I think it's related to outbound traffic of the private endpoint. Could you try to get the public IP of the private endpoint?
-
This question is about NSG rules between a private AKS cluster and Blob with private endpoint.
Our AKS is a private cluster using Kubenet, and our blob storage account uses private endpoints. Both resources are located in two subnets of a VNet, e.g. subnet-A for AKS and subnet-B for Blob.
(1) There is one outbound rule on subnet-A that allows all traffic to subnet-B.
(2) There is one inbound rule on subnet-B that allows all traffic from subnet-A.
With the NSG above, pods can mount Blob, but hang on commands like "ls", "cat", etc. It works only after we add an outbound NSG rule on subnet-A that allows all outbound traffic.
We would like to narrow down the outbound traffic. Please advise what exact IP and port should be opened.
BTW, all the above NSG rules are not required when we use the AKS CSI driver for fileShares.
Thanks,
Ralph