Let's see how we can use a static public IP as the egress IP for an AKS cluster.
Prerequisite
- Azure Account
- Configured Azure CLI for the Azure Subscription
- Terraform AKS cluster project
Create IP resource
We first need to create a Public IP address that the AKS cluster can use.
Login to Azure portal > Create a Resource Group
Choose your subscription and provide a name for the resource group, e.g. Name: StaticIpExample.
Under the newly created StaticIpExample resource group, create a Public IP address resource.
Provide a name, e.g. Name: MyStaticIp, and make sure the subscription and resource group are set to the correct values. Once verified, create the resource.
This will create a public IP for you.
Load the Public IP into Terraform
Open the aks-cluster.tf file from the Terraform project and add the following new block to it.
data "azurerm_public_ip" "egress" {
  name                = "MyStaticIp"
  resource_group_name = "StaticIpExample"
}
Once added, run terraform plan and verify the changes. This block loads the existing azurerm_public_ip resource named MyStaticIp from the StaticIpExample resource group.
Use the static IP in AKS cluster
Now the static IP loaded above should be referenced in the AKS cluster declaration so that it is used as the egress IP.
Open the aks-cluster.tf file and add the following block inside the resource "azurerm_kubernetes_cluster" "default" { block.
network_profile {
  network_plugin = "kubenet"
  load_balancer_profile {
    outbound_ip_address_ids = [data.azurerm_public_ip.egress.id]
  }
}
The block sets kubenet as the network plugin and sets the previously loaded static public IP as the outbound IP address of the cluster's load balancer.
Provide Access to AKS Cluster
If the Public IP address resource and the AKS cluster are in two different resource groups, the AKS cluster must be granted access to use the IP address in the other resource group.
Create a User Assigned Managed Identity resource in the resource group where the Public IP address resource is present, in our case StaticIpExample, and provide a name, e.g. Name: IpIdentity.
Open the Public IP address resource MyStaticIp, navigate to Access Control (IAM) > Add role assignment > choose the Contributor role under privileged administrator roles (or choose the role that best matches your needs) > Next > choose Managed Identity > select the newly created Managed Identity > Next > Review + assign.
This grants the Managed Identity IpIdentity access to manage the Public IP address resource MyStaticIp.
Load the created managed identity into Terraform.
Open the aks-cluster.tf file and add the following block.
data "azurerm_user_assigned_identity" "ip_identity" {
  name                = "IpIdentity"
  resource_group_name = "StaticIpExample"
}
The managed identity data source declared above should be used in the AKS cluster so that the cluster can access the Public IP address resource in the other resource group.
Open the aks-cluster.tf file and add the following block inside the resource "azurerm_kubernetes_cluster" "default" { block.
identity {
  type = "UserAssigned"
  identity_ids = [
    data.azurerm_user_assigned_identity.ip_identity.id
  ]
}
That's all. Running terraform plan and then terraform apply should now create an AKS cluster that uses our defined static IP address as its egress IP.
This ensures the cluster's egress IP doesn't change when the cluster is deleted and re-created.
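As an added example (not the post's own aks-cluster.tf), here is the whole procedure assembled into one Terraform configuration. It differs from the post in two deliberate ways: it creates the public IP and the managed identity in Terraform instead of reading portal-created ones with data sources, and it replaces the portal's Contributor assignment with the narrower Network Contributor role scoped to the single IP resource, which is the permission AKS documents as needed for bring-your-own outbound IPs. The region, the AKS resource group name, cluster name, DNS prefix and node VM size are assumptions; the names StaticIpExample, MyStaticIp and IpIdentity come from the post.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Resource group that holds the static IP and the identity (names from the post).
resource "azurerm_resource_group" "ip" {
  name     = "StaticIpExample"
  location = "westeurope" # assumed region, change to yours
}

# An AKS outbound IP must be a Standard SKU IP with Static allocation;
# a Basic/Dynamic IP is rejected by the standard load balancer.
resource "azurerm_public_ip" "egress" {
  name                = "MyStaticIp"
  resource_group_name = azurerm_resource_group.ip.name
  location            = azurerm_resource_group.ip.location
  allocation_method   = "Static"
  sku                 = "Standard"
}

# Identity the cluster runs as.
resource "azurerm_user_assigned_identity" "ip_identity" {
  name                = "IpIdentity"
  resource_group_name = azurerm_resource_group.ip.name
  location            = azurerm_resource_group.ip.location
}

# Least-privilege replacement for the portal's Contributor assignment:
# Network Contributor, scoped to this one IP rather than the whole group.
resource "azurerm_role_assignment" "ip_identity_network" {
  scope                = azurerm_public_ip.egress.id
  role_definition_name = "Network Contributor"
  principal_id         = azurerm_user_assigned_identity.ip_identity.principal_id
}

# Separate resource group for the cluster (assumed name), so the IP really
# lives in a different group, which is the case the post covers.
resource "azurerm_resource_group" "aks" {
  name     = "AksExample"
  location = azurerm_resource_group.ip.location
}

resource "azurerm_kubernetes_cluster" "default" {
  name                = "aks-static-egress" # assumed
  location            = azurerm_resource_group.aks.location
  resource_group_name = azurerm_resource_group.aks.name
  dns_prefix          = "aks-static-egress" # assumed

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_DS2_v2" # assumed
  }

  # Run as the identity that holds the role assignment on the IP.
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.ip_identity.id]
  }

  # Pin the cluster's SNAT (egress) address to our IP.
  network_profile {
    network_plugin    = "kubenet"
    load_balancer_sku = "standard"
    load_balancer_profile {
      outbound_ip_address_ids = [azurerm_public_ip.egress.id]
    }
  }

  # Make sure the role assignment exists before AKS tries to attach the IP.
  depends_on = [azurerm_role_assignment.ip_identity_network]
}

# Handy for allow-listing the cluster on the other side of the connection.
output "egress_ip" {
  value = azurerm_public_ip.egress.ip_address
}
```

The explicit depends_on matters because the cluster creation fails with an authorization error if AKS tries to attach the IP before the role assignment exists; Azure RBAC assignments can also take a short while to propagate, so a retry of terraform apply may be needed right after the first run. Since the IP is a Terraform-managed resource here, a terraform destroy of this configuration also deletes the IP; keep the IP in a separate state (or use the post's data-source approach) if the address must outlive the cluster. After apply, verify the result from inside the cluster by running a throwaway pod that fetches its apparent public address from an IP echo service and comparing it with the egress_ip output.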