Preserve private endpoint when stopping and starting an AKS cluster #2745
Comments
Hi arcezd, AKS bot here 👋 I might be just a bot, but I'm told my suggestions are normally quite good, as such:
Triage required from @Azure/aks-pm
Action required from @Azure/aks-pm
Issue needing attention of @Azure/aks-leads
Any updates on this?
Any chance we got any response here? This is starting to be a major problem for our non-production workloads
Hello! Please can you provide an update on this? It is a much needed feature
@andyzhangx , @djdongjin , @raghulmsft, @Azure apologies, but is anyone working on/considering this request?
This also caused us several hours of work to retrace and reconfigure things
The need to recreate the private endpoint is the main reason why we don't stop our AKS clusters. We could of course put effort into creating our own version of the reconfiguration script, but I would much rather have a supported/built-in solution from Microsoft. My use cases:
you can use private cluster with APIServer Vnet Integration. The private ip will be reserved during stop/start.
We connect from remote vnets without line of sight so that doesn't solve our problem.
Just open a ticket about it to Azure support to see if they have something planned to solve this issue.
Maybe you can try UDR when ingressing to vnet\local FW from remote (I'm guessing peered?) vnet?
Nope, no peering. No line of sight. You can create private endpoints to any vnet anywhere in azure, totally disconnected networks.
What is the status of this issue?
What's the status of this issue? Due to this, the start and stop feature is almost unusable in the case of private clusters.
Any updates on this issue? Having to re-provision the private endpoint every time the cluster stops is a pain in the ass
From AKS perspective, we have to recreate the private endpoint during stop/start in order to build the private connection. Right now, we don't have any future plan on private v1 cluster (implemented by private link).
This issue has been automatically marked as stale because it has not had any activity for 21 days. It will be closed if no further activity occurs within 7 days of this comment.
This issue will now be closed because it hasn't had any activity for 7 days after stale. arcezd feel free to comment again in the next 7 days to reopen or open a new issue after that time if you still have a question/issue or suggestion.
What happened:
We need to stop and start our development AKS cluster daily, just to avoid costs when it's not in use. This cluster is a private cluster, so we access the Kubernetes API server through a private endpoint.
We have a third-party network virtual appliance firewall solution deployed at our tenant to inspect/allow/block traffic between vnets or even on-premise to Azure.
According to the private endpoints documentation (and our tests), we need to register every private endpoint IP to the Azure Route Table to force the traffic to pass through the firewall.
Use Azure Firewall to inspect traffic destined to a private endpoint
We know that, according to the documentation Stop and Start an Azure Kubernetes Service (AKS) cluster:
So is there any workaround, or any chance of a feature request to preserve the private endpoint, so we don't need to recreate it every time we stop and start the cluster?
What you expected to happen:
We expect an option to preserve the IP of the private endpoint when we stop and start the cluster.
How to reproduce it (as minimally and precisely as possible):
Deploy an AKS with a private endpoint, and stop and start the cluster.
Anything else we need to know?:
Environment:
kubectl version
Size of cluster: 4 nodes
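One way to build what the thread calls "our own version of the reconfiguration script": after `az aks start`, read the private endpoint's newly allocated IP from the node resource group and reconcile the firewall UDR so API-server traffic keeps going through the NVA. This is an added example, not code from the AKS project or from anyone in the thread. It assumes the topology the issue describes (one /32 route per private endpoint IP, next hop the firewall appliance); the cluster, resource group, route table and route names are placeholders, the `az` subcommands and the JSON fields `customDnsConfigs[].ipAddresses`, `routes[].addressPrefix` and `routes[].nextHopIpAddress` are real, and the sample JSON at the bottom is constructed.

```python
"""Re-point the firewall UDR at the AKS API-server private endpoint after a
stop/start cycle. Added illustration (not AKS project code); see lead-in for
the assumptions. Names are placeholders, sample JSON is constructed."""
import ipaddress
import json
import subprocess
from typing import Optional


def private_endpoint_ip(pe: dict) -> Optional[str]:
    """Allocated private IP from `az network private-endpoint show` JSON
    (the customDnsConfigs[].ipAddresses field)."""
    for cfg in pe.get("customDnsConfigs") or []:
        for ip in cfg.get("ipAddresses") or []:
            ipaddress.ip_address(ip)  # ValueError if the CLI handed back garbage
            return ip
    return None


def plan_route(routes: list, route_name: str, new_ip: str, firewall_ip: str) -> dict:
    """Decide what the route table needs so traffic to new_ip is forced through
    the firewall. `routes` is the routes array of `az network route-table show`."""
    new_prefix = f"{new_ip}/32"
    covering = [r for r in routes if r.get("addressPrefix") == new_prefix]
    # A route that already covers the new IP but bypasses the firewall is an
    # inspection gap: correct it before anything else.
    for r in covering:
        if r.get("nextHopIpAddress") != firewall_ip:
            return {"action": "fix-next-hop", "route": r["name"],
                    "prefix": new_prefix, "next_hop": firewall_ip}
    if covering:
        return {"action": "noop", "route": covering[0]["name"], "prefix": new_prefix}
    current = next((r for r in routes if r.get("name") == route_name), None)
    if current is None:
        return {"action": "create", "route": route_name,
                "prefix": new_prefix, "next_hop": firewall_ip}
    # The usual post-start case: new endpoint IP, route still carries the old one.
    return {"action": "update", "route": route_name,
            "old_prefix": current.get("addressPrefix"),
            "prefix": new_prefix, "next_hop": firewall_ip}


def az_command(plan: dict, resource_group: str, route_table: str) -> list:
    """Translate a plan into the `az network route-table route` argv."""
    if plan["action"] == "noop":
        return []
    verb = "create" if plan["action"] == "create" else "update"
    return ["az", "network", "route-table", "route", verb,
            "-g", resource_group, "--route-table-name", route_table,
            "-n", plan["route"], "--address-prefix", plan["prefix"],
            "--next-hop-type", "VirtualAppliance",
            "--next-hop-ip-address", plan["next_hop"]]


def az_json(args: list):
    """Run an az command and parse its JSON output (needs a logged-in az CLI)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def reconcile(cluster: str, cluster_rg: str, route_rg: str, route_table: str,
              route_name: str, firewall_ip: str, apply: bool = False) -> dict:
    """Discover the endpoint IP after `az aks start` and reconcile the UDR.
    With apply=False this only reports the plan, which makes it a drift check."""
    node_rg = az_json(["aks", "show", "-g", cluster_rg, "-n", cluster,
                       "--query", "nodeResourceGroup"])
    endpoints = az_json(["network", "private-endpoint", "list", "-g", node_rg])
    ip = next((i for i in map(private_endpoint_ip, endpoints) if i), None)
    if ip is None:
        raise RuntimeError(f"no private endpoint with an IP in {node_rg}")
    table = az_json(["network", "route-table", "show", "-g", route_rg, "-n", route_table])
    plan = plan_route(table.get("routes") or [], route_name, ip, firewall_ip)
    cmd = az_command(plan, route_rg, route_table)
    if apply and cmd:
        subprocess.run(cmd, check=True)
    return plan


# Constructed sample: the endpoint came back as .7 after a stop/start while the
# route table still sends .4 to the firewall NVA at 10.0.0.4.
SAMPLE_PE = {"customDnsConfigs": [{"fqdn": "placeholder.privatelink.example",
                                   "ipAddresses": ["10.10.1.7"]}]}
SAMPLE_ROUTES = [{"name": "aks-apiserver-pe", "addressPrefix": "10.10.1.4/32",
                  "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.0.4"}]

if __name__ == "__main__":
    plan = plan_route(SAMPLE_ROUTES, "aks-apiserver-pe",
                      private_endpoint_ip(SAMPLE_PE), "10.0.0.4")
    print(plan)
    print(" ".join(az_command(plan, "rg-hub-network", "rt-hub")))
```

Run `reconcile(..., apply=False)` from the same automation that issues `az aks start` to see what would change, and `apply=True` to write it; the `fix-next-hop` branch is the case worth alerting on, since a route that covers the endpoint IP but does not point at the firewall means API-server traffic is skipping inspection.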