|
1 | 1 | --- |
2 | 2 | title: Private connectivity for Arc enabled Kubernetes clusters using private link (preview) |
3 | | -ms.date: 04/08/2021 |
| 3 | +ms.date: 08/28/2021 |
4 | 4 | ms.topic: article |
5 | 5 | description: With Azure Arc, you can use a Private Link Scope model to allow multiple Kubernetes clusters to use a single private endpoint. |
6 | 6 | ms.custom: references_regions |
@@ -68,25 +68,25 @@ The rest of this document assumes you have already set up your ExpressRoute circ |
68 | 68 |
|
69 | 69 | ## Network configuration |
70 | 70 |
|
71 | | -Azure Arc-enabled Kubernetes integrates with several Azure services to bring cloud management and governance to your hybrid Kubernetes clusters. Most of these services already offer private endpoints, but you need to configure your firewall and routing rules to allow access to Azure Active Directory and Azure Resource Manager over the internet until these services offer private endpoints. You also need to allow access to Microsoft Container Registry (and Azure Front Door.First Party as a precursor for Microsoft Container Registry) to pull images & Helm charts to enable services like Azure Monitor, as well as for initial setup of Azure Arc agents on the Kubernetes clusters. |
| 71 | +Azure Arc-enabled Kubernetes integrates with several Azure services to bring cloud management and governance to your hybrid Kubernetes clusters. Most of these services already offer private endpoints, but you need to configure your firewall and routing rules to allow access to Azure Active Directory and Azure Resource Manager over the internet until these services offer private endpoints. You also need to allow access to Microsoft Container Registry (and AzureFrontDoor.FirstParty as a precursor for Microsoft Container Registry) to pull images & Helm charts to enable services like Azure Monitor, as well as for initial setup of Azure Arc agents on the Kubernetes clusters. |
72 | 72 |
|
73 | 73 | There are two ways you can achieve this: |
74 | 74 |
|
75 | | -* If your network is configured to route all internet-bound traffic through the Azure VPN or ExpressRoute circuit, you can configure the network security group (NSG) associated with your subnet in Azure to allow outbound TCP 443 (HTTPS) access to Azure AD, Azure Resource Manager, Azure Frontdoor and Microsoft Container Registry using [service tags] (/azure/virtual-network/service-tags-overview). The NSG rules should look like the following: |
| 75 | +* If your network is configured to route all internet-bound traffic through the Azure VPN or ExpressRoute circuit, you can configure the network security group (NSG) associated with your subnet in Azure to allow outbound TCP 443 (HTTPS) access to Azure AD, Azure Resource Manager, Azure Front Door and Microsoft Container Registry using [service tags](/azure/virtual-network/service-tags-overview). The NSG rules should look like the following: |
76 | 76 |
|
77 | 77 | | Setting | Azure AD rule | Azure Resource Manager rule | AzureFrontDoorFirstParty rule | Microsoft Container Registry rule | |
78 | 78 | |-------------------------|---------------------------------------------------------------|---------------------------------------------------------------|---------------------------------------------------------------|--------------------------------------------------------------- |
79 | 79 | | Source | Virtual Network | Virtual Network | Virtual Network | Virtual Network |
80 | 80 | | Source Port ranges | * | * | * | * |
81 | 81 | | Destination | Service Tag | Service Tag | Service Tag | Service Tag |
82 | | - | Destination service tag | AzureActiveDirectory | AzureResourceManager | FrontDoor.FirstParty | MicrosoftContainerRegistry |
| 82 | + | Destination service tag | AzureActiveDirectory | AzureResourceManager | AzureFrontDoor.FirstParty | MicrosoftContainerRegistry |
83 | 83 | | Destination port ranges | 443 | 443 | 443 | 443 |
84 | 84 | | Protocol | TCP | TCP | TCP | TCP |
85 | 85 | | Action | Allow | Allow | Allow (Both inbound and outbound) | Allow |
86 | 86 | | Priority | 150 (must be lower than any rules that block internet access) | 151 (must be lower than any rules that block internet access) | 152 (must be lower than any rules that block internet access) | 153 (must be lower than any rules that block internet access) | |
87 | 87 | | Name | AllowAADOutboundAccess | AllowAzOutboundAccess | AllowAzureFrontDoorFirstPartyAccess | AllowMCROutboundAccess |
88 | 88 |
|
89 | | -* Configure the firewall on your local network to allow outbound TCP 443 (HTTPS) access to Azure AD, Azure Resource Manager, and Microsoft Container Registry, and inbound & outbound access to Azure FrontDoor.FirstParty using the downloadable service tag files. The JSON file contains all the public IP address ranges used by Azure AD, Azure Resource Manager, Azure FrontDoor.FirstParty, and Microsoft Container Registry and is updated monthly to reflect any changes. Azure Active Directory's service tag is AzureActiveDirectory, Azure Resource Manager's service tag is AzureResourceManager, Microsoft Container Registry's service tag is MicrosoftContainerRegistry, and Azure Front Door's service tag is FrontDoor.FirstParty. Consult with your network administrator and network firewall vendor to learn how to configure your firewall rules. |
| 89 | +* Configure the firewall on your local network to allow outbound TCP 443 (HTTPS) access to Azure AD, Azure Resource Manager, and Microsoft Container Registry, and inbound & outbound access to AzureFrontDoor.FirstParty using the downloadable service tag files. The JSON file contains all the public IP address ranges used by Azure AD, Azure Resource Manager, AzureFrontDoor.FirstParty, and Microsoft Container Registry and is updated monthly to reflect any changes. Azure Active Directory's service tag is AzureActiveDirectory, Azure Resource Manager's service tag is AzureResourceManager, Microsoft Container Registry's service tag is MicrosoftContainerRegistry, and Azure Front Door's service tag is AzureFrontDoor.FirstParty. Consult with your network administrator and network firewall vendor to learn how to configure your firewall rules. |
90 | 90 |
|
91 | 91 | ## Create an Azure Arc Private Link Scope |
92 | 92 |
|
@@ -123,15 +123,15 @@ The Private Endpoint on your virtual network allows it to reach Azure Arc-enable |
123 | 123 | 1. On the **Configuration** page, perform the following: |
124 | 124 | 1. Choose the virtual network and subnet from which you want to connect to Azure Arc-enabled Kubernetes clusters. |
125 | 125 | 1. For **Integrate with private DNS zone**, select **Yes**. A new Private DNS Zone will be created. The actual DNS zones may be different from what is shown in the screenshot below. |
126 | | - |
| 126 | + |
127 | 127 | :::image type="content" source="media/private-link/create-private-endpoint-2.png" alt-text="Screenshot of the Configuration step to create a private endpoint in the Azure portal."::: |
128 | 128 |
|
129 | 129 | > [!NOTE] |
130 | 130 | > If you choose **No** and prefer to manage DNS records manually, first complete setting up your Private Link, including this private endpoint and the Private Scope configuration. Next, configure your DNS according to the instructions in [Azure Private Endpoint DNS configuration](/azure/private-link/private-endpoint-dns). Make sure not to create empty records as preparation for your Private Link setup. The DNS records you create can override existing settings and impact your connectivity with Arc-enabled Kubernetes clusters. |
131 | 131 | 1. Select **Review + create**. |
132 | 132 | 1. Let validation pass. |
133 | 133 | 1. Select **Create**. |
134 | | - |
| 134 | + |
135 | 135 | :::image type="content" source="media/private-link/create-private-endpoint-2.png" alt-text="Screenshot of the Configuration step to create a private endpoint in the Azure portal."::: |
136 | 136 |
|
137 | 137 | > [!NOTE] |
|
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments