meshcloud
diff --git a/‎modules/azure/aks/backplane/README.md‎
Lines changed: 6 additions & 0 deletions b/‎modules/azure/aks/backplane/README.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎modules/azure/aks/backplane/main.tf‎
Lines changed: 36 additions & 0 deletions b/‎modules/azure/aks/backplane/main.tf‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎modules/azure/aks/backplane/outputs.tf‎
Lines changed: 20 additions & 0 deletions b/‎modules/azure/aks/backplane/outputs.tf‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎modules/azure/aks/buildingblock/APP_TEAM_README.md‎
Lines changed: 84 additions & 6 deletions b/‎modules/azure/aks/buildingblock/APP_TEAM_README.md‎
Lines changed: 84 additions & 6 deletions
diff --git a/‎modules/azure/aks/buildingblock/README.md‎
Lines changed: 12 additions & 2 deletions b/‎modules/azure/aks/buildingblock/README.md‎
Lines changed: 12 additions & 2 deletions
@@ -24,7 +24,9 @@ No modules.
 | Name | Type |
 |------|------|
 | [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.buildingblock_deploy_hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
+| [azurerm_role_definition.buildingblock_deploy_hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
 
 ## Inputs
 
@@ -39,6 +41,10 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_documentation_md"></a> [documentation\_md](#output\_documentation\_md) | Markdown documentation with information about the AKS Building Block building block backplane |
+| <a name="output_hub_role_assignment_ids"></a> [hub\_role\_assignment\_ids](#output\_hub\_role\_assignment\_ids) | The IDs of the hub role assignments for the service principals. |
+| <a name="output_hub_role_assignment_principal_ids"></a> [hub\_role\_assignment\_principal\_ids](#output\_hub\_role\_assignment\_principal\_ids) | The principal IDs of the service principals that have been assigned the hub role. |
+| <a name="output_hub_role_definition_id"></a> [hub\_role\_definition\_id](#output\_hub\_role\_definition\_id) | The ID of the role definition that enables deployment of the building block to the hub. |
+| <a name="output_hub_role_definition_name"></a> [hub\_role\_definition\_name](#output\_hub\_role\_definition\_name) | The name of the role definition that enables deployment of the building block to the hub. |
 | <a name="output_role_assignment_ids"></a> [role\_assignment\_ids](#output\_role\_assignment\_ids) | The IDs of the role assignments for the service principals. |
 | <a name="output_role_assignment_principal_ids"></a> [role\_assignment\_principal\_ids](#output\_role\_assignment\_principal\_ids) | The principal IDs of the service principals that have been assigned the role. |
 | <a name="output_role_definition_id"></a> [role\_definition\_id](#output\_role\_definition\_id) | The ID of the role definition that enables deployment of the building block to subscriptions. |
 
@@ -23,6 +23,10 @@ resource "azurerm_role_definition" "buildingblock_deploy" {
       "Microsoft.Network/virtualNetworks/subnets/write",
       "Microsoft.Network/virtualNetworks/subnets/delete",
       "Microsoft.Network/virtualNetworks/subnets/join/action",
+      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
+      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
+      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
+      "Microsoft.Network/virtualNetworks/peer/action",
       "Microsoft.Network/networkInterfaces/read",
       "Microsoft.Network/networkSecurityGroups/read",
       "Microsoft.Network/networkSecurityGroups/write",
@@ -33,6 +37,12 @@ resource "azurerm_role_definition" "buildingblock_deploy" {
       "Microsoft.Network/loadBalancers/read",
       "Microsoft.Network/loadBalancers/write",
       "Microsoft.Network/loadBalancers/delete",
+      "Microsoft.Network/privateDnsZones/read",
+      "Microsoft.Network/privateDnsZones/write",
+      "Microsoft.Network/privateDnsZones/delete",
+      "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
+      "Microsoft.Network/privateDnsZones/virtualNetworkLinks/write",
+      "Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete",
       "Microsoft.Resources/deployments/read",
       "Microsoft.Resources/deployments/write",
       "Microsoft.Resources/deployments/delete",
@@ -57,3 +67,29 @@ resource "azurerm_role_assignment" "buildingblock_deploy" {
   principal_id       = each.value
   scope              = var.scope
 }
+
+resource "azurerm_role_definition" "buildingblock_deploy_hub" {
+  name        = "${var.name}-deploy-hub"
+  description = "Enables deployment of the ${var.name} building block to the hub (for private cluster peering)"
+  scope       = var.scope
+
+  permissions {
+    actions = [
+      "Microsoft.Resources/subscriptions/resourceGroups/read",
+      "Microsoft.Network/virtualNetworks/read",
+      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
+      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
+      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
+      "Microsoft.Network/virtualNetworks/peer/action",
+    ]
+  }
+}
+
+resource "azurerm_role_assignment" "buildingblock_deploy_hub" {
+  for_each = var.principal_ids
+
+  role_definition_id = azurerm_role_definition.buildingblock_deploy_hub.role_definition_resource_id
+  description        = azurerm_role_definition.buildingblock_deploy_hub.description
+  principal_id       = each.value
+  scope              = var.scope
+}
@@ -22,3 +22,23 @@ output "scope" {
   value       = var.scope
   description = "The scope where the role definition and role assignments are applied."
 }
+
+output "hub_role_definition_id" {
+  value       = azurerm_role_definition.buildingblock_deploy_hub.id
+  description = "The ID of the role definition that enables deployment of the building block to the hub."
+}
+
+output "hub_role_definition_name" {
+  value       = azurerm_role_definition.buildingblock_deploy_hub.name
+  description = "The name of the role definition that enables deployment of the building block to the hub."
+}
+
+output "hub_role_assignment_ids" {
+  value       = { for id in var.principal_ids : id => azurerm_role_assignment.buildingblock_deploy_hub[id].id }
+  description = "The IDs of the hub role assignments for the service principals."
+}
+
+output "hub_role_assignment_principal_ids" {
+  value       = { for id in var.principal_ids : id => azurerm_role_assignment.buildingblock_deploy_hub[id].principal_id }
+  description = "The principal IDs of the service principals that have been assigned the hub role."
+}
@@ -1,7 +1,7 @@
 # Azure Kubernetes Service (AKS)
 
 ## Description
-This building block provides a production-grade Azure Kubernetes Service (AKS) cluster with integrated security, monitoring, and networking features. It delivers a fully managed Kubernetes environment with Azure AD authentication, workload identity support, and comprehensive observability through Log Analytics.
+This building block provides a production-grade Azure Kubernetes Service (AKS) cluster with integrated security, monitoring, and networking features. It delivers a fully managed Kubernetes environment with Azure AD authentication, workload identity support, and comprehensive observability through Log Analytics. The cluster supports both public and private deployment scenarios with optional hub-and-spoke network connectivity.
 
 ## Usage Motivation
 This building block is for application teams that need to deploy containerized applications on a secure, scalable, and managed Kubernetes platform. The AKS cluster comes pre-configured with enterprise-grade security features, eliminating the operational complexity of managing Kubernetes infrastructure while maintaining the flexibility to run any containerized workload.
@@ -21,6 +21,7 @@ This building block is for application teams that need to deploy containerized a
 | Configuring Azure AD authentication and RBAC | ✅ | ❌ |
 | Setting up Log Analytics and monitoring infrastructure | ✅ | ❌ |
 | Managing virtual network and subnet configuration | ✅ | ❌ |
+| Managing hub network peering (for private clusters) | ✅ | ❌ |
 | Deploying and managing applications and workloads | ❌ | ✅ |
 | Configuring application-level resource limits and quotas | ❌ | ✅ |
 | Managing Kubernetes namespaces and RBAC within the cluster | ❌ | ✅ |
@@ -56,25 +57,102 @@ This building block is for application teams that need to deploy containerized a
 ## Cluster Features
 
 ### Authentication & Authorization
-- **Azure AD Integration**: Cluster uses Azure AD for authentication, enabling centralized identity management
+- **Azure AD Integration**: Cluster uses Azure AD for authentication, enabling centralized identity management (optional)
 - **OIDC Issuer**: Workload Identity enabled for secure pod-to-Azure-resource authentication
 
 ### Monitoring & Logging
-- **Log Analytics Workspace**: Centralized logging for cluster and application logs
+- **Log Analytics Workspace**: Centralized logging for cluster and application logs (optional)
 - **Container Insights**: Integrated monitoring for container performance and health
 - **Diagnostic Settings**: Cluster metrics and logs forwarded to Log Analytics
 
 ### Networking
 - **Custom VNet**: Dedicated virtual network and subnet for cluster isolation
 - **Azure CNI**: Advanced networking capabilities with pod-level networking
+- **Private Cluster**: Optional private API server accessible only via private endpoint
+- **Hub Connectivity**: Optional VNet peering to central hub network for on-premises connectivity
 
 ### Auto-Scaling
-- **Cluster Autoscaler**: Automatically adjusts node count based on resource requirements
-- **System Node Pool**: Dedicated node pool for system workloads with auto-scaling enabled
+- **Cluster Autoscaler**: Automatically adjusts node count based on resource requirements (when enabled)
+- **System Node Pool**: Dedicated node pool for system workloads with optional auto-scaling
+
+## Deployment Scenarios
+
+### Public Cluster (Default)
+```hcl
+module "aks" {
+  source = "./buildingblock"
+
+  aks_cluster_name             = "my-public-aks"
+  resource_group_name          = "aks-rg"
+  location                     = "West Europe"
+  aks_admin_group_object_id    = "12345678-1234-1234-1234-123456789012"
+  log_analytics_workspace_name = "my-law"
+}
+```
+
+### Private Cluster with Hub Connectivity
+```hcl
+provider "azurerm" {
+  alias           = "hub"
+  subscription_id = "hub-subscription-id"
+  # hub credentials
+}
+
+module "aks" {
+  source = "./buildingblock"
+
+  providers = {
+    azurerm     = azurerm
+    azurerm.hub = azurerm.hub
+  }
+
+  aks_cluster_name             = "my-private-aks"
+  resource_group_name          = "aks-rg"
+  location                     = "West Europe"
+
+  # Private cluster settings
+  private_cluster_enabled           = true
+  private_dns_zone_id               = "System"
+  private_cluster_public_fqdn_enabled = false
+
+  # Hub connectivity
+  hub_subscription_id      = "hub-subscription-id"
+  hub_resource_group_name  = "hub-network-rg"
+  hub_vnet_name            = "hub-vnet"
+
+  # Azure AD and monitoring
+  aks_admin_group_object_id    = "12345678-1234-1234-1234-123456789012"
+  log_analytics_workspace_name = "my-law"
+}
+```
+
+### Private Cluster without Hub (Isolated)
+```hcl
+module "aks" {
+  source = "./buildingblock"
+
+  aks_cluster_name                  = "my-isolated-aks"
+  resource_group_name               = "aks-rg"
+  location                          = "West Europe"
+  private_cluster_enabled           = true
+  private_dns_zone_id               = "System"
+  aks_admin_group_object_id         = "12345678-1234-1234-1234-123456789012"
+  log_analytics_workspace_name      = "my-law"
+}
+```
 
 ## Getting Started
 
-1. **Access the cluster**: Use `az aks get-credentials` to configure kubectl access
+### Public Cluster
+1. **Access the cluster**: Use `az aks get-credentials --resource-group <rg> --name <cluster-name>` to configure kubectl access
 2. **Verify connectivity**: Run `kubectl get nodes` to confirm cluster connectivity
 3. **Deploy your application**: Use `kubectl apply` or Helm to deploy applications
 4. **Monitor your workloads**: View logs and metrics in Azure Monitor or Log Analytics
+
+### Private Cluster
+1. **Ensure network connectivity**: Access must be from a network peered with the AKS VNet or the hub network
+2. **Access the cluster**: Use `az aks get-credentials --resource-group <rg> --name <cluster-name>` from a machine with network access
+3. **Use Azure Bastion or VPN**: Connect via Azure Bastion, VPN Gateway, or ExpressRoute for management access
+4. **Verify connectivity**: Run `kubectl get nodes` to confirm cluster connectivity
+5. **Deploy your application**: Use `kubectl apply` or Helm to deploy applications
+6. **Monitor your workloads**: View logs and metrics in Azure Monitor or Log Analytics
@@ -60,18 +60,25 @@ No modules.
 | [azurerm_resource_group.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_subnet.aks_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
 | [azurerm_virtual_network.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) | resource |
+| [azurerm_virtual_network_peering.aks_to_hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_peering) | resource |
+| [azurerm_virtual_network_peering.hub_to_aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_peering) | resource |
 | [time_sleep.wait_for_subnet](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [azurerm_resource_group.hub_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_virtual_network.hub_vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_aks_admin_group_object_id"></a> [aks\_admin\_group\_object\_id](#input\_aks\_admin\_group\_object\_id) | Object ID of the Azure AD group used for AKS admin access | `string` | n/a | yes |
+| <a name="input_aks_admin_group_object_id"></a> [aks\_admin\_group\_object\_id](#input\_aks\_admin\_group\_object\_id) | Object ID of the Azure AD group used for AKS admin access. If null, Azure AD RBAC will not be configured. | `string` | `null` | no |
 | <a name="input_aks_cluster_name"></a> [aks\_cluster\_name](#input\_aks\_cluster\_name) | Name of the AKS cluster | `string` | `"prod-aks"` | no |
 | <a name="input_dns_prefix"></a> [dns\_prefix](#input\_dns\_prefix) | DNS prefix for the AKS cluster | `string` | `"prodaks"` | no |
 | <a name="input_dns_service_ip"></a> [dns\_service\_ip](#input\_dns\_service\_ip) | IP address for Kubernetes DNS service (must be within service\_cidr) | `string` | `"10.0.0.10"` | no |
 | <a name="input_enable_auto_scaling"></a> [enable\_auto\_scaling](#input\_enable\_auto\_scaling) | Enable auto-scaling for the default node pool | `bool` | `false` | no |
-| <a name="input_kubernetes_version"></a> [kubernetes\_version](#input\_kubernetes\_version) | Kubernetes version for the AKS cluster | `string` | `"1.29.2"` | no |
+| <a name="input_hub_resource_group_name"></a> [hub\_resource\_group\_name](#input\_hub\_resource\_group\_name) | Resource group name of the hub virtual network. Required when private\_cluster\_enabled is true and connecting to a hub. | `string` | `null` | no |
+| <a name="input_hub_subscription_id"></a> [hub\_subscription\_id](#input\_hub\_subscription\_id) | Subscription ID of the hub network. Required when private\_cluster\_enabled is true and connecting to a hub. | `string` | `null` | no |
+| <a name="input_hub_vnet_name"></a> [hub\_vnet\_name](#input\_hub\_vnet\_name) | Name of the hub virtual network to peer with. Required when private\_cluster\_enabled is true and connecting to a hub. | `string` | `null` | no |
+| <a name="input_kubernetes_version"></a> [kubernetes\_version](#input\_kubernetes\_version) | Kubernetes version for the AKS cluster | `string` | `"1.33.0"` | no |
 | <a name="input_location"></a> [location](#input\_location) | Azure region where resources will be deployed | `string` | `"Germany West Central"` | no |
 | <a name="input_log_analytics_workspace_name"></a> [log\_analytics\_workspace\_name](#input\_log\_analytics\_workspace\_name) | Name of the Log Analytics Workspace. If null, no LAW or monitoring will be created. | `string` | `null` | no |
 | <a name="input_log_retention_days"></a> [log\_retention\_days](#input\_log\_retention\_days) | Number of days to retain logs in Log Analytics Workspace | `number` | `30` | no |
@@ -81,6 +88,9 @@ No modules.
 | <a name="input_network_policy"></a> [network\_policy](#input\_network\_policy) | Network policy to use (azure, calico, or cilium) | `string` | `"azure"` | no |
 | <a name="input_node_count"></a> [node\_count](#input\_node\_count) | Initial number of nodes in the default node pool | `number` | `3` | no |
 | <a name="input_os_disk_size_gb"></a> [os\_disk\_size\_gb](#input\_os\_disk\_size\_gb) | OS disk size in GB for the node pool | `number` | `100` | no |
+| <a name="input_private_cluster_enabled"></a> [private\_cluster\_enabled](#input\_private\_cluster\_enabled) | Enable private cluster (API server only accessible via private endpoint) | `bool` | `false` | no |
+| <a name="input_private_cluster_public_fqdn_enabled"></a> [private\_cluster\_public\_fqdn\_enabled](#input\_private\_cluster\_public\_fqdn\_enabled) | Enable public FQDN for private cluster (allows public DNS resolution but API server remains private) | `bool` | `false` | no |
+| <a name="input_private_dns_zone_id"></a> [private\_dns\_zone\_id](#input\_private\_dns\_zone\_id) | Private DNS Zone ID for private cluster. Use 'System' for Azure-managed zone, or provide custom zone ID. Only used when private\_cluster\_enabled is true. | `string` | `"System"` | no |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the resource group to create for the AKS cluster | `string` | `"aks-prod-rg"` | no |
 | <a name="input_service_cidr"></a> [service\_cidr](#input\_service\_cidr) | CIDR for Kubernetes services (must not overlap with VNet or subnet) | `string` | `"10.0.0.0/16"` | no |
 | <a name="input_subnet_address_prefix"></a> [subnet\_address\_prefix](#input\_subnet\_address\_prefix) | Address prefix for the AKS subnet | `string` | `"10.240.0.0/20"` | no |