In this article, you learn about the control plane networking options for Azure Kubernetes Service (AKS). We first pose a question to help guide your planning, and then provide options, recommendations, and best practices.
How do you want to access your API server?
The Azure-managed AKS control plane consists of several components that help manage the cluster, including the API server. You need to configure networking so that nodes and end users can access the API server for things like updates and cluster management.
Control plane networking options
When setting up control plane networking, you can choose a public cluster or a private cluster:
| Control plane networking option | Features & functionality |
|---|---|
| Public cluster | • API server accessible via a public IP address, allowing users and nodes to connect without any extra configuration. • You can restrict access to certain source IP ranges. • Uses konnectivity tunnel for node and pod access. • Supports API Server VNet Integration. |
| Private cluster | • API server accessible via an internal IP address, with Azure Private DNS used for the API server hostname. • Uses Azure Private Link to securely connect to the API server. • Uses konnectivity tunnel for node and pod access. • Supports API Server VNet Integration. |
API Server VNet Integration (preview)
API Server VNet Integration is supported for public or private clusters. API Server VNet Integration enables network communication between the API server and the cluster nodes without requiring a private link or tunnel. The API server is available behind an internal load balancer VIP in the delegated subnet, which the nodes are configured to use.
With API Server VNet Integration:
- API server provisions into a delegated subnet within your virtual network (VNet).
- Can use a konnectivity tunnel for pod access in Overlay or BYO CNI clusters.
- Can add or remove API server public access at any time without cluster disruption.
Recommendations
Our general recommendation is to use a public cluster, as it simplifies the networking setup and allows for easier access to the API server. However, if you have specific security or compliance requirements, a private cluster might be more appropriate.
Once generally available (GA), we recommend enabling API Server VNet Integration for both public and private clusters to enhance security and simplify network management.
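The following added example (not part of the article and not Microsoft's code) classifies clusters by the options described above and flags a public API server that is not restricted to authorized source IP ranges. It reads the apiServerAccessProfile block as `az aks show` reports it; the field names (enablePrivateCluster, authorizedIpRanges, enableVnetIntegration, subnetId) are assumed from the AKS resource schema, and the cluster records are constructed inline so the check runs offline.

```python
import json

# Constructed sample: the "apiServerAccessProfile" block as `az aks show`
# reports it for five hypothetical clusters. Field names are assumed from
# the AKS resource schema and are not taken from the article.
SAMPLE_CLUSTERS = json.loads("""
[
  {"name": "aks-public-open", "apiServerAccessProfile": null},
  {"name": "aks-public-restricted",
   "apiServerAccessProfile": {"enablePrivateCluster": false,
                              "authorizedIpRanges": ["203.0.113.0/24"]}},
  {"name": "aks-public-allow-all",
   "apiServerAccessProfile": {"enablePrivateCluster": false,
                              "authorizedIpRanges": ["0.0.0.0/0"]}},
  {"name": "aks-private",
   "apiServerAccessProfile": {"enablePrivateCluster": true,
                              "privateDnsZone": "system"}},
  {"name": "aks-public-vnet-integrated",
   "apiServerAccessProfile": {"enablePrivateCluster": false,
                              "enableVnetIntegration": true,
                              "subnetId": "/subscriptions/PLACEHOLDER/subnets/apiserver"}}
]
""")


def classify(cluster):
    """Return (mode, findings): how the API server is reached and what to fix."""
    profile = cluster.get("apiServerAccessProfile") or {}
    private = bool(profile.get("enablePrivateCluster"))
    ranges = profile.get("authorizedIpRanges") or []
    vnet_integrated = bool(profile.get("enableVnetIntegration"))

    mode = "private" if private else "public"
    if vnet_integrated:
        mode += "+vnet-integration"

    findings = []
    if not private:
        # A public API server should be limited to known source ranges.
        if not ranges:
            findings.append("public API server with no authorized IP ranges")
        elif "0.0.0.0/0" in ranges:
            findings.append("authorized IP ranges include 0.0.0.0/0 (all sources)")
    return mode, findings


def audit(clusters):
    """Map cluster name -> (mode, findings) for a list of az aks show records."""
    return {c["name"]: classify(c) for c in clusters}
```

A private cluster produces no finding here because its API server is reachable only over Private Link or, with VNet Integration, from the delegated subnet.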