How can we improve the Azure Kubernetes Service (AKS)?

Secure AKS API from Public Internet

Managed K8s in Azure makes the AKS API publicly accessible via an Internet endpoint.
This Master node access is separate from the Agent nodes we stand up inside a VNet and can protect with interior private IPs and NSGs.

While access to the AKS-API is protected using Azure DDOS, and integration to AAD and RBAC for user access, some customer security organizations demand either IP whitelisting on it, or some type of firewalling to limit access to it to only their company. VNet Service Endpoint is another option, although not certain it can work. But that kind of protection is sought.
Reference: https://github.com/Azure/AKS/issues/572

216 votes

Steve DiStefano shared this idea
Started · AKS Team (Admin, Microsoft Azure) responded

We’ve started work on enabling you to create a set of authorized IP ranges that have access to the API server so that you can lock it down.

23 comments
