If you deploy your Azure Kubernetes Service (AKS) cluster in a private virtual network (VNET) to enhance security, management of the cluster becomes more complex; that is the usual price of tighter security. By default, when you use the az aks get-credentials command to configure access to your AKS cluster, it retrieves the private DNS name of the Kubernetes API server. However, if you need to access your private AKS cluster over a VPN, you can use the --public-fqdn switch to obtain the public Fully Qualified Domain Name (FQDN) of the API server instead. This works because, by default, AKS also creates a public FQDN with an A record in Azure public DNS that points to the private address of your API server, so a VPN client can resolve the name without access to the cluster’s private DNS zone. In this blog post, we’ll explore how to use the az aks get-credentials command with the --public-fqdn switch and why it plays a crucial role when accessing a private AKS cluster over a VPN.
Understanding the az aks get-credentials command
Before diving into the details of using the --public-fqdn switch, let’s briefly review the primary purpose of the az aks get-credentials command. This command is part of the Azure CLI (Command-Line Interface) and configures access to an existing AKS cluster from the command line. Running it downloads the necessary Kubernetes configuration file, usually referred to as the kubeconfig, and stores it locally. The kubeconfig file contains the credentials and connection details required to interact with the AKS cluster’s Kubernetes API server.
Accessing Private AKS Cluster over VPN
When you deploy an AKS cluster in a private VNET, the Kubernetes API server has no public IP address associated with it by default; it is reachable only from within the VNET (or from networks routed to it). To access your AKS cluster over a VPN, use the public FQDN of the API server, which Azure provides when you pass the --public-fqdn switch to the az aks get-credentials command.
To access your private AKS cluster when connected to your VPN, follow these steps:
- Open your command-line interface or terminal.
- Ensure that you have the Azure CLI installed and updated to the latest version.
- Log in to your Azure account using the az login command.
Now, let’s use the az aks get-credentials command with the --public-fqdn switch:

az aks get-credentials --resource-group YOUR_RESOURCE_GROUP_NAME --name YOUR_AKS_CLUSTER_NAME --public-fqdn

Replace YOUR_RESOURCE_GROUP_NAME and YOUR_AKS_CLUSTER_NAME with the appropriate values for your AKS cluster.
VPN Routing Considerations
While the --public-fqdn switch is essential for accessing a private AKS cluster over a VPN, VPN connectivity to the cluster’s VNET still depends on correct routing. The public FQDN resolves to the API server’s private address, so the VPN client must have a route to the VNET that hosts the AKS cluster; otherwise name resolution succeeds but the connection to the API server fails. Ensure that your VPN setup includes the necessary routing rules so that a connection to your AKS cluster can be established.
Conclusion
In conclusion, using the az aks get-credentials command with the --public-fqdn switch is vital when accessing a private AKS cluster over a VPN. It lets you obtain the public FQDN of the Kubernetes API server, enabling controlled access from outside the VNET without exposing the API server itself to the internet. However, it is equally essential to configure your VPN with the appropriate routes to the AKS cluster’s VNET to ensure seamless connectivity. With the correct setup and proper usage of the --public-fqdn switch, you can confidently access your private AKS cluster over a VPN while maintaining the highest level of security and control.