Merge pull request #221212 from schaffererin/freshness-pass-internal-load-balancer

v-regandowner · web-flow · commit 3ba601cf84dd · 2022-12-12T18:14:00.000-05:00
AKS freshness pass: Create and use an internal load balancer
diff --git a/articles/aks/internal-lb.md b/articles/aks/internal-lb.md
@@ -4,26 +4,27 @@ titleSuffix: Azure Kubernetes Service
 description: Learn how to create and use an internal load balancer to expose your services with Azure Kubernetes Service (AKS).
 services: container-service
 ms.topic: article
-ms.date: 03/04/2019
+ms.date: 12/12/2022
 
 
 #Customer intent: As a cluster operator or developer, I want to learn how to create a service in AKS that uses an internal Azure load balancer for enhanced security and without an external endpoint.
 ---
 
 # Use an internal load balancer with Azure Kubernetes Service (AKS)
 
-To restrict access to your applications in Azure Kubernetes Service (AKS), you can create and use an internal load balancer. An internal load balancer makes a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. This article shows you how to create and use an internal load balancer with Azure Kubernetes Service (AKS).
+You can create and use an internal load balancer to restrict access to your applications in Azure Kubernetes Service (AKS).
+An internal load balancer makes a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. This article shows you how to create and use an internal load balancer with AKS.
 
 > [!NOTE]
-> Azure Load Balancer is available in two SKUs - *Basic* and *Standard*. By default, the Standard SKU is used when you create an AKS cluster.  When creating a Service with type as LoadBalancer, you will get the same LB type as when you provision the cluster. For more information, see [Azure load balancer SKU comparison][azure-lb-comparison].
+> Azure Load Balancer is available in two SKUs: *Basic* and *Standard*. The *Standard* SKU is used by default when you create an AKS cluster. When you create a *LoadBalancer* service type, you'll get the same load balancer type as when you provisioned the cluster. For more information, see [Azure Load Balancer SKU comparison][azure-lb-comparison].
 
 ## Before you begin
 
-This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli], [using Azure PowerShell][aks-quickstart-powershell], or [using the Azure portal][aks-quickstart-portal].
+This article assumes that you have an existing AKS cluster. If you need an AKS cluster, you can create one [using Azure CLI][aks-quickstart-cli], [Azure PowerShell][aks-quickstart-powershell], or [the Azure portal][aks-quickstart-portal].
 
-You also need the Azure CLI version 2.0.59 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
+You also need the Azure CLI version 2.0.59 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
 
-The AKS cluster identity needs permission to manage network resources if you use an existing subnet or resource group. For information, see [Use kubenet networking with your own IP address ranges in Azure Kubernetes Service (AKS)][use-kubenet] or [Configure Azure CNI networking in Azure Kubernetes Service (AKS)][advanced-networking]. If you are configuring your load balancer to use an [IP address in a different subnet][different-subnet], ensure the AKS cluster identity also has read access to that subnet.
+If you want to use an existing subnet or resource group, the AKS cluster identity needs permission to manage network resources. For information, see [Use kubenet networking with your own IP address ranges in AKS][use-kubenet] or [Configure Azure CNI networking in AKS][advanced-networking]. If you're configuring your load balancer to use an [IP address in a different subnet][different-subnet], ensure the AKS cluster identity also has read access to that subnet.
 
 For more information on permissions, see [Delegate AKS access to other Azure resources][aks-sp].
 
@@ -46,26 +47,30 @@ spec:
     app: internal-app
 ```
 
-Deploy the internal load balancer using the [kubectl apply][kubectl-apply] and specify the name of your YAML manifest:
+Deploy the internal load balancer using [`kubectl apply`][kubectl-apply] and specify the name of your YAML manifest.
 
 ```console
 kubectl apply -f internal-lb.yaml
 ```
 
-An Azure load balancer is created in the node resource group and connected to the same virtual network as the AKS cluster.
+This command creates an Azure load balancer in the node resource group that's connected to the same virtual network as your AKS cluster.
 
-When you view the service details, the IP address of the internal load balancer is shown in the *EXTERNAL-IP* column. In this context, *External* is in relation to the external interface of the load balancer, not that it receives a public, external IP address. It may take a minute or two for the IP address to change from *\<pending\>* to an actual internal IP address, as shown in the following example:
+When you view the service details, the IP address of the internal load balancer is shown in the *EXTERNAL-IP* column. In this context, *External* refers to the external interface of the load balancer. It doesn't mean that it receives a public, external IP address.
+
+It may take a minute or two for the IP address to change from *\<pending\>* to an actual internal IP address, as shown in the following example:
 
 ```
-$ kubectl get service internal-app
+kubectl get service internal-app
 
 NAME           TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)        AGE
 internal-app   LoadBalancer   10.0.248.59   10.240.0.7    80:30555/TCP   2m
 ```
 
 ## Specify an IP address
 
-If you would like to use a specific IP address with the internal load balancer, add the *loadBalancerIP* property to the load balancer YAML manifest. In this scenario, the specified IP address must reside in the same subnet as the AKS cluster but can't already be assigned to a resource. For example, an IP address in the range designated for the Kubernetes subnet within the AKS cluster shouldn't be used.
+If you want to use a specific IP address with the internal load balancer, add the *loadBalancerIP* property to the load balancer YAML manifest. In this scenario, the specified IP address must reside in the same subnet as the AKS cluster, but it can't already be assigned to a resource. For example, you shouldn't use an IP address in the range designated for the Kubernetes subnet within the AKS cluster.
+
+For more information on subnets, see [Add a node pool with a unique subnet][unique-subnet].
 
 ```yaml
 apiVersion: v1
@@ -83,10 +88,10 @@ spec:
     app: internal-app
 ```
 
-When deployed and you view the service details, the IP address in the *EXTERNAL-IP* column reflects your specified IP address:
+When you view the service details, the IP address in the *EXTERNAL-IP* column should reflect your specified IP address.
 
 ```
-$ kubectl get service internal-app
+kubectl get service internal-app
 
 NAME           TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
 internal-app   LoadBalancer   10.0.184.168   10.240.0.25   80:30225/TCP   4m
@@ -98,14 +103,15 @@ For more information on configuring your load balancer in a different subnet, se
 
 ### Before you begin
 
-You must have the following resource installed:
+You must have the following resources:
 
-* The Azure CLI
-* Kubernetes version 1.22.x or above
+* Azure CLI version 2.0.59 or later.
+* Kubernetes version 1.22.x or later.
+* An existing resource group with a VNet and subnet. This resource group is where you'll [create the private endpoint](#create-a-private-endpoint-to-the-private-link-service). If you don't have these resources, see [Create a virtual network and subnet][aks-vnet-subnet].
 
 ### Create a Private Link service connection
 
-To attach an Azure Private Link service to an internal load balancer, create a service manifest named `internal-lb-pls.yaml` with the service type *LoadBalancer* and the *azure-load-balancer-internal* and *azure-pls-create* annotation as shown in the example below.  For more options, refer to the [Azure Private Link Service Integration](https://kubernetes-sigs.github.io/cloud-provider-azure/topics/pls-integration/) design document
+To attach an Azure Private Link service to an internal load balancer, create a service manifest named `internal-lb-pls.yaml` with the service type *LoadBalancer* and the *azure-load-balancer-internal* and *azure-pls-create* annotation as shown in the following example. For more options, refer to the [Azure Private Link Service Integration](https://kubernetes-sigs.github.io/cloud-provider-azure/topics/pls-integration/) design document.
 
 ```yaml
 apiVersion: v1
@@ -123,27 +129,35 @@ spec:
     app: internal-app
 ```
 
-Deploy the internal load balancer using the [kubectl apply][kubectl-apply] and specify the name of your YAML manifest:
+Deploy the internal load balancer using [`kubectl apply`][kubectl-apply] and specify the name of your YAML manifest.
 
 ```console
 kubectl apply -f internal-lb-pls.yaml
 ```
 
-An Azure load balancer is created in the node resource group and connected to the same virtual network as the AKS cluster.
+This command creates an Azure load balancer in the node resource group that's connected to the same virtual network as your AKS cluster.
 
-When you view the service details, the IP address of the internal load balancer is shown in the *EXTERNAL-IP* column. In this context, *External* is in relation to the external interface of the load balancer, not that it receives a public, external IP address. It may take a minute or two for the IP address to change from *\<pending\>* to an actual internal IP address, as shown in the following example:
+When you view the service details, the IP address of the internal load balancer is shown in the *EXTERNAL-IP* column. In this context, *External* refers to the external interface of the load balancer. It doesn't mean that it receives a public, external IP address.
+
+It may take a minute or two for the IP address to change from *\<pending\>* to an actual internal IP address, as shown in the following example:
 
 ```
-$ kubectl get service internal-app
+kubectl get service internal-app
 
 NAME           TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)        AGE
 internal-app   LoadBalancer   10.125.17.53  10.125.0.66   80:30430/TCP   64m
 ```
 
-Additionally, a Private Link Service object will also be created that connects to the Frontend IP configuration of the Load Balancer associated with the Kubernetes service. Details of the Private Link Service object can be retrieved as shown in the following example:
-```
-$ AKS_MC_RG=$(az aks show -g myResourceGroup --name myAKSCluster --query nodeResourceGroup -o tsv)
-$ az network private-link-service list -g ${AKS_MC_RG} --query "[].{Name:name,Alias:alias}" -o table
+A Private Link Service object is also created. This Private Link Service object connects to the frontend IP configuration of the load balancer associated with the Kubernetes service. You can get the details of the Private Link Service object with the following sample command:
+
+```azurecli-interactive
+# Create a variable for the resource group
+
+AKS_MC_RG=$(az aks show -g myResourceGroup --name myAKSCluster --query nodeResourceGroup -o tsv)
+
+# List the private link service
+
+az network private-link-service list -g $AKS_MC_RG --query "[].{Name:name,Alias:alias}" -o table
 
 Name      Alias
 --------  -------------------------------------------------------------------------
@@ -153,24 +167,31 @@ pls-xyz   pls-xyz.abc123-defg-4hij-56kl-789mnop.eastus2.azure.privatelinkservice
 
 ### Create a Private Endpoint to the Private Link service
 
-A Private Endpoint allows you to privately connect to your Kubernetes service object via the Private Link Service created above. To do so, follow the example shown below:
+A Private Endpoint allows you to privately connect to your Kubernetes service object via the Private Link Service you created. To do so, follow the sample commands.
+
+```azurecli-interactive
+# Create a variable for the private link service
+
+AKS_PLS_ID=$(az network private-link-service list -g $AKS_MC_RG --query "[].id" -o tsv)
+
+# Create the private endpoint
 
-```azurecli
-$ AKS_PLS_ID=$(az network private-link-service list -g ${AKS_MC_RG} --query "[].id" -o tsv)
 $ az network private-endpoint create \
     -g myOtherResourceGroup \
     --name myAKSServicePE \
     --vnet-name myOtherVNET \
     --subnet pe-subnet \
-    --private-connection-resource-id ${AKS_PLS_ID} \
+    --private-connection-resource-id $AKS_PLS_ID \
     --connection-name connectToMyK8sService
 ```
 
 ## Use private networks
 
-When you create your AKS cluster, you can specify advanced networking settings. This approach lets you deploy the cluster into an existing Azure virtual network and subnets. One scenario is to deploy your AKS cluster into a private network connected to your on-premises environment and run services only accessible internally. For more information, see configure your own virtual network subnets with [Kubenet][use-kubenet] or [Azure CNI][advanced-networking].
+When you create your AKS cluster, you can specify advanced networking settings. These settings allow you to deploy the cluster into an existing Azure virtual network and subnets. For example, you can deploy your AKS cluster into a private network connected to your on-premises environment and run services that are only accessible internally.
+
+For more information, see [configure your own virtual network subnets with Kubenet][use-kubenet] or [with Azure CNI][advanced-networking].
 
-No changes to the previous steps are needed to deploy an internal load balancer in an AKS cluster that uses a private network. The load balancer is created in the same resource group as your AKS cluster but connected to your private virtual network and subnet, as shown in the following example:
+You don't need to make any changes to the previous steps to deploy an internal load balancer that uses a private network in an AKS cluster. The load balancer is created in the same resource group as your AKS cluster, but it's instead connected to your private virtual network and subnet, as shown in the following example:
 
 ```
 $ kubectl get service internal-app
@@ -180,11 +201,12 @@ internal-app   LoadBalancer   10.1.15.188   10.0.0.35     80:31669/TCP   1m
 ```
 
 > [!NOTE]
-> You may need to grant the cluster identity for your AKS cluster the *Network Contributor* role to the resource group where your Azure virtual network resources are deployed. View the cluster identity with [az aks show][az-aks-show], such as `az aks show --resource-group myResourceGroup --name myAKSCluster --query "identity"`. To create a role assignment, use the [az role assignment create][az-role-assignment-create] command.
+> 
+> You may need to give the *Network Contributor* role to the resource group in which your Azure virtual network resources are deployed. You can view the cluster identity with [az aks show][az-aks-show], such as `az aks show --resource-group myResourceGroup --name myAKSCluster --query "identity"`. To create a role assignment, use the [az role assignment create][az-role-assignment-create] command.
 
 ## Specify a different subnet
 
-To specify a subnet for your load balancer, add the *azure-load-balancer-internal-subnet* annotation to your service. The subnet specified must be in the same virtual network as your AKS cluster. When deployed, the load balancer *EXTERNAL-IP* address is part of the specified subnet.
+Add the *azure-load-balancer-internal-subnet* annotation to your service to specify a subnet for your load balancer. The subnet specified must be in the same virtual network as your AKS cluster. When deployed, the load balancer *EXTERNAL-IP* address is part of the specified subnet.
 
 ```yaml
 apiVersion: v1
@@ -204,13 +226,13 @@ spec:
 
 ## Delete the load balancer
 
-When all services that use the internal load balancer are deleted, the load balancer itself is also deleted.
+The load balancer will be deleted when all of its services are deleted.
 
-You can also directly delete a service as with any Kubernetes resource, such as `kubectl delete service internal-app`, which also then deletes the underlying Azure load balancer.
+As with any Kubernetes resource, you can directly delete a service, such as `kubectl delete service internal-app`, which also deletes the underlying Azure load balancer.
 
 ## Next steps
 
-Learn more about Kubernetes services at the [Kubernetes services documentation][kubernetes-services].
+Learn more about Kubernetes services in the [Kubernetes services documentation][kubernetes-services].
 
 <!-- LINKS - External -->
 [kubectl-apply]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply
@@ -228,3 +250,5 @@ Learn more about Kubernetes services at the [Kubernetes services documentation][
 [install-azure-cli]: /cli/azure/install-azure-cli
 [aks-sp]: kubernetes-service-principal.md#delegate-access-to-other-azure-resources
 [different-subnet]: #specify-a-different-subnet
+[aks-vnet-subnet]: /aks/configure-kubenet.md#create-a-virtual-network-and-subnet
+[unique-subnet]: /aks/use-multiple-node-pools.md#add-a-node-pool-with-a-unique-subnet
