Using Azure Private Link Service Integration on AKS

In some cases, you may want to create a private link for the services that you host on an AKS cluster. With a private link, clients or services outside of the AKS cluster can reach your services on the cluster via private endpoints, without exposing them on a public IP.

A typical use case is that you want to use Azure Front Door as the load balancer in front of the services running on your AKS cluster. In this case, you would create a private link for your services, and configure Azure Front Door to connect to your services via the private link.

Creating a private link service manually is not a complex task, and there are documents describing how to do it with different tools, although you still need a basic understanding of the private link service concept. The only issue with creating the private link manually for services on an AKS cluster is lifecycle management: the creation of Kubernetes services is managed by Kubernetes itself, while the creation of the private link is managed separately, which adds operational overhead.

This is where the Azure Private Link Service Integration comes in. It is a feature of the Kubernetes Azure cloud provider that allows Kubernetes to create and manage the lifecycle of the private link. You just need to add the necessary annotations to the Kubernetes services that you want to expose via the private link, and the Azure cloud provider does the rest.
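As an added example (not the author's sample chart), here is what those annotations look like as Helm values for the ingress-nginx controller Service, with the private link service locked down to a single consumer subscription. The names `pls-ingress-nginx` and `snet-pls` and the `<subscription-id>` value are placeholders to replace with your own.

```yaml
# values.yaml for the ingress-nginx Helm chart (constructed example)
controller:
  service:
    annotations:
      # Private Link Service integration only works with an internal
      # Standard Load Balancer, so the ingress gets no public IP at all.
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"

      # Ask the Azure cloud provider to create (and later delete) the PLS
      # together with this Service instead of managing it by hand.
      service.beta.kubernetes.io/azure-pls-create: "true"
      service.beta.kubernetes.io/azure-pls-name: "pls-ingress-nginx"

      # Subnet in the cluster VNet used for the PLS NAT IPs. It must have
      # private link service network policies disabled (placeholder name).
      service.beta.kubernetes.io/azure-pls-ip-configuration-subnet: "snet-pls"
      service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address-count: "1"

      # Least exposure: only the listed subscription can discover the PLS,
      # and only it gets its private endpoint connections auto-approved.
      # Using "*" for visibility would make the PLS discoverable by anyone.
      service.beta.kubernetes.io/azure-pls-visibility: "<subscription-id>"
      service.beta.kubernetes.io/azure-pls-auto-approval: "<subscription-id>"

      # Leave PROXY protocol off unless nginx is also configured with
      # use-proxy-protocol; a mismatch breaks every connection.
      service.beta.kubernetes.io/azure-pls-proxy-protocol: "false"
```

Private endpoint connections from subscriptions outside the auto-approval list stay pending until an operator approves them on the private link service in Azure.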

Here is a sample that I created to show how to deploy an nginx ingress controller and expose it via a private link. The sample is a simple Helm chart derived from the official nginx ingress controller chart, with custom values that include the annotations for the private link.