Azure,Private,Security,Kubernetes,AKS,Azure container Registry,Storage Account,KeyVault,NSG
## Description
This architecture is designed to **deploy a private Azure Kubernetes Service (AKS) cluster** while leveraging a **public DNS zone** to enable external access. The infrastructure follows **best practices for security, networking, and high availability**, ensuring a robust and production-ready environment.
This **Private AKS Cluster with Public DNS Zone architecture** combines **security, performance, and scalability**, ensuring a **production-ready Kubernetes environment**. It **minimizes public exposure**, leverages **Azure-native security controls**, and **optimizes traffic flow for secure workloads**.
**A must-have architecture for organizations that prioritize Kubernetes security & seamless external access!**
**N.B:**
- The Terraform code is automatically generated with best practices and contains variables that you can customize to fit your needs.
- You have full control to change, add, delete resources or their configuration. The newly generated code will reflect these changes.
- You can replace some resources with Terraform modules.
> terraform apply status: successful
## Architecture components
| **Component** | **Description** |
|--------------------------------------|-------------------------------------------------------------|
| Resource Group | Logical container for managing Azure resources. |
| Hub Virtual Network | Centralized VNet for managing private connectivity. |
| AKS Virtual Network | VNet dedicated to Azure Kubernetes Service (AKS). |
| Subnet - Azure Bastion | Isolated subnet for Azure Bastion deployment. |
| Subnet - Private Endpoint | Subnet for hosting private endpoints (Storage, ACR, etc.). |
| Subnet - AKS Cluster | Subnet assigned to AKS worker nodes and services. |
| Azure Bastion | Provides secure remote access to Azure VMs without public IP. |
| Public IP - Bastion | Static public IP address for Azure Bastion. |
| Virtual Network Peering | Connects Hub and AKS VNets for private communication. |
| Jumpbox VM | Secure VM for remote management via Bastion. |
| Jumpbox Network Interface | Network interface for Jumpbox VM. |
| Azure Firewall | Protects outbound network traffic with security rules. |
| Firewall Subnet | Dedicated subnet for hosting Azure Firewall. |
| Application Gateway (AGW) | Manages external traffic and provides WAF protection. |
| Public IP - Application Gateway | Public IP assigned to the Application Gateway. |
| Storage Account | Stores application data and Kubernetes artifacts. |
| Private DNS Zone - Storage | Enables private resolution for Storage Account. |
| Private Endpoint - Storage | Private access to Storage Account without public exposure. |
| Key Vault | Secure storage for secrets and encryption keys. |
| Private DNS Zone - Key Vault | Enables private resolution for Key Vault. |
| Private Endpoint - Key Vault | Private access to Key Vault for secure secret retrieval. |
| Azure Container Registry (ACR) | Manages container images for AKS workloads. |
| Private DNS Zone - ACR | Private domain resolution for ACR. |
| Private Endpoint - ACR | Enables secure access to ACR for AKS nodes. |
| Azure Kubernetes Service (AKS) | Private AKS cluster with no public API access. |
| AKS Private DNS Zone | Private resolution for AKS API and services. |
| AKS Node Pool | Additional node pool for scaling workloads. |
| Log Analytics Workspace | Stores logs and telemetry for monitoring. |
| User Assigned Identity (AKS) | Provides secure identity management for AKS. |
| Role Assignment - Network | Grants AKS the necessary network permissions. |
| Role Assignment - DNS | Provides access to manage Private DNS zones. |
| Role Assignment - ACR | Allows AKS to pull images from ACR securely. |
| Role Assignment - Application Gateway | Assigns contributor access for AGW. |
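The components above that make the control plane private (private AKS cluster, AKS private DNS zone, user-assigned identity, and the DNS and Network role assignments) fit together in a specific order: the identity must be able to write the API server's A record into the zone and manage the node subnet before the cluster is created, and node egress has to be routed through the hub firewall. The following is an added example written for this README, not the architecture's generated Terraform; the resource names, CIDRs, region and the firewall private IP are assumptions.

```terraform
# Added example, not part of this architecture's generated code.
# Names, CIDRs, region and the firewall IP below are assumptions.
resource "azurerm_resource_group" "rg" {
  name     = "rg-aks-private-example" # assumed name
  location = "westeurope"             # assumed region
}

resource "azurerm_virtual_network" "aks" {
  name                = "vnet-aks"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  address_space       = ["10.1.0.0/16"] # constructed sample CIDR
}

resource "azurerm_subnet" "aks" {
  name                 = "snet-aks"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.aks.name
  address_prefixes     = ["10.1.0.0/22"]
}

# Default route to the hub Azure Firewall so node egress is inspected there.
resource "azurerm_route_table" "aks" {
  name                = "rt-aks-egress"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  route {
    name                   = "default-to-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = "10.0.1.4" # placeholder: firewall private IP
  }
}

resource "azurerm_subnet_route_table_association" "aks" {
  subnet_id      = azurerm_subnet.aks.id
  route_table_id = azurerm_route_table.aks.id
}

# AKS writes the private API server record into this zone; the VNet link
# lets nodes and the jumpbox resolve it.
resource "azurerm_private_dns_zone" "aks" {
  name                = "privatelink.westeurope.azmk8s.io"
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "aks" {
  name                  = "link-aks-vnet"
  resource_group_name   = azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.aks.name
  virtual_network_id    = azurerm_virtual_network.aks.id
}

resource "azurerm_user_assigned_identity" "aks" {
  name                = "id-aks"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
}

# Only the two roles the control plane needs, each scoped to one resource.
resource "azurerm_role_assignment" "dns" {
  scope                = azurerm_private_dns_zone.aks.id
  role_definition_name = "Private DNS Zone Contributor"
  principal_id         = azurerm_user_assigned_identity.aks.principal_id
}

resource "azurerm_role_assignment" "network" {
  scope                = azurerm_virtual_network.aks.id
  role_definition_name = "Network Contributor"
  principal_id         = azurerm_user_assigned_identity.aks.principal_id
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                       = "aks-private"
  resource_group_name        = azurerm_resource_group.rg.name
  location                   = azurerm_resource_group.rg.location
  dns_prefix_private_cluster = "aksprivate"
  private_cluster_enabled    = true
  private_dns_zone_id        = azurerm_private_dns_zone.aks.id
  # Do not publish a public FQDN for the private API server.
  private_cluster_public_fqdn_enabled = false

  default_node_pool {
    name           = "system"
    node_count     = 2
    vm_size        = "Standard_D2s_v3"
    vnet_subnet_id = azurerm_subnet.aks.id
  }

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.aks.id]
  }

  network_profile {
    network_plugin = "azure"
    outbound_type  = "userDefinedRouting" # egress via the route table above
  }

  depends_on = [azurerm_role_assignment.dns, azurerm_role_assignment.network]
}
```

With `outbound_type = "userDefinedRouting"` the firewall must allow the cluster's required outbound FQDNs (the AKS egress rules in the hub firewall), otherwise node provisioning stalls; `kubectl` only works from inside the peered VNets (the jumpbox via Bastion), since no public endpoint exists for the API server.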
## Requirements
| Name | Configuration |
| --- | --- |
| Terraform | all versions |
| Provider | AZURE |
| Provider version | >=3.88.0|
| Access | Admin access |
| Access Requirements | Service Principal with `Contributor` Role |
| Authentication | Managed Identity for AKS, ACR, and Storage |
| Networking | Hub-Spoke VNet Model with Private Endpoints and Peering |
| Security | Azure Firewall, NSGs, and Private Endpoints |
| Storage Security | Private Access to Storage Accounts, Key Vault, and ACR |
| Private DNS Zones | Required for Storage, Key Vault, and ACR |
| Application Gateway | WAF-enabled AGW for external traffic routing |
| Bastion & Jumpbox | Secure remote access without exposing RDP/SSH |
| Kubernetes Cluster | Private AKS with No Public API Access |
| Logging & Monitoring | Azure Monitor and Log Analytics integration |
| Role Assignments | AKS, ACR, DNS, and Network Contributor roles |
| Firewall Rules | Configured to allow required outbound and internal traffic |
| Load Balancer | Standard SKU with Backend Address Pool for AKS nodes |
| Public IPs | Required for Bastion and Application Gateway |
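The "Storage Security" and "Private DNS Zones" requirements mean each PaaS service (Storage, Key Vault, ACR) has its public endpoint disabled and is reached only through a private endpoint whose address is published in a `privatelink.*` zone linked to the VNet. The following added example (written for this README, not the architecture's own code) shows that pattern for ACR together with the least-privilege `AcrPull` assignment for the cluster's kubelet identity. It assumes an existing resource group, VNet, private-endpoint subnet and private AKS cluster, looked up by the assumed names below.

```terraform
# Added example, not part of this architecture's generated code.
# Existing resources are looked up by assumed names.
data "azurerm_resource_group" "rg" {
  name = "rg-aks-private-example"
}

data "azurerm_virtual_network" "aks" {
  name                = "vnet-aks"
  resource_group_name = data.azurerm_resource_group.rg.name
}

data "azurerm_subnet" "pe" {
  name                 = "snet-private-endpoints"
  virtual_network_name = data.azurerm_virtual_network.aks.name
  resource_group_name  = data.azurerm_resource_group.rg.name
}

data "azurerm_kubernetes_cluster" "aks" {
  name                = "aks-private"
  resource_group_name = data.azurerm_resource_group.rg.name
}

# Premium SKU is required for private endpoints; public access and the
# shared admin account are both switched off.
resource "azurerm_container_registry" "acr" {
  name                          = "acrprivateexample" # assumed, globally unique
  resource_group_name           = data.azurerm_resource_group.rg.name
  location                      = data.azurerm_resource_group.rg.location
  sku                           = "Premium"
  admin_enabled                 = false
  public_network_access_enabled = false
}

resource "azurerm_private_dns_zone" "acr" {
  name                = "privatelink.azurecr.io"
  resource_group_name = data.azurerm_resource_group.rg.name
}

# Without this link, nodes resolve the registry to its public IP and
# the pull is refused because public access is disabled.
resource "azurerm_private_dns_zone_virtual_network_link" "acr" {
  name                  = "link-acr-vnet"
  resource_group_name   = data.azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.acr.name
  virtual_network_id    = data.azurerm_virtual_network.aks.id
}

resource "azurerm_private_endpoint" "acr" {
  name                = "pe-acr"
  resource_group_name = data.azurerm_resource_group.rg.name
  location            = data.azurerm_resource_group.rg.location
  subnet_id           = data.azurerm_subnet.pe.id

  private_service_connection {
    name                           = "acr-connection"
    private_connection_resource_id = azurerm_container_registry.acr.id
    subresource_names              = ["registry"]
    is_manual_connection           = false
  }

  # Registers the endpoint's A record in the privatelink zone automatically.
  private_dns_zone_group {
    name                 = "acr-dns"
    private_dns_zone_ids = [azurerm_private_dns_zone.acr.id]
  }
}

# The kubelet identity pulls images; AcrPull (read-only) is all it needs.
resource "azurerm_role_assignment" "acr_pull" {
  scope                = azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = data.azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
}
```

Storage and Key Vault follow the same shape with a different subresource and zone: `subresource_names = ["blob"]` with `privatelink.blob.core.windows.net` for blob storage, and `subresource_names = ["vault"]` with `privatelink.vaultcore.azure.net` for Key Vault, each with `public_network_access_enabled = false` on the target resource.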
## How to use the architecture
Clone the architecture and modify the following variables according to your needs:
## Variables and Descriptions
| **Variable** | **Description** |
|--------------------------------|-----------------------------------------------------------------|
| `Azure_SP_object_id` | Azure Service Principal Object ID |
| `Brainboard_IP_Range_List` | List of IP ranges allowed for Brainboard access |
| `brainboard_object_id` | Brainboard Object ID |
| `dns_config_name` | DNS configuration name for Traffic Manager |
| `dns_config_tll` | Time-to-live (TTL) value for DNS configuration |
| `env` | Deployment environment (e.g., `prod`, `dev`, `staging`) |
| `fw-ipconf-name` | Firewall IP configuration name |
| `fw-nat-rule-action` | Firewall NAT rule action (e.g., `Dnat`) |
| `fw-nat-rule-eus_name` | NAT rule name for East US Firewall |
| `fw-nat-rule-priority` | Priority of the firewall NAT rule |
| `fw-nat-rule-weu_name` | NAT rule name for West Europe Firewall |
| `fw_sku_name` | SKU name for Azure Firewall |
| `fw_sku_tier` | SKU tier for Azure Firewall (`Standard`, `Premium`) |
| `lb_frontend_name` | Name of the Load Balancer Frontend Configuration |
| `location_eus` | Azure region for East US |
| `location_weu` | Azure region for West Europe |
| `monitor_interval_sc` | Monitoring interval in seconds |
| `monitor_number_failures` | Number of failures before failover |
| `monitor_path` | HTTP path for monitoring health checks |
| `monitor_port` | Monitoring port for health checks |
| `monitor_protocol` | Protocol used for monitoring (`HTTP`, `HTTPS`) |
| `monitor_timeout` | Timeout duration for monitoring checks |
| `office_ip` | Office IP range for security policies |
| `pip_sku` | Public IP SKU type (`Dynamic` or `Standard`) |
| `projet_name` | Name of the project |
| `region_eus_name` | Short name for East US region |
| `region_weu_name` | Short name for West Europe region |
| `servercounta` | Number of servers in Availability Set A |
| `servercountb` | Number of servers in Availability Set B |
| `snet_eus_addr_space` | Subnet address space for East US |
| `snet_fw_eus_addr_space` | Subnet address space for East US Firewall |
| `snet_fw_mngt_name` | Name of the Firewall Management Subnet |
| `snet_fw_name` | Name of the Firewall Subnet |
| `snet_fw_weu_addr_space` | Subnet address space for West Europe Firewall |
| `snet_fwmngt_eus_addr_space` | Subnet address space for East US Firewall Management |
| `snet_fwmngt_weu_addr_space` | Subnet address space for West Europe Firewall Management |
| `snet_lb_eus_addr_space` | Subnet address space for East US Load Balancer |
| `snet_lb_weu_addr_space` | Subnet address space for West Europe Load Balancer |
| `snet_weu_addr_space` | Subnet address space for West Europe |
| `src_img_ref_offer` | OS image offer for virtual machines |
| `src_img_ref_publisher` | OS image publisher for virtual machines |
| `src_img_ref_sku` | OS image SKU for virtual machines |
| `src_img_ref_version` | OS image version for virtual machines |
| `tags` | Tags assigned to all deployed resources |
| `traffic_manager_name` | Name of the Azure Traffic Manager |
| `vm_admin_username` | Admin username for virtual machines |
| `vm_size` | Size of the virtual machines |
| `vm_storage_account_type` | Storage account type for VM OS disks |
| `vnet_eus_addr_space` | Address space for the East US Virtual Network |
| `vnet_weu_addr_space` | Address space for the West Europe Virtual Network |
**N.B:**
- Feel free to remove the resources that are not relevant to your use-case.
- Some variables have default values; change them if they don't fit your deployment.
## Maintainer(s)
You can reach out to these maintainers if you need help or assistance:
- [Brainboard team](mailto:support@brainboard.co)