Introduction
Building a private AKS cluster offers enhanced network security and complete control over ingress and egress traffic.
This tutorial will guide you through the setup of a private AKS cluster with advanced networking capabilities, integrating it into a sophisticated network architecture using Pulumi.
By the end of this guide, you'll know how to integrate the AKS cluster with a Hub VNet and apply firewall policies established in the previous az-02-hub-vnet project.
The project modules
The ContainerRegistry.ts Module
To enhance security and ensure that all Docker images deployed to our AKS cluster are verified, this module establishes a private Container Registry. By restricting AKS to pull images exclusively from this private registry, we avoid having to open the firewall to public registries on the internet.
View code:
The AksFirewallRules.ts Module
This module sets up a FirewallPolicyRuleCollectionGroup with policies that enable controlled outbound communication for AKS nodes. The rules ensure that only necessary traffic is permitted, thus enhancing the security posture of our AKS cluster.
View code:
The VNet.ts Module
The Virtual Network (VNet) serves as the backbone for our AKS cluster. It provides the primary network environment that includes subnets dedicated to AKS nodes.
The VNet is peered with the Hub VNet to enable seamless integration with other services and to route all traffic through the Hub's firewall, ensuring all egress traffic is controlled.
- Security Group: By default, the VNet allows resources in all subnets to access the internet. To enhance security, a security group is created with the following default rules:
  - Block all internet access from all subnets.
  - Allow VNet-to-VNet communication to enable hub-spoke connectivity.
  - Additional security rules can be added through parameters.

  View code:
- Route Table: Because this VNet peers with the hub, a route table is needed to direct all traffic to the private IP address of the firewall.

  View code: [inline](https://github.com/baoduy/drunk-azure-pulumi-articles/blob/main/az-03-aks-cluster/VNet.ts#1-1000)
- VNet: Finally, the VNet is configured to create the route table and security group, injecting them into all provided subnets. Additionally, it establishes VNet peering with the hub VNet.

  View code: [inline](https://github.com/baoduy/drunk-azure-pulumi-articles/blob/main/az-03-aks-cluster/VNet.ts#10-1000)
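The Security Group item above relies on Azure's rule precedence: a custom Deny rule only works because it sorts ahead of the built-in AllowInternetOutBound default. The following added example (not code from the article's repository) models that evaluation in plain TypeScript so the intended effect of the two default rules can be checked before `pulumi up`; rule names and priorities are constructed for illustration.

```typescript
// Added example (not code from the article's repository): a minimal model of how
// Azure evaluates NSG rules, used to check that the spoke VNet's custom rules block
// internet egress while keeping hub-spoke (VirtualNetwork) traffic open. Service
// tags are matched by exact name here; real NSGs expand tags and CIDRs to ranges.
type Access = "Allow" | "Deny";
type Direction = "Inbound" | "Outbound";
interface NsgRule {
  name: string;
  priority: number;                 // custom rules: 100..4096, lower wins
  direction: Direction;
  access: Access;
  sourceAddressPrefix: string;      // CIDR, "*" or a service tag
  destinationAddressPrefix: string; // CIDR, "*" or a service tag
}
// Azure's built-in outbound defaults (priority 65000+) cannot be deleted, so
// AllowInternetOutBound has to be overridden by a lower-priority custom Deny rule.
const DEFAULT_OUTBOUND_RULES: NsgRule[] = [
  { name: "AllowVnetOutBound", priority: 65000, direction: "Outbound", access: "Allow",
    sourceAddressPrefix: "VirtualNetwork", destinationAddressPrefix: "VirtualNetwork" },
  { name: "AllowInternetOutBound", priority: 65001, direction: "Outbound", access: "Allow",
    sourceAddressPrefix: "*", destinationAddressPrefix: "Internet" },
  { name: "DenyAllOutBound", priority: 65500, direction: "Outbound", access: "Deny",
    sourceAddressPrefix: "*", destinationAddressPrefix: "*" },
];
// Custom rules mirroring the article's two defaults (names and priorities constructed).
const spokeRules: NsgRule[] = [
  { name: "AllowVnetToVnet", priority: 3000, direction: "Outbound", access: "Allow",
    sourceAddressPrefix: "VirtualNetwork", destinationAddressPrefix: "VirtualNetwork" },
  { name: "DenyInternetOutBound", priority: 4000, direction: "Outbound", access: "Deny",
    sourceAddressPrefix: "*", destinationAddressPrefix: "Internet" },
];
const prefixMatches = (rulePrefix: string, flowPrefix: string): boolean =>
  rulePrefix === "*" || rulePrefix === flowPrefix;
// The first matching rule in ascending priority order decides the flow; custom rules
// are merged with the defaults so the override (or its absence) becomes visible.
function effectiveAccess(custom: NsgRule[], direction: Direction,
                         source: string, destination: string): Access {
  const ordered = [...custom, ...DEFAULT_OUTBOUND_RULES].sort((a, b) => a.priority - b.priority);
  const hit = ordered.find(r => r.direction === direction
    && prefixMatches(r.sourceAddressPrefix, source)
    && prefixMatches(r.destinationAddressPrefix, destination));
  return hit ? hit.access : "Deny";
}
```

Passing an empty custom rule list shows the default behaviour the article warns about: internet egress is allowed until the Deny rule is added.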
The AKS.ts Module
- SSH Key Generation Custom Resource: An SSH key is required for configuring an AKS cluster. Because Pulumi has no native SSH key support, I use Dynamic Resource Providers to create a custom component that generates an SSH key at runtime.

  View SSH generator code: [inline](https://github.com/baoduy/drunk-azure-pulumi-articles/blob/main/az-03-aks-cluster/SshGenerator.ts#1-1000)

  > This component also demonstrates how to securely store secrets within the Pulumi state.

  Furthermore, a helper method uses the SSH generator alongside a random password to create an SSH public and private key pair and store them in Key Vault for AKS.

  View code: [inline](https://github.com/baoduy/drunk-azure-pulumi-articles/blob/main/az-03-aks-cluster/Aks.ts#78-116)
- AKS Identity Creation: AKS can be configured to use Microsoft Entra ID for user authentication. This setup allows users to sign in to the AKS cluster with Microsoft Entra authentication, so that access to namespaces and cluster resources can be managed centrally.

  View code: [inline](https://github.com/baoduy/drunk-azure-pulumi-articles/blob/main/az-03-aks-cluster/Aks.ts#11-71)
- AKS Cluster Creation: Finally, by integrating all components, we establish our AKS cluster. The source code contains several key elements worth noting.

  View code: [inline](https://github.com/baoduy/drunk-azure-pulumi-articles/blob/main/az-03-aks-cluster/Aks.ts#121-1000)
Developing a Private AKS Cluster
Our goal is to configure all necessary elements for the AKS Cluster, which include:
- Resource Group: A container for organizing related Azure resources, simplifying management and cost tracking.
- Container Registry: The main repository for all Docker images used by our private AKS, ensuring secure image deployment.
- AKS Firewall Policy: To enable outbound internet connectivity, we must configure firewall rules that allow AKS nodes to communicate securely with essential Azure services.
- Virtual Network (VNet): The primary network hosting our AKS subnets, integrated with our Hub VNet to ensure secure and managed traffic flow.
- AKS Cluster: An Azure-managed Kubernetes service, configured with advanced security and connectivity options.
View code:
Deployment and Cleanup
Deploying the Stack
To deploy the stack, execute the pnpm run up command. This provisions the necessary Azure resources. We can verify the deployment as follows:
- Successfully deployed Azure resources (screenshot: overview of successfully deployed Azure resources).
Cleaning Up the Stack
To remove the stack and clean up all associated Azure resources, run the pnpm run destroy command. This ensures that any resources no longer needed are properly deleted.
Conclusion
In this tutorial, we've successfully implemented a private AKS cluster with advanced networking features using Pulumi.
By setting up a private Container Registry, configuring firewall rules, and integrating the cluster with a Hub VNet, we have enhanced the security and manageability of our Kubernetes environment.
These steps ensure that the AKS cluster is well-secured and capable of meeting the demands of a production-grade infrastructure.
References
- Outbound network and FQDN rules for AKS clusters
- Dynamic resource providers
- Use Entra ID role-based access control for AKS
- Use a service principal with AKS
- Best Practices for Private AKS Clusters
Next
Day 06: Implementing a private CloudPC and DevOps Agent Hub with Pulumi
The next tutorial will guide us through setting up a secure CloudPC and DevOps agent hub, aimed at improving the management and operational capabilities of your private AKS environment using Pulumi.
Thank You
Thank you for taking the time to read this guide! I hope it has been helpful, feel free to explore further, and happy coding! 🌟✨
Steven | GitHub