Merge pull request #250359 from schaffererin/aks-command-invoke

Updating command invoke access doc to include Azure portal run command

Author: v-dirichards

.openpublishing.redirection.json

@@ -24481,6 +24481,11 @@
             "source_path_from_root": "/articles/private-link/tutorial-private-endpoint-cosmosdb-portal.md",
             "redirect_url": "/azure/cosmos-db/how-to-configure-private-endpoints",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/aks/command-invoke.md",
+            "redirect_url": "/azure/aks/access-private-cluster",
+            "redirect_document_id": false
         }
     ]
 }

articles/aks/TOC.yml

@@ -223,7 +223,7 @@
            - name: Create a private cluster
              href: private-clusters.md
            - name: Access a private cluster remotely
-             href: command-invoke.md
+             href: access-private-cluster.md
         - name: Integration
           items:      
             - name: Integrate ACR with an AKS cluster

articles/aks/command-invoke.md renamed to articles/aks/access-private-cluster.md

@@ -1,13 +1,15 @@
 ---
-title: Use `command invoke` to access a private Azure Kubernetes Service (AKS) cluster
-description: Learn how to use `command invoke` to access a private Azure Kubernetes Service (AKS) cluster
+title: Access a private Azure Kubernetes Service (AKS) cluster
+description: Learn how to access a private Azure Kubernetes Service (AKS) cluster using the Azure CLI or Azure portal.
 ms.topic: article
-ms.date: 05/03/2023
+ms.date: 09/15/2023
 ---
 
-# Use `command invoke` to access a private Azure Kubernetes Service (AKS) cluster
+# Access a private Azure Kubernetes Service (AKS) cluster
 
-When you access a private AKS cluster, you must connect to the cluster from the cluster virtual network, from a peered network, or via a configured private endpoint. These approaches require configuring a VPN, Express Route, deploying a *jumpbox* within the cluster virtual network, or creating a private endpoint inside of another virtual network. You can also use `command invoke` to access private clusters without the need to configure a VPN or Express Route. `command invoke` allows you to remotely invoke commands, like `kubectl` and `helm`, on your private cluster through the Azure API without directly connecting to the cluster. The `Microsoft.ContainerService/managedClusters/runcommand/action` and `Microsoft.ContainerService/managedclusters/commandResults/read` actions control the permissions for using `command invoke`.
+When you access a private AKS cluster, you must connect to the cluster from the cluster virtual network, from a peered network, or via a configured private endpoint. These approaches require configuring a VPN, Express Route, deploying a *jumpbox* within the cluster virtual network, or creating a private endpoint inside of another virtual network.
+
+With the Azure CLI, you can use `command invoke` to access private clusters without the need to configure a VPN or Express Route. `command invoke` allows you to remotely invoke commands, like `kubectl` and `helm`, on your private cluster through the Azure API without directly connecting to the cluster. The `Microsoft.ContainerService/managedClusters/runcommand/action` and `Microsoft.ContainerService/managedclusters/commandResults/read` actions control the permissions for using `command invoke`. With the Azure portal, you can use the `Run command` feature to run commands on your private cluster. The `Run command` feature uses the same `command invoke` functionality to run commands on your cluster.
 
 ## Prerequisites
 
@@ -21,7 +23,11 @@ The pod created by the `run` command provides `helm` and the latest compatible v
 
 `command invoke` runs the commands from your cluster, so any commands run in this manner are subject to your configured networking restrictions and any other configured restrictions. Make sure there are enough nodes and resources in your cluster to schedule this command pod.
 
-## Use `command invoke` to run a single command
+## Run commands on your AKS cluster
+
+### [Azure CLI - `command invoke`](#tab/azure-cli)
+
+### Use `command invoke` to run a single command
 
 * Run a command on your cluster using the `az aks command invoke --command` command. The following example command runs the `kubectl get pods -n kube-system` command on the *myPrivateCluster* cluster in *myResourceGroup*.
 
@@ -32,7 +38,7 @@ The pod created by the `run` command provides `helm` and the latest compatible v
       --command "kubectl get pods -n kube-system"
     ```
 
-## Use `command invoke` to run multiple commands
+### Use `command invoke` to run multiple commands
 
 * Run multiple commands on your cluster using the `az aks command invoke --command` command. The following example command runs three `helm` commands on the *myPrivateCluster* cluster in *myResourceGroup*.
 
@@ -43,7 +49,7 @@ The pod created by the `run` command provides `helm` and the latest compatible v
       --command "helm repo add bitnami https://charts.bitnami.com/bitnami && helm repo update && helm install my-release bitnami/nginx"
     ```
 
-## Use `command invoke` to run commands with an attached file or directory
+### Use `command invoke` to run commands with an attached file or directory
 
 * Run commands with an attached file or directory using the `az aks command invoke --command` command with the `--file` parameter. The following example command runs `kubectl apply -f deployment.yaml -n default` on the *myPrivateCluster* cluster in *myResourceGroup*. The `deployment.yaml` file is attached from the current directory on the development computer where `az aks command invoke` was run.
 
@@ -55,7 +61,7 @@ The pod created by the `run` command provides `helm` and the latest compatible v
       --file deployment.yaml
     ```
 
-### Use `command invoke` to run commands with all files in the current directory attached
+#### Use `command invoke` to run commands with all files in the current directory attached
 
 * Run commands with all files in the current directory attached using the `az aks command invoke --command` command with the `--file` parameter. The following example command runs  `kubectl apply -f deployment.yaml configmap.yaml -n default` on the *myPrivateCluster* cluster in *myResourceGroup*. The `deployment.yaml` and `configmap.yaml` files are part of the current directory on the development computer where `az aks command invoke` was run.
 
@@ -67,13 +73,51 @@ The pod created by the `run` command provides `helm` and the latest compatible v
       --file .
     ```
 
+### [Azure portal - `Run command`](#tab/azure-portal)
+
+To get started with `Run command`, navigate to your private cluster in the Azure portal. Under the **Kubernetes resources** section, select **Run command**.
+
+:::image type="content" source="media/access-private-cluster/azure-portal-run-command.png" alt-text="Screenshot of browsing to the Azure portal Run command feature.":::
+
+### `Run command` commands
+
+You can use the following kubectl commands with the `Run command` feature:
+
+* `kubectl get nodes`
+* `kubectl get deployments`
+* `kubectl get pods`
+* `kubectl describe nodes`
+* `kubectl describe pod <pod-name>`
+* `kubectl describe deployment <deployment-name>`
+* `kubectl apply -f <file-name`
+
+### Use `Run command` to run a single command
+
+1. In the Azure portal, navigate to your private cluster.
+2. Under the **Kubernetes resources** section, select **Run command**.
+3. Enter the command you want to run and select **Run**.
+
+### Use `Run command` to run commands with attached files
+
+1. In the Azure portal, navigate to your private cluster.
+2. Under the **Kubernetes resources** section, select **Run command**.
+3. Select **Attach files**.
+4. Select **Browse for files**.
+
+    :::image type="content" source="media/access-private-cluster/azure-portal-run-command-attach-files.png" alt-text="Screenshot of attaching files to the Azure portal Run command.":::
+
+5. Select the file(s) you want to attach and then select **Attach**.
+6. Enter the command you want to run and select **Run**.
+
+--
+
 ## Troubleshooting
 
 For information on the most common issues with `az aks command invoke` and how to fix them, see [Resolve `az aks command invoke` failures][command-invoke-troubleshoot].
 
 ## Next steps
 
-In this article, you learned how to use `command invoke` to access a private cluster and run commands on that cluster. For more information on AKS clusters, see the following articles:
+In this article, you learned how to access a private cluster and run commands on that cluster. For more information on AKS clusters, see the following articles:
 
 * [Use a private endpoint connection in AKS](./private-clusters.md#use-a-private-endpoint-connection)
 * [Virtual networking peering in AKS](./private-clusters.md#virtual-network-peering)

articles/aks/media/access-private-cluster/azure-portal-run-command-attach-files.png

@@ -335,7 +335,7 @@ For associated best practices, see [Best practices for network connectivity and
 [private-endpoint-service]: ../private-link/private-endpoint-overview.md
 [virtual-network-peering]: ../virtual-network/virtual-network-peering-overview.md
 [express-route-or-vpn]: ../expressroute/expressroute-about-virtual-network-gateways.md
-[command-invoke]: command-invoke.md
+[command-invoke]: ./access-private-cluster.md
 [container-registry-private-link]: ../container-registry/container-registry-private-link.md
 [virtual-networks-name-resolution]: ../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server
 [virtual-networks-168.63.129.16]: ../virtual-network/what-is-ip-address-168-63-129-16.md

articles/aks/media/access-private-cluster/azure-portal-run-command.png

@@ -23,7 +23,7 @@ Chaos Studio uses [Chaos Mesh](https://chaos-mesh.org/), a free, open-source cha
 
 ## Limitations
 
-* You can use Chaos Mesh faults with private clusters by configuring [VNet Injection in Chaos Studio](chaos-studio-private-networking.md). Any commands issued to the private cluster, including the steps in this article to set up Chaos Mesh, need to follow the [private cluster guidance](../aks/private-clusters.md). Recommended methods include connecting from a VM in the same virtual network or using the [AKS command invoke](../aks/command-invoke.md) feature.
+* You can use Chaos Mesh faults with private clusters by configuring [VNet Injection in Chaos Studio](chaos-studio-private-networking.md). Any commands issued to the private cluster, including the steps in this article to set up Chaos Mesh, need to follow the [private cluster guidance](../aks/private-clusters.md). Recommended methods include connecting from a VM in the same virtual network or using the [AKS command invoke](../aks/access-private-cluster.md) feature.
 * AKS Chaos Mesh faults are only supported on Linux node pools.
 * Currently, Chaos Mesh faults don't work if the AKS cluster has [local accounts disabled](../aks/manage-local-accounts-managed-azure-ad.md).
 * If your AKS cluster is configured to only allow authorized IP ranges, you need to allow Chaos Studio's IP ranges. You can find them by querying the `ChaosStudio` [service tag with the Service Tag Discovery API or downloadable JSON files](../virtual-network/service-tags-overview.md). 

articles/aks/private-clusters.md

@@ -22,7 +22,7 @@ Chaos Studio uses [Chaos Mesh](https://chaos-mesh.org/), a free, open-source cha
 
 ## Limitations
 
-* You can use Chaos Mesh faults with private clusters by configuring [VNet Injection in Chaos Studio](chaos-studio-private-networking.md). Any commands issued to the private cluster, including the steps in this article to set up Chaos Mesh, need to follow the [private cluster guidance](../aks/private-clusters.md). Recommended methods include connecting from a VM in the same virtual network or using the [AKS command invoke](../aks/command-invoke.md) feature.
+* You can use Chaos Mesh faults with private clusters by configuring [VNet Injection in Chaos Studio](chaos-studio-private-networking.md). Any commands issued to the private cluster, including the steps in this article to set up Chaos Mesh, need to follow the [private cluster guidance](../aks/private-clusters.md). Recommended methods include connecting from a VM in the same virtual network or using the [AKS command invoke](../aks/access-private-cluster.md) feature.
 * AKS Chaos Mesh faults are only supported on Linux node pools.
 * Currently, Chaos Mesh faults don't work if the AKS cluster has [local accounts disabled](../aks/manage-local-accounts-managed-azure-ad.md).
 * If your AKS cluster is configured to only allow authorized IP ranges, you need to allow Chaos Studio's IP ranges. You can find them by querying the `ChaosStudio` [service tag with the Service Tag Discovery API or downloadable JSON files](../virtual-network/service-tags-overview.md).