Hi,
I’m trying to understand the following scenario:
- I have a private AKS cluster, with Azure CNI and UDR mode, with Consul Mesh enabled
- deny-all service intention is in effect
- individual service intentions permit traffic between individual services
- pods connect to backend storage running in Azure (storage account(s) etc)
- backend connectivity is enabled via private-endpoints, public endpoints are blocked
How do I configure Consul in order to achieve this sort of connectivity?
Without the Consul mesh, a service queries the DNS for the hostname of the storage account instance, and the Azure DNS resolver returns the private endpoint’s IP address. What needs to be done in order to properly configure Consul to permit outbound connectivity to the said backends?