aleguillen / private-aks-app

AKS Application


Deploy a Private Azure Kubernetes Service using Azure DevOps

Overview

Create a private Azure Kubernetes Service cluster using Terraform and reach the control plane (kubectl commands) through a private endpoint. Deploy ACR with a private endpoint. Access the ingress controller through a private endpoint.

Pre-requisites

  • Azure CLI and the Azure CLI AKS Preview extension.
    • See how to install Azure CLI here.
    # Confirm AZ CLI installation
    az --version
    
    # Install the aks-preview extension
    az extension add --name aks-preview
    
    # Update the extension to make sure you have the latest version installed
    az extension update --name aks-preview
  • Terraform version 0.12.24 or later.
    • See how to install Terraform here.
  • Install Azure DevOps Extension.
    # Confirm AZ CLI installation
    az --version
    
    # Install and confirm Azure DevOps extension.
    az extension add --name azure-devops
    az extension show --name azure-devops
  • Git to manage your repository locally.
    • See how to install here.
  • Azure DevOps Self Hosted Agents.
    • See how to set up your self-hosted agents in Azure, as shown in the architecture diagram below, here.

Infrastructure

The purpose of this sample is to create an end-to-end solution for connecting privately, from within the network, to applications hosted in AKS.

Architecture

This is a sample architecture. Let's break it down:

  • Connects to on-premises via Azure ExpressRoute - this is not required or configured in this sample; it is shown to illustrate that your private application can be reached from on-premises over an ExpressRoute connection.
  • ADO Server - this VM is configured as an Azure Pipelines self-hosted agent inside the network, so it can connect privately to Azure Container Registry and the AKS cluster.
  • Private Endpoints - these provide a private, secure connection using Azure Private Link; a private endpoint provisions a network interface with a private IP address, bringing the service into your VNET.
  • Private DNS Zone - responsible for translating a service name to its IP address; linking a Private DNS Zone to a VNET lets you override and resolve specific domains. For enterprise environments that already have a custom DNS server, add or modify the records there to achieve the same result. Alternatively, for testing purposes you can edit your local hosts file (/etc/hosts) and map the hostnames to the private IP addresses.
    • Modify /etc/hosts in Linux
      # Append a hostname mapping; sudo is needed on tee (which writes the file), not on echo
      echo "127.0.0.1    localhost" | sudo tee -a /etc/hosts
    • Modify /etc/hosts in Windows - Open PowerShell in Admin mode and execute:
      # Go to hosts file directory location
      cd C:\Windows\System32\drivers\etc
      
      # Add new IP / FQDN mapping 
      "127.0.0.1  localhost" | Add-Content hosts
      
      # Get updated hosts content
      Get-Content hosts 

Architecture Flow - Deploying Private AKS Cluster with Azure DevOps

  • Azure Container Registry - managed, private Docker registry service based on Docker Registry 2.0. In this sample ACR is accessed through a Private Endpoint; for more information see here.
  • Private Azure Kubernetes Service - a private cluster gives the API server an internal IP, so traffic between the control plane and the nodes stays inside the network.
  • Private Link Service - a reference to your own service running behind an Azure Standard Load Balancer, so that consumers can reach it privately from their own VNets.
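
The pieces described above (ACR behind a private endpoint, the privatelink.azurecr.io Private DNS Zone linked to the VNET, and a private AKS cluster whose kubelet identity is granted AcrPull on that registry) fit together in Terraform as follows. This is an added example written for this page, not the repository's own HCL; it assumes the azurerm provider 3.x, and the resource names, region and address ranges are placeholders.

```hcl
# Added example (not the repository's own Terraform): private ACR + private AKS in one VNET.
# Assumes azurerm provider 3.x; names, region and address ranges are placeholders.
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-private-aks-example"
  location = "eastus"
}

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-private-aks"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = ["10.10.0.0/16"]
}

resource "azurerm_subnet" "aks" {
  name                 = "snet-aks"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.10.1.0/24"]
}

# Private endpoint NICs get their own subnet, separate from the node pool.
resource "azurerm_subnet" "endpoints" {
  name                 = "snet-endpoints"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.10.2.0/24"]
}

# Premium SKU is required for Private Link; public access is off, so the registry
# is reachable only through the private endpoint below.
resource "azurerm_container_registry" "acr" {
  name                          = "acrprivateaksexample" # must be globally unique
  resource_group_name           = azurerm_resource_group.rg.name
  location                      = azurerm_resource_group.rg.location
  sku                           = "Premium"
  public_network_access_enabled = false
}

# Private DNS zone linked to the VNET, so the login server resolves to the endpoint IP.
resource "azurerm_private_dns_zone" "acr" {
  name                = "privatelink.azurecr.io"
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "acr" {
  name                  = "acr-dns-link"
  resource_group_name   = azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.acr.name
  virtual_network_id    = azurerm_virtual_network.vnet.id
}

resource "azurerm_private_endpoint" "acr" {
  name                = "pe-acr"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  subnet_id           = azurerm_subnet.endpoints.id
  private_service_connection {
    name                           = "acr-psc"
    private_connection_resource_id = azurerm_container_registry.acr.id
    is_manual_connection           = false
    subresource_names              = ["registry"]
  }
  # Writes the registry and data-endpoint A records into the private zone.
  private_dns_zone_group {
    name                 = "acr-dns-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.acr.id]
  }
}

# private_cluster_enabled puts the API server behind a private endpoint in the node
# VNET; AKS creates and links its own privatelink.<region>.azmk8s.io zone.
resource "azurerm_kubernetes_cluster" "aks" {
  name                    = "aks-private-example"
  location                = azurerm_resource_group.rg.location
  resource_group_name     = azurerm_resource_group.rg.name
  dns_prefix              = "aksprivate"
  private_cluster_enabled = true
  default_node_pool {
    name           = "system"
    node_count     = 2
    vm_size        = "Standard_D2s_v3"
    vnet_subnet_id = azurerm_subnet.aks.id
  }
  identity {
    type = "SystemAssigned"
  }
}

# Least privilege for image pulls: the kubelet identity gets AcrPull on this registry only.
resource "azurerm_role_assignment" "aks_acr_pull" {
  scope                = azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
}
```

Run terraform init, plan and apply from the self-hosted agent or any host inside the VNET. Two checks that the wiring is right: resolving the ACR login server from inside the VNET should return an address from the endpoint subnet (10.10.2.0/24 here) rather than a public IP, and az aks get-credentials followed by kubectl get nodes should succeed only from inside the network, since the API server's private FQDN (the cluster's private_fqdn attribute) is not resolvable or reachable from the internet.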

This sample uses Azure Voting App as our demo application. This application creates a multi-container application in an Azure Kubernetes Service (AKS) cluster.

To walk through a quick deployment of this application, see the AKS quick start.
