Engineering Guides

Securing Kubernetes workloads by removing public endpoints and utilizing internal load balancers. Date Category 2025-12-01 Azure / Kubernetes Overview What: We will deploy a fully private Azure Kubernetes Service (AKS) cluster that is only accessible from within our Virtual Network (VNet). Why: To achieve a Zero Trust architecture where the API server and workloads have zero public visibility. This ensures that no part of the cluster is reachable from the public internet, reducing the attack surface to the absolute minimum. Who: Cloud Engineers and DevOps professionals looking to secure their container infrastructure. Prerequisites Azure CLI installed locally. Resource Group created for the AKS Cluster. Virtual Network (VNet) with a dedicated /24 subnet available for AKS. Firewall rule from on-premises to AKS subnet Route Table (UDR) associated with the AKS subnet containing a 0.0.0.0/0 route (required for --outbound-type userDefinedRouting). Hub & Spoke / Hybrid Connectivity: Ensure you have network line-of-sight to the VNet. This could be via: Site-to-Site (S2S) VPN or ExpressRoute (for on-prem hybrid access). Point-to-Site (P2S) VPN (for individual developer access). A Jumpbox VM inside the VNet. Firewall Requirements (Egress) For a private AKS cluster to function (pull system images, register nodes), your Azure Firewall must allow outbound HTTPS (443) access to these Global Microsoft FQDNs: ...