Azure: add support for masquerading #42196

Merged: pchaigno merged 1 commit into cilium:main from DataDog:ai/azure-masquerading on Oct 28, 2025

@antonipp (Contributor) commented Oct 15, 2025

Description

This PR adds support for Masquerading when using the Azure IPAM mode.

Users can configure masquerading by using the eBPF ip-masq-agent or by setting --ipv4-native-routing-cidr. I think this should be enough to cover most use-cases to start with.

We could also implement automatic Azure VNET CIDR detection and propagation to the masquerading config (similar to what AWS has for VPC CIDRs here) but it's something that can be implemented as a second step.

Testing

Backported the PR to our 1.18.2 fork. Then deployed the Agent on Azure with the following flags:

        - --enable-ipv4-masquerade=true
        - --enable-bpf-masquerade=true
        - --enable-ip-masq-agent=true
        - --ip-masq-agent-config-path=/etc/cilium-agent-ip-masq-config/config.yaml

The config file looks like this:

# cat /etc/cilium-agent-ip-masq-config/config.yaml
nonMasqueradeCIDRs:
- 10.0.0.0/8
- 172.16.0.0/12
- 100.64.0.0/10
- 192.168.0.0/16
masqLinkLocal: false

Then deployed a pod on an Azure node, the pod's IP is 10.194.0.56. Verified that the ip rules were properly set up with proper CIDR exclusions:

# ip rule | grep 10.194.0.56
20:	from all to 10.194.0.56 lookup main
110:	from 10.194.0.56 to 10.0.0.0/8 lookup 3
110:	from 10.194.0.56 to 100.64.0.0/10 lookup 3
110:	from 10.194.0.56 to 169.254.0.0/16 lookup 3
110:	from 10.194.0.56 to 172.16.0.0/12 lookup 3
110:	from 10.194.0.56 to 192.168.0.0/16 lookup 3

Also attached a Public IP to the primary instance interface and verified that the pod's traffic was actually masqueraded with that Public IP:

anton-test-6d954ccf46-kpsv6:/# curl ifconfig.me
20.XX.XX.XX
Azure: add support for masquerading
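
As an added example (not part of the PR or of Cilium's code), a small Go checker for the `ip rule` verification in the description above: it parses the posted output and confirms that every CIDR in `nonMasqueradeCIDRs` has a per-pod rule. It also covers the `169.254.0.0/16` rule, which is present because `masqLinkLocal: false` makes the ip-masq-agent add the link-local range to the exclusions. The names `checkExclusions` and `ipRuleOutput` are made up for this sketch.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// `ip rule | grep 10.194.0.56` output as posted in the PR description.
const ipRuleOutput = `20:	from all to 10.194.0.56 lookup main
110:	from 10.194.0.56 to 10.0.0.0/8 lookup 3
110:	from 10.194.0.56 to 100.64.0.0/10 lookup 3
110:	from 10.194.0.56 to 169.254.0.0/16 lookup 3
110:	from 10.194.0.56 to 172.16.0.0/12 lookup 3
110:	from 10.194.0.56 to 192.168.0.0/16 lookup 3`

// checkExclusions (hypothetical helper) returns the expected non-masquerade CIDRs
// that have no "from <pod> to <cidr> lookup <table>" rule, and rules not in the config.
func checkExclusions(rules, pod string, nonMasq []string, masqLinkLocal bool) (missing, extra []string) {
	if !masqLinkLocal { // false (the default) adds link-local to the exclusions
		nonMasq = append(append([]string{}, nonMasq...), "169.254.0.0/16")
	}
	want := map[netip.Prefix]bool{} // expected CIDR -> rule seen (panics on a bad config CIDR)
	for _, c := range nonMasq {
		want[netip.MustParsePrefix(c).Masked()] = false
	}
	for _, line := range strings.Split(rules, "\n") {
		f := strings.Fields(line) // [110: from 10.194.0.56 to 10.0.0.0/8 lookup 3]
		if len(f) < 7 || f[1] != "from" || f[2] != pod || f[3] != "to" || f[5] != "lookup" {
			continue // not an egress rule for this pod, e.g. the "from all" rule
		}
		dst, err := netip.ParsePrefix(f[4])
		if _, expected := want[dst.Masked()]; err == nil && expected {
			want[dst.Masked()] = true
		} else {
			extra = append(extra, f[4]) // destination the config does not exclude
		}
	}
	for _, c := range nonMasq {
		if !want[netip.MustParsePrefix(c).Masked()] {
			missing = append(missing, c)
		}
	}
	return missing, extra
}

func main() {
	cfg := []string{"10.0.0.0/8", "172.16.0.0/12", "100.64.0.0/10", "192.168.0.0/16"}
	fmt.Println(checkExclusions(ipRuleOutput, "10.194.0.56", cfg, false))
}
```

An empty `missing` list together with an empty `extra` list means the rules match the config; a non-empty `extra` list points at destinations that bypass masquerading without being listed in the config.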

@antonipp requested review from a team as code owners October 15, 2025 12:56
@antonipp requested a review from tommyp1ckles October 15, 2025 12:56
@maintainer-s-little-helper bot added the dont-merge/needs-release-note-label label (The author needs to describe the release impact of these changes.) Oct 15, 2025
@antonipp requested a review from qmonnet October 15, 2025 12:56
@qmonnet added the release-note/minor label (This PR changes functionality that users may find relevant to operating Cilium.) Oct 15, 2025
@maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label label (The author needs to describe the release impact of these changes.) Oct 15, 2025
@qmonnet added the kind/enhancement (This would improve or streamline existing functionality.), area/azure (Impacts Azure based IPAM.) and feature/bpf-masquerading labels Oct 15, 2025

@qmonnet (Member) commented Oct 15, 2025

/test

@tamilmani1989 (Contributor)

Changes LGTM. Should we have any e2e/unit test to validate this?

@antonipp force-pushed the ai/azure-masquerading branch from e71a30c to acbb41a October 21, 2025 14:06

@antonipp (Contributor, Author)

Ok, added some tests:

  • Test in pkg/ipam/crd_test.go to validate the changes in the IP allocation response
  • Test in pkg/datapath/linux/routing/routing_test.go to validate the changes in the routing logic

@antonipp (Contributor, Author)

/test

@antonipp force-pushed the ai/azure-masquerading branch from acbb41a to 851623a October 22, 2025 09:23

@antonipp (Contributor, Author)

/test

Historically, Azure IPAM mode did not support masquerading at all.
This PR enables Azure IPAM users to use masquerading via the ip-masq-agent or
by setting --ipv4-native-routing-cidr.

Signed-off-by: Anton Ippolitov <anton.ippolitov@datadoghq.com>

@antonipp force-pushed the ai/azure-masquerading branch from 851623a to 0c214ea October 22, 2025 11:59

@antonipp (Contributor, Author)

/test

@qmonnet (Member) left a comment

Thanks!

@pchaigno enabled auto-merge October 24, 2025 18:04

@pchaigno (Member) left a comment

Reviewing for sig-datapath.

@antonipp (Contributor, Author)

@cilium/sig-ipam @cilium/sig-agent Could I get a review from someone please? 🙏

@pchaigno added this pull request to the merge queue Oct 28, 2025
Merged via the queue into cilium:main with commit 3c6bda8 Oct 28, 2025
73 checks passed
@antonipp deleted the ai/azure-masquerading branch October 28, 2025 12:48
@cilium-release-bot bot moved this to Released in cilium v1.19.0 Feb 3, 2026