I am currently working on deploying a fully private Azure Kubernetes Service cluster (AKS, with the option --enable-private-cluster ) within my Azure subscription. However, I am facing challenges in ensuring that no public IPs are assigned at any level, including NSGs, VM nodes, firewalls or other underlying components.
Context & Issue: My subscription have a tenant policy definition which does not allow using any public IP. Thus, when deploying a private AKS cluster, some components (such as NSGs or VMs) that require a public IP will fail due to this policy.
I would like to know if it is possible to deploy a fully private AKS cluster in Azure without any public IPs under these constraints. If yes, then what approaches and configuration that does not require having an exception to the policy can achieve this? I would appreciate any documentation or technical recommendations regarding this matter.
asked Mar 31 at 12:36 by user9513505

1 Answer
Deploy fully private AKS when subscription does not allow any public IP.
Creating a fully private AKS cluster without public IPs is achievable, even when tenant policies block public IPs, using the following setup configuration:
Create a private VNet and subnet
az network vnet create --resource-group vinay-rg --name vk-vnet --address-prefix 10.0.0.0/16 --subnet-name vk-subnet --subnet-prefix 10.0.0.0/24
Once this is provisioned, create an AKS cluster using the command below:
az aks create --resource-group vinay-rg --name vks-cluster --enable-private-cluster --vnet-subnet-id "/subscriptions/sub_ID/resourceGroups/vinay-rg/providers/Microsoft.Network/virtualNetworks/vk-vnet/subnets/vk-subnet" --no-ssh-key --node-vm-size Standard_DS2_v2 --service-cidr "10.1.0.0/16"
Once the AKS cluster has been deployed with a private API server and private nodes, no public IPs are used for the API server.
Now create a private DNS zone using the command below:
az network private-dns zone create --resource-group vinay-rg --name "privatelink.eastus.azmk8s.io"
Once the private DNS zone is created, link it to the VNet using the command below:
az network private-dns link vnet create --resource-group "vinay-rg" --vnet-name "vk-vnet" --name "PrivateDNSLink" --zone-name "privatelink.eastus.azmk8s.io" --registration-enabled false --virtual-network "/subscriptions/Sub_ID/resourceGroups/vinay-rg/providers/Microsoft.Network/virtualNetworks/vk-vnet"
Now that the linking is done, in order to interact with the AKS cluster via kubectl you need to configure the kubeconfig file to use the private API server endpoint. Since the API server is private, it should be accessible only from within your VNet.
az aks get-credentials --resource-group vinay-rg --name vks-cluster --admin
This will download the kubeconfig file and set up kubectl to access your AKS cluster.
Once you've updated the kubeconfig, test the connection to the AKS cluster:
kubectl get nodes
This should list the nodes in your AKS cluster if everything is set up correctly and you're accessing it from the VNet, a VPN, or Azure Bastion.
Refer:
https://learn.microsoft.com/en-us/azure/aks/automatic/quick-automatic-private-custom-network?pivots=azure-cli
https://learn.microsoft.com/en-us/cli/azure/network/private-dns/link/vnet?view=azure-cli-latest#az-network-private-dns-link-vnet-create
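A post-deployment check to confirm the cluster really ended up with no public IPs, as an added example that is not part of the answer above. Each function takes the text output of the az command named in its comment, so it can be exercised offline on constructed sample values; it assumes the answer's resource names vinay-rg and vks-cluster, and additionally inspects networkProfile.outboundType, because the default loadBalancer egress path provisions a public IP in the node resource group even when the API server itself is private.

```shell
#!/usr/bin/env sh
# Added example: verify a private AKS deployment is free of public IPs.
# Resource names follow the answer (vinay-rg, vks-cluster); NODE_RG is
# whatever `az aks show --query nodeResourceGroup -o tsv` reports.

# Expects the output of:
#   az aks show -g vinay-rg -n vks-cluster \
#     --query apiServerAccessProfile.enablePrivateCluster -o tsv
api_server_is_private() {
  [ "$1" = "true" ]
}

# Expects the output of:
#   az aks show -g vinay-rg -n vks-cluster --query networkProfile.outboundType -o tsv
# Only userDefinedRouting avoids a managed public IP; loadBalancer (the
# default) and the NAT gateway types attach one to the egress path.
egress_has_no_public_ip() {
  case "$1" in
    userDefinedRouting) return 0 ;;
    *) return 1 ;;
  esac
}

# Expects the output of:
#   az network public-ip list -g "$NODE_RG" --query '[].name' -o tsv
# Passes only when the listing is empty (whitespace-only).
no_public_ips_in_group() {
  [ -z "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# Runs all three checks, reports each failure, returns non-zero on any.
audit_private_cluster() {
  rc=0
  api_server_is_private "$1" || { echo "FAIL: API server is publicly reachable"; rc=1; }
  egress_has_no_public_ip "$2" || { echo "FAIL: outboundType '$2' provisions a public IP"; rc=1; }
  no_public_ips_in_group "$3" || { echo "FAIL: public IPs in node resource group: $3"; rc=1; }
  return $rc
}

# Constructed sample values (not captured from Azure) showing what a
# cluster created with the answer's az aks create command can look like:
# private API server, but default egress with a managed public IP.
SAMPLE_PRIVATE="true"
SAMPLE_OUTBOUND="loadBalancer"
SAMPLE_PIPS="constructed-egress-pip"
audit_private_cluster "$SAMPLE_PRIVATE" "$SAMPLE_OUTBOUND" "$SAMPLE_PIPS" \
  || echo "cluster is not fully private"
```

Against a live cluster, feed each function the real az output, e.g. `no_public_ips_in_group "$(az network public-ip list -g "$NODE_RG" --query '[].name' -o tsv)"`.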
Comment on the question: az aks command invoke, docs learn.microsoft.com/en-us/azure/aks/… – wenbo Commented Apr 1 at 3:32