This Terraform configuration provisions an Azure Kubernetes Service (AKS) cluster within a dedicated VNET, and sets up a Bastion host in a separate subnet within a peered VNET. The AKS cluster is configured with private API access, accessible only via Bastion using Private DNS and VNet peering.
- Virtual Networks
  - AKS VNET in a separate resource group
  - Bastion VNET in a separate resource group
- Azure Bastion deployed in the Bastion Subnet
- AKS cluster deployed in the AKS Subnet with private API server
- Private DNS Zone linked to the Bastion VNET for AKS API resolution
- VNet Peering between the AKS VNET and the Bastion VNET
- All resources deployed using Terraform
- Create two virtual networks:
  - One for AKS in a separate resource group
  - One for Bastion in a separate resource group
- Deploy Azure Bastion into the Bastion Subnet
- Deploy AKS into the AKS Subnet with private cluster enabled
- Allow AKS to create a private DNS zone in its node resource group
- Configure VNet peering between the Bastion VNET and the AKS VNET (in both directions)
- Ensure network security groups (NSGs) and route tables allow the required traffic between the subnets: SSH/RDP from the Bastion subnet into the AKS subnet, and HTTPS (TCP 443) to the API server's private endpoint from wherever kubectl runs
- Use Azure CLI to fetch the autogenerated private DNS zone name from the AKS node resource group
- Use Azure CLI to create a virtual network link from that private DNS zone to the Bastion VNET
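As an added example (not this repository's own configuration), the following Terraform shows the pieces the steps above describe: two VNETs in separate resource groups, Azure Bastion in its required AzureBastionSubnet, two-way peering, and a private AKS cluster with `private_dns_zone_id = "System"` so that AKS creates the privatelink zone in its node resource group. Resource names, the region, VM size and address ranges are assumed placeholders; adjust them to your environment.

```hcl
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "aks" {
  name     = "rg-aks-demo"
  location = "westeurope"
}

resource "azurerm_resource_group" "bastion" {
  name     = "rg-bastion-demo"
  location = "westeurope"
}

# Address spaces must not overlap, or peering fails.
resource "azurerm_virtual_network" "aks" {
  name                = "vnet-aks"
  resource_group_name = azurerm_resource_group.aks.name
  location            = azurerm_resource_group.aks.location
  address_space       = ["10.10.0.0/16"]
}

resource "azurerm_subnet" "aks" {
  name                 = "snet-aks"
  resource_group_name  = azurerm_resource_group.aks.name
  virtual_network_name = azurerm_virtual_network.aks.name
  address_prefixes     = ["10.10.0.0/22"]
}

resource "azurerm_virtual_network" "bastion" {
  name                = "vnet-bastion"
  resource_group_name = azurerm_resource_group.bastion.name
  location            = azurerm_resource_group.bastion.location
  address_space       = ["10.20.0.0/16"]
}

# Azure Bastion requires a subnet literally named AzureBastionSubnet (/26 or larger).
resource "azurerm_subnet" "bastion" {
  name                 = "AzureBastionSubnet"
  resource_group_name  = azurerm_resource_group.bastion.name
  virtual_network_name = azurerm_virtual_network.bastion.name
  address_prefixes     = ["10.20.0.0/26"]
}

resource "azurerm_public_ip" "bastion" {
  name                = "pip-bastion"
  resource_group_name = azurerm_resource_group.bastion.name
  location            = azurerm_resource_group.bastion.location
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_bastion_host" "this" {
  name                = "bas-demo"
  resource_group_name = azurerm_resource_group.bastion.name
  location            = azurerm_resource_group.bastion.location
  ip_configuration {
    name                 = "ipconfig"
    subnet_id            = azurerm_subnet.bastion.id
    public_ip_address_id = azurerm_public_ip.bastion.id
  }
}

# Peering is one-way per resource; both directions are needed.
resource "azurerm_virtual_network_peering" "aks_to_bastion" {
  name                      = "peer-aks-to-bastion"
  resource_group_name       = azurerm_resource_group.aks.name
  virtual_network_name      = azurerm_virtual_network.aks.name
  remote_virtual_network_id = azurerm_virtual_network.bastion.id
}
resource "azurerm_virtual_network_peering" "bastion_to_aks" {
  name                      = "peer-bastion-to-aks"
  resource_group_name       = azurerm_resource_group.bastion.name
  virtual_network_name      = azurerm_virtual_network.bastion.name
  remote_virtual_network_id = azurerm_virtual_network.aks.id
}

resource "azurerm_kubernetes_cluster" "this" {
  name                    = "aks-private-demo"
  location                = azurerm_resource_group.aks.location
  resource_group_name     = azurerm_resource_group.aks.name
  dns_prefix              = "aksprivdemo"
  private_cluster_enabled = true
  private_dns_zone_id     = "System" # AKS creates the zone in its node resource group

  default_node_pool {
    name           = "system"
    node_count     = 1
    vm_size        = "Standard_D2s_v3"
    vnet_subnet_id = azurerm_subnet.aks.id
  }

  identity {
    type = "SystemAssigned"
  }
}

# Input for the Azure CLI steps that look up and link the generated zone.
output "node_resource_group" {
  value = azurerm_kubernetes_cluster.this.node_resource_group
}
```

After `terraform apply`, the two CLI steps use the output: `az network private-dns zone list -g "$(terraform output -raw node_resource_group)" --query "[0].name" -o tsv` returns the generated `<guid>.privatelink.<region>.azmk8s.io` zone, and `az network private-dns link vnet create -g <node-rg> -z <zone> -n link-bastion -v <bastion-vnet-id> -e false` links it to the Bastion VNET so hosts there resolve the private API FQDN. The link is done outside Terraform because with `"System"` the zone lives in the AKS-managed node resource group, which this configuration does not own; if you instead pre-create the zone and pass its ID as `private_dns_zone_id` (with a user-assigned identity holding Private DNS Zone Contributor), Terraform can manage the link as well. NSGs on the AKS subnet still need to admit SSH/RDP from the Bastion subnet, as step 8 above requires.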
- The Bastion host allows secure SSH/RDP access to resources in the AKS subnet without exposing them to the internet
- The AKS private API endpoint is not reachable from the internet
- DNS resolution of the AKS private API endpoint from the Bastion VNET works through the linked Private DNS Zone
- This setup secures access to AKS while keeping operational access available via Bastion
- Terraform >= 1.3
- AzureRM Provider >= 3.0
terraform init
terraform apply