Why should we create AKS cluster as private?

Pratim Das, Partha C 306 Reputation points
2020-11-26T05:49:24.883+00:00

I went through different documents available on Microsoft site, created one private AKS cluster on my own. Still I'm not clear why private cluster? What is the benefit of making API server of AKS cluster private? Even for private AKS cluster, the load balancer created has public endpoint and can be accessed over the internet. Then how it became a private cluster and why is it assumed to be more secure?

Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,896 questions
0 comments No comments
{count} vote

Accepted answer
  1. Sam Cogan 10,322 Reputation points MVP
    2020-11-26T10:41:28.11+00:00

    The API server is the way that you can control and access your Kubernetes control plane, and so is a tempting attack surface for anyone wanting to breach your cluster. If someone gains access to the Kubernetes API they can do pretty much anything with your cluster. By using a private cluster this API is only accessible from your virtual network and traffic only goes over the virtual network and does not traverse the internet. This provides a few benefits:

    1. The API server is not accessible over the internet at all, blocking any would be attacker from having a endpoint they can try and attack
    2. The traffic to the API server is not traversing the internet, removing the risk of a man in the middle or other interception type attack

    For some people this may not be required, and your happy with the security of the public API server, in which case you don't need this. However there are many scenarios where this is not an acceptable level of security and they need a private API server to be able to use AKS.

    2 people found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. vipullag-MSFT 25,041 Reputation points
    2020-11-26T07:48:53.113+00:00

    @Pratim Das, Partha C

    As per the Private AKS Cluster Document, by using a private cluster it will ensure that network traffic between your API server and your node pools remains on the private network only.

    The Public IP for the Load Balancer is part of the current design for Private AKS Clusters. As the newer CLI versions will by default create Standard Load Balancer which required a Public IP and Load Balancer for egress. By default AKS still uses a public IP for egress traffic from nodes/pods to outside world, even in private AKS instances.

    As this default setup may not meet the requirements of all scenarios if public IPs are disallowed or additional hops are required for egress, to avoid pubic IPs altogether you can Customize cluster egress with a User-Defined Route. Please check this article for more details.

    Just for your reference, similar issue raised for getting this cluster egress with a UDR to GA.

    Please 'Accept as answer' if the provided information is helpful, so that it can help others in the community looking for help on similar topics.

    4 people found this answer helpful.