Skip to content

rhummelmose/private-aks-dns-zone-linker-function-app

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits

.vscode-defaults

.vscode-defaults

 
 

private-aks-dns-zone-linker

private-aks-dns-zone-linker

 
 

.funcignore

.funcignore

 
 

.gitignore

.gitignore

 
 

LICENSE.md

LICENSE.md

 
 

README.md

README.md

 
 

host.json

host.json

 
 

local.settings.json-default

local.settings.json-default

 
 

package.json

package.json

 
 

tsconfig.json

tsconfig.json

 
 

Repository files navigation

private-aks-dns-zone-linker-function-app

This function was built to allow enterprises with hub/spoke networking topologies in Azure, using their own DNS to enable name resolution to/from on-premises to use private link enabled AKS clusters as per the documentation (https://docs.microsoft.com/en-us/azure/aks/private-clusters#hub-and-spoke-with-custom-dns).

Does this apply to you checklist

  • Do you have a hub/spoke networking topology in Azure?
  • Do you provision your own DNS server in hub networks to allow connectivity to/from on-premises?
  • Do you need private link enabled clusters provisioned without manual intervention?

If you can answer yes to the above, and BYO DNS still isn't available for AKS private clusters, then it does.

What does the function do

  1. It triggers when new resources are created, reacting only to private DNS zones created by AKS
  2. Gets a list of target VNets from the environment, for which a link from the private DNS zone should be created
  3. Creates said links

Instructions

  1. Create a new function app with runtime stack node version 12
  2. Enable system managed identity on the function app
  3. Grant Network Contributor and DNS Contributor roles to the function app's identity
  4. On the function app, add a new application configuration variable: PRIVATE_AKS_DNS_ZONE_LINKER_AUTHENTICATION_TYPE with value APP_SERVICE_MSI
  5. base64 encode a JSON array of your hub vnet resource ids. Ie. echo -n '["id1", "id2"]' | base64
  6. On the function app, add a new application configuration variable: PRIVATE_AKS_DNS_ZONE_LINKER_TARGET_VNETS with a value derived from the previous bullet.
  7. Run command tsc to compile the function app - requires TypeScript (https://www.typescriptlang.org/#download-links)
  8. Run command func azure functionapp publish to publish the function - requires azure-functions-core-tools (https://github.com/Azure/azure-functions-core-tools)
  9. Subscribe the function to all events on the subscriptions relevant

IMPORTANT

Even though the function only reacts to events of type ResourceWriteSuccess on the private DNS zone resource type, I've found that when applying any filters at all a significant delay is sometimes introduced from action to event, causing the function not to run in time. Sometimes the delay has been hours.

I haven't been able to break it when subscribing to ALL events on a given subscription.

About

Use custom DNS with Azure AKS private clusters

Topics

azure aks azure-kubernetes-service private-link

Resources

Readme

License

MIT license
Activity

Stars

10 stars

Watchers

5 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages