{"results":[{"id":"aks-custom-vnet-nsg-ports-443-4443-9988","text":"Custom VNet NSG rules for AKS must allow TCP 443 and 4443 from cluster subnet to API server subnet, and TCP 9988 from Azure Load Balancer to API server subnet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-custom-vnet-nsg-required-ports","text":"Custom VNet NSGs for AKS must allow TCP 443/4443 from cluster subnet to API server subnet, and TCP 9988 from Azure Load Balancer to API server subnet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-custom-vnet-nsg-tcp-443-4443-9988","text":"Custom VNet NSG rules for AKS must allow TCP 443 and 4443 from cluster subnet to API server subnet, and TCP 9988 from Azure Load Balancer to API server subnet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-custom-vnet-zero-trust-control-plane","text":"AKS custom VNet deployments inherit the Standard Load Balancer's zero-trust default-deny posture, requiring explicit NSG allowlisting of control plane ports (TCP 443, 4443 from cluster subnet to API server, TCP 9988 from Azure LB) — making AKS custom networking a manual allowlisting exercise where missing a single rule silently breaks cluster communication.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-default-outbound-access-retirement-march-2026","text":"Default outbound internet access for AKS-managed VNet clusters retires March 31, 2026 (defaultOutboundAccess=false); BYO VNet clusters are unaffected.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-overlay-vs-flat-networking","text":"AKS offers two network models: Overlay (pods get IPs from a private CIDR separate from VNet subnet) and Flat (pods get IPs from the same VNet subnet as nodes, no SNAT on egress).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-virtual-nodes-separate-subnet","text":"Virtual nodes (ACI burst) deploy into a separate subnet within the same VNet as the AKS cluster; no application modifications are required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-zero-trust-infrastructure-inheritance","text":"AKS in custom VNet inherits the full Azure zero-trust infrastructure stack: control plane NSG rules (TCP 443, 4443, 9988) operate within a dual-layer filtering model where the foundational infrastructure IP 168.63.129.16 — serving both DNS resolution and health probes — must be preserved while all other traffic defaults to deny, creating a four-layer dependency chain from infrastructure IP through network filtering to control plane access.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appgw-backend-pool-cross-vnet-requires-peering-or-vpn","text":"Application Gateway backend pool members in other VNets require VNet peering or VPN gateway for connectivity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appgw-cross-vnet-backend-requires-peering","text":"Application Gateway backend pool members in other VNets require VNet peering or VPN gateway for connectivity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appgw-cross-vnet-requires-peering-or-vpn","text":"Application Gateway backend pool members in other VNets require VNet peering or VPN gateway for connectivity; on-premises backends need ExpressRoute or VPN tunnels.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appservice-ase-single-tenant-dedicated-vnet","text":"App Service Environment (ASE) is single-tenant, runs inside the customer's VNet, supports ILB for private IP addresses, forces TLS 1.2, and networking rules apply to all apps in the ASE subnet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appservice-ase-single-tenant-vnet-forces-tls12","text":"App Service Environment (ASE) is single-tenant, runs inside the customer's VNet, forces TLS 1.2, and networking rules apply to all apps in the ASE subnet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appservice-ase-single-tenant-vnet-isolation","text":"App Service Environment (ASE) is single-tenant, runs inside the customer's VNet, supports private IP addresses via ILB, and forces TLS 1.2.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appservice-gateway-vnet-integration-cross-region-windows-only","text":"Gateway-required VNet integration is the only option for cross-region connectivity without peering or classic VNet access, but is Windows-only and does not support ExpressRoute.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appservice-gateway-vnet-integration-windows-only-cross-region","text":"Gateway-required VNet integration is legacy, Windows plans only, does not work with ExpressRoute, but can connect cross-region without peering.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appservice-hybrid-connections-no-vnet-port-443","text":"App Service Hybrid Connections are outbound only, require port 443, use Azure Relay, and do not require a VNet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appservice-hybrid-connections-outbound-no-vnet","text":"Hybrid Connections are outbound only, require port 443, use Azure Relay, and do not require a VNet; Hybrid Connection Manager requires Windows Server 2012+.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appservice-hybrid-connections-outbound-port-443-no-vnet","text":"App Service Hybrid Connections are outbound only, use Azure Relay on port 443, and do not require a VNet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appservice-inbound-outbound-features-separate","text":"App Service inbound features (access restrictions, private endpoints) and outbound features (VNet integration, Hybrid Connections) are distinct — inbound features cannot solve outbound problems and vice versa.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":150,"limit":20,"offset":0}