When I create an AKS cluster using Azure Portal, it creates a VNET with a single subnet in it. The subnet does not have any NSG associated to it as shown below:
To my understanding, having a subnet without any NSG is a bit unusual. I wanted to add a plain empty NSG to the subnet. As soon as I add any NSG to the above subnet, the AKS cluster is not functional anymore until I remove the NSG.
I was expecting that adding a plain minimal NSG to the above subnet should not block anything.
What are the differences between a subnet without any NSG and one with a default empty NSG?
While you create an NSG, Azure creates some default rules. Please refer to the docs here: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
A network security group filters traffic for VMs like the AKS nodes. As you create Services, such as a LoadBalancer, the Azure platform automatically configures any necessary network security group rules.
You don't need to manually configure network security group rules to filter traffic for pods in an AKS cluster. Simply define any required ports and forwarding as part of your Kubernetes Service manifests. Let the Azure platform create or update the appropriate rules.
You can also use network policies to automatically apply traffic filter rules to pods.
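To make the answer's point concrete, here is an added example (not part of the answer above and not Azure's or AKS's own code) that evaluates NSG rules the way the platform does: rules are tried in priority order and the first match decides. The six default rules are the ones listed in the linked NSG overview document; the node address, the peer and client addresses, the flows and the `allow-svc-web-80` rule name are constructed for illustration, and the service-tag membership of each endpoint is supplied by the caller because only the Azure platform can resolve tags to address prefixes. Running it shows that a "plain empty" NSG is not empty: with only the default rules, VNet-internal traffic and Azure Load Balancer probes reach the node, but anything from the Internet hits `DenyAllInBound` until a higher-priority allow rule exists, which is the rule the platform adds for you when a LoadBalancer Service declares the port.

```python
"""Evaluate Azure NSG rules, including the platform's default rules, for sample flows."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Rule:
    name: str
    priority: int        # lower number is evaluated first; first match wins
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "*", "Tcp" or "Udp"
    source: str          # "*", a service tag or a CIDR
    source_ports: str    # "*", "80", "1000-2000" or a comma-separated list
    destination: str
    destination_ports: str


# The six default rules Azure adds to every NSG (per the linked NSG overview doc).
# They cannot be removed; user rules only win because their priority number is lower.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


@dataclass
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    # Service tags each endpoint belongs to. Azure resolves tags to prefixes itself;
    # here the caller states them (constructed for the example).
    src_tags: Set[str] = field(default_factory=set)
    dst_tags: Set[str] = field(default_factory=set)


def _port_matches(spec: str, port: int) -> bool:
    """Match '*', a single port, a 'lo-hi' range or a comma-separated list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def _address_matches(spec: str, ip: str, tags: Set[str]) -> bool:
    """'*' matches all; otherwise match a service tag the endpoint carries or a CIDR."""
    if spec == "*" or spec in tags:
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # spec is a service tag this endpoint does not belong to


def evaluate(user_rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (access, rule_name) of the first matching rule in priority order."""
    candidates = sorted(
        (r for r in user_rules + DEFAULT_RULES if r.direction == flow.direction),
        key=lambda r: r.priority,
    )
    for r in candidates:
        if r.protocol != "*" and r.protocol.lower() != flow.protocol.lower():
            continue
        if (_address_matches(r.source, flow.src_ip, flow.src_tags)
                and _port_matches(r.source_ports, flow.src_port)
                and _address_matches(r.destination, flow.dst_ip, flow.dst_tags)
                and _port_matches(r.destination_ports, flow.dst_port)):
            return r.access, r.name
    return "Deny", "(no rule matched)"  # unreachable: a DenyAll* default always matches


# Constructed sample flows against an AKS node at a made-up private address.
NODE = "10.224.0.4"
internet_to_node_80 = Flow("Inbound", "Tcp", "203.0.113.10", 44444, NODE, 80,
                           src_tags={"Internet"}, dst_tags={"VirtualNetwork"})
peer_to_node_10250 = Flow("Inbound", "Tcp", "10.224.0.5", 50000, NODE, 10250,
                          src_tags={"VirtualNetwork"}, dst_tags={"VirtualNetwork"})
lb_probe = Flow("Inbound", "Tcp", "168.63.129.16", 33333, NODE, 31000,
                src_tags={"AzureLoadBalancer"}, dst_tags={"VirtualNetwork"})
node_to_internet = Flow("Outbound", "Tcp", NODE, 55555, "203.0.113.20", 443,
                        src_tags={"VirtualNetwork"}, dst_tags={"Internet"})

# The kind of allow rule the platform creates when a LoadBalancer Service exposes
# port 80 (name and priority are constructed, not the platform's real naming).
LB_SERVICE_RULE = Rule("allow-svc-web-80", 500, "Inbound", "Allow", "Tcp", "Internet", "*", NODE, "80")

if __name__ == "__main__":
    samples = [("internet->node:80", internet_to_node_80), ("peer->node:10250", peer_to_node_10250),
               ("lb-probe->node:31000", lb_probe), ("node->internet:443", node_to_internet)]
    for label, flow in samples:
        print(f"default rules only   {label:22} {evaluate([], flow)}")
    print(f"with service rule    {'internet->node:80':22} {evaluate([LB_SERVICE_RULE], internet_to_node_80)}")
```

The useful check this gives a defender is the inverse of the question: before attaching an NSG to an AKS subnet, list the flows the cluster depends on and confirm each one is allowed by something with a lower priority number than `DenyAllInBound`; anything that does not is what will break the moment the association is made.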