
PratimDasParthaC-8631 asked:

Why should we create AKS cluster as private?

I went through different documents available on the Microsoft site and created one private AKS cluster on my own. Still, I'm not clear on why a private cluster. What is the benefit of making the API server of an AKS cluster private? Even for a private AKS cluster, the load balancer that gets created has a public endpoint and can be accessed over the internet. Then how is it a private cluster, and why is it assumed to be more secure?

azure-kubernetes-service

Sam-Cogan answered:

The API server is the way that you control and access your Kubernetes control plane, and so it is a tempting attack surface for anyone wanting to breach your cluster. If someone gains access to the Kubernetes API, they can do pretty much anything with your cluster. By using a private cluster, this API is only accessible from your virtual network; traffic only goes over the virtual network and does not traverse the internet. This provides a few benefits:

  1. The API server is not accessible over the internet at all, blocking any would-be attacker from having an endpoint they can try to attack.

  2. The traffic to the API server does not traverse the internet, removing the risk of a man-in-the-middle or other interception-type attack.


For some people this may not be required, and you're happy with the security of the public API server, in which case you don't need this. However, there are many scenarios where this is not an acceptable level of security, and a private API server is needed to be able to use AKS.


vipullag-MSFT answered:

@PratimDasParthaC-8631

As per the Private AKS Cluster document, using a private cluster ensures that network traffic between your API server and your node pools remains on the private network only.

The public IP for the load balancer is part of the current design for private AKS clusters. The newer CLI versions by default create a Standard Load Balancer, which requires a public IP and load balancer for egress. By default AKS still uses a public IP for egress traffic from nodes/pods to the outside world, even in private AKS instances.

As this default setup may not meet the requirements of all scenarios, if public IPs are disallowed or additional hops are required for egress, you can avoid public IPs altogether by customizing cluster egress with a User-Defined Route. Please check this article for more details.

Just for your reference, a similar issue was raised for getting cluster egress with a UDR to GA.

Please 'Accept as answer' if the provided information is helpful, so that it can help others in the community looking for help on similar topics.


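The two answers above distinguish three things that the question runs together: whether the API server itself is private, how node egress leaves the cluster (the Standard Load Balancer's public outbound IP by default, or a UDR), and whether a public API server is at least fenced by authorized IP ranges. The following checker is an added example and is not code from the original Q&A or from Microsoft. It reads the JSON that `az aks show --name <cluster> --resource-group <rg> -o json` returns and reports those three properties separately. The field names (`apiServerAccessProfile.enablePrivateCluster`, `networkProfile.outboundType`, `networkProfile.loadBalancerProfile.effectiveOutboundIPs`, `privateFqdn`, `fqdn`, `authorizedIpRanges`) are the ManagedCluster resource properties; the three sample documents are constructed for this example and were not captured from real clusters, and the resource IDs in them are placeholders.

```python
"""Classify an AKS cluster's network exposure from `az aks show -o json` output.

Added example, not part of the original Q&A. The sample documents below are
constructed; they imitate the shape of the ManagedCluster resource only.
"""
import json
from dataclasses import dataclass, field
from typing import List


@dataclass
class ExposureReport:
    private_api_server: bool
    api_server_fqdn: str
    authorized_ip_ranges: List[str]
    outbound_type: str
    public_outbound_ips: List[str]
    findings: List[str] = field(default_factory=list)


def assess(cluster_json: str) -> ExposureReport:
    """Return an ExposureReport for one `az aks show` JSON document."""
    c = json.loads(cluster_json)
    access = c.get("apiServerAccessProfile") or {}
    net = c.get("networkProfile") or {}
    lb = net.get("loadBalancerProfile") or {}

    private_api = bool(access.get("enablePrivateCluster"))
    # A private cluster exposes privateFqdn (a privatelink name that resolves to a
    # VNet address); a public cluster only has the internet-resolvable fqdn.
    fqdn = c.get("privateFqdn") if private_api else c.get("fqdn")
    ranges = list(access.get("authorizedIpRanges") or [])
    outbound = net.get("outboundType", "loadBalancer")
    # With outboundType=loadBalancer the Standard Load Balancer owns the public
    # IPs the nodes egress through; with userDefinedRouting there are none.
    public_ips = [ip["id"] for ip in (lb.get("effectiveOutboundIPs") or [])]

    report = ExposureReport(private_api, fqdn or "", ranges, outbound, public_ips)
    if not private_api:
        if ranges:
            report.findings.append(
                f"API server is public but restricted to {len(ranges)} authorized IP range(s)")
        else:
            report.findings.append(
                "API server is reachable from any internet address "
                "(no private cluster, no authorized IP ranges)")
    if public_ips:
        report.findings.append(
            f"nodes egress through {len(public_ips)} public IP(s) on the Standard Load Balancer")
    if outbound == "userDefinedRouting" and not public_ips:
        report.findings.append("egress is via UDR; no cluster-owned public IP for outbound traffic")
    return report


# --- constructed sample documents (not real clusters) ------------------------
_PIP = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
        "MC_demo_rg/providers/Microsoft.Network/publicIPAddresses/demo-egress-pip")

# The situation in the question: private API server, default (public) egress.
PRIVATE_DEFAULT_EGRESS = json.dumps({
    "privateFqdn": "demo-aks-00000000.00000000-0000-0000-0000-000000000000.privatelink.westeurope.azmk8s.io",
    "apiServerAccessProfile": {"enablePrivateCluster": True, "authorizedIpRanges": None},
    "networkProfile": {"outboundType": "loadBalancer",
                       "loadBalancerProfile": {"effectiveOutboundIPs": [{"id": _PIP}]}},
})

# Private API server plus userDefinedRouting egress: no cluster-owned public IP.
PRIVATE_UDR_EGRESS = json.dumps({
    "privateFqdn": "demo-aks-00000000.00000000-0000-0000-0000-000000000000.privatelink.westeurope.azmk8s.io",
    "apiServerAccessProfile": {"enablePrivateCluster": True},
    "networkProfile": {"outboundType": "userDefinedRouting", "loadBalancerProfile": None},
})

# Public cluster with neither private endpoint nor authorized IP ranges.
PUBLIC_DEFAULT = json.dumps({
    "fqdn": "demo-aks-dns-00000000.hcp.westeurope.azmk8s.io",
    "apiServerAccessProfile": {"enablePrivateCluster": False, "authorizedIpRanges": []},
    "networkProfile": {"outboundType": "loadBalancer",
                       "loadBalancerProfile": {"effectiveOutboundIPs": [{"id": _PIP}]}},
})

if __name__ == "__main__":
    for name, doc in [("private+default egress", PRIVATE_DEFAULT_EGRESS),
                      ("private+UDR egress", PRIVATE_UDR_EGRESS),
                      ("public+default egress", PUBLIC_DEFAULT)]:
        r = assess(doc)
        print(f"{name}: private API={r.private_api_server}, outbound={r.outbound_type}")
        for f in r.findings:
            print("  -", f)
```

Run against a real cluster with `az aks show -n <cluster> -g <rg> -o json | python3 -c 'import sys, aks_exposure; print(aks_exposure.assess(sys.stdin.read()))'` (module name assumed). Note that none of these fields says anything about Kubernetes Services of type LoadBalancer: those get a public frontend on the same Standard Load Balancer regardless of whether the API server is private, which is the public endpoint the question observed.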

PratimDasParthaC-8631 commented: Thanks for the quick response. But what is the point in keeping network traffic between the API server and node pools on the private network?

vipullag-MSFT replied:

The API server can be accessed from the VNet and peered VNets only.


PratimDasParthaC-8631 replied: That is fine @vipullag-MSFT, but my question is why: what is the point of making the API server externally accessible? I can access the services on the public endpoints of that LB. Why should I safeguard the API server only?


Why is more than one public IP address created for both private and public AKS clusters?


DebabrataHowlee-8755 commented: @vipullag-MSFT, most of my confusion regarding private AKS is clear. Can you help me understand the PCI DSS requirements for AKS? We have a design of a public AKS cluster for a customer who is looking at compliance now.

Is public AKS PCI compliant, or do we need to re-design to a private cluster?


@DebabrataHowlee-8755

Here is the document (this one is the introduction), which has all the details on the customer's responsibilities and the responsibilities as Service Provider as far as PCI DSS is concerned.

Hope these document references help.
