaultDisableOutboundSNAT = false
 )
 
 // Config holds the configuration parsed from the --cloud-config flag
@@ -145,6 +147,9 @@ type Config struct {
 // ExcludeMasterFromStandardLB excludes master nodes from standard load balancer.
 // If not set, it will be default to true.
 ExcludeMasterFromStandardLB *bool `json:"excludeMasterFromStandardLB" yaml:"excludeMasterFromStandardLB"`
+ // DisableOutboundSNAT disables the outbound SNAT for public load balancer rules.
+ // It should only be set when loadBalancerSku is standard. If not set, it will be default to false.
+ DisableOutboundSNAT *bool `json:"disableOutboundSNAT" yaml:"disableOutboundSNAT"`
 // Maximum allowed LoadBalancer Rule Count is the limit enforced by Azure Load balancer
 MaximumLoadBalancerRuleCount int `json:"maximumLoadBalancerRuleCount" yaml:"maximumLoadBalancerRuleCount"`
 
@@ -321,9 +326,20 @@ func NewCloud(configReader io.Reader) (cloudprovider.Interface, error) {
 config.CloudProviderBackoffDuration = backoffDurationDefault
 }
 
- // Do not add master nodes to standard LB by default.
- if config.ExcludeMasterFromStandardLB == nil {
- config.ExcludeMasterFromStandardLB = &defaultExcludeMasterFromStandardLB
+ if strings.EqualFold(config.LoadBalancerSku, loadBalancerSkuStandard) {
+ // Do not add master nodes to standard LB by default.
+ if config.ExcludeMasterFromStandardLB == nil {
+ config.ExcludeMasterFromStandardLB = &defaultExcludeMasterFromStandardLB
+ }
+
+ // Enable outbound SNAT by default.
+ if config.DisableOutboundSNAT == nil {
+ config.DisableOutboundSNAT = &defaultDisableOutboundSNAT
+ }
+ } else {
+ if config.DisableOutboundSNAT != nil && *config.DisableOutboundSNAT {
+ return nil, fmt.Errorf("disableOutboundSNAT should only set when loadBalancerSku is standard")
+ }
 }
 
 azClientConfig := &azClientConfig{
diff --git a/pkg/cloudprovider/providers/azure/azure_loadbalancer.go b/pkg/cloudprovider/providers/azure/azure_loadbalancer.go
index 9a114d5ec0..cf9bab1433 100644
--- a/pkg/cloudprovider/providers/azure/azure_loadbalancer.go
+++ b/pkg/cloudprovider/providers/azure/azure_loadbalancer.go
@@ -959,10 +959,11 @@ func (az *Cloud) reconcileLoadBalancerRule(
 BackendAddressPool: &network.SubResource{
 ID: to.StringPtr(lbBackendPoolID),
 },
- LoadDistribution: loadDistribution,
- FrontendPort: to.Int32Ptr(port.Port),
- BackendPort: to.Int32Ptr(port.Port),
- EnableFloatingIP: to.BoolPtr(true),
+ LoadDistribution: loadDistribution,
+ FrontendPort: to.Int32Ptr(port.Port),
+ BackendPort: to.Int32Ptr(port.Port),
+ EnableFloatingIP: to.BoolPtr(true),
+ DisableOutboundSnat: to.BoolPtr(az.disableLoadBalancerOutboundSNAT()),
 },
 }
 if protocol == v1.ProtocolTCP {
diff --git a/pkg/cloudprovider/providers/azure/azure_wrap.go b/pkg/cloudprovider/providers/azure/azure_wrap.go
index 277c6debbd..47b2f54fc6 100644
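Review bot: The rejection in the new `else` branch of NewCloud is ungrammatical and uses `fmt.Errorf` with no format verbs; `return nil, fmt.Errorf("disableOutboundSNAT should only be set when loadBalancerSku is standard")` reads correctly, and `errors.New` would fit better if `errors` is already imported in azure.go. Moving the `ExcludeMasterFromStandardLB` default under the `strings.EqualFold(...)` guard also changes behaviour for non-standard SKUs: that field now stays nil there instead of defaulting to true, which nothing in the hunk calls out; if it is intentional, a comment on the `else` branch such as `// Basic SKU: master exclusion is not applied, and disabling outbound SNAT is unsupported.` would record it. Both defaults take the address of a package-level variable, so a later write through `*config.DisableOutboundSNAT` would change the default for every subsequent NewCloud call; copying first (`v := defaultDisableOutboundSNAT; config.DisableOutboundSNAT = &v`) avoids that aliasing, and the same applies to the pre-existing `ExcludeMasterFromStandardLB` assignment. NewCloud's body starts and ends outside the hunk.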
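Review bot: `DisableOutboundSnat` is now populated on every rule reconcileLoadBalancerRule builds, whereas the Config doc in azure.go scopes the option to public load balancer rules and `disableLoadBalancerOutboundSNAT()` checks only the SKU, not whether the load balancer is internal; the hunk does not show how internal LBs reach this code, so it is worth confirming that the property is valid on internal rules or gating it on the public case. Sending an explicit `to.BoolPtr(false)` for Basic-SKU load balancers is also a change in request shape from the previous code; if the Basic SKU API does not accept the property, leaving the pointer nil for that case would be safer than always setting it. A why-comment on the new line would help operators understand the effect, e.g. `// When true the rule no longer provides outbound SNAT for the backend pool, so egress must come from an outbound rule or other path — confirm against current Azure docs.` reconcileLoadBalancerRule starts and ends outside the hunk.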
--- a/pkg/cloudprovider/providers/azure/azure_wrap.go
+++ b/pkg/cloudprovider/providers/azure/azure_wrap.go
@@ -300,6 +300,14 @@ func (az *Cloud) excludeMasterNodesFromStandardLB() bool {
 return az.ExcludeMasterFromStandardLB != nil && *az.ExcludeMasterFromStandardLB
 }
 
+func (az *Cloud) disableLoadBalancerOutboundSNAT() bool {
+ if !az.useStandardLoadBalancer() || az.DisableOutboundSNAT == nil {
+ return false
+ }
+
+ return *az.DisableOutboundSNAT
+}
+
 // IsNodeUnmanaged returns true if the node is not managed by Azure cloud provider.
 // Those nodes includes on-prem or VMs from other clouds. They will not be added to load balancer
 // backends. Azure routes and managed disks are also not supported for them.
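Review bot: `disableLoadBalancerOutboundSNAT` has no doc comment, unlike the neighbouring `IsNodeUnmanaged`; a line such as `// disableLoadBalancerOutboundSNAT reports whether outbound SNAT should be disabled on load balancer rules. It is always false unless the standard SKU is in use and DisableOutboundSNAT is explicitly set.` would cover both guards. The `useStandardLoadBalancer()` check duplicates the validation NewCloud performs at configuration load, which already rejects a true value for non-standard SKUs, so a short comment marking this guard as defence in depth (`// SKU is re-checked here so a true value can never reach a Basic LB rule even if validation is bypassed.`) would stop a future reader from removing one of the two checks. I cannot see `useStandardLoadBalancer` here, so I am assuming it applies the same case-insensitive comparison as NewCloud's `strings.EqualFold`; if it does not, the two checks could disagree on mixed-case SKU strings.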