Hey everyone! Today, I’m excited to share a new feature that’s just hit preview in Azure Kubernetes Service (AKS). If you’ve ever wrestled with managing IP addresses for API server access, you’re going to love this. Azure has introduced the ability to use Service Tags for API Server authorized IP ranges, and it’s a game-changer.
Why This Feature is Awesome
If you’ve been running AKS clusters for a while, you know how tricky it can be to manage IP address ranges for the API server. It’s like trying to keep track of a moving target, especially when you’re dealing with multiple services that need access. Enter Service Tags—these handy tools let you specify a whole group of IP addresses with just one tag. No more manually updating IP ranges when Azure services change their addresses!
For example, let’s say you want all Azure services to access your AKS API server. With this new feature, you can simply use the AzureCloud Service Tag. It’s quick, it’s easy, and it reduces the chance of making mistakes.
Limitations and Where It’s Available
Before you get too excited, there are a few things you need to know:
– Not Compatible with API Server VNet Integration: Unfortunately, this feature doesn’t play well with API Server VNet Integration. So, if you’re using that, you’ll need to stick with traditional IP ranges for now.
– Only in Certain Regions: As of now, this feature is only available in the following regions:
- eastus2euap
- centraluseuap
- westcentralus
- eastasia
- uksouth
- eastus
It’s also worth mentioning that this feature is still in preview. That means it’s provided “as is,” and it’s not recommended for production use. Support is best-effort, and there’s no service-level agreement (SLA) backing it up just yet.
What Are Service Tags Anyway?
In case you’re new to Service Tags, let me give you a quick rundown. Service Tags are basically predefined groups of IP addresses used by Azure services. Microsoft keeps these up-to-date for you, so you don’t have to worry about manually maintaining your network security rules. If you’re interested in seeing all the available Service Tags, check out the official documentation here.
How to Get Started
If you’re ready to give this a spin, here’s how you can enable and use this feature:
1. Install the AKS Preview Extension: First things first, you’ll need the AKS preview extension in your Azure CLI. Here’s how to get it:
az extension add --name aks-preview
And don’t forget to keep it updated:
az extension update --name aks-preview
2. Register the Feature Flag: Next, you need to register the feature flag that enables Service Tags for API server authorized IP ranges.
az feature register --namespace "Microsoft.ContainerService" --name "EnableServiceTagAuthorizedIPPreview"
Give it a few minutes to complete, and then verify the registration:
az feature show --namespace "Microsoft.ContainerService" --name "EnableServiceTagAuthorizedIPPreview"
3. Create Your AKS Cluster: Once everything’s set up, you can create a new AKS cluster with the Service Tag authorized IP range like this:
az aks create --resource-group myResourceGroup --name myAKSCluster --api-server-authorized-ip-ranges AzureCloud,20.20.20.20
With this command, you’re allowing all Azure services (via the AzureCloud Service Tag) and a specific IP address (20.20.20.20) to access your AKS API server.
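A pre-flight check for the value passed to --api-server-authorized-ip-ranges, as an added example that is not from the original post or from Azure tooling: it separates Service Tags from IPv4 ranges and reports the limitations listed above. The function name, the tag-name pattern and the set of tags treated as broad are assumptions.

```python
import ipaddress
import re

# From the post: regions where the preview is available.
PREVIEW_REGIONS = {"eastus2euap", "centraluseuap", "westcentralus",
                   "eastasia", "uksouth", "eastus"}
# Assumption: tags a reviewer should flag as very broad. AzureCloud spans
# Azure's public IP space, not only resources you own.
BROAD_TAGS = {"AzureCloud"}
# Assumption: tag names look like "Name" or "Name.Region".
TAG_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*(\.[A-Za-z0-9]+)?$")


def check_authorized_ranges(value, region, vnet_integration=False):
    """Split an --api-server-authorized-ip-ranges value into Service Tags and
    IPv4 networks, and return (tags, networks, findings)."""
    tags, networks, findings = [], [], []
    for entry in (e.strip() for e in value.split(",")):
        try:
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            # Not an IPv4 address or CIDR: accept it only if it looks like a tag.
            if TAG_RE.match(entry):
                tags.append(entry)
            else:
                findings.append(f"malformed entry: {entry!r}")
            continue
        networks.append(net)
        if net.prefixlen == 0:
            findings.append(f"{net} admits every IPv4 address")
    if tags:
        if region.lower() not in PREVIEW_REGIONS:
            findings.append(f"Service Tags are not in preview in {region}")
        if vnet_integration:
            findings.append("Service Tags are not compatible with API Server VNet Integration")
        for tag in tags:
            if tag in BROAD_TAGS:
                findings.append(f"{tag} is very broad: review whether a narrower tag fits")
    return tags, networks, findings


if __name__ == "__main__":
    # Constructed sample: the value used in the az aks create command above.
    for line in check_authorized_ranges("AzureCloud,20.20.20.20", "eastus")[2]:
        print("finding:", line)
```

Because the API server still requires authentication, a finding here is a prompt to review network exposure, not a sign that the cluster is open.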
Final Thoughts
I’m really excited about the potential of this feature. It’s a small change, but it makes managing AKS clusters that much easier. By using Service Tags, you can reduce complexity and make sure your AKS clusters are accessible to the right Azure services without all the hassle.
As always, if you give this a try, I’d love to hear how it works for you. Drop a comment or reach out on Twitter!