In this post I will show you an example whose goal is to create an infrastructure that not only creates an AKS cluster (Azure's managed Kubernetes service) but also lets you access it completely privately, creating everything needed for this through a dedicated P2S VPN.
Furthermore, the AKS cluster will use not only a system node pool, but also a node pool of Linux machines and another of Windows machines.
Let’s now describe the cloud architecture that will be created with this Terraform project example.
As we can see from the diagram, we have a resource group that contains all our resources, apart from the AKS node pools, which have their own dedicated resource group.
Note that the AKS node pools will be three: one system pool, of the Linux type, one dedicated to workloads on Linux machines and one dedicated to workloads on Windows machines.
To reach the AKS cluster privately, a VNet is created with dedicated subnets: one for the AKS cluster and its node pools, one for the P2S VPN gateway, and one for the private endpoint through which the private DNS name of the Kubernetes API server is resolved and the cluster APIs are reached.
Let’s now see where to find the project, how to use it, and what points to pay attention to.
Obviously, this assumes that you already have Terraform and the Azure CLI configured on your local machine, as well as having an Azure subscription to use to create the necessary services.
First of all, you can view the project and clone it from the following repository on GitHub: https://github.com/robertobandini/azure-aks-vpn-linux-windows-nodepools
At this point, simply set the ID of the subscription to be used in the providers.tf file.
All other settings should be indicated in the locals.tf file.
Line 17 of the locals.tf file brings us to the only "boring" part of this project.
As you can see, you will need to specify the root certificate that will be used to create the P2S VPN on Azure; client certificates issued from it are what authenticate you to the VPN.
You can then use the resulting client certificate, for example, via a configuration file for OpenVPN.
If you’re unfamiliar with creating and using the necessary certificates, you can find guides in the official Azure documentation:
https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
One final note: the two AKS node pools used for workloads, one Linux and one Windows, can both scale automatically because autoscaling is enabled on them.
In this case, Azure manages the cluster autoscaler for these node pools on your behalf.
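As an added example (not the repository's own code) of the layout described above, this is how the private cluster with its system, Linux and Windows pools, the latter two autoscaled, can be declared in Terraform; the resource group, subnet, Windows password variable and azurerm 4.x attribute names are assumptions.

```hcl
# Added illustration, not the repository's own code: a private AKS cluster with a
# system pool plus autoscaled Linux and Windows user pools (azurerm 4.x attribute
# names). The resource group, subnet and variable referenced here are assumed to exist.
resource "azurerm_kubernetes_cluster" "aks" {
  name                = "aks-private-example"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "aksprivate"
  node_resource_group = "rg-aks-nodes-example" # dedicated RG for the node pools
  # No public API endpoint: the API server is reachable only inside the VNet
  # (hence over the P2S VPN) through a private endpoint and private DNS zone.
  private_cluster_enabled = true
  # System pool: Linux, reserved for critical add-ons so workloads go to user pools.
  default_node_pool {
    name                         = "system"
    vm_size                      = "Standard_D2s_v3"
    vnet_subnet_id               = azurerm_subnet.aks.id
    only_critical_addons_enabled = true
    node_count                   = 1
  }
  identity { type = "SystemAssigned" }
  # Azure CNI and a Windows profile are prerequisites for a Windows node pool.
  network_profile { network_plugin = "azure" }
  windows_profile {
    admin_username = "azureuser"
    admin_password = var.windows_admin_password # assumed sensitive variable
  }
}

# Linux user pool; the cluster autoscaler is managed by AKS for this pool.
resource "azurerm_kubernetes_cluster_node_pool" "linux" {
  name                  = "linux"
  kubernetes_cluster_id = azurerm_kubernetes_cluster.aks.id
  vm_size               = "Standard_D2s_v3"
  vnet_subnet_id        = azurerm_subnet.aks.id
  auto_scaling_enabled  = true
  min_count             = 1
  max_count             = 3
}
# Windows user pool; Windows pool names are limited to 6 characters.
resource "azurerm_kubernetes_cluster_node_pool" "windows" {
  name                  = "win"
  kubernetes_cluster_id = azurerm_kubernetes_cluster.aks.id
  os_type               = "Windows"
  vm_size               = "Standard_D2s_v3"
  vnet_subnet_id        = azurerm_subnet.aks.id
  auto_scaling_enabled  = true
  min_count             = 1
  max_count             = 3
}
```

With `private_cluster_enabled = true` the API server has no public address, so `kubectl` only works from inside the VNet, which is exactly what the P2S VPN provides.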
But this isn’t the only solution; for example, you can also use Karpenter for Azure on AKS, a possibility I’ll discuss in another post in the future.
Of course, this is just an example, but it can be useful if you have the requirement to reach your AKS cluster only via VPN, or need to build a POC around that requirement.
Of course, there are other ways to access an AKS, and we could discuss more details.
If you have any questions, please don’t hesitate to contact me.