
I am looking for a way to create a Docker cluster (probably Kubernetes) on Azure, and expose the containers only via a vnet to my datacenter.

Is such a setup possible?

That is, the container services can only be accessed via the VPN that is created, so that the containers can use private resources (mainly a database) not available in the Azure cloud.

And so that I can access the resources in the cloud only from my DC.

4c74356b41
Wouter

2 Answers


I am looking for a way to create a Docker cluster (probably Kubernetes) on Azure, and expose the containers only via a vnet to my datacenter.

Yes, we just create the k8s pod and do not expose it to the internet. Then create an S2S VPN connecting the Azure VNet to your DC; in this way, your DC's VMs can connect to the Azure K8S pod via an Azure private IP address.

Update:

If you want to connect to your K8S pods via VPN, we can create an Azure route table to achieve that.

For more information about creating a route table, please refer to my other answer.

Jason Ye
  • I can find some documentation on using acs-engine to create a template that can be deployed. Is that the way you are doing that? – Wouter Sep 19 '17 at 14:51
  • @Wouter We can deploy ACS-K8S via the Azure marketplace, then deploy a site-to-site VPN between Azure and your datacenter; in this way, we can use private IP addresses to access your container services :) – Jason Ye Sep 20 '17 at 07:37
  • I managed partly to get a cluster up and running. It was using the provided vnet and IPs in that range, but there was also a public IP assigned, and I saw some subnets being defined in ranges that I cannot reach via VPN. Probably has to do with Kubernetes, still learning. – Wouter Sep 21 '17 at 18:14
  • @Wouter Do you want to connect to your k8s container pods via VPN? If yes, maybe you can refer to this [answer](https://stackoverflow.com/questions/46277845/k8s-pods-unable-to-reach-external-vm-via-internal-ip/46291889#46291889); we can use an Azure route table to achieve that. If you need more help, please let me know. – Jason Ye Sep 22 '17 at 00:59
  • @Wouter Please let me know if you need more help about this issue:) – Jason Ye Sep 25 '17 at 09:18
  • Looks like it is working now. I cannot yet connect to the dashboard via kubectl proxy, but other interfaces do work. So definitely some progress. – Wouter Oct 11 '17 at 19:46

Yes, that is perfectly possible. Depending on your setup, you need to deploy a regular Kubernetes cluster and use a site-to-site VPN to connect the networks, or use ACS engine to deploy Kubernetes into an existing vnet\subnet.

You would also need to tweak your network security group rules to allow traffic to flow (if you have them).

https://github.com/Azure/acs-engine/tree/master/examples/vnet
https://learn.microsoft.com/en-us/azure/container-service/kubernetes/container-service-kubernetes-walkthrough
https://blogs.technet.microsoft.com/canitpro/2017/06/28/step-by-step-configuring-a-site-to-site-vpn-gateway-between-azure-and-on-premise/

4c74356b41
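The network security group tweak mentioned in the answer above cuts both ways: the same rules that let VPN traffic in can silently leave a public path open. Below is an added audit example (not code from either answer or from Azure) that reads NSG rules in the shape of `az network nsg rule list` JSON and reports every inbound Allow rule whose source is not the VNet tag or a CIDR inside the on-prem VPN range. The sample rules, the on-prem range 10.50.0.0/16 and the rule names are constructed for illustration.

```python
"""Audit Azure NSG rules so a cluster subnet is reachable only from the on-prem VPN range."""
import ipaddress
import json

# Constructed sample in the shape of `az network nsg rule list -o json` output (not real data).
SAMPLE_RULES_JSON = """[
 {"name": "allow-dc-to-nodes", "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.50.0.0/16", "destinationPortRange": "*"},
 {"name": "allow-vnet", "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
 {"name": "allow-internet-ssh", "priority": 200, "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
 {"name": "allow-partner", "priority": 210, "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefixes": ["10.50.1.0/24", "203.0.113.0/24"], "destinationPortRange": "443"},
 {"name": "deny-all-in", "priority": 4000, "direction": "Inbound", "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]"""

# Address space reachable over the site-to-site VPN (assumed on-prem range; adjust to yours).
ONPREM_RANGES = [ipaddress.ip_network("10.50.0.0/16")]
# Service tags treated as private here; "Internet" and "*" deliberately are not.
PRIVATE_TAGS = {"VirtualNetwork"}


def source_prefixes(rule):
    """NSG rules carry either a single source prefix or a list; normalise to a list."""
    many = rule.get("sourceAddressPrefixes") or []
    one = rule.get("sourceAddressPrefix")
    return many if many else ([one] if one else [])


def prefix_is_private(prefix):
    """True if the source is an allowed tag or a CIDR fully inside the on-prem range."""
    if prefix in PRIVATE_TAGS:
        return True
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:  # "*", "Internet" and other service tags are not CIDRs
        return False
    return any(net.subnet_of(r) for r in ONPREM_RANGES if net.version == r.version)


def find_public_allow_rules(rules_json):
    """Return (name, dest port, offending sources) for inbound Allow rules open beyond VPN/VNet."""
    findings = []
    for rule in sorted(json.loads(rules_json), key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        bad = [p for p in source_prefixes(rule) if not prefix_is_private(p)]
        if bad:
            findings.append((rule["name"], rule.get("destinationPortRange", "*"), bad))
    return findings


if __name__ == "__main__":
    for name, port, srcs in find_public_allow_rules(SAMPLE_RULES_JSON):
        print(f"{name}: allows port {port} from non-VPN source(s) {srcs}")
```

Feed it the real output of `az network nsg rule list -g <rg> --nsg-name <nsg> -o json` and an empty result means no inbound Allow rule reaches the cluster subnet from outside the VPN or VNet.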