Cluster connect on Azure Arc enabled Kubernetes

The Azure Arc enabled Kubernetes cluster connect feature provides connectivity to the apiserver of the cluster without requiring any inbound port to be opened on the firewall. A reverse proxy agent running on the cluster securely starts a session with the Azure Arc service in an outbound-only manner.

Cluster connect allows developers to access their clusters from anywhere for interactive development and debugging. It also lets cluster users and administrators access or manage their clusters from anywhere. You can even use hosted agents/runners of Azure Pipelines, GitHub Actions, or any other hosted CI/CD service to deploy applications to on-prem clusters, without requiring self-hosted agents.

Important

Azure Arc enabled Kubernetes preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. Azure Arc enabled Kubernetes previews are partially covered by customer support on a best-effort basis.

Architecture

[Figure: Cluster connect architecture]

On the cluster side, a reverse proxy agent called clusterconnect-agent, deployed as part of the agent Helm chart, makes outbound calls to the Azure Arc service to establish the session.

When the user calls az connectedk8s proxy:

  1. The Azure Arc proxy binary is downloaded and started as a process on the client machine.
  2. Azure Arc proxy fetches a kubeconfig file associated with the Azure Arc enabled Kubernetes cluster on which az connectedk8s proxy is invoked.
    • Azure Arc proxy uses the caller's Azure access token and the Azure Resource Manager ID name.
  3. The kubeconfig file that Azure Arc proxy saves on the machine points its server URL to an endpoint served by the Azure Arc proxy process.

When a user sends a request using this kubeconfig file:

  1. Azure Arc proxy maps the endpoint receiving the request to the Azure Arc service.
  2. Azure Arc service then forwards the request to the clusterconnect-agent running on the cluster.
  3. The clusterconnect-agent passes the request on to the kube-aad-proxy component, which performs Azure AD authentication of the calling entity.
  4. After Azure AD authentication succeeds, kube-aad-proxy uses the Kubernetes user impersonation feature to forward the request to the cluster's apiserver.
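The forwarding step above (Azure AD check, then Kubernetes impersonation) can be sketched as a small model. This is an added example, not Azure Arc's kube-aad-proxy code: it assumes the Azure AD token has already been signature-verified and decoded into a claims dict, uses placeholder values for the proxy's own cluster credential and the expected token audience, and assumes the cluster's RBAC bindings name the Azure AD object ID (oid) as the Kubernetes user and group object IDs as groups.

```python
"""Illustrative model of an authenticating proxy that forwards a request to
the apiserver via Kubernetes impersonation (hypothetical, not Arc's code)."""
import time

PROXY_SA_TOKEN = "<proxy-service-account-token>"  # placeholder credential
EXPECTED_AUDIENCE = "<cluster-connect-app-id>"     # placeholder audience


def check_claims(claims, now=None):
    """Freshness and audience check on already signature-verified claims."""
    now = time.time() if now is None else now
    return (
        claims.get("aud") == EXPECTED_AUDIENCE
        and "oid" in claims
        and float(claims.get("exp", 0)) > now
    )


def build_upstream_headers(claims, incoming, now=None):
    """Return the header list the proxy sends to the apiserver, or None if
    the request must be rejected.

    Any Impersonate-* or Authorization header supplied by the client is
    dropped: only the proxy, after authenticating the caller, decides which
    identity the apiserver sees, and RBAC on the cluster then authorizes
    that identity. Headers are (name, value) pairs because Impersonate-Group
    may legitimately repeat once per group.
    """
    if not check_claims(claims, now):
        return None
    upstream = [
        (k, v) for k, v in incoming
        if k.lower() != "authorization"
        and not k.lower().startswith("impersonate-")
    ]
    upstream.append(("Authorization", f"Bearer {PROXY_SA_TOKEN}"))
    upstream.append(("Impersonate-User", claims["oid"]))
    for group in claims.get("groups", []):
        upstream.append(("Impersonate-Group", group))
    return upstream


if __name__ == "__main__":
    # Constructed sample: a caller who also tries to smuggle an impersonation header.
    claims = {"oid": "00000000-0000-0000-0000-000000000001", "groups": ["g-1"],
              "aud": EXPECTED_AUDIENCE, "exp": 2000}
    incoming = [("Authorization", "Bearer <aad-token>"),
                ("Impersonate-User", "system:admin"), ("Accept", "application/json")]
    print(build_upstream_headers(claims, incoming, now=1000))
```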

Next steps