How to expose services in private AKS cluster?
I've created a private cluster on AKS and deployed some workloads to it, but I'm not sure how to connect to the services. They are all NodePort services, both TCP & UDP.
Initially, I thought that the endpoint AKS provides could be used to interact with the cluster as a whole, but this isn't the case -- this only exposes the Kubernetes API (probably why they call it the API endpoint).
I also tried using the VMSS public IP but that didn't work either. Using the instance IP works, but the IPs would change over time, right?
Ultimately I decided to use an ingress controller and proxy the traffic, but because I'm using mixed protocols I would need two. Not to mention this seems too complex to be the reasonable solution to this problem.
How to expose services on a private AKS cluster? This should be a pretty common problem, I think, but I haven't found a clear solution.
Solution 1:
If anyone ever finds themselves in this situation, we ended up using ExternalDNS and a private zone, since we're using NodePorts anyways.
This gives us a stable endpoint which will be automatically updated if one of the node's IPs ever changes.
Something to note is that the documentation implies no role assignment over the subscription is needed (by default, create-for-rbac grants Contributor on the subscription to the service principal, which --skip-assignment avoids), but this didn't work for me: ExternalDNS got permission denied when trying to read the private zones. I tried some different combinations but ended up giving Private DNS Zone Contributor on the subscription and skipping any assignments to the zone and resource group.
Also want to point out a gotcha: there are two providers for Azure, azure for public DNS and azure-private-dns for private DNS, and they differ slightly in configuration.