Hello Tobias Babin
From the above diagram, only the Azure DevOps agent IPs are needed in the authorized IP ranges. All others use the internal IP to access the cluster.
Hope this helps.
For an AKS cluster with API Server VNet Integration (Preview) enabled and access to the API server via a VPN Gateway established, using the "API server authorized IP address ranges" feature breaks any access coming through the VPN Gateway.
We have an AKS cluster configured with API Server VNet Integration (Preview). Cluster mode is set to "public".
We would like to provide access to the API server to admin users via a P2S VPN Gateway using the API server internal VIP and peering the VPN Gateway VNet and the cluster VNet. This works great.
Now, to reduce the attack surface, we would also like to limit access from the internet down to the Azure DevOps agents (Microsoft-hosted) where we are running our pipelines. Once we start entering authorized IP ranges, access to the API server internal VIP via the VPN Gateway breaks. We added
to the authorized IP ranges, but still cannot connect.
What IP range(s) do we need to authorize in this setup? Is this combination of features designed to work together?
Thank you for any insights.
(N.B. We are aware of Azure DevOps self-hosted agents as a possible solution, but one we would like to avoid for now to keep operational complexity low.)
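Building the authorized IP range list that the answer describes (Azure DevOps agent ranges only, nothing for the VPN path), as an added example that is not part of the original thread. It assumes that Microsoft-hosted agents source from the `AzureCloud.<region>` service tag in the published Azure IP ranges JSON, that AKS accepts only IPv4 CIDRs in `--api-server-authorized-ip-ranges`, and a limit of 200 ranges; all three are assumptions to verify against current documentation, and the service-tag JSON below is constructed with documentation prefixes, not real Azure ranges.

```python
import ipaddress
import json

# Constructed sample in the shape of the weekly "Azure IP Ranges and Service Tags"
# JSON file. Prefixes are RFC 5737 documentation ranges, not real Azure ranges:
# download the current file and feed its contents to agent_ranges() instead.
SAMPLE_SERVICE_TAGS = json.dumps({
    "values": [
        {
            "name": "AzureCloud.westeurope",
            "properties": {
                "addressPrefixes": [
                    "203.0.113.0/26", "203.0.113.64/26",   # adjacent: collapse to /25
                    "198.51.100.0/24", "198.51.100.0/24",  # duplicate: keep once
                    "2001:db8::/48",                        # IPv6: dropped (assumption)
                ]
            },
        },
        {
            "name": "AzureCloud.northeurope",
            "properties": {"addressPrefixes": ["192.0.2.0/24"]},
        },
    ]
})

# Assumed AKS limit on the number of authorized ranges; confirm before relying on it.
MAX_RANGES = 200


def agent_ranges(service_tags_json, region):
    """Return the collapsed IPv4 CIDRs of the AzureCloud.<region> service tag.

    Only these public ranges go into the authorized list; per the answer above,
    admin access over the P2S VPN uses the internal VIP and needs no entry here.
    """
    tag = f"AzureCloud.{region}"
    doc = json.loads(service_tags_json)
    for entry in doc["values"]:
        if entry["name"] == tag:
            prefixes = entry["properties"]["addressPrefixes"]
            break
    else:
        raise ValueError(f"service tag {tag} not found in the ranges file")

    # Keep IPv4 only, then merge duplicates and adjacent blocks so the list
    # stays short and well under the per-cluster limit.
    v4 = [n for n in map(ipaddress.ip_network, prefixes) if n.version == 4]
    collapsed = [str(n) for n in ipaddress.collapse_addresses(v4)]
    if len(collapsed) > MAX_RANGES:
        raise ValueError(f"{len(collapsed)} ranges exceeds the assumed limit of {MAX_RANGES}")
    return collapsed


def az_aks_update_command(resource_group, cluster, ranges):
    """Compose the az CLI call that replaces the cluster's authorized IP ranges.

    The flag takes a single comma-separated argument with no spaces; every value
    is re-validated as a CIDR so a typo cannot silently lock out the pipeline.
    """
    for r in ranges:
        ipaddress.ip_network(r)  # raises ValueError on a malformed CIDR
    return (
        f"az aks update --resource-group {resource_group} --name {cluster} "
        f"--api-server-authorized-ip-ranges {','.join(ranges)}"
    )


if __name__ == "__main__":
    # Hypothetical resource names; the region and output ranges are constructed.
    ranges = agent_ranges(SAMPLE_SERVICE_TAGS, "westeurope")
    print(az_aks_update_command("rg-aks-demo", "aks-demo", ranges))
```

Running the script prints a single `az aks update` command; review the range count and the absence of any VPN client pool in it before applying, since the list replaces (rather than appends to) the cluster's current authorized ranges.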