The API server is how you control and access the Kubernetes control plane, which makes it a tempting attack surface for anyone wanting to breach your cluster: whoever can reach and authenticate to the Kubernetes API can do pretty much anything with the cluster. With a private cluster, the API server is exposed only on a private endpoint inside your virtual network, so traffic between your nodes (and anything else on that network) and the API server stays on the virtual network and never traverses the internet. This provides a few benefits:
- The API server is not reachable over the internet at all, so a would-be attacker has no endpoint to probe, brute-force or throw exploits at.
- Traffic to the API server does not traverse the internet, so there is no public path on which it could be intercepted or tampered with. The API is TLS-protected either way, but a private path removes the exposure rather than relying on TLS alone.
For some people this may not be required: if you're happy with the security of the public API server, you don't need this. However, there are many scenarios where a public endpoint is not an acceptable level of security, and a private API server is what makes AKS usable at all.
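To make this concrete, here is an added example (my own, not from the original post): the az CLI command that creates a private cluster, plus a small check you can run against `az aks show` output to confirm an existing cluster's API server really is private. The resource group, cluster name and region are placeholders, and the sample profiles are constructed to match the shape of real `az aks show` output.

```shell
#!/bin/sh
# Added example (not from the original post): build the az CLI command for an
# AKS private cluster and check, from `az aks show` output, whether an existing
# cluster's API server is private. Resource group, cluster name and region are
# placeholder assumptions; override them via the environment.
set -eu

RG="${RG:-myResourceGroup}"
CLUSTER="${CLUSTER:-myPrivateAks}"
LOCATION="${LOCATION:-westeurope}"

# Print the command that creates a private cluster. --enable-private-cluster
# exposes the API server only on a private endpoint in the cluster's virtual
# network; --disable-public-fqdn also drops the public DNS name for it.
create_private_cluster_cmd() {
  printf 'az aks create --resource-group %s --name %s --location %s --enable-private-cluster --disable-public-fqdn\n' \
    "$RG" "$CLUSTER" "$LOCATION"
}

# Takes the JSON printed by
#   az aks show -g RG -n NAME --query apiServerAccessProfile -o json
# and returns 0 when enablePrivateCluster is true, 1 otherwise (including when
# the field is missing or the whole profile is null). Uses grep rather than jq
# so it runs anywhere a shell does.
is_private_cluster() {
  printf '%s' "$1" | grep -Eq '"enablePrivateCluster"[[:space:]]*:[[:space:]]*true'
}

# Constructed sample profiles shaped like real `az aks show` output.
PUBLIC_PROFILE='{"authorizedIpRanges": null, "disableRunCommand": null, "enablePrivateCluster": false, "enablePrivateClusterPublicFqdn": null, "privateDnsZone": null}'
PRIVATE_PROFILE='{"authorizedIpRanges": null, "disableRunCommand": null, "enablePrivateCluster": true, "enablePrivateClusterPublicFqdn": false, "privateDnsZone": "system"}'
LEGACY_PROFILE='null'   # constructed: profile absent, must be treated as public

# Classify one profile and print a verdict; returns 0 for private, 1 for public.
report() {
  if is_private_cluster "$1"; then
    echo "OK: API server is private"
  else
    echo "WARNING: API server is publicly reachable"
    return 1
  fi
}

echo "Create with: $(create_private_cluster_cmd)"
for p in "$PUBLIC_PROFILE" "$PRIVATE_PROFILE" "$LEGACY_PROFILE"; do
  report "$p" || true
done
# Against a real cluster (needs az login and read access to the cluster):
#   report "$(az aks show -g "$RG" -n "$CLUSTER" --query apiServerAccessProfile -o json)"
```

The check deliberately fails closed: anything other than an explicit `"enablePrivateCluster": true` is reported as public, so a missing field or a null profile never passes as private. If you do decide a public API server is acceptable, `az aks update --api-server-authorized-ip-ranges` at least restricts which source addresses can reach it, but that is a narrower control than removing the public endpoint altogether.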