Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to: ✔️ AKS Automatic ✔️ AKS Standard
An Azure Kubernetes Service (AKS) cluster configured with API Server VNet Integration projects the API server endpoint directly into a delegated subnet in the VNet where AKS is deployed. API Server VNet Integration enables network communication between the API server and the cluster nodes without requiring a private link or tunnel. The API server is available behind an internal load balancer VIP in the delegated subnet, which the nodes are configured to utilize. By using API Server VNet Integration, you can ensure network traffic between your API server and your node pools remains on the private network only.
For most production workloads, AKS Automatic is the recommended default AKS experience. AKS Automatic is production ready by default and includes API Server VNet Integration as a preconfigured cluster security capability. In AKS Standard, API Server VNet Integration is optional and you enable it during cluster creation or by updating an existing cluster.
To learn more about AKS Automatic, see What is Azure Kubernetes Service (AKS) Automatic?
API Server VNet Integration in AKS Automatic and AKS Standard
API Server VNet Integration is available in both AKS cluster modes, but setup differs:
- AKS Automatic: API Server VNet Integration is preconfigured.
- AKS Standard: API Server VNet Integration is optional and must be enabled explicitly.
For most production scenarios, start with AKS Automatic to use production-ready defaults and reduce operational overhead.
API server connectivity
The control plane or API server is in an AKS-managed Azure subscription. Your cluster or node pool is in your Azure subscription. The server and the virtual machines that make up the cluster nodes can communicate with each other through the API server VIP and pod IPs that are projected into the delegated subnet.
API Server VNet Integration is supported for public or private clusters. You can add or remove public access after cluster provisioning. Unlike non-VNet integrated clusters, the agent nodes always communicate directly with the private IP address of the API server internal load balancer (ILB) IP without using DNS. All node to API server traffic is kept on private networking, and no tunnel is required for API server to node connectivity. Out-of-cluster clients needing to communicate with the API server can do so normally if public network access is enabled. If public network access is disabled, you should follow the same private DNS setup methodology as standard private clusters.
Prerequisites
- You must have Azure CLI version 2.73.0 or later installed. You can check your version using the
az --versioncommand. - If you bring your own virtual network, review the virtual network prerequisites.
Limitations
The following limitations apply to API Server VNet Integration, whether it's preconfigured on AKS Automatic or explicitly enabled on AKS Standard:
- API Server VNet Integration doesn't support Virtual Network Encryption. Clusters deployed on v3 or earlier AKS node SKUs (which don't support VNet Encryption) are allowed, but traffic isn't encrypted. Clusters deployed on v4 or later AKS node SKUs (which support VNet Encryption) are blocked because encrypted VNets are incompatible with API Server VNet Integration. For more information, see AKS supported VM SKUs.
- To use dual-stack networking your cluster needs Kubernetes version 1.26.3 or later, network plugin
azureand network plugin modeoverlay. For more information, see Azure CNI cluster with dual-stack networking.
Availability
- API Server VNet Integration is available in all GA public cloud regions except qatarcentral.
Create a cluster with API Server VNet Integration
AKS Automatic (recommended default for production)
In AKS Automatic, API Server VNet Integration is preconfigured. No explicit --enable-apiserver-vnet-integration flag is required.
Create an AKS Automatic cluster by following the quickstart:
AKS Standard: managed VNet
You can configure AKS Standard clusters with API Server VNet Integration in managed VNet mode as public or private clusters.
Note
API Server VNet Integration isn't available in qatarcentral.
Create a resource group
Create a resource group using the az group create command.
az group create --location <location> --name <resource-group>
Deploy a public cluster
Deploy a public AKS Standard cluster with API Server VNet integration for managed VNet using the az aks create command with the --enable-apiserver-vnet-integration flag.
az aks create --name <cluster-name> \
--resource-group <resource-group> \
--location <location> \
--network-plugin azure \
--enable-apiserver-vnet-integration \
--generate-ssh-keys
Deploy a private cluster
Deploy a private AKS Standard cluster with API Server VNet integration for managed VNet using the az aks create command with the --enable-apiserver-vnet-integration and --enable-private-cluster flags.
az aks create --name <cluster-name> \
--resource-group <resource-group> \
--location <location> \
--network-plugin azure \
--enable-private-cluster \
--enable-apiserver-vnet-integration \
--generate-ssh-keys
AKS Standard: bring-your-own VNet
When you use bring-your-own VNet, you must create and delegate an API server subnet to Microsoft.ContainerService/managedClusters. This delegation grants the AKS service permissions to inject the API server pods and internal load balancer into that subnet. You can't use the subnet for any other workloads, but you can use it for multiple AKS clusters located in the same virtual network. The minimum supported API server subnet size is /28.
The cluster identity needs permissions to both the API server subnet and the node subnet. Lack of permissions at the API server subnet can cause a provisioning failure.
Warning
An AKS cluster reserves at least nine IPs in the subnet address space. Running out of IP addresses can prevent API server scaling and cause an API server outage.
Note
API Server VNet Integration isn't available in qatarcentral.
Create a resource group
Create a resource group using the az group create command.
az group create --location <location> --name <resource-group>
Create a virtual network
Create a virtual network using the
az network vnet createcommand.az network vnet create --name <vnet-name> \ --resource-group <resource-group> \ --location <location> \ --address-prefixes 172.19.0.0/16Create an API server subnet using the
az network vnet subnet createcommand.az network vnet subnet create --resource-group <resource-group> \ --vnet-name <vnet-name> \ --name <apiserver-subnet-name> \ --delegations Microsoft.ContainerService/managedClusters \ --address-prefixes 172.19.0.0/28Create a cluster subnet using the
az network vnet subnet createcommand.az network vnet subnet create --resource-group <resource-group> \ --vnet-name <vnet-name> \ --name <cluster-subnet-name> \ --address-prefixes 172.19.1.0/24
Create a managed identity and give it permissions on the virtual network
Create a managed identity using the
az identity createcommand.az identity create --resource-group <resource-group> --name <managed-identity-name> --location <location>Assign the Network Contributor role to the API server subnet using the
az role assignment createcommand.az role assignment create --scope <apiserver-subnet-resource-id> \ --role "Network Contributor" \ --assignee <managed-identity-client-id>Assign the Network Contributor role to the cluster subnet using the
az role assignment createcommand.az role assignment create --scope <cluster-subnet-resource-id> \ --role "Network Contributor" \ --assignee <managed-identity-client-id>
Deploy a public cluster
Deploy a public AKS cluster with API Server VNet integration using the az aks create command with the --enable-apiserver-vnet-integration flag.
az aks create --name <cluster-name> \
--resource-group <resource-group> \
--location <location> \
--network-plugin azure \
--enable-apiserver-vnet-integration \
--vnet-subnet-id <cluster-subnet-resource-id> \
--apiserver-subnet-id <apiserver-subnet-resource-id> \
--assign-identity <managed-identity-resource-id> \
--generate-ssh-keys
Deploy a private cluster
Deploy a private AKS cluster with API Server VNet integration using the az aks create command with the --enable-apiserver-vnet-integration and --enable-private-cluster flags.
az aks create --name <cluster-name> \
--resource-group <resource-group> \
--location <location> \
--network-plugin azure \
--enable-private-cluster \
--enable-apiserver-vnet-integration \
--vnet-subnet-id <cluster-subnet-resource-id> \
--apiserver-subnet-id <apiserver-subnet-resource-id> \
--assign-identity <managed-identity-resource-id> \
--generate-ssh-keys
Convert an existing AKS Standard cluster to API Server VNet Integration
Warning
API Server VNet Integration is a one-way, capacity-sensitive feature. When you enable API Server VNet Integration on an existing AKS Standard cluster, the following limitations apply:
- Manual restart required: After enabling API Server VNet Integration using
az aks update --enable-apiserver-vnet-integration, due to control plane resource transition, you must immediately restart the cluster for the change to take effect. This restart isn't automated. Delaying the restart increases the risk of capacity becoming unavailable, which can prevent the API server from starting. The cluster restart also ensures that all nodes reliably reconnect to the new API server endpoint. - Capacity is validated, but not reserved: AKS validates regional capacity when you enable the feature on an existing cluster, but this validation doesn't reserve capacity. If you delay the restart and capacity becomes unavailable in the meantime, the cluster might fail to start after a stop or restart. Clusters that enabled this feature before general availability (GA), or that haven't yet restarted since enablement, don't undergo capacity validation.
- Feature can't be disabled: Once enabled, the feature is permanent. You can't disable API Server VNet Integration.
This upgrade performs a node-image version upgrade on all node pools and restarts all workloads while they undergo a rolling image upgrade.
Warning
Converting a cluster to API Server VNet Integration results in a change of the API Server IP address, though the hostname remains the same. If you configure the IP address of the API server in any firewalls or network security group rules, you might need to update those rules.
Update your cluster to API Server VNet Integration using the
az aks updatecommand with the--enable-apiserver-vnet-integrationflag.az aks update --name <cluster-name> \ --resource-group <resource-group> \ --enable-apiserver-vnet-integration \ --apiserver-subnet-id <apiserver-subnet-resource-id>Restart your cluster using the [
az aks stop][az-aks-stop] and [az aks start][az-aks-start] commands.az aks stop --name <cluster-name> --resource-group <resource-group> az aks start --name <cluster-name> --resource-group <resource-group>
Enable or disable private cluster mode on an existing cluster with API Server VNet Integration
AKS clusters configured with API Server VNet Integration can have public network access/private cluster mode enabled or disabled without redeploying the cluster. The API server hostname doesn't change, but public DNS entries are modified or removed if necessary.
Note
--disable-private-cluster is currently in preview. For more information, see Reference and support levels.
Enable private cluster mode
Enable private cluster mode using the az aks update command with the --enable-private-cluster flag.
az aks update --name <cluster-name> \
--resource-group <resource-group> \
--enable-private-cluster \
--enable-apiserver-vnet-integration \
--apiserver-subnet-id <apiserver-subnet-resource-id>
Disable private cluster mode
Disable private cluster mode using the az aks update command with the --disable-private-cluster flag.
az aks update --name <cluster-name> \
--resource-group <resource-group> \
--disable-private-cluster
Connect to cluster using kubectl
Configure kubectl to connect to your cluster using the az aks get-credentials command.
az aks get-credentials --resource-group <resource-group> --name <cluster-name>
Expose the API server through Private Link
You can expose the API server endpoint of a private cluster with API Server VNet Integration using Azure Private Link. The following steps show how to create a Private Link Service (PLS) in the cluster VNet and connect to it from another VNet or subscription using a Private Endpoint.
Note
API Server VNet Integration isn't available in qatarcentral.
Create an API Server VNet Integration Private cluster
Create a private AKS cluster with API Server VNet Integration using the az aks create command with the --enable-apiserver-vnet-integration and --enable-private-cluster flags.
az aks create --name <cluster-name> \
--resource-group <resource-group> \
--location <location> \
--enable-private-cluster \
--enable-apiserver-vnet-integration
For more guidance on how to set up Private Link with API Server VNet Integration, see Private Link with API Server VNet Integration.
Network security group (NSG) security rules
All traffic within the VNet is allowed by default. But if you have added NSG rules to restrict traffic between different subnets, ensure that the NSG security rules permit the following types of communication:
| Destination | Source | Protocol | Port | Use |
|---|---|---|---|---|
| APIServer Subnet CIDR | Cluster Subnet | TCP | 443 and 4443 | Required to enable communication between Nodes and the API server. |
| APIServer Subnet CIDR | Azure Load Balancer | TCP | 9988 | Required to enable communication between Azure Load Balancer and the API server. You can also enable all communications between the Azure Load Balancer and the API Server Subnet CIDR. |
Related content
- Create an AKS Automatic cluster
- For associated best practices, see Best practices for network connectivity and security in AKS.
- For guidance on how to set up private link with API Server VNet Integration, see Private Link with API Server VNet Integration.