Azure Private Link Service
Azure Private Link Service (PLS) is an infrastructure component that allows users to connect privately through a Private Endpoint (PE) in a VNET in Azure to a Frontend IP Configuration associated with an Azure Load Balancer (ALB). With Private Link, customers acting as service providers can securely expose their services to consumers who connect from inside Azure or from on-premises, without data exfiltration risks.
Before Private Link Service integration, users who wanted private connectivity from on-premises or from other VNETs to their services in an Azure Kubernetes cluster had to create a Private Link Service (PLS) referencing the Azure Internal Load Balancer. The consumer would then create a Private Endpoint (PE) connecting to that PLS to get non-public connectivity. With this feature, a managed PLS for the LB is created automatically, and the consumer only needs to create PE connections to it for private connectivity.
Currently, the managed private link service works only with the Azure Internal Standard Load Balancer. Users who want to use a private link service for their Kubernetes services must set the annotation service.beta.kubernetes.io/azure-load-balancer-internal to true (Doc).
PrivateLinkService annotations
Below is the list of annotations supported for Kubernetes services for which an Azure PLS is created:

| Annotation | Value | Description | Required | Default |
|---|---|---|---|---|
| `service.beta.kubernetes.io/azure-pls-create` | `"true"` | Boolean indicating whether a PLS should be created. | Required | |
| `service.beta.kubernetes.io/azure-pls-name` | `<PLS name>` | String specifying the name of the PLS resource to be created. | Optional | `"pls-<LB frontend config name>"` |
| `service.beta.kubernetes.io/azure-pls-ip-configuration-subnet` | `<Subnet name>` | String indicating the subnet to which the PLS will be deployed. This subnet must exist in the same VNET as the backend pool. PLS NAT IPs are allocated within this subnet. | Optional | If `service.beta.kubernetes.io/azure-load-balancer-internal-subnet` is set, that LB subnet is used. Otherwise, the default subnet from the config file is used. |
| `service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address-count` | `[1-8]` | Total number of private NAT IPs to allocate. | Optional | 1 |
| `service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address` | `"10.0.0.7 ... 10.0.0.10"` | A space-separated list of static IPv4 addresses to be allocated. (IPv6 is not supported right now.) The total number of IPs must not be greater than the IP count specified in `service.beta.kubernetes.io/azure-pls-ip-configuration-ip-address-count`. If fewer IPs are specified, the rest are dynamically allocated. The first IP in the list is set as Primary. | Optional | All IPs are dynamically allocated. |
| `service.beta.kubernetes.io/azure-pls-fqdns` | `"fqdn1 fqdn2"` | A space-separated list of FQDNs associated with the PLS. | Optional | `[]` |
| `service.beta.kubernetes.io/azure-pls-proxy-protocol` | `"true"` or `"false"` | Boolean indicating whether the TCP PROXY protocol should be enabled on the PLS to pass through connection information, including the link ID and source IP address. Note that the backend service MUST support the PROXY protocol or the connections will fail. | Optional | `false` |
| `service.beta.kubernetes.io/azure-pls-visibility` | `"sub1 sub2 sub3 … subN"` or `"*"` | A space-separated list of Azure subscription IDs for which the private link service is visible. Use `"*"` to expose the PLS to all subscriptions (least restrictive). | Optional | Empty list `[]`, meaning role-based access control only: the private link service is available only to identities with role-based access control permissions within your directory (most restrictive). |
| `service.beta.kubernetes.io/azure-pls-auto-approval` | `"sub1 sub2 sub3 … subN"` | A space-separated list of Azure subscription IDs. PE connection requests from the listed subscriptions to the PLS are approved automatically. This only works when visibility is set to `"*"`. | Optional | `[]` |
For more details on each setting, refer to the Azure Private Link Service documentation.
Managed PrivateLinkService Creation
An example of creating a Kubernetes Service object with an Azure ILB and a PLS: kcdplscreation.yaml
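Because a misconfigured annotation set either fails at reconciliation or, with visibility "*", exposes the PLS to every Azure subscription, it is worth linting the annotations before applying the manifest. The following is an added example, not the page's own manifest nor code from the Azure cloud provider: a small Python pre-deployment check that encodes the rules from the table above (internal LB required, 1-8 NAT IPs, static IPv4 list no longer than the count, boolean proxy-protocol, auto-approval only effective with visibility "*") and runs it over a constructed annotation set; the subscription id and service names are placeholders, and the ERROR/WARN labels are this example's own convention.

```python
import ipaddress

PFX = "service.beta.kubernetes.io/"  # annotation key prefix used by the cloud provider


def check_pls_annotations(ann: dict) -> list:
    """Apply the annotation-table rules; returns 'ERROR: ...'/'WARN: ...' findings."""
    out = []
    if ann.get(PFX + "azure-pls-create") != "true":
        return out  # no managed PLS requested, nothing to check
    if ann.get(PFX + "azure-load-balancer-internal") != "true":
        out.append("ERROR: managed PLS needs an internal Standard LB "
                   "(azure-load-balancer-internal=true)")
    count_raw = ann.get(PFX + "azure-pls-ip-configuration-ip-address-count", "1")
    count = int(count_raw) if count_raw.isdigit() else None
    if count is None or not 1 <= count <= 8:
        out.append(f"ERROR: ip-address-count must be 1-8, got {count_raw!r}")
    ips = ann.get(PFX + "azure-pls-ip-configuration-ip-address", "").split()
    for ip in ips:  # static NAT IPs must be valid IPv4 (IPv6 unsupported)
        try:
            if ipaddress.ip_address(ip).version != 4:
                out.append(f"ERROR: static IP {ip} is not IPv4")
        except ValueError:
            out.append(f"ERROR: static IP {ip!r} is not a valid address")
    if count is not None and len(ips) > count:
        out.append(f"ERROR: {len(ips)} static IPs exceed ip-address-count={count}")
    proxy = ann.get(PFX + "azure-pls-proxy-protocol")
    if proxy is not None and proxy not in ("true", "false"):
        out.append(f"ERROR: azure-pls-proxy-protocol must be 'true' or 'false', got {proxy!r}")
    visibility = ann.get(PFX + "azure-pls-visibility", "").split()
    auto = ann.get(PFX + "azure-pls-auto-approval", "").split()
    if visibility == ["*"]:  # least restrictive: every Azure subscription can see the PLS
        out.append("WARN: visibility '*' exposes the PLS to all subscriptions")
    if auto and visibility != ["*"]:  # the table says auto-approval needs visibility "*"
        out.append("WARN: auto-approval is ignored unless visibility is '*'")
    return out


# Constructed sample annotations (placeholder subscription id), not from a real cluster.
SAMPLE = {
    PFX + "azure-load-balancer-internal": "true",
    PFX + "azure-pls-create": "true",
    PFX + "azure-pls-name": "pls-orders",
    PFX + "azure-pls-ip-configuration-subnet": "pls-subnet",
    PFX + "azure-pls-ip-configuration-ip-address-count": "2",
    PFX + "azure-pls-ip-configuration-ip-address": "10.0.0.7 10.0.0.8 10.0.0.9",
    PFX + "azure-pls-proxy-protocol": "true",
    PFX + "azure-pls-visibility": "00000000-0000-0000-0000-000000000001",
    PFX + "azure-pls-auto-approval": "00000000-0000-0000-0000-000000000001",
}
```

Running `check_pls_annotations(SAMPLE)` reports the three static IPs exceeding the count of 2 and warns that auto-approval has no effect because visibility is a subscription list rather than "*".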
Thanks for reading my article till the end. I hope you learned something new today. If you enjoyed this article, please share it with your friends, and if you have suggestions or thoughts to share with me, please write them in the comment box.