This guide outlines the steps to deploy and securely connect to an Azure Kubernetes Service (AKS) private cluster using Cloud Shell with VNet integration, following a hub-and-spoke network topology.
## Access Options Flow

For the purpose of this demonstration, access to the AKS private cluster will be established using Access Option 3.
To deploy the AKS private cluster with a private API server endpoint, follow these steps in the Azure Portal:
1. Navigate to AKS Service
2. Configure Basics
3. Click “Next” Until You Reach the Networking Tab
Proceed through the tabs (Node Pools, Authentication, etc.) until you reach Networking.
4. Enable Private Access
5. Edit the name of Infrastructure Resource Group
6. Click Review + Create, validate the configuration, and then click Create to deploy the cluster.
The following resources are provisioned as part of the AKS cluster deployment.
1. Locate the AKS Private DNS Zone
2. Link the VNet (the Hub VNet, in my case) to the Private DNS Zone
To configure Azure Cloud Shell with Virtual Network integration, the following components must be provisioned:
PS: The above resources are automatically deployed via the Azure Cloud Shell ARM template, except the File Share, which must be deployed manually. 👉 Important: Please make sure to check the section “Deploy Azure Relay Namespace” for additional deployment steps and configuration details.
### Create a Storage Account in Azure Portal
1. Go to Azure Portal
Navigate to https://portal.azure.com and sign in.
2. Search for “Storage Accounts”
In the top search bar, type Storage Accounts and select it.
3. Click “Create”
Click the + Create button to start the wizard.
4. Fill in the Basics:
#### Create a File Share Inside the Storage Account
1. Navigate to the Storage Account
Once deployed, go to the newly created storage account.
2. Select “File shares” from the left menu
Under Data storage, click File shares.
3. Click “+ File share”
Provide:
4. Creation in Progress
Your file share will be created and ready for use.
Cloud Shell needs access to certain Azure resources. You make that access available through resource providers. The following resource providers must be registered in your subscription:
Depending on when your tenant was created, some of these providers might already be registered.
To see all resource providers and the registration status for your subscription:
The Azure container instance ID is a unique value for every tenant.
Sign in to the Azure portal. From the home page, select Microsoft Entra ID. If the icon isn’t displayed, enter Microsoft Entra ID in the top search bar.
On the left menu, select Overview. Then enter azure container instance service in the search bar.
In the results, under Enterprise applications, select Azure Container Instance Service.
You use this ID in the quickstart template for the virtual network.
The Azure Relay namespace, along with all required network components and authorization settings, will be deployed automatically using an ARM Template.
🔗 Deploy via Azure Cloud Shell – VNet Quickstart Template
When deploying the Azure Cloud Shell ARM template, ensure that you:
⚠️ Important: If the Storage Account and VNet are not in the same resource group, Cloud Shell will not be able to associate the VNet with the Storage Account, and the configuration will fail.
1. Open Azure Cloud Shell
2. Access the Settings Menu
3. Select “Reset User Settings”
4. Confirm the Reset
5. Choose Your Shell Environment
6. Reconfigure Storage (if needed)
⚠️ Note: Resetting Cloud Shell will erase any files not stored in your mounted Azure File Share. Make sure important files are backed up.
7. Select an existing private virtual network
⚠️ Note: In this step you can choose whether or not to mount a storage account. Cloud Shell in a private virtual network using Azure Relay requires a storage account with a File Share.
8. Complete the Required Configuration Fields
9. Request a Cloud Shell in the private virtual network
⚠️ Important Note on ACI IP Visibility:
When verifying the IP address of the Azure Container Instance (ACI), you’ll notice that it is assigned from the Container Subnet configured during the deployment of the Azure Cloud Shell VNet. However, this IP address will not appear under Connected Devices in the Azure Portal’s Virtual Network view. This behavior is expected: ACI networking is fully managed by Azure and does not expose the container’s IP in the standard VNet device list.
💡 Community Request: If anyone has found a method to retrieve or surface this information within their subscription, please feel free to reach out to me.
1. Go to the AKS Resource
2. Click on the “Connect” Button
3. Launch Azure Cloud Shell
4. Run the Provided Command
The command usually looks like:

```bash
az aks get-credentials --resource-group <your-resource-group> --name <your-aks-cluster-name>
```
5. Connection Verification
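As an added example (not part of the original guide), the following script wraps the connection step: it reads the cluster's `privateFqdn` with the Azure CLI, confirms that the name resolves to an RFC 1918 address from inside Cloud Shell (which is what the Private DNS Zone link to the hub VNet provides), and only then fetches credentials and lists the nodes. It assumes Azure CLI, kubectl and getent are available in the session, as they are in Azure Cloud Shell.

```shell
#!/bin/sh
# Added example, not part of the original guide: check from the Cloud Shell session that
# the AKS private API server resolves to a private address before pulling credentials.
# Assumes Azure CLI, kubectl and getent are present (they are in Azure Cloud Shell).
set -eu

# Return 0 when a dotted-quad IPv4 address is in an RFC 1918 range
# (10/8, 172.16/12, 192.168/16); return 1 for anything else or malformed input.
is_private_ipv4() {
  oldifs=$IFS; IFS=.
  set -- $1            # split the address into octets
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  [ "$1" -eq 10 ] && return 0
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
  return 1
}

# Print the first IPv4 address a host name resolves to (empty if it does not resolve).
resolve_ipv4() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# verify_private_cluster <resource-group> <aks-cluster-name>
verify_private_cluster() {
  # privateFqdn is populated only for clusters deployed with a private API server.
  fqdn=$(az aks show --resource-group "$1" --name "$2" --query privateFqdn -o tsv)
  [ -n "$fqdn" ] || { echo "no privateFqdn: the cluster is not private" >&2; return 1; }
  # Resolution fails when the Private DNS Zone is not linked to the VNet Cloud Shell uses.
  ip=$(resolve_ipv4 "$fqdn")
  [ -n "$ip" ] || { echo "cannot resolve $fqdn: check the Private DNS Zone link" >&2; return 1; }
  is_private_ipv4 "$ip" || { echo "$fqdn resolved to public address $ip" >&2; return 1; }
  echo "API server $fqdn -> $ip (private)"
  az aks get-credentials --resource-group "$1" --name "$2" --overwrite-existing
  kubectl get nodes
}

# Run only when invoked with both arguments, so sourcing the file just defines the functions.
if [ $# -eq 2 ]; then verify_private_cluster "$1" "$2"; fi
```

If resolution fails or returns a public address, the script stops before `az aks get-credentials`, which is the symptom you will see when the Private DNS Zone link from the AKS deployment was not added for the VNet Cloud Shell runs in.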