Create an Azure Kubernetes Service cluster with API Server VNet Integration (Preview)
An Azure Kubernetes Service (AKS) cluster configured with API Server VNet Integration projects the API server endpoint directly into a delegated subnet in the VNet where AKS is deployed. API Server VNet Integration enables network communication between the API server and the cluster nodes without requiring a private link or tunnel. The API server is available behind an internal load balancer VIP in the delegated subnet, which the nodes are configured to utilize. By using API Server VNet Integration, you can ensure network traffic between your API server and your node pools remains on the private network only.
API server connectivity
The control plane or API server is in an AKS-managed Azure subscription. Your cluster or node pool is in your Azure subscription. The server and the virtual machines that make up the cluster nodes can communicate with each other through the API server VIP and pod IPs that are projected into the delegated subnet.
API Server VNet Integration is supported for public or private clusters. You can add or remove public access after cluster provisioning. Unlike non-VNet integrated clusters, the agent nodes always communicate directly with the private IP address of the API server internal load balancer (ILB) IP without using DNS. All node to API server traffic is kept on private networking, and no tunnel is required for API server to node connectivity. Out-of-cluster clients needing to communicate with the API server can do so normally if public network access is enabled. If public network access is disabled, you should follow the same private DNS setup methodology as standard private clusters.
Region availability
API Server VNet Integration is available in all global Azure regions.
Prerequisites
- Azure CLI with aks-preview extension 0.5.97 or later.
- If using ARM or the REST API, the AKS API version must be 2022-04-02-preview or later.
Install the aks-preview Azure CLI extension
Important
AKS preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see the following support articles:
Install the aks-preview extension using the
az extension add
command.az extension add --name aks-preview
Update to the latest version of the extension released using the
az extension update
command.az extension update --name aks-preview
Register the 'EnableAPIServerVnetIntegrationPreview' feature flag
Register the
EnableAPIServerVnetIntegrationPreview
feature flag using theaz feature register
command.az feature register --namespace "Microsoft.ContainerService" --name "EnableAPIServerVnetIntegrationPreview"
It takes a few minutes for the status to show Registered.
Verify the registration status using the
az feature show
command:az feature show --namespace "Microsoft.ContainerService" --name "EnableAPIServerVnetIntegrationPreview"
When the status reflects Registered, refresh the registration of the Microsoft.ContainerService resource provider using the
az provider register
command.az provider register --namespace Microsoft.ContainerService
Create an AKS cluster with API Server VNet Integration using managed VNet
You can configure your AKS clusters with API Server VNet Integration in managed VNet or bring-your-own VNet mode. You can create them as public clusters (with API server access available via a public IP) or private clusters (where the API server is only accessible via private VNet connectivity). You can also toggle between a public and private state without redeploying your cluster.
Create a resource group
Create a resource group using the
az group create
command.az group create --location chinanorth3 --name <resource-group>
Deploy a public cluster
Deploy a public AKS cluster with API Server VNet integration for managed VNet using the
az aks create
command with the--enable-api-server-vnet-integration
flag.az aks create --name <cluster-name> \ --resource-group <resource-group> \ --location <location> \ --network-plugin azure \ --enable-apiserver-vnet-integration \ --generate-ssh-keys
Deploy a private cluster
Deploy a private AKS cluster with API Server VNet integration for managed VNet using the
az aks create
command with the--enable-api-server-vnet-integration
and--enable-private-cluster
flags.az aks create --name <cluster-name> \ --resource-group <resource-group> \ --location <location> \ --network-plugin azure \ --enable-private-cluster \ --enable-apiserver-vnet-integration \ --generate-ssh-keys
Create a private AKS cluster with API Server VNet Integration using bring-your-own VNet
When using bring-your-own VNet, you must create and delegate an API server subnet to Microsoft.ContainerService/managedClusters
, which grants the AKS service permissions to inject the API server pods and internal load balancer into that subnet. You can't use the subnet for any other workloads, but you can use it for multiple AKS clusters located in the same virtual network. The minimum supported API server subnet size is a /28.
The cluster identity needs permissions to both the API server subnet and the node subnet. Lack of permissions at the API server subnet can cause a provisioning failure.
Warning
An AKS cluster reserves at least 9 IPs in the subnet address space. Running out of IP addresses may prevent API server scaling and cause an API server outage.
Create a resource group
- Create a resource group using the
az group create
command.
az group create --location <location> --name <resource-group>
Create a virtual network
Create a virtual network using the
az network vnet create
command.az network vnet create --name <vnet-name> \ --resource-group <resource-group> \ --location <location> \ --address-prefixes 172.19.0.0/16
Create an API server subnet using the
az network vnet subnet create
command.az network vnet subnet create --resource-group <resource-group> \ --vnet-name <vnet-name> \ --name <apiserver-subnet-name> \ --delegations Microsoft.ContainerService/managedClusters \ --address-prefixes 172.19.0.0/28
Create a cluster subnet using the
az network vnet subnet create
command.az network vnet subnet create --resource-group <resource-group> \ --vnet-name <vnet-name> \ --name <cluster-subnet-name> \ --address-prefixes 172.19.1.0/24
Create a managed identity and give it permissions on the virtual network
Create a managed identity using the
az identity create
command.az identity create --resource-group <resource-group> --name <managed-identity-name> --location <location>
Assign the Network Contributor role to the API server subnet using the
az role assignment create
command.az role assignment create --scope <apiserver-subnet-resource-id> \ --role "Network Contributor" \ --assignee <managed-identity-client-id>
Assign the Network Contributor role to the cluster subnet using the
az role assignment create
command.az role assignment create --scope <cluster-subnet-resource-id> \ --role "Network Contributor" \ --assignee <managed-identity-client-id>
Deploy a public cluster
Deploy a public AKS cluster with API Server VNet integration using the
az aks create
command with the--enable-api-server-vnet-integration
flag.az aks create --name <cluster-name> \ --resource-group <resource-group> \ --location <location> \ --network-plugin azure \ --enable-apiserver-vnet-integration \ --vnet-subnet-id <cluster-subnet-resource-id> \ --apiserver-subnet-id <apiserver-subnet-resource-id> \ --assign-identity <managed-identity-resource-id> \ --generate-ssh-keys
Deploy a private cluster
Deploy a private AKS cluster with API Server VNet integration using the
az aks create
command with the--enable-api-server-vnet-integration
and--enable-private-cluster
flags.az aks create --name <cluster-name> \ --resource-group <resource-group> \ --location <location> \ --network-plugin azure \ --enable-private-cluster \ --enable-apiserver-vnet-integration \ --vnet-subnet-id <cluster-subnet-resource-id> \ --apiserver-subnet-id <apiserver-subnet-resource-id> \ --assign-identity <managed-identity-resource-id> \ --generate-ssh-keys
Convert an existing AKS cluster to API Server VNet Integration
You can convert existing public/private AKS clusters to API Server VNet Integration clusters by supplying an API server subnet that meets the requirements listed earlier. These requirements include: in the same VNet as the cluster nodes, permissions granted for the AKS cluster identity, not used by other resources like private endpoint, and size of at least /28. Converting your cluster is a one-way migration. Clusters can't have API Server VNet Integration disabled after it's been enabled.
This upgrade performs a node-image version upgrade on all node pools and restarts all workloads while they undergo a rolling image upgrade.
Warning
Converting a cluster to API Server VNet Integration results in a change of the API Server IP address, though the hostname remains the same. If the IP address of the API server has been configured in any firewalls or network security group rules, those rules may need to be updated.
Update your cluster to API Server VNet Integration using the
az aks update
command with the--enable-apiserver-vnet-integration
flag.az aks update --name <cluster-name> \ --resource-group <resource-group> \ --enable-apiserver-vnet-integration \ --apiserver-subnet-id <apiserver-subnet-resource-id>
Enable or disable private cluster mode on an existing cluster with API Server VNet Integration
AKS clusters configured with API Server VNet Integration can have public network access/private cluster mode enabled or disabled without redeploying the cluster. The API server hostname doesn't change, but public DNS entries are modified or removed if necessary.
Note
--disable-private-cluster
is currently in preview. For more information, see Reference and support levels.
Enable private cluster mode
Enable private cluster mode using the
az aks update
command with the--enable-private-cluster
flag.az aks update --name <cluster-name> \ --resource-group <resource-group> \ --enable-private-cluster
Disable private cluster mode
Disable private cluster mode using the
az aks update
command with the--disable-private-cluster
flag.az aks update --name <cluster-name> \ --resource-group <resource-group> \ --disable-private-cluster
Connect to cluster using kubectl
Configure
kubectl
to connect to your cluster using theaz aks get-credentials
command.az aks get-credentials --resource-group <resource-group> --name <cluster-name>
NSG security rules
All traffic within the VNet is allowed by default. But if you have added NSG rules to restrict traffic between different subnets, ensure that the NSG security rules permit the following types of communication:
Destination | Source | Protocol | Port | Use |
---|---|---|---|---|
APIServer Subnet CIDR | Cluster Subnet | TCP | 443 and 4443 | Required to enable communication between Nodes and the API server. |
APIServer Subnet CIDR | Azure Load Balancer | TCP | 9988 | Required to enable communication between Azure Load Balancer and the API server. You can also enable all communicatios between the Azure Load Balancer and the API Server Subnet CIDR. |
Next steps
For associated best practices, see Best practices for network connectivity and security in AKS.