Hi,
I have created an Azure AKS cluster following the tutorial "Limit egress traffic": https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic
The command:
az aks create --resource-group $RG --name $CLUSTER_NAME --node-count 3 --zones 1 2 3 --vm-set-type VirtualMachineScaleSets --network-plugin azure --service-cidr 10.0.0.0/16 --dns-service-ip 10.0.0.10 --docker-bridge-address 172.17.0.1/16 --network-policy calico --vnet-subnet-id $SUBNET_ID --service-principal $APP_ID --client-secret $APP_PWD --kubernetes-version 1.20.5 --outbound-type userDefinedRouting --enable-private-cluster --load-balancer-sku standard
It works fine when I choose the azure network plugin.
As:
- We need to connect our AKS cluster to the on-premise data center
- We have a limited number of IP addresses in our subnet
So we want to use kubenet instead of the azure network plugin:
az aks create --resource-group $RG --name $CLUSTER_NAME --node-count 3 --zones 1 2 3 --vm-set-type VirtualMachineScaleSets --network-plugin kubenet --network-policy calico --vnet-subnet-id $SUBNET_ID --service-principal $APP_ID --client-secret $APP_PWD --kubernetes-version 1.20.5 --outbound-type userDefinedRouting --api-server-authorized-ip-ranges $FWPUBLIC_IP --load-balancer-sku standard
It also works fine.
But when we add --enable-private-cluster to the command to make the cluster private, all nodes are running in the virtual machine scale set, but in the AKS cluster the nodes are in NotReady state and the cluster fails to start.
So my questions:
- Why does a private cluster with userDefinedRouting work fine with the azure network plugin but not with the kubenet plugin? Is there any limitation?
- Is a non-private cluster with a range of authorized IPs secure and recommended for connecting to the on-premise data center?
Thanks
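The --outbound-type userDefinedRouting clusters in the post depend on the route table attached to the node subnet: the tutorial's default route to the firewall, plus (with kubenet) the per-node pod CIDR routes AKS writes into the same table. The following added check is example code, not part of the post or of Azure's tooling; it assumes the firewall's private IP and a constructed route list shaped like `az network route-table route list -o json`.

```python
import ipaddress
import json

# Constructed sample in the shape of `az network route-table route list -o json`
# (only the fields used below). All addresses are made up for this example.
SAMPLE_ROUTES = json.loads("""[
  {"name": "default-to-firewall", "addressPrefix": "0.0.0.0/0",
   "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.42.1.4"},
  {"name": "aks-node-0", "addressPrefix": "10.244.0.0/24",
   "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.42.2.4"},
  {"name": "aks-node-1", "addressPrefix": "10.244.1.0/24",
   "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.42.2.5"}
]""")


def check_udr_routes(routes, firewall_ip, pod_cidr="10.244.0.0/16"):
    """Return a list of findings for the route table on the AKS node subnet.

    An empty list means: the default route sends all egress to the firewall
    (what --outbound-type userDefinedRouting expects) and, for kubenet, the
    per-node pod CIDR routes that AKS adds to the same table are present.
    firewall_ip is assumed to be the firewall's private IP, as in the tutorial.
    """
    findings = []
    pod_net = ipaddress.ip_network(pod_cidr)

    default = [r for r in routes if r["addressPrefix"] == "0.0.0.0/0"]
    if not default:
        findings.append("no 0.0.0.0/0 route: UDR egress has no path out of the VNet")
    elif default[0]["nextHopType"] != "VirtualAppliance":
        findings.append("default route does not point at a VirtualAppliance "
                        f"(got {default[0]['nextHopType']})")
    elif default[0].get("nextHopIpAddress") != firewall_ip:
        findings.append(f"default route next hop is {default[0].get('nextHopIpAddress')}, "
                        f"expected firewall {firewall_ip}")

    # kubenet: each node owns a slice of the pod CIDR and AKS adds a route for it;
    # without those routes, pod-to-pod traffic across nodes cannot be delivered.
    node_routes = [r for r in routes
                   if r["addressPrefix"] != "0.0.0.0/0"
                   and ipaddress.ip_network(r["addressPrefix"]).subnet_of(pod_net)]
    if not node_routes:
        findings.append(f"no per-node routes inside pod CIDR {pod_cidr} (expected with kubenet)")
    return findings


if __name__ == "__main__":
    for finding in check_udr_routes(SAMPLE_ROUTES, "10.42.1.4") or ["route table looks right"]:
        print(finding)
```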