Deploying an AKS Cluster with Custom IP Ranges
This section describes a specific scenario of building your Azure cloud infrastructure. The procedure below is necessary for situations where for some reason (such as, for example, requirements of your internal IP address assignment policy) IAAS VNet IP ranges overlap with the default IP ranges of the AKS VNet. In such a case, Azure will not allow you to configure VNet peering between the two VNets. To resolve this problem, you can deploy an AKS cluster with custom IP ranges which do not overlap with the IP ranges of your IAAS VNet.
To deploy a custom AKS cluster:
- Deploy your Azure cloud infrastructure according to the requirements and principles.
- Create a new VNet and a subnet in your Azure cloud infrastructure. The IP range which you define for the subnet will be used for Kubernetes nodes. This IP range must not overlap with any IP ranges from the IAAS VNet.
- Create a service principal which the AKS Cluster will use to access your Azure cloud infrastructure.
- Assign the roles to access the VNet you created above:
- “Contributor” role to the service principal created above.
- “Owner” role to the service principal “AzureContainerService”.
- Generate a pair of private and public SSH keys and save them for further use.
- Deploy an ARM template which implements an AKS cluster with customizable IP ranges for the AKS resource. As a result, a custom AKS cluster (with custom IP ranges) will be created. When deploying the template, complete these parameters:
- Environment: Choose Production or Staging to create installations with different non-overlapping IP ranges for the production or staging environment, respectively.
- AKS Cluster Name: Enter a name for the AKS cluster resource. If the Environment field is set to Staging, the prefix 'stg-' will be added automatically to the name. If there is another AKS cluster in the same resource group, drop that AKS cluster or make sure that the name of the new AKS cluster is different.
- Kubernetes Pods CIDR: A CIDR notation IP range from which Kubernetes pod IPs will be assigned. This range must not overlap with the IP ranges of the IAAS or AKS VNets.
- Kubernetes Services CIDR: A CIDR notation IP range from which service cluster IPs in Kubernetes will be assigned. This range must not overlap with the IP ranges of the IAAS or AKS VNets.
- Kubernetes DNS Service IP: An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service IP address range.
- Kubernetes Docker Bridge CIDR: A CIDR notation IP range assigned to the Docker bridge network in Kubernetes. This range must not overlap with the IP ranges of the IAAS or AKS VNets.
- AKS Nodes Subnet Resource ID: The ResourceID of the subnet from the AKS VNet. For example:
/subscriptions/xxx/resourceGroups/my-resource-group/providers/Microsoft.Network/virtualNetworks/my-vnet-aks/subnets/my-aks-nodes
- Admin Username: Enter a name which will be used as an SSH-capable user for all Kubernetes nodes.
- SSH Public Key: Enter the SSH public key which you created above. This key will be used for the Admin Username user to access all Kubernetes nodes.
- AKS Service Principal Client ID: Enter a service principal client ID (application ID) for the service principal that will be used to manage your Azure cloud infrastructure from the AKS cluster side.
- AKS Service Principal Secret: Enter a service principal secret (authentication key).
- AKSDNS Prefix: Enter a prefix for your AKS cluster. You can use any convenient name.
- Create VNet peering between the IAAS VNet and the newly created AKS VNet.
- Find the automatically created resource group of the AKS cluster. It can be found by name, which follows this convention:
mc_<main_resource_group_name>_<aks-cluster-resource-name>_<region_of_the_main_resource_group>
. For example, for a main resource group “cbprod” from the region “westeurope” and AKS resource name “akscluster”, the automatically created resource group will have this name: “mc_cbprod_akscluster_westeurope”. - Associate the subnet of the AKS cluster with the Route Table from the automatically created resource group of the AKS cluster. The Route Table resource name follows this convention:
aks-agentpool-XXXXXXXX-routetable
.