Azure AKS access only from internal lan












0















I have a question and couldn't really find an answer or a google query to start with looking..



I have Azure managed K8s (Azure AKS) and it is accessible via internet https://somek8scluster.azureregion.azmk8s.io and I want/need to be able access to it from specific subnet. For all other stuff I am doing this with NSG, but how to "attach" NSG to this Azure AKS object? I can block access to nodes and other resources Azure AKS is creating in it's dummy RG, but the cluster itself is accessible from the Internet :)



I have tried with Application Gateway but it doesn't really work, because Azure AKS "doesn't have" a subnet, I can choose Nodes subnets etc.



I hope I wrote it clearly, if you have any questions for details, please ask. Looking for any guidance, lead where to search for solution.










share|improve this question



























    0















    I have a question and couldn't really find an answer or a google query to start with looking..



    I have Azure managed K8s (Azure AKS) and it is accessible via internet https://somek8scluster.azureregion.azmk8s.io and I want/need to be able access to it from specific subnet. For all other stuff I am doing this with NSG, but how to "attach" NSG to this Azure AKS object? I can block access to nodes and other resources Azure AKS is creating in it's dummy RG, but the cluster itself is accessible from the Internet :)



    I have tried with Application Gateway but it doesn't really work, because Azure AKS "doesn't have" a subnet, I can choose Nodes subnets etc.



    I hope I wrote it clearly, if you have any questions for details, please ask. Looking for any guidance, lead where to search for solution.










    share|improve this question

























      0












      0








      0








      I have a question and couldn't really find an answer or a google query to start with looking..



      I have Azure managed K8s (Azure AKS) and it is accessible via internet https://somek8scluster.azureregion.azmk8s.io and I want/need to be able access to it from specific subnet. For all other stuff I am doing this with NSG, but how to "attach" NSG to this Azure AKS object? I can block access to nodes and other resources Azure AKS is creating in it's dummy RG, but the cluster itself is accessible from the Internet :)



      I have tried with Application Gateway but it doesn't really work, because Azure AKS "doesn't have" a subnet, I can choose Nodes subnets etc.



      I hope I wrote it clearly, if you have any questions for details, please ask. Looking for any guidance, lead where to search for solution.










      share|improve this question














      I have a question and couldn't really find an answer or a google query to start with looking..



      I have Azure managed K8s (Azure AKS) and it is accessible via internet https://somek8scluster.azureregion.azmk8s.io and I want/need to be able access to it from specific subnet. For all other stuff I am doing this with NSG, but how to "attach" NSG to this Azure AKS object? I can block access to nodes and other resources Azure AKS is creating in it's dummy RG, but the cluster itself is accessible from the Internet :)



      I have tried with Application Gateway but it doesn't really work, because Azure AKS "doesn't have" a subnet, I can choose Nodes subnets etc.



      I hope I wrote it clearly, if you have any questions for details, please ask. Looking for any guidance, lead where to search for solution.







      networking azure






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jan 11 at 7:46









      SmeedooSmeedoo

      1




      1






















          1 Answer
          1






          active

          oldest

          votes


















          0














          Actually, if you want to do something with the Vnet associated with the AKS, you should use the advanced network for AKS when you create it.



          Of curse, you can use the Application Gateway for the AKS and block the access with the NSG. For more details about the steps, see Internal Loadbalancers with Application Gateway (AKS).



          And you also can access the application in it from a specific subnet if you create the application with an internal load balancer.



          Hope this will help you.






          share|improve this answer
























          • It's enough to create services with Internal type in Azure to protect your services from Internet, but your provided links do not solve my issue, I want to protect my cluster itself, if you look at kube config for Azure AKS it's a public dns name provided by Azure and everyone can access it. Of course it's protected with RBAC and etc, but if we run into some Auth exploit it can be vulnerable..

            – Smeedoo
            Jan 15 at 7:07











          • But if the AKS cluster cannot access from the internet, how do you manage it? For AKS cluster, there is just the master node has the public IP while agent nodes don't have.

            – Charles Xu - MSFT
            Jan 15 at 7:16











          • I wa t to be able to manage it only from my internal lan/vpn. Services also will not be exposed to the internet.

            – Smeedoo
            Jan 15 at 10:58











          • If you just want to use the Kubernetes cluster in a private network, maybe AKS cannot suitable to you. I suggest you can just create the Kubernetes cluster with Azure VMs.

            – Charles Xu - MSFT
            Jan 15 at 11:25











          • Azure AKS is far less support and headache :)

            – Smeedoo
            Jan 15 at 11:40











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1393062%2fazure-aks-access-only-from-internal-lan%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          Actually, if you want to do something with the Vnet associated with the AKS, you should use the advanced network for AKS when you create it.



          Of curse, you can use the Application Gateway for the AKS and block the access with the NSG. For more details about the steps, see Internal Loadbalancers with Application Gateway (AKS).



          And you also can access the application in it from a specific subnet if you create the application with an internal load balancer.



          Hope this will help you.






          share|improve this answer
























          • It's enough to create services with Internal type in Azure to protect your services from Internet, but your provided links do not solve my issue, I want to protect my cluster itself, if you look at kube config for Azure AKS it's a public dns name provided by Azure and everyone can access it. Of course it's protected with RBAC and etc, but if we run into some Auth exploit it can be vulnerable..

            – Smeedoo
            Jan 15 at 7:07











          • But if the AKS cluster cannot access from the internet, how do you manage it? For AKS cluster, there is just the master node has the public IP while agent nodes don't have.

            – Charles Xu - MSFT
            Jan 15 at 7:16











          • I wa t to be able to manage it only from my internal lan/vpn. Services also will not be exposed to the internet.

            – Smeedoo
            Jan 15 at 10:58











          • If you just want to use the Kubernetes cluster in a private network, maybe AKS cannot suitable to you. I suggest you can just create the Kubernetes cluster with Azure VMs.

            – Charles Xu - MSFT
            Jan 15 at 11:25











          • Azure AKS is far less support and headache :)

            – Smeedoo
            Jan 15 at 11:40
















          0














          Actually, if you want to do something with the Vnet associated with the AKS, you should use the advanced network for AKS when you create it.



          Of curse, you can use the Application Gateway for the AKS and block the access with the NSG. For more details about the steps, see Internal Loadbalancers with Application Gateway (AKS).



          And you also can access the application in it from a specific subnet if you create the application with an internal load balancer.



          Hope this will help you.






          share|improve this answer
























          • It's enough to create services with Internal type in Azure to protect your services from Internet, but your provided links do not solve my issue, I want to protect my cluster itself, if you look at kube config for Azure AKS it's a public dns name provided by Azure and everyone can access it. Of course it's protected with RBAC and etc, but if we run into some Auth exploit it can be vulnerable..

            – Smeedoo
            Jan 15 at 7:07











          • But if the AKS cluster cannot access from the internet, how do you manage it? For AKS cluster, there is just the master node has the public IP while agent nodes don't have.

            – Charles Xu - MSFT
            Jan 15 at 7:16











          • I wa t to be able to manage it only from my internal lan/vpn. Services also will not be exposed to the internet.

            – Smeedoo
            Jan 15 at 10:58











          • If you just want to use the Kubernetes cluster in a private network, maybe AKS cannot suitable to you. I suggest you can just create the Kubernetes cluster with Azure VMs.

            – Charles Xu - MSFT
            Jan 15 at 11:25











          • Azure AKS is far less support and headache :)

            – Smeedoo
            Jan 15 at 11:40














          0












          0








          0







          Actually, if you want to do something with the Vnet associated with the AKS, you should use the advanced network for AKS when you create it.



          Of curse, you can use the Application Gateway for the AKS and block the access with the NSG. For more details about the steps, see Internal Loadbalancers with Application Gateway (AKS).



          And you also can access the application in it from a specific subnet if you create the application with an internal load balancer.



          Hope this will help you.






          share|improve this answer













          Actually, if you want to do something with the Vnet associated with the AKS, you should use the advanced network for AKS when you create it.



          Of curse, you can use the Application Gateway for the AKS and block the access with the NSG. For more details about the steps, see Internal Loadbalancers with Application Gateway (AKS).



          And you also can access the application in it from a specific subnet if you create the application with an internal load balancer.



          Hope this will help you.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jan 14 at 6:13









          Charles Xu - MSFTCharles Xu - MSFT

          2584




          2584













          • It's enough to create services with Internal type in Azure to protect your services from Internet, but your provided links do not solve my issue, I want to protect my cluster itself, if you look at kube config for Azure AKS it's a public dns name provided by Azure and everyone can access it. Of course it's protected with RBAC and etc, but if we run into some Auth exploit it can be vulnerable..

            – Smeedoo
            Jan 15 at 7:07











          • But if the AKS cluster cannot access from the internet, how do you manage it? For AKS cluster, there is just the master node has the public IP while agent nodes don't have.

            – Charles Xu - MSFT
            Jan 15 at 7:16











          • I wa t to be able to manage it only from my internal lan/vpn. Services also will not be exposed to the internet.

            – Smeedoo
            Jan 15 at 10:58











          • If you just want to use the Kubernetes cluster in a private network, maybe AKS cannot suitable to you. I suggest you can just create the Kubernetes cluster with Azure VMs.

            – Charles Xu - MSFT
            Jan 15 at 11:25











          • Azure AKS is far less support and headache :)

            – Smeedoo
            Jan 15 at 11:40



















          • It's enough to create services with Internal type in Azure to protect your services from Internet, but your provided links do not solve my issue, I want to protect my cluster itself, if you look at kube config for Azure AKS it's a public dns name provided by Azure and everyone can access it. Of course it's protected with RBAC and etc, but if we run into some Auth exploit it can be vulnerable..

            – Smeedoo
            Jan 15 at 7:07











          • But if the AKS cluster cannot access from the internet, how do you manage it? For AKS cluster, there is just the master node has the public IP while agent nodes don't have.

            – Charles Xu - MSFT
            Jan 15 at 7:16











          • I wa t to be able to manage it only from my internal lan/vpn. Services also will not be exposed to the internet.

            – Smeedoo
            Jan 15 at 10:58











          • If you just want to use the Kubernetes cluster in a private network, maybe AKS cannot suitable to you. I suggest you can just create the Kubernetes cluster with Azure VMs.

            – Charles Xu - MSFT
            Jan 15 at 11:25











          • Azure AKS is far less support and headache :)

            – Smeedoo
            Jan 15 at 11:40

















          It's enough to create services with Internal type in Azure to protect your services from Internet, but your provided links do not solve my issue, I want to protect my cluster itself, if you look at kube config for Azure AKS it's a public dns name provided by Azure and everyone can access it. Of course it's protected with RBAC and etc, but if we run into some Auth exploit it can be vulnerable..

          – Smeedoo
          Jan 15 at 7:07





          It's enough to create services with Internal type in Azure to protect your services from Internet, but your provided links do not solve my issue, I want to protect my cluster itself, if you look at kube config for Azure AKS it's a public dns name provided by Azure and everyone can access it. Of course it's protected with RBAC and etc, but if we run into some Auth exploit it can be vulnerable..

          – Smeedoo
          Jan 15 at 7:07













          But if the AKS cluster cannot access from the internet, how do you manage it? For AKS cluster, there is just the master node has the public IP while agent nodes don't have.

          – Charles Xu - MSFT
          Jan 15 at 7:16





          But if the AKS cluster cannot access from the internet, how do you manage it? For AKS cluster, there is just the master node has the public IP while agent nodes don't have.

          – Charles Xu - MSFT
          Jan 15 at 7:16













          I wa t to be able to manage it only from my internal lan/vpn. Services also will not be exposed to the internet.

          – Smeedoo
          Jan 15 at 10:58





          I wa t to be able to manage it only from my internal lan/vpn. Services also will not be exposed to the internet.

          – Smeedoo
          Jan 15 at 10:58













          If you just want to use the Kubernetes cluster in a private network, maybe AKS cannot suitable to you. I suggest you can just create the Kubernetes cluster with Azure VMs.

          – Charles Xu - MSFT
          Jan 15 at 11:25





          If you just want to use the Kubernetes cluster in a private network, maybe AKS cannot suitable to you. I suggest you can just create the Kubernetes cluster with Azure VMs.

          – Charles Xu - MSFT
          Jan 15 at 11:25













          Azure AKS is far less support and headache :)

          – Smeedoo
          Jan 15 at 11:40





          Azure AKS is far less support and headache :)

          – Smeedoo
          Jan 15 at 11:40


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Super User!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1393062%2fazure-aks-access-only-from-internal-lan%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Сан-Квентин

          8-я гвардейская общевойсковая армия

          Алькесар