This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 68%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Team,
If we add these authorized range in our AKS then to what level does it impacts our system.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 75%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVN%3C/text%3E%3C/svg%3E)
Hi @Tanul , By default, the API server of AKS is assigned a public IP address which is accessible over the Internet. You can limit access to authorized IP ranges as per the link you provided https://learn.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges
Answering your questions -
1)Do we always have to enable the organization's VPN to connect with AKS and custom applications running inside pods?
> No, in this scenario, you do not need VPN to connect to API Server (Control Plane) of AKS or custom services that are publicly exposed inside pods. Both can be accessed over Internet. To secure your AKS API server, you can deploy AKS private cluster which can be accessed only via VPN https://learn.microsoft.com/en-us/azure/aks/private-clusters
2) how to expose any specific web application(running inside pod) publicly, over internet, in such case .
> Irrespective of how your AKS control plane is secured, you can always expose your custom applications/services publicly over Internet by deploying the K8 Service as LoadBalancer Type. Details are here https://learn.microsoft.com/en-us/azure/aks/concepts-network#services
@Vidya Narasimhan , If everything is accessible over internet then what is the purpose of authorized IP ranges. I need to disable the accessibility to AKS over public internet. If I add my company's ip ranges in authorized IP ranges then how can AKS still allows accessibility over internet. Don't you think after adding this I have to be in office network or on vpn to access AKS.
Or because we have a default standard load balancer in front of AKS it will always receive a request from Loadbalancer due to which authorized IP ranges will not work as desired. Please suggest. Thank you
@Tanul The purpose of authorized API ranges is to enhance cluster security and minimize attacks, the API server with Public IP would only be accessible from a limited set of IP address ranges over the Internet. These IP ranges allow defined IP address ranges to communicate with the API server. A request made to the API server from an IP address that is not part of these authorized IP ranges is blocked.
In this case, you can only add your company's public ip range, not private ip range. If you want to further secure AKS API server with a private IP accessible only via VPN with your company's datacenter, then that can be also achieved via private AKS cluster https://learn.microsoft.com/en-us/azure/aks/private-clusters
Please note that the authorized ip ranges is only for API server which is a control plane used for cluster operations like creating resources or scaling nodes.
Your custom application services on AKS pods can be deployed with private ip irrespective of how API server is configured. The authorized ip ranges do not apply to them.
@Vidya Narasimhan , Thank you. That is what I was looking. Need to disable API server accessibility over internet. Just one more thing.. Is it possible to do same using NSG?
If yes, please let me know. Thanks.
@Tanul nsg will not help here. You will need to enable the option --enable-private-cluster while creating the cluster as described in the private cluster link.
Please accept as an answer if this helped you so that it helps others with similar doubts
@Vidya Narasimhan , Please correct me if I'm wrong.. So you're saying if I use authorized IP ranges feature then AKS will only be accessible if I'm working from office.
If we are working from home then VPN connectivity can't help. Am I correct?
If yes, then could you please share any document which can help in enabling this API server accessibility feature only in these 2 situations
@Tanul As mentioned earlier, once you use a private AKS cluster, you do not need the authorized ip ranges feature as the cluster api is only available via VPN/ExpressRoute/any peered network.
Office
If you have S2S VPN connectivity established between your office datacenter and Azure VNet, then you can connect to this private cluster via VPN. Here are details about options for connecting to private cluster https://learn.microsoft.com/en-us/azure/aks/private-clusters#options-for-connecting-to-the-private-cluster
Home
You can use P2S VPN setup from your device to Azure Vnet Or use a Jump Server/Bastion in the VNet to connect privately from home/outside-office https://azure.microsoft.com/en-in/services/azure-bastion/
@Vidya Narasimhan , So best practice is to setup both P2S and S2S for easy connectivity from office and home. Am I correct?
Or anyone of these approaches can suffice both the places.
One more question, our Azure VM already on S2S connections. Can we reuse same S2S connection for AKS. Sorry, I'm not a networking savvy hence, unaware of these details.
Yes you can create AKS in the same or peered Vnet. That way you can use the same vpn connection