We use the latest Helm chart from Traefik on our AKS cluster.
The controller is set to internal by using the annotation service.beta.kubernetes.io/azure-load-balancer-internal.
This creates an internal load balancer resource in Azure in the MC_xx resource group named kubernetes-internal.
This also sets up health probes for each defined port (http(s)) on the internal load balancer.
It seems, however, that the health probes use ephemeral ports to check the health of the service in the cluster.
In our case it uses ports 317xx for HTTP/HTTPS.
For now, an extra rule has been created on our network security group to allow load balancer traffic on those ports.
As our company is focusing on a least-privilege approach, we wonder whether it is possible to set the same port on the health probe as the port it needs to monitor, since the ephemeral ports change if you delete the installed Helm chart on the cluster and reinstall it.
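The 317xx ports the Azure load balancer probes are the NodePorts that Kubernetes allocates to the Traefik LoadBalancer Service (random within the default 30000-32767 range, re-allocated on every reinstall). The probe cannot use 80 or 443 itself, because the probe targets the node, not the pod, and NodePorts must fall inside that range; what can be done is pin the NodePorts so the probe ports stop changing and the NSG rule can stay narrow. The following values file for the Traefik Helm chart is an added example, not part of the original post or the Traefik project's documentation; it assumes the chart's ports.web / ports.websecure keys expose a nodePort field and that the chart version in use keeps the other port settings at their defaults:

```yaml
# Added example: values.yaml for the Traefik Helm chart (not from the original post).
# Assumes the chart keys service.annotations and ports.<name>.nodePort exist,
# as in the upstream traefik/traefik chart; other port fields are left at defaults.
service:
  type: LoadBalancer
  annotations:
    # Keep the load balancer internal, as in the post.
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
ports:
  web:
    # Fixed NodePort for the HTTP entry point. The Azure LB health probe and
    # the LB rule for port 80 will target this port on every node.
    nodePort: 30080
  websecure:
    # Fixed NodePort for the HTTPS entry point (probe and rule for port 443).
    nodePort: 30443
```

After installing (or upgrading) with these values, confirm the allocation with `kubectl get svc traefik -o jsonpath='{.spec.ports[*].nodePort}'`, which should print 30080 30443 and will keep printing them across a delete/reinstall. The NSG rule can then be written once, with source restricted to the Azure service tag AzureLoadBalancer (the probe source, 168.63.129.16) and destination ports limited to 30080 and 30443, instead of being widened each time the chart is redeployed. If the Service is later switched to externalTrafficPolicy: Local, the probe moves to spec.healthCheckNodePort, which is a separate, also randomly allocated port and would need to be pinned the same way.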