I would like to configure Service connector between Keyvault and my private AKS cluster

Juba Saadi 0

Hello,
I'm currently facing some issue trying to configure the CSI Driver with my private Kubernetes Cluster.
The is a private cluster running inside a Vnet, and the KeyVault that I want to connect to is also registered on that Vnet.
However when I create the connection through the AKS Service connector panel, I see the Private link and Virtual Network configuration grayed out.
Naturally the KeyVault service type connection end up with a TimeOut exception when I create it.

Any help or hint would be highly appreciated.
Best
Juba

User's image

1 answer

Markapuram Sudheer Reddy 990 Reputation points Microsoft Vendor

2025-02-21T20:16:43.9433333+00:00

Hi Juba Saadi,

Thank You for reaching out to Microsoft Q&A forum.

Can you please share the steps or approach you followed for installation of an CSI driver in a aks cluster.

Ensure to disable public access in the Key Vault to ensure it only accepts traffic through the private endpoint and a private endpoint is configured in a key vault.

Ensure DNS resolution is set up correctly with the private endpoint.

Check below documentation for information regarding troubleshooting about private link integrate with key vault. https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal#troubleshooting-guide

If you find any logs or errors during setup, please share here, we will help you.
Please sign in to rate this answer.
Juba Saadi 0 Reputation points

2025-02-24T14:19:54.8533333+00:00

Dear Markapuram Sudheer Reddy
Thank you for the fast reply.
The approach that I followed was the following one.

Create a private AKS cluster (With the Control Plan only accessible through a Vnet)

I enabled the Secret Store CSI Driver plugin from the configuration

Successfully verified the Installation using the following guide

I created a Subnet in the Cluster Virtual network with a Microsoft.KeyVault Service Endpoint

I created a new Azure Key Vault

Enabled the RBAC Authorization

Created an Example Secret

Disabled all public access

Created a Private endpoint connected to the same Virtual Network as the Cluster and more precisely to the SubNet create in 2. and with a new private dns record

After these steps I get back to the private cluster configuration to establish the service connector. From there I can successfully select the created key-vault but in the Networking window I only see the option to Configure firewall rules to enable access to target service which of course will reach a timeout exception.

I'm looking forward to reading from you
Best regards

Juba SAADI

Markapuram Sudheer Reddy 990 Reputation points Microsoft Vendor

2025-02-25T12:48:53.4233333+00:00

Hi Juba Saadi,

Thank You for the response.

Ensure your VNet of your AKS cluster is linked to the private DNS zone for Key Vault and a DNS resolution is correctly set up for the private endpoint. And also ensure all are in same region.

Check AKS cluster is integrated with the correct VNet.

Try to link the private DNS zone to your VNet.

az network private-dns link vnet create --resource-group myResourceGroup --name myDNSLink --zone-name "privatelink.vaultcore.azure.net" --virtual-network myVNet --registration-enabled false

Try to use below documentation to troubleshoot private link configuration issues-https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-diagnostics

Please use below documentation for more information

https://learn.microsoft.com/en-us/azure/service-connector/how-to-integrate-key-vault?tabs=dotnet

https://learn.microsoft.com/he-il/azure/aks/csi-secrets-store-driver

If you have any queries or facing errors during configuration, please share in detail, we will help you.

Markapuram Sudheer Reddy 990 Reputation points Microsoft Vendor

2025-02-26T16:45:41.5633333+00:00

Hi Juba Saadi,

I wanted to follow up regarding above response to your query.

If you have any questions, please do let us know, we will help you.

Juba Saadi 0 Reputation points

2025-02-27T12:54:52.8466667+00:00

Dear Markapuram Sudheer Reddy,

After careful review of the resources, we haven't found anything configured against what you recommended in your reply as well as recommended in the guides.
To sum it up, we have:

A private AKS Cluster

Control plan accessible through a VNet

This part have been successfully tested by creating a VM running in the same network and Kubectl/Helm commands are running as expected

Creation of the cluster came up with a dedicated private DNS linked of course to the same Vnet as the Cluster

One record set for that Private DNS zone

A Key Vault

Private endpoint on the same Vnet as the Cluster

Consequently a new DNS private zone was created with a Virtual network link to the aks vnet & 1 record set

In the networking configuration we disabled all public access and just have one private endpoint connection

I guess that summarises the current state.

also FYI, I tested with an app deployed on the userpool of the private AKS to gain access to the KeyVault through the private endpoint and this worked as expected. I know that the Userpool and the control plan are different but that highlights that the private endpoint for the KeyVault is correctly configured.

Looking forward reading from you

Best regards

Juba

Juba Saadi 0 Reputation points

2025-02-28T11:19:52.1833333+00:00

**Ignore this comment, it was a duplicate**
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

I would like to configure Service connector between Keyvault and my private AKS cluster

1 answer

Your answer