| 1 | +--- |
| 2 | +title: Private Azure Kubernetes Service cluster |
| 3 | +description: Learn how to create a private Azure Kubernetes Service (AKS) cluster |
| 4 | +services: container-service |
| 5 | +author: saudas |
| 6 | +manager: saudas |
| 7 | + |
| 8 | +ms.service: container-service |
| 9 | +ms.topic: article |
| 10 | +ms.date: 12/10/2019 |
| 11 | +ms.author: saudas |
| 12 | +--- |
| 13 | + |
| 14 | +# Public Preview - Private Azure Kubernetes Service cluster |
| 15 | + |
| 16 | +In a private cluster, the Control Plane/API server will have internal IP addresses defined in [RFC1918](https://tools.ietf.org/html/rfc1918). By using a private cluster, you can ensure network traffic between your API server and your node pools remains on the private network only. |
| 17 | + |
| 18 | +The communication between the control plane/API server, which is in an AKS-managed Azure subscription, and the customers cluster/node pool, which is in a customer subscription, can communicate with each other through the private link service in the API server VNET and a private endpoint exposed in the subnet of the customer AKS cluster. |
| 19 | + |
| 20 | +> [!IMPORTANT] |
| 21 | +> AKS preview features are self-service opt-in. Previews are provided "as-is" and "as available" and are excluded from the service level agreements and limited warranty. AKS Previews are partially covered by customer support on best effort basis. As such, these features are not meant for production use. For additional infromation, please see the following support articles: |
| 22 | +> |
| 23 | +> * [AKS Support Policies](support-policies.md) |
| 24 | +> * [Azure Support FAQ](faq.md) |
| 25 | +
|
| 26 | +## Before you begin |
| 27 | + |
| 28 | +* You need the Azure CLI version 2.0.70 or later and the aks-preview 0.4.18 extension |
| 29 | + |
| 30 | +## Current supported regions |
| 31 | +* West US |
| 32 | +* West US 2 |
| 33 | +* East US 2 |
| 34 | +* Canada Central |
| 35 | +* North Europe |
| 36 | +* West Europe |
| 37 | +* Australia East |
| 38 | + |
| 39 | +## Install latest AKS CLI preview extension |
| 40 | + |
| 41 | +You need the **aks-preview 0.4.18** extension or later. |
| 42 | + |
| 43 | +```azurecli-interactive |
| 44 | +az extension update --name aks-preview |
| 45 | +az extension list |
| 46 | +``` |
| 47 | + |
| 48 | +> [!CAUTION] |
| 49 | +> When you register a feature on a subscription, you can't currently un-register that feature. After you enable some preview features, defaults may be used for all AKS clusters then created in the subscription. Don't enable preview features on production subscriptions. Use a separate subscription to test preview features and gather feedback. |
| 50 | +
|
| 51 | +```azurecli-interactive |
| 52 | +az feature register --name AKSPrivateLinkPreview --namespace Microsoft.ContainerService |
| 53 | +``` |
| 54 | + |
| 55 | +It may take several minutes for the status to show *Registered*. You can check on the registration status by using the [az feature list][az-feature-list] command: |
| 56 | + |
| 57 | +```azurecli-interactive |
| 58 | +az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKSPrivateLinkPreview')].{Name:name,State:properties.state}" |
| 59 | +``` |
| 60 | + |
| 61 | +When the state is registered, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command: |
| 62 | + |
| 63 | +```azurecli-interactive |
| 64 | +az provider register --namespace Microsoft.ContainerService |
| 65 | +az provider register --namespace Microsoft.Network |
| 66 | +``` |
| 67 | +## Create a private AKS cluster |
| 68 | + |
| 69 | +#### Default Basic Networking |
| 70 | + |
| 71 | +```azurecli-interactive |
| 72 | +az aks create -n <private-cluster-name> -g <private-cluster-resource-group> --load-balancer-sku standard --enable-private-cluster |
| 73 | +``` |
| 74 | +Where --enable-private-cluster is a mandatory flag for a private cluster |
| 75 | + |
| 76 | +#### Advanced Networking |
| 77 | +```azurecli-interactive |
| 78 | +az aks create \ |
| 79 | + --resource-group <private-cluster-resource-group>\ |
| 80 | + --name <private-cluster-name> \ |
| 81 | + --load-balancer-sku standard |
| 82 | + --enable-private-cluster |
| 83 | + --api-server-address-range 172.18.0.0/28 \ |
| 84 | + --network-plugin azure \ |
| 85 | + --vnet-subnet-id <subnet-id> \ |
| 86 | + --docker-bridge-address 172.17.0.1/16 \ |
| 87 | + --dns-service-ip 10.2.0.10 \ |
| 88 | + --service-cidr 10.2.0.0/24 \ |
| 89 | +``` |
| 90 | +Where --enable-private-cluster is a mandatory flag for a private cluster |
| 91 | + |
| 92 | +## Steps to connect to the private cluster |
| 93 | +The API server end point has no public IP address. Consequently, users will need to create an Azure virtual machine in a virtual network and connect to the API server. The steps in |
| 94 | + |
| 95 | +* Get credentials to connect to the cluster |
| 96 | + |
| 97 | +```azurecli-interactive |
| 98 | +az aks get-credentials --name MyManagedCluster --resource-group MyResourceGroup |
| 99 | +``` |
| 100 | +* Create a VM in the same VNET as the AKS cluster or create a VM in a different VNET and peer this VNET with the AKS cluster VNET |
| 101 | +* If you create a VM in a different VNET, you'll need to set up a link between this VNET and the Private DNS Zone |
| 102 | + * go to the MC_* resource group in the portal |
| 103 | + * click on the Private DNS Zone |
| 104 | + * select Virtual network link in the left pane |
| 105 | + * create a new link to add the VNET of the VM to the Private DNS Zone *(It takes a few minutes for the DNS zone link to become available)* |
| 106 | +* SSH into the VM |
| 107 | +* Install Kubectl tool and run kubectl commands |
| 108 | + |
| 109 | +## Dependencies |
| 110 | +* Standard LB Only - no support for basic load balancer |
| 111 | + |
| 112 | +## Limitations |
| 113 | +* No support for virtual nodes in a private cluster to spin private ACI instances in a private Azure VNET |
| 114 | +* No support for Azure DevOps integration out of the box with private clusters |
| 115 | +* If customers need to enable ACR to work with private AKS, then the ACR's VNET will need to be peered with the agent cluster VNET |
| 116 | +* No current support for Azure Dev Spaces |
| 117 | +* No support to convert existing AKS clusters to private clusters |
| 118 | +* Deleting or modifying the private endpoint in the customer subnet will cause the cluster to stop functioning |
| 119 | +* Azure Monitor for containers Live Data isn't currently supported |
| 120 | + |
| 121 | +<!-- LINKS - internal --> |
| 122 | +[az-provider-register]: /cli/azure/provider?view=azure-cli-latest#az-provider-register |
| 123 | +[az-feature-list]: /cli/azure/feature?view=azure-cli-latest#az-feature-list |
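Review bot: the Advanced Networking `az aks create` example in this file is not runnable as written: the lines `--load-balancer-sku standard` and `--enable-private-cluster` lack the trailing `\`, so the shell would end the command after `--load-balancer-sku standard` and then try to run `--enable-private-cluster` as a separate command, and the final `--service-cidr 10.2.0.0/24 \` leaves a dangling continuation. Suggest adding `\` to those two lines and dropping it from the last one. Other points in the same hunk: the sentence "The steps in" under "Steps to connect to the private cluster" is cut off; "infromation" in the IMPORTANT callout and "the customers cluster/node pool ... can communicate with each other" (should be "customer's", and "The communication ... can communicate" is redundant) read poorly; the `az aks get-credentials` step uses `MyManagedCluster`/`MyResourceGroup` while the create commands use `<private-cluster-name>`/`<private-cluster-resource-group>`, so one placeholder convention would help readers. Since the Limitations list states that deleting or modifying the private endpoint in the customer subnet stops the cluster from functioning, the doc should also say how to protect that endpoint (for example, restricting who can change the subnet's resources), as that is the failure mode readers most need to guard against.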