I have some pods that have an associated NodePort service that I would like to expose to the world. However, I am not in control of setting the value of the NodePort, so I need to open up the full range of 30000-32767 in Azure's Network Security Group (NSG).

Manually, I have successfully created a rule in the NSG, with a destination of the target Node's internal IP of 10.240.0.4. This then allows connection using the Node's external IP on the given NodePort. So I know it is feasible.

However, I am a little stuck on how to automate the creation of the NSG rule. Typically, you could define a LoadBalancer service type, which would cause Azure to create the rule in the NSG and expose it. However, this also means a different IP is given to the LoadBalancer, and in this case I can't create a LoadBalancer for all the NodePorts, as I am not in control of this deployment.

I've looked at Terraform, and it seems possible to configure an NSG rule; but I can't seem to find whether it's possible to get the target Node's internal IP (there are multiple nodes, and only one has an external IP). This would also not be an ideal solution if we have automatic scaling on the nodes, as new rules would need to be defined.

Am I missing something obvious, where I can instruct the NSG to open any created NodePort for a Node that is public/is marked as having enable_node_public_ip? The Microsoft documentation doesn't add anything further to the public IP information.

Carl Reid
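The rule the question describes, written as a Terraform `azurerm_network_security_rule`. This is an added example for readers of the question; it is not code from the asker or from Microsoft's documentation. The resource group name, the NSG name and the node subnet CIDR are assumed placeholder values that must be replaced with the cluster's own; the destination 10.240.0.4 is the node internal IP given in the question, and 30000-32767 is the default Kubernetes NodePort range. The second resource goes one step beyond the question: an NSG destination prefix may be a CIDR rather than a single host, so a rule aimed at the node subnet does not need to know individual node IPs and therefore survives node autoscaling, at the cost of opening the range on every node in that subnet.

```hcl
# Added example (not from the question): the manually created NSG rule as
# Terraform, plus a subnet-wide variant. All names and CIDRs below are assumed.

variable "resource_group_name" {
  # assumed: the AKS node resource group, usually MC_<rg>_<cluster>_<region>
  default = "MC_myrg_mycluster_eastus"
}

variable "nsg_name" {
  # assumed: the NSG Azure attached to the node pool subnet/NICs
  default = "aks-agentpool-12345678-nsg"
}

variable "nodeport_range" {
  # Kubernetes default NodePort range (--service-node-port-range)
  default = "30000-32767"
}

# 1. Exactly what the question did by hand: one node, identified by its
#    internal IP, with the whole NodePort range opened to it.
resource "azurerm_network_security_rule" "nodeport_single_node" {
  name                        = "allow-nodeport-node-10-240-0-4"
  priority                    = 200
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = var.nodeport_range
  # "*" admits any source, i.e. the public Internet. Replace with the client
  # CIDRs that actually need to reach the NodePorts before applying this.
  source_address_prefix       = "*"
  # Internal IP of the node that carries the public IP (from the question)
  destination_address_prefix  = "10.240.0.4"
  resource_group_name         = var.resource_group_name
  network_security_group_name = var.nsg_name
}

# 2. Subnet-wide variant: the destination is the node subnet CIDR (assumed
#    value), so nodes added by autoscaling are covered without new rules.
#    Every node in the subnet is then reachable on every NodePort from the
#    listed sources, so keep source_address_prefix as narrow as possible.
resource "azurerm_network_security_rule" "nodeport_node_subnet" {
  name                        = "allow-nodeport-node-subnet"
  priority                    = 210
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = var.nodeport_range
  source_address_prefix       = "203.0.113.0/24" # assumed client range (TEST-NET-3)
  destination_address_prefix  = "10.240.0.0/16"  # assumed AKS node subnet
  resource_group_name         = var.resource_group_name
  network_security_group_name = var.nsg_name
}
```

Two checks before `terraform apply`: confirm with `az network nsg show` which NSG actually sits on the node subnet or NICs, since a rule in the wrong NSG silently does nothing; and verify priorities do not collide with rules the cluster's cloud provider already manages, because Azure rejects duplicate priorities in the same direction.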