  • Stars: 99
  • Rank: 343,315 (Top 7 %)
  • Language: Shell
  • Created over 4 years ago
  • Updated 12 months ago


Repository Details

This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine.
Services: aks, app-service, container-registry, azure-monitor, storage, virtual-network, virtual-machines, private-link, templates
Author: paolosalvatori

Create a private Azure Kubernetes Service cluster

This ARM template includes the latest AKS features: private AKS clusters, the new simplified AKS-managed AAD integration, the new Azure RBAC for Kubernetes Authorization (currently in preview), the use of a managed identity in place of a service principal, and more.

The API server endpoint has no public IP address. To manage the API server, you will need to use a virtual machine that has access to the AKS cluster's Azure Virtual Network (VNet). Therefore, the ARM template deploys a Jumpbox in the same virtual network that hosts the private AKS cluster. There are several options for establishing network connectivity to the private cluster.

  • Create a virtual machine in the same Azure Virtual Network (VNet) as the AKS cluster.
  • Use a virtual machine in a separate network and set up virtual network peering. See the section below for more information on this option.
  • Use an ExpressRoute or VPN connection.

Creating a virtual machine in the same virtual network as the AKS cluster is the easiest option. Express Route and VPNs add costs and require additional networking complexity. Virtual network peering requires you to plan your network CIDR ranges to ensure there are no overlapping ranges. For more information, see Create a private Azure Kubernetes Service cluster. For more information on Azure Private Links, see What is Azure Private Link?.

Note
If you want to deploy a private AKS cluster using a public DNS zone to simplify the DNS resolution of the API Server to the private IP address of the private endpoint, you can use this project under my GitHub account or on Azure Quickstart Templates.

Architecture

This sample provides two distinct ARM templates to deploy two different topologies with one or two node pools.

Two Node Pools

(Image: architecture diagram of the two-node-pool topology)

The ARM template deploys:

  • A new virtual network with three subnets: one for the AKS cluster, one for Azure Bastion and one for the jumpbox virtual machine used to connect to the private AKS cluster.
  • The private AKS cluster uses a user-assigned managed identity to create additional resources like load balancers and managed disks in Azure.
  • The private AKS cluster is composed of:
    • A system node pool hosting only critical system pods and services. Its worker nodes carry a node taint that prevents application pods from being scheduled on this node pool.
    • A user node pool hosting user workloads and artifacts.
  • An AKS cluster with a private endpoint to the control plane / API server, which is hosted in an AKS-managed Azure subscription. The cluster communicates with the API server, exposed via a Private Link Service, through this private endpoint.
  • An Azure Bastion resource that provides secure and seamless SSH connectivity to the jumpbox virtual machine directly in the Azure portal over TLS.
  • An Azure Container Registry (ACR) to build, store, and manage container images and artifacts in a private registry for all types of container deployments.
  • When the ACR SKU is Premium, a private endpoint is created so that the private AKS cluster reaches ACR via a private IP address. For more information, see Connect privately to an Azure container registry using Azure Private Link.
  • A private endpoint in the same subnet as the AKS cluster.
  • A network interface associated with the private endpoint.
  • A Private DNS Zone for the name resolution of the private endpoint.
  • Two A records in the Private DNS Zone that let the cluster resolve the FQDN of the AKS cluster's API server to the private IP address of its control plane.
  • A Virtual Network Link between the virtual network hosting the cluster and the Private DNS Zone, so that the cluster uses the CNAME and A records defined in the Private DNS Zone to resolve the name of its API server.
  • A jumpbox virtual machine to manage the private AKS cluster.
  • A private endpoint to the storage account hosting the boot diagnostics logs of the jumpbox virtual machine.
  • A Log Analytics workspace to collect the diagnostics logs and metrics of both the AKS cluster and the jumpbox virtual machine.

One Node Pool

(Image: architecture diagram of the one-node-pool topology)

The ARM template deploys:

  • A new virtual network with three subnets: one for the AKS cluster, one for Azure Bastion and one for the jumpbox virtual machine used to connect to the private AKS cluster.
  • The private AKS cluster uses a system-assigned managed identity to create additional resources like load balancers and managed disks in Azure.
  • The private AKS cluster has a single system node pool hosting both critical system pods and user pods.
  • An AKS cluster with a private endpoint to the control plane / API server, which is hosted in an AKS-managed Azure subscription. The cluster communicates with the API server, exposed via a Private Link Service, through this private endpoint.
  • An Azure Bastion resource that provides secure and seamless SSH connectivity to the jumpbox virtual machine directly in the Azure portal over TLS.
  • A private endpoint in the same subnet as the AKS cluster.
  • A network interface associated with the private endpoint.
  • A Private DNS Zone for the name resolution of the private endpoint.
  • Two A records in the Private DNS Zone that let the cluster resolve the FQDN of the AKS cluster's API server to the private IP address of its control plane.
  • A Virtual Network Link between the virtual network hosting the cluster and the Private DNS Zone, so that the cluster uses the CNAME and A records defined in the Private DNS Zone to resolve the name of its API server.
  • A jumpbox virtual machine to manage the private AKS cluster.
  • A private endpoint to the storage account hosting the boot diagnostics logs of the jumpbox virtual machine.
  • A Log Analytics workspace to collect the diagnostics logs and metrics of both the AKS cluster and the jumpbox virtual machine.

Deployment

You can use the deploy-two-node-pools.sh Bash script to deploy the topology with two node pools and ACR, while you can use the deploy-one-node-pool.sh Bash script to deploy the topology with one node pool and no ACR. The following picture shows the resources deployed by the ARM template in the target resource group.

(Image: resources deployed in the target resource group)

The following picture shows the resources deployed by the ARM template in the MC resource group associated to the AKS cluster:

(Image: resources deployed in the MC resource group of the AKS cluster)

Visio

In the visio folder you can find the Visio document which contains the above diagrams.

Testing

If you open an SSH session to the Linux virtual machine and run the nslookup command with the FQDN of the API server as a parameter, you should see output like the following, with the name resolving to the private IP address of the private endpoint rather than to a public address:

(Image: nslookup output on the jumpbox, showing the API server FQDN resolving to the private endpoint's IP address)

To connect to the AKS cluster, run the following Bash script on the jumpbox virtual machine:

#!/bin/bash
set -euo pipefail

name="<name of the AKS cluster>"
resourceGroup="<name of the AKS resource group>"

# Install Azure CLI on Ubuntu.
# This pipes a remotely fetched script into a root shell: on a hardened jumpbox,
# download and review the script first, or install the CLI from the Microsoft apt repository.
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

# Login with your Azure account (the jumpbox has no browser: add --use-device-code if the CLI asks for one)
az login

# Install kubectl (and kubelogin, the exec plugin kubectl uses against AKS-managed AAD clusters)
sudo az aks install-cli

# Configure kubectl to connect to the new Kubernetes cluster
echo "Getting access credentials to configure kubectl to connect to the [$name] AKS cluster..."
az aks get-credentials --name "$name" --resource-group "$resourceGroup"

# With AKS-managed AAD, reuse the az login session instead of a second device-code prompt
kubelogin convert-kubeconfig -l azurecli
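The following script is an added example and is not part of this repository. Once the connection script above has run on the jumpbox, it does two things the Architecture and Testing sections describe by hand: it resolves the API server FQDN (and, when the Premium ACR with its private endpoint is deployed, the registry login server as well) and checks that the answer is a private address inside the virtual network, which is what the Private DNS Zone, its two A records and the Virtual Network Link are there for; and it reads back from az aks show the settings the template advertises (private cluster, no public FQDN for the API server, AKS-managed AAD, Azure RBAC for Kubernetes Authorization, managed identity instead of a service principal). The AKS_NAME, AKS_RG and AKS_VNET_CIDR variables, the default VNet address space, and the az aks show property names (taken from the CLI's JSON output at the time of writing) are assumptions; confirm the property names against az aks show for your cluster before relying on a WARN line.

```shell
#!/bin/sh
# Added example: post-deployment checks for a private AKS cluster deployed by this template.
# Assumptions: AKS_VNET_CIDR is the address space of the template's virtual network (the default
# below is a guess) and the property names match the current `az aks show` JSON output.

ip_to_int() {
  # Convert a dotted-quad IPv4 address into a 32-bit integer.
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_contains() {
  # cidr_contains <network>/<bits> <address>: succeeds when the address lies inside the block.
  net=${1%/*}; bits=${1#*/}
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

is_private_ip() {
  # RFC 1918 ranges: a private endpoint NIC always gets its address from one of these.
  cidr_contains 10.0.0.0/8 "$1" || cidr_contains 172.16.0.0/12 "$1" || cidr_contains 192.168.0.0/16 "$1"
}

check_private_resolution() {
  # check_private_resolution <fqdn> <vnet cidr>: the name must resolve at all (Private DNS Zone
  # and VNet link in place), to a private address, and to one inside the VNet hosting the endpoint.
  ip=$(getent hosts "$1" | awk '{ print $1; exit }')
  [ -n "$ip" ] || { echo "FAIL: $1 does not resolve (Private DNS Zone or VNet link missing?)"; return 1; }
  is_private_ip "$ip" || { echo "FAIL: $1 resolves to the public address $ip"; return 1; }
  cidr_contains "$2" "$ip" || { echo "FAIL: $1 -> $ip is outside the VNet $2"; return 1; }
  echo "OK: $1 -> $ip (private endpoint inside $2)"
}

audit_cluster() {
  # audit_cluster <name> <resource group>: read back the settings the template is meant to set.
  name=$1; rg=$2; rc=0
  q() { az aks show --name "$name" --resource-group "$rg" --query "$1" -o "$2"; }
  [ "$(q apiServerAccessProfile.enablePrivateCluster json)" = "true" ] || { echo "WARN: API server is not private"; rc=1; }
  [ "$(q apiServerAccessProfile.enablePrivateClusterPublicFQDN json)" != "true" ] || { echo "WARN: public FQDN for the private API server is enabled"; rc=1; }
  [ "$(q aadProfile.managed json)" = "true" ] || { echo "WARN: AKS-managed AAD integration is off"; rc=1; }
  [ "$(q aadProfile.enableAzureRbac json)" = "true" ] || { echo "WARN: Azure RBAC for Kubernetes Authorization is off"; rc=1; }
  [ "$(q servicePrincipalProfile.clientId tsv)" = "msi" ] || { echo "WARN: cluster authenticates with a service principal, not a managed identity"; rc=1; }
  return $rc
}

# Usage on the jumpbox, after az login and az aks get-credentials:
#   AKS_NAME=<cluster> AKS_RG=<resource group> AKS_VNET_CIDR=10.0.0.0/16 sh private-aks-checks.sh
if [ -n "${AKS_NAME:-}" ] && [ -n "${AKS_RG:-}" ]; then
  vnet=${AKS_VNET_CIDR:-10.0.0.0/16}   # assumption: address space of the template's VNet
  audit_cluster "$AKS_NAME" "$AKS_RG"
  check_private_resolution "$(az aks show --name "$AKS_NAME" --resource-group "$AKS_RG" --query privateFqdn -o tsv)" "$vnet"
  acr=$(az acr list --resource-group "$AKS_RG" --query "[0].loginServer" -o tsv 2>/dev/null)
  [ -n "$acr" ] && check_private_resolution "$acr" "$vnet"
fi
```

Run it from the jumpbox only: from a machine outside the VNet the API server name should not resolve to a private address at all, which is the property being verified. With the one-node-pool topology, or a non-Premium ACR, the registry has no private endpoint and its login server resolves publicly, so a FAIL on that line is expected there and only matters for the Premium deployment.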

More Repositories

1

ServiceBusExplorer

The Service Bus Explorer allows users to connect to a Service Bus namespace and administer messaging entities in an easy manner. The tool provides advanced features like import/export functionality or the ability to test topic, queues, subscriptions, relay services, notification hubs and events hubs.
C#
1,930
star
2

service-fabric-acs-kubernetes-multi-container-app

This sample demonstrates how to create a multi-container application using ASP.NET Core and deploy it on an Azure Service Fabric Linux cluster with the DNS service or on an Azure Container Service Kubernetes cluster on Azure.
C#
135
star
3

private-endpoints-topologies

The goal of this article is to define a solution for the management of Azure Private Endpoints and Private DNS Zones in a complex hub-and-spoke network topology.
100
star
4

private-aks-cluster-terraform-devops

This sample shows how to create a private AKS cluster using Terraform and Azure DevOps
HCL
74
star
5

front-door-apim

This sample demonstrates how to use Azure Front Door as global load balancer in front of Azure API Management.
Shell
49
star
6

aks-agic

This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault.
Shell
37
star
7

blob-event-grid-function-app

This sample demonstrates how to create a serverless application with Azure Functions to receive and process events via an Azure Event Grid Subscription any time a blob is created, updated or deleted in a given container inside an Azure storage account.
Shell
32
star
8

servicefabricasynchronouscomputingactors

This sample demonstrates how to create a stateful actor service that supports long running, asynchronous computations in Service Fabric.
C#
32
star
9

aks-multi-tenant-agic

This sample shows how to use the Application Gateway Ingress Controller in a multi-tenant AKS cluster to expose multiple instances of the same application, one for each tenant.
Shell
31
star
10

servicefabricobserver

This project contains a framework that provides a publisher-subscriber implementation using the Observer design pattern for Service Fabric stateful services and actors.
C#
25
star
11

private-cluster-with-public-dns-zone

This sample shows how to deploy a private AKS cluster with a public DNS zone for the name resolution of the API server name to the private IP address of its private endpoint.
Shell
22
star
12

azure-firewall-dns-proxy-in-hub-and-spoke

This sample shows how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to the hub virtual network via virtual network peering.
Shell
21
star
13

servicefabriceventhubdemo

This sample demonstrates how to create a simple IoT application using Service Fabric.
C#
16
star
14

azure-function-premium-plan

This sample shows how to use Azure Private Endpoints and NAT Gateway from an Azure Functions app deployed to an Azure Functions Premium Plan with Regional VNET Integration.
C#
16
star
15

file-share-private-endpoint

This sample demonstrates how to create a Linux Virtual Machine in a virtual network that privately accesses an Azure File Share using an Azure Private Endpoint.
Shell
14
star
16

aks-gpu

This project shows how to add a GPU-enabled node pool to an existing AKS cluster and how to autoscale and monitor GPU-enabled worker nodes
Shell
14
star
17

jmeter-distributed-test-harness

A quick and dirty project that allows to deploy an Apache JMeter distributed test harness composed of multiple virtual machines spread across multiple Azure regions.
PowerShell
13
star
18

ServiceBusExtensions

This library contains some extensions to Microsoft.ServiceBus.dll library
C#
12
star
19

container-apps-openai

This sample shows how to create two Azure Container Apps that use OpenAI, LangChain, ChromaDB, and Chainlit using Terraform.
HCL
11
star
20

aks-nat-agic

This sample shows how to create an AKS cluster that uses a NAT Gateway for outbound connections and Application Gateway Ingress Controller.
Shell
10
star
21

azure-private-link-service

This sample shows how to use Bicep to create an Azure Private Link Service that can be accessed by a third party via an Azure Private Endpoint. Bicep modules deploy all the Azure resources in the same resource group in the same Azure subscription.
Bicep
10
star
22

multi-az-ase

This sample shows how to use an Application Gateway V2 and 3 zonal ILB App Service Environments to build an intra-region resilient architecture for hosting Web Apps in an Azure region.
C#
9
star
23

azure-ad-workload-identity

This project shows how to use Azure AD workload identity for Kubernetes in a .NET Standard application running on Azure Kubernetes Service. It leverages the public preview capability of Azure AD workload identity federation.
Bicep
9
star
24

aks-automatic-bicep

This repository contains Bicep to deploy an AKS Automatic cluster with a Log Analytics workspace, Azure Managed Prometheus workspace, and Azure Managed Grafana.
Bicep
9
star
25

web-app-redis-sql-db

This sample shows how to configure an Azure App Service to access Azure Cache for Redis and Azure SQL Database via regional VNET integration and Private Endpoints.
JavaScript
8
star
26

ServiceFabricLeaderElection

This demo demonstrates how to implement the Leader Election pattern using a Service Fabric Actor service.
C#
8
star
27

azure-functions-private-endpoint-http-trigger

This sample shows how to call a HTTP-triggered Azure Function hosted in an Azure Functions Premium Plan with Regional VNET Integration using a private endpoint. In addition, the sample shows how the Azure Functions app can use a NAT Gateway for outbound connections and private endpoints to access managed resources.
C#
8
star
28

shared-azure-openai-tpm

This example shows how a multitenant service can distribute requests evenly among multiple Azure OpenAI Service instances and manage tokens per minute (TPM) for multiple tenants.
C#
7
star
29

servicefabriciothubdemo

This sample demonstrates how to create a simple IoT application using Service Fabric, OWIN, IoT Hub and Event Hubs.
C#
6
star
30

handle-private-endopints-events-with-event-grid

This sample demonstrates how to handle Azure Private Endpoints provisioning and deprovisioning events with Azure Event Grid
C#
6
star
31

aks-openai-chainlit-terraform

This sample shows how to create two AKS-hosted chat applications that use OpenAI, LangChain, ChromaDB, and Chainlit using Python and deploy them to an AKS environment built in Terraform.
HCL
6
star
32

aks-managed-prometheus-and-grafana-bicep

This sample shows how to install an AKS cluster with Azure Managed Prometheus and Azure Managed Grafana via Bicep.
Bicep
6
star
33

aks-kaito-terraform

This project demonstrates the process of deploying Kaito on AKS using Terraform, creating a Falcon 7B Instruct model hosted on AKS using Kaito, and utilizing Chainlit to develop a chat interface that interacts with the model's inference endpoint.
HCL
6
star
34

servicefabricclickanalytics

This demo demonstrates how to use Service Fabric and Event Hubs to build a highly scalable, highly reliable ingestion pipeline for a click analytics system that receives events sent by a client-side script running in a web page and persists them to an Append Blob, one for each user session.
C#
6
star
35

aks-application-gateway-for-containers-bicep

This sample shows how to install an AKS cluster with Azure Application Gateway for Containers via Bicep
Bicep
5
star
36

aad-enabled-aks-cluster

This bash script can be used to create an Azure Kubernetes Service (AKS) cluster configured to use Azure Active Directory (AD) for user authentication.
Shell
5
star
37

disable-local-auth

This repository contains bash scripts to quickly disable the local authentication for Azure resources in the current subscription.
Shell
5
star
38

event-hubs-private-endpoint

This sample shows how to configure a virtual network and Private DNS Zone to access an Event Hubs namespace via a Private Endpoint.
Shell
5
star
39

key-vault-private-endpoint

This sample shows how to configure a virtual network and Private DNS Zone to access a Key Vault resource via a Private Endpoint.
Shell
4
star
40

aks-crossplane-terraform

This sample deploys an AKS cluster with Terraform and installs Crossplane on the cluster via Helm along with the Azure provider.
HCL
4
star
41

aks-openai-terraform

This sample shows how to deploy an Azure Kubernetes Service (AKS) cluster and Azure OpenAI Service via Terraform and how to deploy a Terraform chatbot that authenticates against Azure OpenAI using Azure AD workload identity and calls the Chat Completion API of a ChatGPT model.
HCL
4
star
42

aad-provisioning-events-processing

This sample shows how to process Azure Active Directory provisioning events stored in Activity Logs from an Event Hub using an Azure Function or Stream Analytics job.
C#
4
star
43

standard-load-balancer

This template deploys a Standard Load Balancer with multiple Backend Pools, one for TCP load balancing rules, and one for UDP load balancing rules.
Shell
3
star
44

azure-ad-workload-identity-mi

This project shows how to use Azure AD workload identity with a user-assigned managed identity in a .NET Standard application running on Azure Kubernetes Service.
Bicep
3
star
45

blob-private-endpoint

This sample demonstrates how to create a Linux Virtual Machine in a virtual network that privately accesses a blob storage account using an Azure Private Endpoint.
Shell
3
star
46

WorkerRoleJsonSqlDb

This sample shows how to use the EventProcessorHost to retrieve events from an Event Hub and store them in a batch mode to an Azure SQL Database using the OPENJSON function.
C#
3
star
47

aks-openai-bicep

This article shows how to deploy an Azure Kubernetes Service (AKS) cluster and Azure OpenAI Service via Bicep and how to deploy a Python chatbot that authenticates against Azure OpenAI using Azure AD workload identity and calls the Chat Completion API of a ChatGPT model.
Bicep
3
star
48

azure-policy-delete-test

This sample is used to test if the evaluation of a DeployIfNotExists Azure policy is triggered by a CREATE and DELETE resource operation.
Shell
3
star
49

burstable-managed-csi-premium

This sample shows how to create a custom storage class that uses Azure Premium LRS to create a burstable managed disk.
Shell
3
star
50

servicebus-private-endpoint

This sample shows how to configure a virtual network and private DNS zone to access a Service Bus namespace via a private endpoint.
Shell
3
star
51

paolosalvatori

3
star
52

StreamAnalyticsAzureDataLakeStore

This sample shows how to use the Azure Data Lake Store output to store the results produced by an Azure Stream Analytics job that processes telemetry data generated by remote devices, and how to use the Azure Data Lake Store .NET SDK to build a client app that allows a user to navigate and read data from an Azure Data Lake Store account.
C#
3
star
53

ofn-azure-install

ARM templates and scripts for provisioning and deploying Open Food Network to Azure
Shell
2
star
54

container-apps-jobs

This sample shows how to create Azure Container Apps Jobs via Azure CLI and Bicep and how to start and monitor these components.
Bicep
2
star
55

from-monolithic-app-to-microservices

This repository contains the slide deck of the Breaking down the monolith in your SaaS application presentation delivered during the SaaS Academy event on 27th October 2021
2
star
56

aks-agic-private-link

This sample shows how to communicate with an AKS-hosted workload via Private Link, Application Gateway, and AGIC.
Bicep
2
star
57

voting

This is a multi-container application built using ASP.NET Core.
JavaScript
2
star
58

aks-api-server-vnet-integration-bicep

This sample shows how to deploy an AKS cluster with API server VNET integration using Bicep.
Bicep
2
star
59

aks-front-door-private-link-service

This sample shows how Azure Front Door Premium can be set to use a Private Link Service to expose an AKS-hosted workload via NGINX Ingress Controller configured to use a private IP address on the internal load balancer.
Bicep
2
star
60

helm-charts

Helm Chart Repository
Smarty
2
star
61

monolithic-applications

This is a draft of the monolithic applications in the container services guidance
2
star
62

aks-front-door-end-to-end-tls

This project demonstrates how to set up end-to-end TLS encryption using Azure Front Door Premium and AKS. It utilizes an Azure Private Link Service to expose a workload hosted on AKS, with the NGINX Ingress Controller configured to utilize a private IP address on the internal load balancer.
Bicep
2
star
63

tuscany

1
star
64

aro-azapi-terraform

This sample shows how to deploy an Azure Red Hat OpenShift cluster using Terraform with the AzAPI Provider.
HCL
1
star
65

cka

This repository contains bookmarks to YAML templates for the Certified Kubernetes Administrator exam.
HTML
1
star
66

my-ts-app

This sample shows how to publish a React app as a static website to an Azure storage account and expose via a custom domain using the Azure CDN
Shell
1
star
67

zone-redundant-aks-and-storage

This sample explains how you can create a zone redundant AKS cluster and the implications of each approach on the deployment strategy and configuration of the persistent volumes used by the workloads.
Shell
1
star
68

container-apps-azapi-terraform

This sample shows how to deploy a Dapr application to Azure Container Apps using Terraform with the AzAPI Provider.
HCL
1
star
69

aca-azure-policy

This repository contains custom Azure Policies for Azure Container Apps.
Bicep
1
star
70

github-actions-for-azure

This repository contains some samples on how to use GitHub Actions for Azure
Shell
1
star
71

my-first-static-web-app

Azure Static Web App Tutorial: Building your first static site using the Azure CLI and React
HTML
1
star
72

private-endpoint-policies

This repository contains policies to audit resources that do not have private endpoints
Shell
1
star
73

aks-istio-addon-bicep

This sample shows how to install an AKS cluster with the Istio service mesh add-on via Bicep.
Bicep
1
star
74

hello-github-actions

Dockerfile
1
star
75

github-actions-for-ci

JavaScript
1
star
76

use-harbor-with-aks-and-acr

This article provides a comprehensive guide on utilizing Harbor as a container registry in a multi-region and multi-cloud setup with Azure Kubernetes Service (AKS) and Azure Container Registry (ACR).
Shell
1
star
77

ServiceFabricJsonSqlDb

This sample shows how to use a Service Fabric service hosting an EventProcessorHost listener to retrieve events from an Event Hub and store them in a batch mode to an Azure SQL Database using the OPENJSON function.
C#
1
star
78

ghost-blog

This is a Helm chart used for demos
Smarty
1
star
79

testapi-flux-demo

This is a Flux demo that uses a single Helm chart from my Helm chart repository.
1
star
80

azure-file-csi-driver-test

This repository contains a simple test with the Azure File CSI Driver
Shell
1
star
81

event-grid-to-service-bus

This sample shows how to use an Azure Event Grid Custom Topic as a message broker in a multitenant scenario to send messages to multiple Azure Service Bus queues in different namespaces, one for each tenant.
Shell
1
star