Private AKS cluster – configuration, devops pipelines etc.

Microsoft quite recently announced private AKS clusters. A private AKS cluster basically means that the API server is not exposed to the public internet but instead has an internal IP address. This is a good thing from a security perspective, as it substantially reduces your cluster's attack surface.

Setting up a cluster like that is very easy, but unfortunately, if you are like me and already have existing clusters, you have to re-create them from scratch to make them private, at least at the time of writing this article.

The first thing you need to do is actually deploy your private cluster, and it is as simple as this: your regular way of creating the AKS cluster, but remember to provide the switch --enable-private-cluster. You can get the credentials for your fresh cluster the regular way by simply running az aks get-credentials, but remember that the cluster is now exactly that, private, so in order to access it you need to be on the internal network. Time to hit that VPN.

The other thing is the resolution of your private address. If you look in the resource group containing the nodes of your AKS cluster, there is a private DNS zone resource there. To access the cluster you need to add the IP address of the A record on it, together with the DNS name, to your hosts file.
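The steps above (create the cluster with --enable-private-cluster, fetch credentials, read the A record from the private DNS zone in the node resource group, put it in the hosts file) as one POSIX shell script. This is an added example, not code from the original post: the resource group, cluster name and hosts file path are placeholders, the az and kubectl calls only run when RUN_AKS=1 is set, and the helper functions (is_ipv4, is_rfc1918, add_hosts_entry, lookup_private_endpoint) are my own names. The RFC 1918 check is there so you notice if the address you are about to trust is not actually private.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: RG, CLUSTER,
# HOSTS_FILE. Real az/kubectl calls are gated behind RUN_AKS=1.
RG="${RG:-rg-private-aks}"          # assumed resource group name
CLUSTER="${CLUSTER:-aks-private}"   # assumed cluster name
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# Return 0 when the argument is a syntactically valid dotted-quad IPv4 address.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Return 0 when the address is RFC 1918 private space. A private AKS API
# server must resolve to such an address; anything else means you are not
# talking to the private endpoint you think you are.
is_rfc1918() {
  is_ipv4 "$1" || return 1
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.*)
      second=$(echo "$1" | cut -d. -f2)
      [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0
      ;;
  esac
  return 1
}

# Idempotently write "ip fqdn" into a hosts file. Any stale line for the same
# FQDN is dropped first, so a re-created cluster does not leave the old IP
# behind. /etc/hosts needs root; pass a scratch file as $3 to try it out.
add_hosts_entry() {
  ip=$1; fqdn=$2; file=${3:-$HOSTS_FILE}
  is_ipv4 "$ip" || { echo "invalid ip: $ip" >&2; return 1; }
  if [ -f "$file" ]; then
    grep -v -E "[[:space:]]$fqdn(\$|[[:space:]])" "$file" > "$file.tmp" || true
    mv "$file.tmp" "$file"
  fi
  printf '%s %s\n' "$ip" "$fqdn" >> "$file"
}

# Print "<ip> <private fqdn>" using the private DNS zone AKS created in the
# node resource group (requires a logged-in az CLI).
lookup_private_endpoint() {
  fqdn=$(az aks show -g "$RG" -n "$CLUSTER" --query privateFqdn -o tsv)
  node_rg=$(az aks show -g "$RG" -n "$CLUSTER" --query nodeResourceGroup -o tsv)
  zone=$(az network private-dns zone list -g "$node_rg" --query '[0].name' -o tsv)
  ip=$(az network private-dns record-set a list -g "$node_rg" --zone-name "$zone" \
        --query '[0].aRecords[0].ipv4Address' -o tsv)
  echo "$ip $fqdn"
}

if [ "${RUN_AKS:-0}" = "1" ]; then
  # regular cluster creation plus the private-cluster switch
  az aks create -g "$RG" -n "$CLUSTER" --enable-private-cluster \
    --node-count 1 --generate-ssh-keys
  az aks get-credentials -g "$RG" -n "$CLUSTER" --overwrite-existing
  set -- $(lookup_private_endpoint)
  is_rfc1918 "$1" || { echo "API server $1 is not a private address" >&2; exit 1; }
  add_hosts_entry "$1" "$2"
  kubectl cluster-info   # only succeeds once you are on the VPN / internal network
fi
```

Run it as `RUN_AKS=1 sh private-aks.sh` from a machine on the internal network; without RUN_AKS the file only defines the functions, which is what makes the hosts-file and address checks easy to exercise on a scratch file first.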

After confirming that you're on the internal network and that you're able to resolve the private DNS zone, you can hit the API server as with any cluster. If you need to use a DNS server on your internal network, you need to specify the forwarding through the CoreDNS configuration. For example like so (where x.x.x.x is your internal DNS's IP):
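One way to set up that forwarding, as an added example rather than the configuration from the original post: AKS reads extra CoreDNS server blocks from a ConfigMap named coredns-custom in kube-system, where every key ending in .server is loaded as its own server block. The script below renders such a ConfigMap that forwards only an assumed internal zone (corp.example) to the internal resolver (INTERNAL_DNS, the x.x.x.x of the post), applies it, restarts CoreDNS and resolves a name from inside the cluster. The zone name, the 10.0.0.4 address and the function names are mine; the cluster-touching part only runs with RUN_AKS=1.

```shell
#!/bin/sh
# Added example (not from the original post). INTERNAL_DNS stands in for the
# post's x.x.x.x; INTERNAL_ZONE is an assumed internal domain.
INTERNAL_DNS="${INTERNAL_DNS:-10.0.0.4}"
INTERNAL_ZONE="${INTERNAL_ZONE:-corp.example}"

# Render the coredns-custom ConfigMap. Only the internal zone is forwarded to
# the internal resolver; everything else keeps the default upstream, which is
# narrower than forwarding "." wholesale and keeps internet names out of the
# internal server's logs.
render_coredns_custom() {
  zone=$1; dns=$2
  case "$dns" in
    ''|*[!0-9.]*) echo "forwarder must be an IPv4 address: $dns" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns-custom
  namespace: kube-system
data:
  ${zone}.server: |
    ${zone}:53 {
        errors
        cache 30
        forward . ${dns}
    }
EOF
}

# Apply the ConfigMap, restart CoreDNS so it picks the block up, and prove the
# forwarding works by resolving a name in the zone from a throwaway pod.
apply_and_verify() {
  render_coredns_custom "$INTERNAL_ZONE" "$INTERNAL_DNS" | kubectl apply -f -
  kubectl -n kube-system rollout restart deployment coredns
  kubectl -n kube-system rollout status deployment coredns
  kubectl run dnscheck --rm -it --restart=Never --image=busybox:1.36 -- \
    nslookup "host.${INTERNAL_ZONE}"
}

if [ "${RUN_AKS:-0}" = "1" ]; then
  apply_and_verify
fi
```

If you later add a second internal zone, give it its own key (for example other.zone.server) in the same ConfigMap rather than widening the existing block, so each forward rule stays scoped to one domain.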

Another cool thing you can now leverage is private endpoints, which essentially give services like Azure Container Registry, Key Vault, Cosmos DB or Azure Service Bus a private IP on your cluster vnet, so that you can access them without going through the internet, making the setup even more secure. I'll write an article about these at an upcoming time.
