Implement AKS egress via private endpoint

Alexander Redmann 20 Reputation points
2024-06-12T07:50:03.1933333+00:00

Hello,

We have a private AKS cluster with ingress connected to the corporate virtual network via a private link service. This works wonderfully and is well-supported by Azure, allowing communication with services in the cluster from the corporate network. However, we have the problem that it is not so simple to create egress in AKS that allows communication from the cluster back to the corporate network via a private link service or similar.

Azure's proposed solutions include a NAT gateway or firewall, enabling communication via a public IP and VPN tunnel, or connecting the AKS VNet with the corporate VNet through network peering. However, neither of these is a feasible option: the first is cumbersome and expensive, and the second consumes the cluster's IP address space within the corporate network, which is actually unnecessary as it only needs to output information from the cluster to the corporate network.

Are there any other possibilities for connecting services in AKS with services in the corporate VNet?

This is the current state, where the ingress is connected via a private link service in the middle. On the right is the egress part for which we still lack a solution.



1 answer

  1. vipullag-MSFT 26,021 Reputation points
    2024-06-13T01:08:14.0466667+00:00

    Hello Alexander Redmann

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    PrivateLink is just an egress to the API server. The egress only happens through the options you defined already.

    With egress, you would need the egress to take care of SNAT, which the PE will not do, and other things (I could think of only SNAT at the moment).

    For egress, could you check this https://github.com/Azure/kube-egress-gateway
    https://learn.microsoft.com/en-us/azure/aks/egress-outboundtype

    I checked with the internal team on this, and the team is working on a managed solution for this project; it could be deployed into an AKS cluster already before that.

    Hope this helps.
