Azure AKS access only from internal lan
I have a question and couldn't really find an answer, or even a Google query to start looking with.

I have Azure managed K8s (Azure AKS) and it is accessible via the internet at https://somek8scluster.azureregion.azmk8s.io, and I want/need to be able to access it from a specific subnet. For everything else I am doing this with an NSG, but how do I "attach" an NSG to this Azure AKS object? I can block access to the nodes and other resources Azure AKS creates in its dummy RG, but the cluster itself is accessible from the Internet :)

I have tried Application Gateway, but it doesn't really work, because Azure AKS "doesn't have" a subnet; I can choose the nodes' subnets etc.

I hope I wrote it clearly; if you have any questions about the details, please ask. I'm looking for any guidance or lead on where to search for a solution.
Tags: networking azure
      asked Jan 11 at 7:46
Smeedoo
          1 Answer
Actually, if you want to do something with the VNet associated with the AKS cluster, you should use advanced networking for AKS when you create it.

Of course, you can use Application Gateway for AKS and block access with an NSG. For more details about the steps, see Internal Loadbalancers with Application Gateway (AKS).

And you can also access the application in it from a specific subnet if you create the application with an internal load balancer.

Hope this will help you.
          answered Jan 14 at 6:13
Charles Xu - MSFT
• It's enough to create services of the Internal type in Azure to protect your services from the Internet, but the links you provided do not solve my issue. I want to protect the cluster itself: if you look at the kubeconfig for Azure AKS, it's a public DNS name provided by Azure and everyone can access it. Of course it's protected with RBAC etc., but if we run into some auth exploit it can be vulnerable.
  – Smeedoo, Jan 15 at 7:07

• But if the AKS cluster cannot be accessed from the internet, how do you manage it? For an AKS cluster, only the master node has a public IP; the agent nodes don't.
  – Charles Xu - MSFT, Jan 15 at 7:16

• I want to be able to manage it only from my internal LAN/VPN. Services also will not be exposed to the internet.
  – Smeedoo, Jan 15 at 10:58

• If you just want to use the Kubernetes cluster in a private network, maybe AKS is not suitable for you. I suggest you just create the Kubernetes cluster with Azure VMs.
  – Charles Xu - MSFT, Jan 15 at 11:25

• Azure AKS is far less support and headache :)
  – Smeedoo, Jan 15 at 11:40
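The comments above turn on the fact that an AKS kubeconfig points at a public DNS name, so authentication and RBAC are the only barrier in front of the control plane. As an added example (not from the question, the answer or Microsoft), the following audit lists the clusters in a kubeconfig whose API endpoint resolves to a globally routable address; the hostnames, the 52.0.0.10 placeholder address and the injected resolver are constructed so it runs offline.

```python
"""Audit kubeconfig clusters whose API server resolves to a public address.
Assumes the kubeconfig is given as JSON (a YAML subset kubectl also accepts) and
injects the resolver so the example runs offline on constructed data."""
import ipaddress
import json
import socket
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Constructed kubeconfig: a public AKS-style endpoint (as in the question)
# and a cluster on an RFC 1918 address reachable only over LAN/VPN.
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1", "kind": "Config",
    "clusters": [
        {"name": "aks-public",
         "cluster": {"server": "https://somek8scluster.azureregion.azmk8s.io:443"}},
        {"name": "onprem-private",
         "cluster": {"server": "https://10.20.30.40:6443"}},
    ],
})

# Constructed DNS answer (placeholder address) so the run is deterministic.
FAKE_DNS = {"somek8scluster.azureregion.azmk8s.io": ["52.0.0.10"]}


def fake_resolver(host: str) -> List[str]:
    """Offline stand-in for DNS; IP literals resolve to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def system_resolver(host: str) -> List[str]:
    """Real resolver for live use: every A/AAAA answer for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def audit_kubeconfig(config_text: str,
                     resolve: Callable[[str], List[str]] = fake_resolver) -> Dict[str, dict]:
    """Per cluster: the API endpoint host and the globally routable addresses it maps to."""
    report = {}
    for entry in json.loads(config_text).get("clusters", []):
        host = urlsplit(entry["cluster"]["server"]).hostname  # drops scheme, port, [] of IPv6
        addrs = resolve(host) if host else []
        # is_global is False for RFC 1918, loopback, link-local and shared (100.64/10) space
        public = [a for a in addrs if ipaddress.ip_address(a).is_global]
        report[entry["name"]] = {"host": host, "public": public}
    return report


def exposed_clusters(config_text: str,
                     resolve: Callable[[str], List[str]] = fake_resolver) -> List[str]:
    """Names of clusters whose API server answers on at least one public address."""
    return [n for n, r in audit_kubeconfig(config_text, resolve).items() if r["public"]]


if __name__ == "__main__":
    for name, r in audit_kubeconfig(SAMPLE_KUBECONFIG).items():
        print(f"{name:15s} {str(r['host']):40s} {'PUBLIC' if r['public'] else 'private'} {r['public']}")
```

Against a real kubeconfig, load the YAML with PyYAML into the same structure and pass `system_resolver` instead of `fake_resolver`.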