Connecting-Securely-to-AKS-Private-Cluster

🚀 Deployment Flow Overview

This guide outlines the steps to deploy and securely connect to an Azure Kubernetes Service (AKS) private cluster using Cloud Shell with VNet integration, following a hub-and-spoke network topology.

## Access Options Flow

For the purpose of this demonstration, access to the AKS private cluster will be established using Access Option 3.

Architecture Diagram

🧱 Existing Infrastructure

☸️ AKS Private Cluster Deployment

To deploy the AKS private cluster with a private API server endpoint, follow these steps in the Azure Portal:

1. Navigate to AKS Service

2. Configure Basics

Create Private AKS Cluster

3. Click “Next” Until You Reach the Networking Tab
Proceed through the tabs (Node Pools, Authentication, etc.) until you reach Networking.

Create Private AKS Cluster

4. Enable Private Access

Create Private AKS Cluster

5. Edit the name of the Infrastructure Resource Group

6. Click Review + Create, validate the configuration, and then click Create to deploy the cluster.

What the Infrastructure Resource Group resources look like

The following resources are provisioned as part of the AKS cluster deployment.

Infrastructure Resource Group

1. Locate the AKS Private DNS Zone

2. Link the Hub VNet (in my case) to the Private DNS Zone

Link Virtual Network to Private DNS Zone

🔧 Prerequisites for Cloud Shell VNet Integration

To configure Azure Cloud Shell with Virtual Network integration, the following components must be provisioned:

Required config resources

PS: The above resources are deployed automatically by the Azure Cloud Shell ARM Template, except the File Share, which must be created manually. 👉 Important: Please make sure to check the section “Deploy Azure Relay Namespace” for additional deployment steps and configuration details.

### Create a Storage Account in Azure Portal

1. Go to Azure Portal
Navigate to https://portal.azure.com and sign in.

2. Search for “Storage Accounts”
In the top search bar, type Storage Accounts and select it.

3. Click “Create”
Click the + Create button to start the wizard.

4. Fill in the Basics:

Create Storage account

#### Create a File Share Inside the Storage Account

1. Navigate to the Storage Account
Once deployed, go to the newly created storage account.

2. Select “File shares” from the left menu
Under Data storage, click File shares.

3. Click “+ File share”

Create Storage account

Provide:

Create Storage account

4. Creation in Progress
Your file share will be created and ready for use.

Cloud Shell needs access to certain Azure resources. You make that access available through resource providers. The following resource providers must be registered in your subscription: Microsoft.CloudShell, Microsoft.ContainerInstance and Microsoft.Relay.

Depending on when your tenant was created, some of these providers might already be registered.

To see all resource providers and the registration status for your subscription:

  1. Sign in to the Azure portal.
  2. On the Azure portal menu, search for Subscriptions. Select it from the available options.
  3. Select the subscription that you want to view.
  4. On the left menu, under Settings, select Resource providers.
  5. In the search box, enter cloudshell to search for the resource provider.
  6. Select the Microsoft.CloudShell resource provider from the provider list.
  7. Select Register to change the status from unregistered to registered.
  8. Repeat the previous steps for the Microsoft.ContainerInstance and Microsoft.Relay resource providers.

Register Resource provider

Get the Azure Container Instance ID

The Azure container instance ID is a unique value for every tenant.

  1. Sign in to the Azure portal. From the home page, select Microsoft Entra ID. If the icon isn’t displayed, enter Microsoft Entra ID in the top search bar.

  2. On the left menu, select Overview. Then enter azure container instance service in the search bar.

  3. In the results, under Enterprise applications, select Azure Container Instance Service.

Retrieve ACS ID

  4. On the Overview page for Azure Container Instance Service, locate the Object ID value listed under Properties. Click the Copy to clipboard button.

You use this ID in the quickstart template for the virtual network.

Copy ID ACS

Azure Relay Deployment & Configure Cloud Shell

Deploy Azure Relay Namespace

The Azure Relay namespace, along with all required network components and authorization settings, will be deployed automatically using an ARM Template.

🔗 Deploy via Azure Cloud Shell – VNet Quickstart Template

DeployCloudShell ARM

⚠️ Important: If the Storage Account and VNet are not in the same resource group, Cloud Shell will not be able to associate the VNet with the Storage Account, and the configuration will fail.

DeployCloudShell ARM

Configure Cloud Shell within the Hub VNet (or a VNet of your choice that is peered with the AKS VNet)

1. Open Azure Cloud Shell

2. Access the Settings Menu

3. Select “Reset User Settings”

Configure CloudShell

4. Confirm the Reset

Configure CloudShell

5. Choose Your Shell Environment

Configure CloudShell

6. Reconfigure Storage (if needed)

⚠️ Note: Resetting Cloud Shell will erase any files not stored in your mounted Azure File Share. Make sure important files are backed up.

7. Select an existing private virtual network

⚠️ Note: In this step you can choose whether or not to mount a storage account. Cloud Shell in a private virtual network using Azure Relay requires a storage account with a File Share.

Configure CloudShell

8. Complete the Required Configuration Fields

Configure CloudShell

9. Request a Cloud Shell in the private virtual network

Configure CloudShell

Configure CloudShell ifconfig

⚠️ Important Note on ACI IP Visibility:
When verifying the IP address of the Azure Container Instance (ACI), you’ll notice that it is assigned from the Container Subnet configured during the deployment of the Azure Cloud Shell VNet. However, this IP address will not appear under Connected Devices in the Azure Portal’s Virtual Network view. This behavior is expected: ACI networking is fully managed by Azure and does not expose the container’s IP in the standard VNet device list.

💡 Community Request: If anyone has found a method to retrieve or surface this information within their subscription, please feel free to reach out to me.

Use Cloud Shell to securely connect to the AKS private endpoint

1. Go to the AKS Resource

2. Click on the “Connect” Button

3. Launch Azure Cloud Shell

4. Run the Provided Command

The command usually looks like:

```bash
az aks get-credentials --resource-group <your-resource-group> --name <your-aks-cluster-name>
```

5. Connection Verification

Connect to AKS
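Two checks for the points where this setup most often breaks, the same-resource-group requirement from the Azure Relay section and the private name resolution behind step 5, as an added example that is not part of the original guide. It assumes a Linux Cloud Shell with getent, awk and sed; the helper names (resource_group_of, same_resource_group, is_rfc1918, verify_private_api) and the script name are my own.

```shell
# Added example (not from the original guide): run inside Cloud Shell once it
# is attached to the hub VNet. Assumes getent, awk and sed are available.
set -u

# Extract the resource group segment from an ARM resource ID.
resource_group_of() {
  printf '%s\n' "$1" | sed -n 's#^/subscriptions/[^/]*/resourceGroups/\([^/]*\)/.*#\1#p'
}

# Cloud Shell VNet integration requires the storage account and the VNet to
# live in the same resource group (see the warning in the Azure Relay section).
same_resource_group() {
  rg_a=$(resource_group_of "$1")
  rg_b=$(resource_group_of "$2")
  [ -n "$rg_a" ] && [ "$rg_a" = "$rg_b" ]
}

# Return 0 when an IPv4 address is in an RFC 1918 range (10/8, 172.16/12, 192.168/16).
is_rfc1918() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*|'') return 1 ;;  # not a dotted-quad address
  esac
  o1=${1%%.*}; rest=${1#*.}; o2=${rest%%.*}
  case "$o1" in
    10)  return 0 ;;
    172) [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] ;;
    192) [ "$o2" -eq 168 ] ;;
    *)   return 1 ;;
  esac
}

# Resolve the AKS private API server FQDN and confirm it lands on a private
# address. No answer, or a public address, means the AKS Private DNS Zone is
# not linked to the VNet Cloud Shell sits in (or to one peered with it).
verify_private_api() {
  ip=$(getent hosts "$1" | awk '{print $1; exit}')
  if [ -z "$ip" ]; then
    echo "FAIL: $1 did not resolve; check the Private DNS Zone VNet link" >&2; return 1
  elif is_rfc1918 "$ip"; then
    echo "OK: $1 -> $ip (private address, resolved via the Private DNS Zone)"
  else
    echo "FAIL: $1 -> $ip is not a private address" >&2; return 1
  fi
}

# Usage: sh check-aks-access.sh <storage-account-id> <vnet-id> <aks-private-fqdn>
if [ $# -eq 3 ]; then
  same_resource_group "$1" "$2" || echo "WARN: storage account and VNet are in different resource groups; Cloud Shell VNet setup will fail" >&2
  verify_private_api "$3"
fi
```

The three arguments come from `az storage account show --query id -o tsv`, `az network vnet show --query id -o tsv` and `az aks show --query privateFqdn -o tsv`.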