Internet access to private AKS cluster using application gateway

CHANEMOUGAM, RAAMACHANTHIRAN 26 Reputation points
2021-07-26T04:07:03.917+00:00

Hi Team,

I am looking for options to access certain APIs deployed to private AKS from the public internet. Currently, I have an internal ingress load balancer with a private IP and a private endpoint created to this LB. I can access this endpoint over a secure VPN. I have another use case where certain APIs need to be accessed over the public internet.

Please let me know what options are available for private AKS services to be accessed from the internet as well.

Thanks
Raam


1 answer

  1. SRIJIT-BOSE-MSFT 4,336 Reputation points Microsoft Employee
    2021-07-26T13:17:58.877+00:00

    @CHANEMOUGAM, RAAMACHANTHIRAN , Thank you for your question.

    In a private cluster, the control plane or API server (kube-apiserver) has internal IP addresses that are defined in RFC 1918 (Address Allocation for Private Internets). By using a private cluster, you can ensure network traffic between your API server and your node pools remains on the private network only.

    Thus, all the networking features for publishing applications (or in your case, APIs) hosted on the AKS cluster are not impacted. You can check out all the Service Types available here.

    For making the services publicly available, you can use:

    • Load Balancer Service with Azure Basic or Standard (default) sku load balancers [Reference]
    • Ingress with Azure Load Balancer [Reference]
    • Application Gateway Ingress Controller [Reference]

    However, the API server endpoint has no public IP address. To manage the API server, you'll need to use a VM that has access to the AKS cluster's Azure Virtual Network (VNet). There are several options for establishing network connectivity to the private cluster.

    • Create a VM in the same Azure Virtual Network (VNet) as the AKS cluster.
    • Use a VM in a separate network and set up Virtual network peering. See the section below for more information on this option.
    • Use an Express Route or VPN connection.
    • Use the AKS Run Command feature.

    Creating a VM in the same VNET as the AKS cluster is the easiest option. Express Route and VPNs add costs and require additional networking complexity. Virtual network peering requires you to plan your network CIDR ranges to ensure there are no overlapping ranges.

    Note:

    AKS Run Command (Preview)

    Today when you need to access a private cluster, you must do so within the cluster virtual network or a peered network or client machine. This usually requires your machine to be connected via VPN or Express Route to the cluster virtual network or a jumpbox to be created in the cluster virtual network. AKS run command allows you to remotely invoke commands in an AKS cluster through the AKS API. This feature provides an API that allows you to, for example, execute just-in-time commands from a remote laptop for a private cluster. This can greatly assist with quick just-in-time access to a private cluster when the client machine is not on the cluster private network while still retaining and enforcing the same RBAC controls and private API server.

    For more information, please check this article.


    Hope this helps.

    Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.

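As an added illustration of the Application Gateway Ingress Controller option above (example manifests, not from the answer or the AKS documentation): two Ingress objects for one assumed ClusterIP Service `orders-api` in namespace `apis`, the first bound to the gateway's public frontend and publishing only the `/public` path prefix, the second bound to the gateway's private frontend IP (which the Application Gateway is assumed to have configured) for everything else, so the rest of the API stays reachable only from the VNet or over the VPN. The hostnames and the TLS Secret name are placeholders.

```yaml
# Public route: AGIC programs the Application Gateway's public frontend.
# Only /public/* is published; TLS terminates at the gateway and HTTP is redirected.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orders-api-public
  namespace: apis
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - api.example.com              # placeholder public hostname
      secretName: api-example-com-tls  # placeholder kubernetes.io/tls Secret
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /public
            pathType: Prefix
            backend:
              service:
                name: orders-api       # assumed ClusterIP Service, port 80
                port:
                  number: 80
---
# Private route: same controller, but bound to the gateway's private frontend IP,
# so the remaining paths are not reachable from the internet at all.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orders-api-internal
  namespace: apis
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/use-private-ip: "true"
spec:
  rules:
    - host: api.internal.example.com   # placeholder internal hostname
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: orders-api
                port:
                  number: 80
```

Because the backend Service is ClusterIP rather than LoadBalancer, it never receives a public IP of its own; the Ingress rules are the only place where internet exposure is granted, which keeps the public surface easy to review.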
