Connecting to a Private AKS Cluster with Azure Bastion – No Jump Box Needed!

If you have been following me for a while, you will know I am a big fan of Private AKS clusters. Keeping your API server off the public internet is one of the easiest wins for improving cluster security.

The problem?
Connecting to them has never been that smooth.

With a private cluster, you cannot just run kubectl from your laptop unless you are connected to the same virtual network. That usually means setting up a site-to-site VPN or point-to-site VPN so your machine can talk to the cluster.

If you did not want to deal with VPNs, the other option was to set up a jump box VM inside the VNet. You would connect via Azure Bastion, RDP, or SSH into the jump box VM, install the Azure CLI and kubectl, and run commands from there.

It works, but:

  • You have another VM to manage, patch, and pay for
  • It is slower to get connected
  • It is not a great developer experience

Enter a new feature of Azure Bastion for AKS

This is a feature I have been waiting for since I first heard about Bastion. (I was even part of the private preview).
Azure Bastion has always been great for connecting to VMs without exposing RDP or SSH ports to the internet. Now it can do something even better and connect you to a Private AKS cluster without a jump box.

No messing with NSGs, no spinning up temporary VMs. Just a secure tunnel from your local CLI to your private API server.

What You Need

Before you get started, you will need:

  • The Azure CLI installed locally
  • kubectl installed locally
  • An Azure Bastion instance deployed in the same VNet (or peered VNet) as your AKS cluster
  • The Bastion must be Standard or Premium SKU and have native client support enabled in its configuration settings
  • Your cluster MUST have a public FQDN.

If you are already using Bastion for VM access, you are basically halfway there.

Oh, and if you are using Bastion to connect to a public cluster that has API server authorized IP ranges configured, you will need to add the public IP address of your Bastion to that allow list. Otherwise, your connection will be blocked before it even starts. Yes, that's right, it is not only usable for private clusters!

You will also need the following Azure roles assigned:

  • Reader role on the AKS cluster
  • Reader role on the Azure Bastion resource
  • Reader role on the virtual network of the target AKS cluster (if the Bastion is deployed in a peered VNet)

How to Connect

Once you have everything set up, open a terminal, sign in with az login, and select the subscription your AKS cluster is running in:

Next, connect to your AKS cluster by running:

Now it’s time to get the Bastion tunnel up. To do so use the following command:

If this is the first time you have run this command, it will ask if you want to install the aks-preview extension. Just press y. Next it will ask you to install the bastion extension; again, just press y to install it.

Once both extensions have been installed, you will be presented with a sub-shell. This is where you can run kubectl.

If you read the text you will see what running this command has actually done.

Now, you can go ahead and run kubectl get pods -A to see all your pods.
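The steps above, collected into one POSIX shell script as an added example (this is not code from the original post). The subscription ID, resource group, cluster name and Bastion resource ID are placeholders you replace with your own; the `az aks bastion` parameter names (`--name`, `--resource-group`, `--bastion`) are assumed from the aks-preview extension. The script refuses to run if the Bastion value is only a name rather than the full resource ID, which is the mistake the command gives the least helpful error for, and `DRY_RUN=1` prints the commands without calling the Azure CLI so you can review them first.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Placeholder values below are
# constructed; replace them with your own before running.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-aks-private}"                          # placeholder
CLUSTER_NAME="${CLUSTER_NAME:-aks-private}"                                 # placeholder
# The Bastion must be passed as a full ARM resource ID (assumed --bastion parameter).
BASTION_ID="${BASTION_ID:-/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/rg-network/providers/Microsoft.Network/bastionHosts/bas-hub}"

# Check that a value looks like a bastionHosts ARM resource ID, not just a name.
is_bastion_resource_id() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Network/bastionHosts/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Echo each command; execute it unless DRY_RUN=1.
run_step() {
  echo "+ $*"
  [ "${DRY_RUN:-0}" = "1" ] || "$@"
}

# The connection procedure: sign in, select subscription, fetch kubeconfig,
# then open the Bastion tunnel sub-shell (run kubectl get pods -A inside it).
connect() {
  if ! is_bastion_resource_id "$BASTION_ID"; then
    echo "BASTION_ID must be a full Bastion resource ID, got: $BASTION_ID" >&2
    return 1
  fi
  if [ "${DRY_RUN:-0}" != "1" ] && ! command -v az >/dev/null 2>&1; then
    echo "Azure CLI (az) not found on PATH" >&2
    return 1
  fi
  run_step az login
  run_step az account set --subscription "$SUBSCRIPTION_ID"
  run_step az aks get-credentials --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME"
  # Assumed aks-preview syntax; prompts to install aks-preview and bastion extensions on first use.
  run_step az aks bastion --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" --bastion "$BASTION_ID"
}

# Only connect when explicitly asked, so the file can be sourced without side effects.
if [ "${RUN_CONNECT:-0}" = "1" ]; then
  connect
fi
```

Run it with `RUN_CONNECT=1 DRY_RUN=1 sh connect-aks-bastion.sh` to see the exact commands, then drop `DRY_RUN` to connect for real; the Bastion ID check runs in both modes.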

You are now talking to your private AKS cluster securely without leaving your machine. How cool is that?

Why This is a Big Deal

For me, this is all about simplicity and security.

  • No more jump boxes
    Less infrastructure to deploy, patch, and pay for, and no need for a VPN!
  • Consistent developer workflow
    You can work the same way you would with a public cluster.
  • Keeps your API server private
    No public endpoint and no internet exposure.
  • Faster onboarding
    New team members can connect without messing around with VM access.

Final Thoughts

This is the kind of feature that might not make flashy headlines but if you work with AKS day-to-day it is a massive improvement.

What I would love to see one day is that when I am deploying an AKS cluster, say, via the portal, there is a tick box to deploy the Bastion and connect it all up so I don't need to supply the Bastion resource ID. And if that could then be done via Infrastructure as Code (IaC), it would be even better. As Friends don't let Friends deploy via the Portal.
