created new article for connecting to AKS private cluster.

AbdullahBell · AbdullahBell · commit 3d1d1ff1bf51 · 2025-07-29T14:41:46.000-04:00
diff --git a/articles/bastion/TOC.yml b/articles/bastion/TOC.yml
@@ -1,151 +1,152 @@
 - name: Bastion documentation
   href: index.yml
 - name: Overview
-  items: 
-  - name: What is Azure Bastion?
-    href: bastion-overview.md
-  - name: What's new in Bastion?
-    href: whats-new.md
+  items:
+    - name: What is Azure Bastion?
+      href: bastion-overview.md
+    - name: What's new in Bastion?
+      href: whats-new.md
 - name: Quickstarts & Tutorials
-  expanded: true
   items:
-  - name: Deploy Bastion Developer
-    href: quickstart-developer.md
-  - name: Deploy Bastion - Standard SKU
-    href: quickstart-host-portal.md
-  - name: Deploy Bastion - specify settings and SKU
-    href: tutorial-create-host-portal.md
-  - name: Deploy Bastion - ARM template
-    href: quickstart-host-arm-template.md
-  - name: Deploy Bastion - Terraform
-    href: quickstart-deploy-terraform.md
+    - name: Deploy Bastion Developer
+      href: quickstart-developer.md
+    - name: Deploy Bastion - Standard SKU
+      href: quickstart-host-portal.md
+    - name: Deploy Bastion - specify settings and SKU
+      href: tutorial-create-host-portal.md
+    - name: Deploy Bastion - ARM template
+      href: quickstart-host-arm-template.md
+    - name: Deploy Bastion - Terraform
+      href: quickstart-deploy-terraform.md
 - name: Concepts
   items:
-  - name: Work remotely
-    items:
-    - name: Support for working remotely
-      href: ../networking/working-remotely-support.md?toc=%2fazure%2fbastion%2ftoc.json
-    - name: Leverage Bastion for remote working
-      href: work-remotely-support.md
-  - name: Bastion FAQ
-    href: bastion-faq.md
-  - name: Design architecture
-    href: design-architecture.md
-  - name: Bastion configuration settings
-    href: configuration-settings.md
-  - name: VM connections and features
-    href: vm-about.md
-  - name: Bastion and VNet peering
-    href: vnet-peering.md
-  - name: Work with NSGs
-    href: bastion-nsg.md
-  - name: Reliability
-    items:
-    - name: Availability zones and disaster recovery 
-      href: ../reliability/reliability-bastion.md?toc=/azure/bastion/TOC.json
+    - name: Work remotely
+      items:
+        - name: Support for working remotely
+          href: ../networking/working-remotely-support.md?toc=%2fazure%2fbastion%2ftoc.json
+        - name: Leverage Bastion for remote working
+          href: work-remotely-support.md
+    - name: Bastion FAQ
+      href: bastion-faq.md
+    - name: Design architecture
+      href: design-architecture.md
+    - name: Bastion configuration settings
+      href: configuration-settings.md
+    - name: VM connections and features
+      href: vm-about.md
+    - name: Bastion and VNet peering
+      href: vnet-peering.md
+    - name: Work with NSGs
+      href: bastion-nsg.md
+    - name: Reliability
+      items:
+        - name: Availability zones and disaster recovery
+          href: ../reliability/reliability-bastion.md?toc=/azure/bastion/TOC.json
 - name: Security
   items:
-  - name: Security baseline
-    href: /security/benchmark/azure/baselines/bastion-security-baseline?toc=/azure/bastion/TOC.json
-  - name: Azure Security blog
-    href: https://techcommunity.microsoft.com/category/azure-network-security/blog/azurenetworksecurityblog
+    - name: Security baseline
+      href: /security/benchmark/azure/baselines/bastion-security-baseline?toc=/azure/bastion/TOC.json
+    - name: Azure Security blog
+      href: https://techcommunity.microsoft.com/category/azure-network-security/blog/azurenetworksecurityblog
 - name: How-to guides
   items:
-  - name: Deploy Bastion
-    items:
-    - name: Azure portal
-      href: tutorial-create-host-portal.md
-    - name: Azure PowerShell
-      href: bastion-create-host-powershell.md
-    - name: Azure CLI
-      href: create-host-cli.md
-    - name: Developer SKU
-      href: quickstart-developer-sku.md
-  - name: Deploy private-only Bastion
-    href: private-only-deployment.md
-  - name: Configure Bastion settings
-    items:
-    - name: View or upgrade SKU
-      href: upgrade-sku.md
-    - name: Configure native client support
-      href: native-client.md
-    - name: Configure host scaling
+    - name: Deploy Bastion
       items:
-      - name: Azure portal
-        href: configure-host-scaling.md
-      - name: Azure PowerShell
-        href: configure-host-scaling-powershell.md
-    - name: Configure a shareable link
-      href: shareable-link.md
-    - name: Configure Kerberos authentication
-      href: kerberos-authentication-portal.md
-    - name: Configure session recording
-      href: session-recording.md
-  - name: Connect to a virtual machine
-    items:
-    - name: Windows VM
+        - name: Azure portal
+          href: tutorial-create-host-portal.md
+        - name: Azure PowerShell
+          href: bastion-create-host-powershell.md
+        - name: Azure CLI
+          href: create-host-cli.md
+        - name: Developer SKU
+          href: quickstart-developer-sku.md
+    - name: Deploy private-only Bastion
+      href: private-only-deployment.md
+    - name: Configure Bastion settings
       items:
-      - name: RDP connection
-        href: bastion-connect-vm-rdp-windows.md
-      - name: SSH connection
-        href: bastion-connect-vm-ssh-windows.md
-    - name: Linux VM
-      items: 
-      - name: SSH connection
-        href: bastion-connect-vm-ssh-linux.md
-      - name: RDP connection
-        href: bastion-connect-vm-linux-rdp.md
-  - name: Connect to a VM - native client
-    items:
-    - name: Connect from Windows client
-      href: connect-vm-native-client-windows.md
-    - name: Connect from Linux client
-      href: connect-vm-native-client-linux.md
-  - name: Connect to a VM - IP address
-    href: connect-ip-address.md
-  - name: Connect to a VM scale set
-    href: bastion-connect-vm-scale-set.md
-  - name: Connect to DevTest Labs VMs
-    href: ../devtest-labs/enable-browser-connection-lab-virtual-machines.md?toc=%2fazure%2fbastion%2ftoc.json
-  - name: Work with a VM session
-    items:
-    - name: Copy and paste
-      href: bastion-vm-copy-paste.md
-    - name: Full screen view
-      href: bastion-vm-full-screen.md
-    - name: Transfer files - native client
-      href: vm-upload-download-native.md
-  - name: Monitoring
-    items:
-    - name: Monitor Azure Bastion
-      href: monitor-bastion.md
-    - name: Monitor and manage sessions
-      href: session-monitoring.md
-  - name: Troubleshoot
-    href: troubleshoot.md
+        - name: View or upgrade SKU
+          href: upgrade-sku.md
+        - name: Configure native client support
+          href: native-client.md
+        - name: Configure host scaling
+          items:
+            - name: Azure portal
+              href: configure-host-scaling.md
+            - name: Azure PowerShell
+              href: configure-host-scaling-powershell.md
+        - name: Configure a shareable link
+          href: shareable-link.md
+        - name: Configure Kerberos authentication
+          href: kerberos-authentication-portal.md
+        - name: Configure session recording
+          href: session-recording.md
+    - name: Connect to a virtual machine
+      items:
+        - name: Windows VM
+          items:
+            - name: RDP connection
+              href: bastion-connect-vm-rdp-windows.md
+            - name: SSH connection
+              href: bastion-connect-vm-ssh-windows.md
+        - name: Linux VM
+          items:
+            - name: SSH connection
+              href: bastion-connect-vm-ssh-linux.md
+            - name: RDP connection
+              href: bastion-connect-vm-linux-rdp.md
+    - name: Connect to a VM - native client
+      items:
+        - name: Connect from Windows client
+          href: connect-vm-native-client-windows.md
+        - name: Connect from Linux client
+          href: connect-vm-native-client-linux.md
+    - name: Connect to a VM - IP address
+      href: connect-ip-address.md
+    - name: Connect to a VM scale set
+      href: bastion-connect-vm-scale-set.md
+    - name: Connect to DevTest Labs VMs
+      href: ../devtest-labs/enable-browser-connection-lab-virtual-machines.md?toc=%2fazure%2fbastion%2ftoc.json
+    - name: Connect to an AKS cluster
+      href: bastion-connect-to-aks-private-cluster.md
+    - name: Work with a VM session
+      items:
+        - name: Copy and paste
+          href: bastion-vm-copy-paste.md
+        - name: Full screen view
+          href: bastion-vm-full-screen.md
+        - name: Transfer files - native client
+          href: vm-upload-download-native.md
+    - name: Monitoring
+      items:
+        - name: Monitor Azure Bastion
+          href: monitor-bastion.md
+        - name: Monitor and manage sessions
+          href: session-monitoring.md
+    - name: Troubleshoot
+      href: troubleshoot.md
 - name: Reference
   items:
-  - name: Azure PowerShell
-    href: /powershell/module/az.network/
-  - name: REST
-    href: /rest/api/virtualnetwork/bastion-hosts
-  - name: Azure CLI
-    href: /cli/azure/network/bastion
-  - name: Bastion monitoring data reference
-    href: monitor-bastion-reference.md
+    - name: Azure PowerShell
+      href: /powershell/module/az.network/
+    - name: REST
+      href: /rest/api/virtualnetwork/bastion-hosts
+    - name: Azure CLI
+      href: /cli/azure/network/bastion
+    - name: Bastion monitoring data reference
+      href: monitor-bastion-reference.md
 - name: Resources
   items:
-  - name: Azure Networking blog
-    href: https://techcommunity.microsoft.com/category/azure/blog/azurenetworkingblog
-  - name: Microsoft Q&A question page - Azure Bastion
-    href: /answers/tags/119/azure-bastion
-  - name: Networking feedback
-    href: https://feedback.azure.com/d365community/forum/8ae9bf04-8326-ec11-b6e6-000d3a4f0789
-  - name: Pricing
-    href: https://azure.microsoft.com/pricing/details/azure-bastion/
-  - name: Subscription and service limits
-    href: ../azure-resource-manager/management/azure-subscription-service-limits.md?toc=/azure/bastion/toc.json
-  - name: SLA
-    href: https://azure.microsoft.com/support/legal/sla
-  - name: Preview SLA
-    href: https://azure.microsoft.com/support/legal/preview-supplemental-terms
+    - name: Azure Networking blog
+      href: https://techcommunity.microsoft.com/category/azure/blog/azurenetworkingblog
+    - name: Microsoft Q&A question page - Azure Bastion
+      href: /answers/tags/119/azure-bastion
+    - name: Networking feedback
+      href: https://feedback.azure.com/d365community/forum/8ae9bf04-8326-ec11-b6e6-000d3a4f0789
+    - name: Pricing
+      href: https://azure.microsoft.com/pricing/details/azure-bastion/
+    - name: Subscription and service limits
+      href: ../azure-resource-manager/management/azure-subscription-service-limits.md?toc=/azure/bastion/toc.json
+    - name: SLA
+      href: https://azure.microsoft.com/support/legal/sla
+    - name: Preview SLA
+      href: https://azure.microsoft.com/support/legal/preview-supplemental-terms
diff --git a/articles/bastion/bastion-connect-to-aks-private-cluster.md b/articles/bastion/bastion-connect-to-aks-private-cluster.md
@@ -0,0 +1,84 @@
+---
+title: 'Connect to AKS Private Cluster Using Azure Bastion (Preview)'
+titleSuffix: Azure Bastion
+description: Learn how to securely connect to Azure Kubernetes Service (AKS) private clusters using Azure Bastion's native client tunneling. Step-by-step guide with prerequisites and commands to establish secure access without exposing endpoints.
+author: abell
+ms.service: azure-bastion
+ms.topic: how-to
+ms.date: 07/29/2025
+ms.author: abell
+
+# Customer intent: "As a cloud administrator, I want to establish a secure connection to an AKS private cluster using Azure Bastion, so that I can access my Kubernetes resources without exposing them to the public internet."
+---
+
+# Connect to AKS Private Cluster Using Azure Bastion (Preview)
+
+This article shows you how to connect to Azure Kubernetes Service (AKS) private clusters securely using Azure Bastion's native client tunneling feature. You learn to establish secure connections to AKS private clusters in Azure virtual networks without exposing endpoints to the public internet, eliminating the need for additional client software or agents.
+
+Azure Bastion provides secure connectivity to all resources in the virtual network in which it's provisioned. Using Azure Bastion protects your AKS clusters from exposing endpoints to the outside world, while still providing secure access. For more information, see [What is Azure Bastion?](bastion-overview.md) For more information about AKS private clusters, see [Create a private Azure Kubernetes Service cluster](../aks/private-clusters.md).
+
+## Prerequisites
+
+Before you begin, verify that you've met the following criteria:
+
+
+* A virtual network with the Bastion host already installed.
+
+  * Make sure that you have set up an Azure Bastion host for the virtual network in which the AKS cluster is located. Once the Bastion service is provisioned and deployed in your virtual network, you can use it to connect to any AKS private cluster in the virtual network.
+  * To set up an Azure Bastion host, see [Quickstart: Deploy Bastion with default settings](quickstart-host-portal.md).
+  * The Bastion must be Standard or Premium SKU and have native client support enabled under configuration settings.
+
+* An AKS cluster in the virtual network or any reachable virtual network.
+
+## Required roles
+
+
+* Reader role on the AKS cluster.
+* Reader role on the Azure Bastion resource.
+* Reader role on the virtual network of the target AKS cluster (if the Bastion deployment is in a peered virtual network).
+
+## Additional requirements
+
+* If you're using Bastion to connect to a public cluster with API server authorized IP ranges, you need to add the public IP address of the Bastion to the list of authorized IP ranges of your cluster.
+
+## Limitations
+
+This integration with AKS is currently in preview and doesn't support AKS clusters with public FQDN disabled.
+
+## Connect
+
+To connect to your AKS private cluster:
+
+1. Sign in to your Azure account using `az login` via CLI. If you have more than one subscription, you can view them using `az account list` and select the subscription containing your Bastion resource using:
+
+   ```pwsh
+   az account set --subscription <subscription ID>
+   ```
+
+1. Retrieve credentials to your AKS private cluster:
+
+   ```pwsh
+   az aks get-credentials --admin --name <AKSClusterName> --resource-group <ResourceGroupName>
+   ```
+
+1. Open the tunnel to your target AKS Cluster with either of the following commands:
+
+   ```pwsh
+   az aks bastion --name <aksClusterName> --resource-group <aksClusterResourceGroup> --admin --bastion <bastionResourceId>
+   ```
+
+   Or:
+
+   ```pwsh
+   az network bastion tunnel --name <BastionName> --resource-group <ResourceGroupName> --target-resource-id <AKSClusterID> --resource-port 443 --port <LocalMachinePort>
+   ```
+
+1. If you're using the az network command, open a new command line to connect to the AKS cluster via the Bastion tunnel. Otherwise, you should be all set to interact with your AKS cluster.
+
+   ```pwsh
+   kubectl get pods --server=https://localhost:<LocalMachinePort>
+   ```
+
+## Next steps
+
+Read the [Bastion FAQ](bastion-faq.md) for more connection information.
