Security is a top concern for developers and consumers alike, and especially so in the financial and government sectors, where sensitive or classified data is handled. Many of us also want to use container orchestration tools like Kubernetes to shorten time-to-market and simplify scaling. One way to reduce the attack surface of your application while still taking advantage of Kubernetes is to deploy to a private Azure Kubernetes Service (AKS) cluster using Azure DevOps.
Why a Private Cluster?
A private cluster is just that: private. But what exactly is private? The API server is the endpoint through which you control and access your Kubernetes control plane. In a public AKS cluster it has a public IP address and is reachable from the internet (subject to authentication and any authorized IP ranges you configure). In a private cluster the API server has no public endpoint at all, so traffic between the API server and your node pools stays on the private network. The two communicate through the Azure Private Link service in the API server's virtual network and a private endpoint that is exposed in the subnet of your AKS cluster; the API server's private FQDN resolves only from inside that virtual network (or from networks peered or connected to it via VPN or ExpressRoute). Note what this does and does not protect: it removes the control plane's internet exposure, but your workloads can still be published through load balancers or ingress, and your nodes still have outbound internet access unless you restrict egress separately.
Build and Deploy in the Private Kubernetes Cluster
Since the API server of your AKS cluster is only reachable from within the virtual network, the build agent that runs kubectl against it must live in that same virtual network, so you will need a self-hosted agent rather than a Microsoft-hosted one. The order of work is therefore: first create the virtual network. Next, create a private Azure Container Registry (ACR) together with a private endpoint for the registry, which is what lets AKS pull images from ACR without either side touching a public address; the same private endpoint is what the agent will push to. Then create the private AKS cluster and attach it to the registry. Finally, create a virtual machine in the same virtual network to host the agent, and make sure that VM can resolve both the cluster's private API server FQDN and the registry's private endpoint (AKS manages a private DNS zone for the API server, and the ACR private endpoint needs a privatelink.azurecr.io zone linked to the virtual network).
After you've installed the agent on the virtual machine, create the pipeline that builds and deploys your app. You can do this from Azure DevOps Services or from your own instance of Azure DevOps Server. It may seem counter-intuitive to drive a private cluster from Azure DevOps Services, which lives on the public internet. The key point is the direction of the connection: the self-hosted agent initiates outbound HTTPS connections to Azure DevOps Services to pick up jobs, and nothing on the Azure DevOps side ever needs to connect into your virtual network. The only inbound traffic the agent VM must accept is none at all; the only outbound traffic it needs is to the Azure DevOps URLs and IP ranges that Microsoft publishes, plus the private endpoints for ACR and the API server, so you can lock down its egress to exactly that. Everything that touches the cluster (image push, kubectl, helm) happens from inside the virtual network over private addresses. In this way you keep the ease and power of Azure DevOps Services while maintaining the level of isolation your organization requires. Give the agent's service principal or workload identity only the rights it needs (AcrPush on the registry and a namespace-scoped Kubernetes role, not cluster admin), and treat the agent VM as a privileged host, since it holds credentials for both.
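As an added, illustrative pipeline (not code from the original post or from PRAKTIK), the following Azure Pipelines YAML ties the steps above together: it runs on a self-hosted pool inside the cluster's virtual network, builds and pushes the image to the private registry, refuses to deploy unless the target cluster really is private, and then applies the manifests. The pool, service connection, resource group, cluster and registry names are assumptions you would replace with your own.

```yaml
# Added example, not from the original post. All names below are assumptions.
trigger:
  branches:
    include:
      - main

# Assumed: a self-hosted agent pool whose VM sits in the AKS virtual network.
# Microsoft-hosted agents cannot reach a private API server or a private ACR endpoint.
pool:
  name: PrivateVnetAgents

variables:
  resourceGroup: 'rg-aks-private'          # assumed resource group of the cluster
  clusterName: 'aks-private'               # assumed private AKS cluster name
  acrLoginServer: 'myprivateacr.azurecr.io' # assumed registry; resolves to its private endpoint only inside the VNet
  imageRepository: 'sample-app'
  tag: '$(Build.BuildId)'

stages:
  - stage: Build
    jobs:
      - job: BuildAndPush
        steps:
          # 'acr-private-sc' is an assumed Docker registry service connection to the private ACR.
          # The push travels over the registry's private endpoint because the agent is in the VNet.
          - task: Docker@2
            displayName: Build and push image to private ACR
            inputs:
              command: buildAndPush
              containerRegistry: 'acr-private-sc'
              repository: $(imageRepository)
              dockerfile: '$(Build.SourcesDirectory)/Dockerfile'
              tags: |
                $(tag)
          - publish: '$(Build.SourcesDirectory)/manifests'
            artifact: manifests

  - stage: Deploy
    dependsOn: Build
    jobs:
      - deployment: DeployToPrivateAks
        environment: 'aks-private'   # assumed Azure DevOps environment used for approvals/audit
        strategy:
          runOnce:
            deploy:
              steps:
                # 'aks-private-sc' is an assumed Azure Resource Manager service connection.
                # Gate: fail fast if someone pointed the pipeline at a cluster with a public API server.
                - task: AzureCLI@2
                  displayName: Refuse to deploy unless the API server is private
                  inputs:
                    azureSubscription: 'aks-private-sc'
                    scriptType: bash
                    scriptLocation: inlineScript
                    inlineScript: |
                      set -euo pipefail
                      private=$(az aks show -g "$(resourceGroup)" -n "$(clusterName)" \
                        --query apiServerAccessProfile.enablePrivateCluster -o tsv)
                      if [ "$private" != "true" ]; then
                        echo "##vso[task.logissue type=error]$(clusterName) is not a private cluster; refusing to deploy"
                        exit 1
                      fi
                      echo "Private API server FQDN: $(az aks show -g "$(resourceGroup)" -n "$(clusterName)" --query privateFqdn -o tsv)"
                # The task resolves the private FQDN and talks to the API server over the VNet.
                - task: KubernetesManifest@1
                  displayName: Deploy manifests to private AKS
                  inputs:
                    action: deploy
                    connectionType: azureResourceManager
                    azureSubscriptionConnection: 'aks-private-sc'
                    azureResourceGroup: $(resourceGroup)
                    kubernetesCluster: $(clusterName)
                    namespace: 'sample-app'      # assumed namespace; scope the identity's RBAC to it
                    manifests: |
                      $(Pipeline.Workspace)/manifests/deployment.yaml
                      $(Pipeline.Workspace)/manifests/service.yaml
                    containers: |
                      $(acrLoginServer)/$(imageRepository):$(tag)
```

The only network paths this pipeline needs from the agent VM are outbound HTTPS to Azure DevOps Services and private-address traffic to the registry endpoint and the API server; if the private DNS zones are not linked to the agent's virtual network, the push and the deploy step are the first things to fail, which is a useful signal that something has been exposed or misconfigured.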
For more information, or to get started today, contact our team of experts at PRAKTIK.