@CHANEMOUGAM, RAAMACHANTHIRAN, thank you for your question.
In a private cluster, the control plane or API server (kube-apiserver) has internal IP addresses that are defined in the RFC 1918 (Address Allocation for Private Internets) document. By using a private cluster, you can ensure network traffic between your API server and your node pools remains on the private network only.
Thus, all the networking features for publishing applications (or in your case, APIs) hosted on the AKS cluster are not impacted. You can check out all the Service Types available here.
For making the services publicly available, you can use:
- Load Balancer Service with Azure Basic or Standard (default) SKU load balancers [Reference]
- Ingress with Azure Load Balancer [Reference]
- Application Gateway Ingress Controller [Reference]
However, the API server endpoint has no public IP address. To manage the API server, you'll need to use a VM that has access to the AKS cluster's Azure Virtual Network (VNet). There are several options for establishing network connectivity to the private cluster.
- Create a VM in the same Azure Virtual Network (VNet) as the AKS cluster.
- Use a VM in a separate network and set up Virtual network peering. See the section below for more information on this option.
- Use an Express Route or VPN connection.
- Use the AKS Run Command feature.
Creating a VM in the same VNet as the AKS cluster is the easiest option. Express Route and VPNs add costs and require additional networking complexity. Virtual network peering requires you to plan your network CIDR ranges to ensure there are no overlapping ranges.
Note:
- IP authorized ranges can't be applied to the private API server endpoint; they only apply to the public API server.
- Azure Private Link service limitations apply to private clusters.
AKS Run Command (Preview)
Today, when you need to access a private cluster, you must do so within the cluster virtual network or a peered network or client machine. This usually requires your machine to be connected via VPN or Express Route to the cluster virtual network, or a jumpbox to be created in the cluster virtual network. AKS Run Command allows you to remotely invoke commands in an AKS cluster through the AKS API. This feature provides an API that allows you to, for example, execute just-in-time commands from a remote laptop for a private cluster. This can greatly assist with quick just-in-time access to a private cluster when the client machine is not on the cluster private network, while still retaining and enforcing the same RBAC controls and private API server.
For more information, please check this article.
Hope this helps.
Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.
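The answer above notes that the private API server endpoint is an RFC 1918 address and that VNet peering requires non-overlapping CIDR ranges. The following is an added pre-flight check for that planning step; it is not code from the answer or from Azure, and the VNet, service and pod CIDRs it uses are constructed sample values.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private blocks: the ranges a private AKS API server endpoint is drawn from.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if the address falls inside one of the three RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_overlaps(ranges):
    """Return every pair of named CIDR ranges (dict name -> cidr) that overlap."""
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in ranges.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    )


def check_private_cluster_plan(api_server_ip, ranges):
    """Collect planning problems: non-private API endpoint or clashing address spaces."""
    problems = []
    if not is_rfc1918(api_server_ip):
        problems.append(f"API server IP {api_server_ip} is not an RFC 1918 address")
    for a, b in find_overlaps(ranges):
        problems.append(f"{a} ({ranges[a]}) overlaps {b} ({ranges[b]})")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: the jumpbox VNet deliberately collides with the AKS VNet.
    plan = {
        "aks-vnet": "10.240.0.0/16",
        "aks-service-cidr": "10.0.0.0/16",
        "aks-pod-cidr": "10.244.0.0/16",
        "jumpbox-vnet": "10.240.0.0/24",
    }
    for problem in check_private_cluster_plan("10.240.0.4", plan):
        print("PROBLEM:", problem)
```

Run it against the address spaces of every VNet you intend to peer with the cluster VNet, plus the cluster's service and pod CIDRs, before creating the peering.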