In private AKS clusters, the API server endpoint has no public IP address. To manage the API server, you need to use a virtual machine (VM) or container that has access to the virtual network (VNet) of the AKS cluster. There are several options for establishing network connectivity to the private cluster:
- Use Azure Bastion's native client tunneling feature (preview).
- Use a VM in a separate network and set up virtual network peering.
- Use a private endpoint connection.
- Create a VM in the same VNet as the AKS cluster using the az vm create command with the --vnet-name flag.
- Use an Express Route or VPN connection.
- Use the AKS command invoke feature.
Connect using Azure Bastion (preview)
Azure Bastion is a fully managed PaaS service that you provision to securely connect to private resources via private IP addresses. To use Bastion's native client tunneling feature, see Connect to AKS private cluster using Azure Bastion.
Connect using virtual network (VNet) peering
To use VNet peering, you need to set up a link between the VNet and the private DNS zone. You can set up VNet peering using either the Azure portal or the Azure CLI.
Use the Azure portal
In the Azure portal, navigate to your node resource group and select your private DNS zone resource.
In the service menu, under DNS Management, select Virtual Network Links > Add.
On the Add Virtual Network Link page, configure the following settings:
- Link name: Enter a name for the virtual network link.
- Virtual Network: Select the virtual network that contains the VM.
Select Create to create the virtual network link.
Navigate to the resource group that contains the virtual network of your AKS cluster and select your virtual network resource.
In the service menu, under Settings, select Peerings > Add.
On the Add peering page, configure the following settings:
- Peering link name: Enter a name for the peering link.
- Virtual network: Select the virtual network of the VM.
Select Add to create the peering link.
For more information, see Virtual network peering.
Use the Azure CLI
Create a new link to add the virtual network of the VM to the private DNS zone using the az network private-dns link vnet create command.
az network private-dns link vnet create \
--name <new-link-name> \
--resource-group <node-resource-group-name> \
--zone-name <private-dns-zone-name> \
--virtual-network <vm-virtual-network-resource-id> \
--registration-enabled false
Create a peering between the virtual network of the VM and the virtual network of the node resource group using the az network vnet peering create command.
az network vnet peering create \
--name <new-peering-name-1> \
--resource-group <vm-virtual-network-resource-group-name> \
--vnet-name <vm-virtual-network-name> \
--remote-vnet <node-resource-group-virtual-network-resource-id> \
--allow-vnet-access
Create a second peering, in the opposite direction, between the virtual network of the node resource group and the virtual network of the VM using the az network vnet peering create command.
az network vnet peering create \
--name <new-peering-name-2> \
--resource-group <node-resource-group-name> \
--vnet-name <node-resource-group-virtual-network-name> \
--remote-vnet <vm-virtual-network-resource-id> \
--allow-vnet-access
List the virtual network peerings you created using the az network vnet peering list command. The --vnet-name value is the node resource group's virtual network, not the private DNS zone.
az network vnet peering list \
--resource-group <node-resource-group-name> \
--vnet-name <node-resource-group-virtual-network-name>
Use a private endpoint connection
You can set up a private endpoint so that a VNet doesn't need to be peered to communicate with the private cluster. To set up a private endpoint connection, you first create a new private endpoint in the virtual network containing the consuming resources, and then create a link between your virtual network and a new private DNS zone in the same network.
Important
If the virtual network is configured with custom DNS servers, you need to set up private DNS appropriately for the environment. For more information, see the Virtual network name resolution documentation.
Create a private endpoint resource
From the Azure portal home page, select Create a resource.
Search for Private Endpoint and select Create > Private Endpoint.
Select Create.
On the Basics tab, configure the following settings:
Project details
- Subscription: Select the subscription where your private cluster is located.
- Resource group: Select the resource group that contains your virtual network.
Instance details
- Name: Enter a name for your private endpoint, such as myPrivateEndpoint.
- Region: Select the same region as your virtual network.
Select Next: Resource and configure the following settings:
- Connection method: Select Connect to an Azure resource in my directory.
- Subscription: Select the subscription where your private cluster is located.
- Resource type: Select Microsoft.ContainerService/managedClusters.
- Resource: Select your private cluster.
- Target sub-resource: Select management.
Select Next: Virtual Network and configure the following settings:
Networking
- Virtual network: Select your virtual network.
- Subnet: Select your subnet.
Select Next: DNS > Next: Tags and (optionally) set up key-values as needed.
Select Next: Review + create > Create.
Once the resource is created, record the private IP address of the private endpoint for future use.
Create a private DNS zone
Once you create the private endpoint, create a new private DNS zone with the same name as the private DNS zone created by the private cluster. Remember to create this DNS zone in the VNet containing the consuming resources.
In the Azure portal, navigate to your node resource group and select your private DNS zone resource.
In the service menu, under DNS Management, select Recordsets and note the following:
- The name of the private DNS zone, which follows the pattern *.privatelink.<region>.cx.prod.service.azk8s.cn.
- The name of the A record (excluding the private DNS zone name).
- The time-to-live (TTL).
From the Azure portal home page, select Create a resource.
Search for Private DNS zone and select Create > Private DNS zone.
On the Basics tab, configure the following settings:
Project details
- Select your Subscription.
- Select the Resource group where you created the private endpoint.
Instance details
- Name: Enter the name of the DNS zone retrieved from previous steps.
- Region: Defaults to the location of your resource group.
Select Review + create > Create.
Create an A record
Once the private DNS zone is created, create an A record, which associates the private endpoint to the private cluster.
Navigate to your private DNS zone resource.
In the service menu, under DNS Management, select Recordsets > Add.
On the Add record set page, configure the following settings:
- Name: Enter the name retrieved from the A record in the private cluster's DNS zone.
- Type: Select A - Address record.
- TTL: Enter the number from the A record in the private cluster's DNS zone.
- TTL unit: Change the dropdown value to match the one in the A record from the private cluster's DNS zone.
- IP address: Enter the IP address of the private endpoint you created.
Select Add to create the A record.
Important
When creating the A record, only use the name and not the fully qualified domain name (FQDN).
Link the private DNS zone to the virtual network
Once the A record is created, link the private DNS zone to the virtual network that will access the private cluster.
Navigate to your private DNS zone resource.
In the service menu, under DNS Management, select Virtual Network Links > Add.
On the Add Virtual Network Link page, configure the following settings:
- Link name: Enter a name for your virtual network link.
- Subscription: Select the subscription where your private cluster is located.
- Virtual Network: Select the virtual network of your private cluster.
Select Create to create the link.
It might take a few minutes for the operation to complete. Once the virtual network link is created, you can access it from the Virtual Network Links tab you used in step 2.
Warning
- If the private cluster is stopped and restarted, the private cluster's original private link service is removed and recreated, which breaks the connection between your private endpoint and the private cluster. To resolve this issue, delete and recreate any user-created private endpoints linked to the private cluster. If the recreated private endpoints have new IP addresses, you also need to update DNS records.
- If you update the DNS records in the private DNS zone, ensure the host that you're trying to connect from is using the updated DNS records. You can verify this using the nslookup command. If you notice the updates aren't reflected in the output, you might need to flush the DNS cache on your machine and try again.
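The portal procedure above (private endpoint, private DNS zone, A record, VNet link) carried out with the Azure CLI, as an added example that is not part of this page or Microsoft's own tooling. It assumes the environment variables CLUSTER_RG, CLUSTER_NAME, VM_RG, VM_VNET, VM_SUBNET and PE_NAME, and derives the A record name and zone name from the cluster's private FQDN rather than copying them from the Recordsets page, which removes the easiest mistake (entering the FQDN as the record name).

```shell
#!/bin/sh
# Added example, not Microsoft's script. Assumed inputs (environment variables):
#   CLUSTER_RG / CLUSTER_NAME  the private AKS cluster
#   VM_RG / VM_VNET / VM_SUBNET the consuming VNet that will reach the API server
#   PE_NAME                    a name for the new private endpoint

# split_private_fqdn FQDN -> prints "<a-record-name> <private-dns-zone-name>"
# e.g. myaks-abc123.1a2b3c.privatelink.chinanorth3.cx.prod.service.azk8s.cn
#   -> "myaks-abc123" and "1a2b3c.privatelink.chinanorth3.cx.prod.service.azk8s.cn"
split_private_fqdn() {
  fqdn=$1
  case "$fqdn" in
    *.*) ;;
    *) echo "not an FQDN: $fqdn" >&2; return 1 ;;
  esac
  printf '%s %s\n' "${fqdn%%.*}" "${fqdn#*.}"
}

# Runs the real Azure CLI steps; needs an authenticated az session.
create_private_endpoint_dns() {
  cluster_id=$(az aks show -g "$CLUSTER_RG" -n "$CLUSTER_NAME" --query id -o tsv)
  fqdn=$(az aks show -g "$CLUSTER_RG" -n "$CLUSTER_NAME" --query privateFqdn -o tsv)
  set -- $(split_private_fqdn "$fqdn")
  record=$1; zone=$2

  # 1. Private endpoint in the consuming VNet, targeting the cluster's "management" sub-resource.
  az network private-endpoint create -g "$VM_RG" -n "$PE_NAME" \
    --vnet-name "$VM_VNET" --subnet "$VM_SUBNET" \
    --private-connection-resource-id "$cluster_id" \
    --group-id management --connection-name "$PE_NAME-conn" -o none
  # 2. Record the endpoint's private IP (the portal step "record the private IP address").
  nic_id=$(az network private-endpoint show -g "$VM_RG" -n "$PE_NAME" \
    --query 'networkInterfaces[0].id' -o tsv)
  pe_ip=$(az network nic show --ids "$nic_id" \
    --query 'ipConfigurations[0].privateIPAddress' -o tsv)
  # 3. Private DNS zone with the same name as the cluster's zone, in the consuming VNet's RG.
  az network private-dns zone create -g "$VM_RG" -n "$zone" -o none
  # 4. A record: the short name only, never the FQDN.
  az network private-dns record-set a add-record -g "$VM_RG" -z "$zone" \
    -n "$record" -a "$pe_ip" -o none
  # 5. Link the zone to the consuming VNet with auto-registration disabled.
  az network private-dns link vnet create -g "$VM_RG" -z "$zone" -n "$PE_NAME-link" \
    --virtual-network "$VM_VNET" --registration-enabled false -o none
  echo "From $VM_VNET, '$fqdn' should now resolve to $pe_ip; verify with: nslookup $fqdn"
}

# Only talk to Azure when explicitly asked, so the helper can be sourced on its own.
if [ "${RUN_AZ:-0}" = 1 ]; then create_private_endpoint_dns; fi
```

After a stop/start of the cluster, rerun step 1 and, if the endpoint's IP changed, step 4 with the new address, as the Warning above describes.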
Create a VM in the same virtual network
To create a VM in the same VNet as your private AKS cluster, use the az vm create command with the --vnet-name flag to specify the VNet.
az vm create \
--resource-group <resource-group-name> \
--name <vm-name> \
--image <image-name> \
--vnet-name <vm-virtual-network-name> \
--subnet <subnet-name> \
--admin-username <admin-username> \
--admin-password <admin-password>
Use an Express Route or VPN connection
To use an Express Route or VPN connection, see About ExpressRoute virtual network gateways.
Use the AKS command invoke feature
To use the AKS command invoke feature to connect to a private cluster, see Access a private cluster using command invoke.
Related content
For more information about private clusters in AKS, see Create a private Azure Kubernetes Service (AKS) cluster.