Connect to a private AKS control plane through a P2S VPN connection to a virtual hub

João Madureira 21

I have a private AKS cluster deployed on a VNET with a BYO private DNS zone. In order to connect to the control plane I need to be able to resolve the *.privatelink.<region>.azmk8s.io domain name. In order to do that I need to create a virtual network link to the VNET I'm connecting from.

But when I create a virtual hub and configure a P2S VPN connection I can only change the address space and do not have access to the underlying network that gets created hence I cannot create any virtual network link.

So the question here is how can I connect to an internal AKS control plane from a P2S VPN connection to a virtual hub.

We can also generalize this problem: how can I resolve private DNS names from a PS2 VPN connection to a virtual hub?

Thanks in advance

SRIJIT-BOSE-MSFT 4,331 Reputation points Microsoft Employee

2021-06-29T12:17:34.643+00:00

@João Madureira , Can you please explain But when I create a virtual hub and configure a P2S VPN connection I can only change the address space and do not have access to the underlying network that gets created hence I cannot create any virtual network link.

If you are following an article can you please share a link to the same?

In the meanwhile, here are all the options for connecting to a private AKS cluster

Typically if your approach is a Hub and Spoke model it would look like the following:

For more information please check this article.
SRIJIT-BOSE-MSFT 4,331 Reputation points Microsoft Employee

2021-06-29T12:19:40.167+00:00

If you are following this document then you can use the steps detailed here to connect the Vnet to the hub.
João Madureira 21 Reputation points

2021-06-29T12:40:53.497+00:00
Yes I'm following the steps described on both articles and can successfully deploy the virtual hub, P2S connections, vnets, hub connections, etc.

Also since I'm creating a virtual hub I'm using the hub/spoke architecture.

The problem here is that the image you provided doesn't quite reflect the topology I'm creating:

This is a P2S VPN connection so there's no on-premise network upon which I can configure a DNS server with conditional forwarding (and asking everyone to install a DNS server on their machines is not really an option)

The private DNS zone listed on the image has a VNET link to both the hub VNET and the spoke VNET (points 5 and 3 respectively). You cannot create a VNET link to a virtual hub (at least not that I'm aware of).

Hope this makes it clearer.

Accepted answer

TravisCragg-MSFT 5,681 Reputation points Microsoft Employee

2021-06-30T01:21:36.3+00:00

Unfortunately you cannot resolve Private DNS Zones by default using a P2S VPN. This is indirectly inferred here in this doc about DNS resolution in Azure, but not directly stated. You can try editing the hosts.txt for the DNS entry (cname record) of the computer you are connecting via the P2S VPN, but this still might have issues if the AKS cluster does not expect the request to come from that address range.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Connect to a private AKS control plane through a P2S VPN connection to a virtual hub

0 additional answers