Private AKS with public internet egress access

Blair, Robert 0 Reputation points
2025-02-21T20:59:03.4466667+00:00

I created a private AKS cluster and am using a private VNet address space. I need the pods on this cluster to be able to access the internet for monitoring purposes. Some of the documents I am reading say this setup does this by default, but after doing a traceroute I am not 100% sure this is happening. Is there anything else that needs to be defined for the pods to access the internet?

Azure Kubernetes Service (AKS)

1 answer

  1. LISBOA 75 Reputation points Microsoft Employee
    2025-02-22T08:16:18.5333333+00:00

    Hello Blair, Robert

    By using a private cluster, you ensure network traffic between your API server and your node pools remains on the private network only.

    None of the networking features for publishing applications hosted on the AKS cluster are affected. You can check our documentation on the available Service Types in detail here.

    To make the services public, also check the options below:

    - Load Balancer Service with Azure Basic or Standard (default) load balancers [Reference]

    - Ingress with Azure Load Balancer [Reference]

    - Application Gateway Ingress Controller [Reference]


    Please be aware that the API server endpoint has no public IP address.

    To manage the API server, you will need to use a VM (jumphost) that has access to the AKS cluster VNet.

    There are several options for establishing network connectivity to the private cluster.

    • Create a VM in the same Azure Virtual Network (VNet) as the AKS cluster.
    • Use a VM in a separate network and set up Virtual network peering. See the section below for more information on this option.
    • Use an Express Route or VPN connection.
    • Use the AKS Run Command feature.
    • Creating a VM in the same VNET as the AKS cluster is the easiest option. Express Route and VPNs add costs and require additional networking complexity. Virtual network peering requires you to plan your network CIDR ranges to ensure there are no overlapping ranges.
    • IP authorized ranges can't be applied to the private API server endpoint; they only apply to the public API server.
    • Azure Private Link service limitations apply to private clusters.

    For more information, please check this article.


    Hope this helps.

    Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.

    Thank you

    Lisboa

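The answer's key point is that the private-cluster setting only keeps API-server-to-node traffic private; whether pods can reach the internet is decided by the cluster's outbound type and, for user-defined routing, by the route table on the node subnet. The check below is an added example, not code from the original thread or from Microsoft. It reads the `networkProfile.outboundType` and `apiServerAccessProfile.enablePrivateCluster` fields that `az aks show -o json` returns, plus the `routes` array from `az network route-table show`, and reports the effective egress path. The cluster name, subscription id, subnet id and firewall address in the samples are constructed placeholders.

```python
import json

# Constructed sample of `az aks show -g <rg> -n <name> -o json`, reduced to the
# fields this check reads. Resource names and ids are placeholders.
AKS_SHOW_SAMPLE = json.dumps({
    "name": "aks-private-demo",
    "apiServerAccessProfile": {"enablePrivateCluster": True},
    "networkProfile": {"outboundType": "userDefinedRouting"},
    "agentPoolProfiles": [{
        "name": "nodepool1",
        "vnetSubnetId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                        "/resourceGroups/rg-demo/providers/Microsoft.Network"
                        "/virtualNetworks/vnet-demo/subnets/snet-aks",
    }],
})

# Constructed sample of the `routes` array of the route table attached to the
# node subnet (`az network route-table show ... --query routes -o json`).
ROUTES_SAMPLE = [
    {"name": "to-firewall", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
]

# Next-hop types that can carry a default route for a UDR egress cluster.
UDR_NEXT_HOPS = ("VirtualAppliance", "VirtualNetworkGateway")


def default_route(routes):
    """Return the 0.0.0.0/0 route from a route-table `routes` list, or None."""
    for route in routes or []:
        if route.get("addressPrefix") == "0.0.0.0/0":
            return route
    return None


def egress_assessment(aks_show_json, routes=None):
    """Classify how pods on the cluster reach the internet and list findings."""
    cluster = json.loads(aks_show_json)
    private = bool(cluster.get("apiServerAccessProfile", {}).get("enablePrivateCluster"))
    outbound = cluster.get("networkProfile", {}).get("outboundType", "loadBalancer")
    route = default_route(routes)
    findings = []

    if private:
        findings.append("private cluster: only API server <-> node traffic is kept private; "
                        "pod egress is governed by outboundType, not by this setting")

    if outbound == "loadBalancer":
        # AKS provisions a Standard Load Balancer with outbound rules; pods are SNATed
        # to its public IP unless a route table overrides the default route.
        path = "SNAT via AKS-managed Standard Load Balancer outbound rules"
        if route and route.get("nextHopType") in UDR_NEXT_HOPS:
            findings.append("0.0.0.0/0 is routed to an NVA/gateway while outboundType is "
                            "loadBalancer: return traffic can be asymmetric; use "
                            "userDefinedRouting or remove the route")
    elif outbound in ("managedNATGateway", "userAssignedNATGateway"):
        path = "SNAT via NAT gateway on the node subnet"
    elif outbound == "userDefinedRouting":
        # AKS provisions no outbound path at all; the route table must supply one.
        if route is None:
            path = "none"
            findings.append("outboundType is userDefinedRouting but the node subnet has "
                            "no 0.0.0.0/0 route: pods have no internet path")
        elif route.get("nextHopType") not in UDR_NEXT_HOPS:
            path = "none"
            findings.append(f"0.0.0.0/0 next hop is {route.get('nextHopType')}, expected "
                            "VirtualAppliance (firewall/NVA) or VirtualNetworkGateway")
        else:
            path = f"via {route.get('nextHopType')} at {route.get('nextHopIpAddress', 'n/a')}"
            findings.append("the firewall/NVA must permit the AKS required outbound "
                            "endpoints and the monitoring endpoints the pods call")
    else:
        path = "unknown"
        findings.append(f"unrecognised outboundType {outbound!r}")

    return {"private_api_server": private, "outbound_type": outbound,
            "egress_path": path, "findings": findings}


def has_internet_path(assessment):
    """True when the assessment found a usable egress path for pods."""
    return assessment["egress_path"] not in ("none", "unknown")


if __name__ == "__main__":
    for routes in (ROUTES_SAMPLE, []):
        print(json.dumps(egress_assessment(AKS_SHOW_SAMPLE, routes), indent=2))
```

Run it against live output by replacing the two samples with the JSON from `az aks show` and `az network route-table show` for the route table on the node subnet. Whatever the static check says, confirm the path end to end from inside the cluster with a short-lived pod, for example `kubectl run --rm -it egress-probe --image=curlimages/curl --restart=Never -- curl -sSI https://mcr.microsoft.com`; a timeout there with a clean assessment usually points at an NSG or firewall rule rather than at the private-cluster setting.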