Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
197 questions
Azure Virtual WAN - integrate public Facing AKS
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 53%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Christoph
1
Reputation point
I have a simple setup of Azure Virtual WAN - one Hub with S2S, P2S gateway and an Azure Firewall (one public ip).
All traffic is secured by the firewall and p2s clients have a forced tunnel to also use the firewall as their public ip.
I have a spoke vnet that is connected to my hub in which I want to deploy one private AKS cluster to host several shared services.
This AKS hosts my internal DNS for instance and but I want to add a couple of internet facing applications.
I did setup a new public ip for the ingress controller and created an nignx ingress controller.
Everything good so far. As soon as I deploy my application and want to access it (yes, TLS cert and public DNS name is also created) I do not see any traffic on the ingress controller.
Accessing the app using a local port forwarding works just fine.
I created a public AKS cluster and integrated it the same way into my network, the behavior is the same, no traffic on the ingress controller.
As soon as I disconnect the vnet from the Hub and restart the cluster, it works just fine.
Somehow, my Virtual WAN configuration is interfering with the ingress of my aks and can not find a reason.
Is this just not supported?
I thought about adding a second public ip to my firewall and create a NAT, but this brings other complications.
Thanks!
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee2021-11-19T17:18:49.987+00:00 Hello @Christoph , Thank you for reaching out. As per this documentation above scenario is supported although private clusters expose the Kubernetes API over a private IP address, but not over a public one. This private IP address is represented in the AKS virtual network through a private endpoint. The Kubernetes API shouldn't be accessed through its IP address, but instead through its fully qualified domain name (FQDN) which will be resolved by centralized DNS servers deployed in the connectivity subscription, either in a hub virtual network or in a shared service virtual network connected to an Azure Virtual WAN. You also need to have a private DNS zone for your AKS cluster to establish connectivity.
I am sure if you have already done this setup. If you have and are still facing the issue. Can you please share a Network diagram for your setup? and also more information on how DNS is setup will be helpful as well? Thank you! Please let me know if you have any additional questions.
Sign in to comment