Merge pull request #3 from quixio/azure/supportedRoutingTraffic

Azure/supported routing traffic using UDR

Author: joseEnrique

BASTION_ACCESS.md

@@ -9,32 +9,9 @@ This guide shows how to connect to a private AKS cluster using Azure Bastion, ei
 - Azure CLI installed locally
 - Your SSH private key corresponding to jumpbox_ssh_public_key
 
-## Option A: Run kubectl from the Jumpbox
 
-1. Open an SSH session to the jumpbox via Bastion (Native client):
-```bash
-export RG="<RESOURCE_GROUP>"
-export BASTION="<BASTION_NAME>"
-export VM="<JUMPBOX_NAME>"
-export SSH_KEY="$HOME/.ssh/id_rsa"
-
-VM_ID=$(az vm show -g "$RG" -n "$VM" --query id -o tsv)
-az network bastion ssh \
-  --name "$BASTION" \
-  --resource-group "$RG" \
-  --target-resource-id "$VM_ID" \
-  --auth-type ssh-key --username <ADMIN_USERNAME> --ssh-key $SSH_KEY
-```
-
-2. Inside the VM, authenticate and fetch kubeconfig:
-```bash
-az login --use-device-code
-az account set --subscription "<SUBSCRIPTION_ID>"
-az aks get-credentials -g "<RESOURCE_GROUP>" -n "<AKS_NAME>" --overwrite-existing
-kubectl get nodes -o wide
-```
 
-## Option B: Run kubectl from your local machine (Bastion tunneling)
+## Run kubectl from your local machine (Bastion tunneling)
 
 1. Start SSH tunnel to the VM via Bastion:
 ```bash

README.md

@@ -46,6 +46,28 @@ module "quix_aks" {
 }
 ```
 
+### Private DNS Zone for Private Clusters
+
+When deploying a private AKS cluster, you can control how the Private DNS Zone is managed using the `private_dns_zone_id` variable:
+
+```hcl
+module "quix_aks" {
+  # ...
+  private_cluster_enabled = true
+  
+  # Option 1: Let AKS manage the Private DNS Zone automatically (default)
+  private_dns_zone_id = "System"
+  
+  # Option 2: Disable Private DNS Zone management (manual DNS configuration required)
+  # private_dns_zone_id = "None"
+  
+  # Option 3: Use an existing Private DNS Zone (BYO)
+  # private_dns_zone_id = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/privateDnsZones/privatelink.<region>.azmk8s.io"
+}
+```
+
+**Note:** When using an existing Private DNS Zone (Option 3), the module automatically assigns the `Private DNS Zone Contributor` role to the AKS cluster identity.
+
 ## Tiered Storage module (tiered-storage)
 
 Module documentation (inputs/outputs/resources):
@@ -115,7 +137,7 @@ module "quix_aks" {
   nodes_subnet_name  = "Subnet-Nodes"
   nodes_subnet_cidr  = "10.240.0.0/22"
 
-  nat_identity_name = "my-nat-id"
+  identity_name = "my-nat-id"
   public_ip_name    = "my-nat-ip"
   nat_gateway_name  = "my-nat"
   availability_zone = "1"

examples/private-quix-infr-external-vnet/main.tf

@@ -79,16 +79,10 @@ module "aks" {
   sku_tier                = "Standard"
   private_cluster_enabled = true
 
-  vnet_name          = "vnet-quix-private"
-  vnet_address_space = ["10.240.0.0/16"]
-  nodes_subnet_name  = "Subnet-Nodes"
-  nodes_subnet_cidr  = "10.240.0.0/22"
+  vnet_name          = azurerm_virtual_network.ext.name
+  nodes_subnet_name  = azurerm_subnet.nodes_ext.name
 
-  # Reuse external VNet/Subnets
-  vnet_id         = azurerm_virtual_network.ext.id
-  nodes_subnet_id = azurerm_subnet.nodes_ext.id
-
-  nat_identity_name = "quix-private-nat-id"
+  identity_name     = "quix-private-nat-id"
   public_ip_name    = "quix-private-nat-ip"
   nat_gateway_name  = "quix-private-nat"
   availability_zone = "2"
@@ -117,8 +111,6 @@ module "aks" {
   create_bastion_subnet = false
   enable_bastion        = true
   bastion_name          = "quix-bastion"
-  # Reuse external Bastion subnet & IP
-  bastion_subnet_id = azurerm_subnet.bastion_ext.id
 
   jumpbox_name           = "quix-jumpbox"
   jumpbox_vm_size        = "Standard_B2s"

examples/private-quix-infr/main.tf

@@ -20,25 +20,60 @@ resource "azurerm_resource_group" "this" {
 module "aks" {
   source = "../../modules/quix-aks"
 
+  # Core + RG
   name                    = "quix-aks-private"
   location                = "westeurope"
   resource_group_name     = "rg-quix-private"
   create_resource_group   = false
   kubernetes_version      = "1.32.4"
   sku_tier                = "Standard"
   private_cluster_enabled = true
-
+  # Use existing Private DNS Zone for the AKS private API server:
+  #   - "System" lets AKS manage it automatically (default)
+  #   - "None" disables creation/association (you must manage DNS yourself)
+  #   - "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/privateDnsZones/privatelink.westeurope.azmk8s.io"
+  #     to reuse an existing zone
+  private_dns_zone_id = "System"
+
+  # Networking (VNet/Subnet)
   vnet_name          = "vnet-quix-private"
   vnet_address_space = ["10.240.0.0/16"]
   nodes_subnet_name  = "Subnet-Nodes"
   nodes_subnet_cidr  = "10.240.0.0/22"
 
-  nat_identity_name = "quix-private-nat-id"
+  # Network profile
+  network_profile = {
+    network_plugin_mode = "overlay"
+    service_cidr        = "172.22.0.0/16"
+    dns_service_ip      = "172.22.0.10"
+    pod_cidr            = "10.144.0.0/16"
+  }
+
+  # NAT (names reserved even if not used with userDefinedRouting)
+  identity_name     = "quix-private-nat-id"
   public_ip_name    = "quix-private-nat-ip"
   nat_gateway_name  = "quix-private-nat"
   availability_zone = "2"
 
-  enable_credentials_fetch = true
+  # Bastion
+  create_bastion_subnet  = true
+  enable_bastion         = true
+  bastion_subnet_cidr    = "10.240.5.0/27"
+  bastion_name           = "quix-bastion"
+  bastion_public_ip_name = "quix-bastion-ip"
+
+  # Jumpbox
+  jumpbox_name           = "quix-jumpbox"
+  jumpbox_vm_size        = "Standard_B2s"
+  jumpbox_admin_username = "azureuser"
+  jumpbox_ssh_public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3Zz+tHUEI7ulzE69GxtLwi9DOvROBG4aI7h3za2FAP6Ya9/GhG2zcBiKOzk3SlKavE3/5NomgGifTC/ica6rTPlpb4U5oky/2phs9AtczVVI2G+yNC43hJzVhWbqKT3qAGGCGEm2+Cpxx7spKEbZAfAcq5GxL3k9kTcpaQEv3hpVvqK3zlCziHyahUv1pxQGuX3b2hqi4idgFX3m0FaqU98DtQu/I9x95jXHrb7Wltp3sbTSKCDxGo3nk4plpzILs/OqTMSPpfxwarCXA1ZtU82hyWO4Szn2U4I+MbuNaO/dso1oNlprqJQgsQ8t+hawCdIHeZ00M/QELdnYldBjo1jM19AT1OwMcB7PP7GRTNv7YsDW10YCvX9XRPab66PIKpe5R4IG/n6TzEwUP2pb4hRJWvnPJzrHK5HEJg7G7baCEyjCtaWkL4M7dBxIGJ3sp9IfjdeztV2Llh+hYmwPefTejprER+Q/qHZTNr1wEW4BV0TQQd+jeqdIL4QkIno3IyM3IBX+uPM/WlSpi2sT+hDqiUcCRu/x21O/bVYz/UbeHIqptRDfGc5rVoAN/zc/kGsGeGuP3auyI6aQxlnU0wMDdyS8rf3SpWagOB2UFNxZSuU2gnYdtz2uWG4vF75Sqr04MFJImHIY4N7gHJrvdarg6YBaDDnmdREcqp3ooAw=="
+
+  # Features
+  oidc_issuer_enabled       = true
+  workload_identity_enabled = true
+  enable_credentials_fetch  = true
+
+  # Node pools
   node_pools = {
     default = {
       name       = "default"
@@ -56,32 +91,13 @@ module "aks" {
     }
   }
 
-  network_profile = {
-    network_plugin_mode = "overlay"
-    service_cidr        = "172.22.0.0/16"
-    dns_service_ip      = "172.22.0.10"
-    pod_cidr            = "10.144.0.0/16"
-  }
-
-  enable_bastion         = true
-  bastion_subnet_cidr    = "10.240.5.0/27"
-  bastion_name           = "quix-bastion"
-  bastion_public_ip_name = "quix-bastion-ip"
-
-  jumpbox_name           = "quix-jumpbox"
-  jumpbox_vm_size        = "Standard_B2s"
-  jumpbox_admin_username = "azureuser"
-  jumpbox_ssh_public_key = "ssh-rsa ......"
-
-  oidc_issuer_enabled       = true
-  workload_identity_enabled = true
-
-
+  # Tags
   tags = {
     environment = "demo"
     project     = "Quix"
   }
 
+  # Dependencies
   depends_on = [azurerm_resource_group.this]
 }
 

examples/public-quix-infr-tiered-storage/main.tf

@@ -27,7 +27,7 @@ module "aks" {
   nodes_subnet_name  = "Subnet-Nodes"
   nodes_subnet_cidr  = "10.240.0.0/22"
 
-  nat_identity_name = "quix-public-nat-id"
+  identity_name     = "quix-public-nat-id"
   public_ip_name    = "quix-public-nat-ip"
   nat_gateway_name  = "quix-public-nat"
   availability_zone = "1"

examples/public-quix-infr/main.tf

@@ -27,7 +27,7 @@ module "aks" {
   nodes_subnet_name  = "Subnet-Nodes"
   nodes_subnet_cidr  = "10.240.0.0/22"
 
-  nat_identity_name = "quix-public-nat-id"
+  identity_name     = "quix-public-nat-id"
   public_ip_name    = "quix-public-nat-ip"
   nat_gateway_name  = "quix-public-nat"
   availability_zone = "1"

modules/quix-aks/README.md

@@ -74,7 +74,7 @@ No modules.
 | <a name="input_name"></a> [name](#input\_name) | Name of the AKS cluster | `string` | n/a | yes |
 | <a name="input_nat_gateway_id"></a> [nat\_gateway\_id](#input\_nat\_gateway\_id) | Existing NAT Gateway ID to associate when create\_nat is false | `string` | `null` | no |
 | <a name="input_nat_gateway_name"></a> [nat\_gateway\_name](#input\_nat\_gateway\_name) | Name of the NAT Gateway | `string` | n/a | yes |
-| <a name="input_nat_identity_name"></a> [nat\_identity\_name](#input\_nat\_identity\_name) | Name of the managed identity for NAT | `string` | n/a | yes |
+| <a name="input_identity_name"></a> [identity_name](#input_identity_name) | Name of the user-assigned managed identity for the AKS cluster | `string` | n/a | yes |
 | <a name="input_network_profile"></a> [network\_profile](#input\_network\_profile) | AKS network profile | <pre>object({<br/>    network_plugin_mode = string # "overlay" or "vnet"<br/>    service_cidr        = string<br/>    dns_service_ip      = string<br/>    pod_cidr            = optional(string)<br/>    network_policy      = optional(string, "calico")<br/>    outbound_type       = optional(string, "userAssignedNATGateway")<br/>  })</pre> | n/a | yes |
 | <a name="input_node_pools"></a> [node\_pools](#input\_node\_pools) | Map of additional node pools (include a 'system' pool to override default) | <pre>map(object({<br/>    name       = string<br/>    type       = string # system | user<br/>    node_count = number<br/>    vm_size    = string<br/>    max_pods   = optional(number)<br/>    taints     = optional(list(string))<br/>    labels     = optional(map(string))<br/>    mode       = optional(string) # system | user (overrides type)<br/>  }))</pre> | `{}` | no |
 | <a name="input_nodes_subnet_cidr"></a> [nodes\_subnet\_cidr](#input\_nodes\_subnet\_cidr) | CIDR for the AKS nodes subnet | `string` | n/a | yes |

modules/quix-aks/aks.tf

@@ -10,6 +10,7 @@ resource "azurerm_kubernetes_cluster" "this" {
   kubernetes_version      = var.kubernetes_version
   sku_tier                = var.sku_tier
   private_cluster_enabled = var.private_cluster_enabled
+  private_dns_zone_id     = var.private_cluster_enabled ? var.private_dns_zone_id : null
 
   oidc_issuer_enabled       = var.oidc_issuer_enabled
   workload_identity_enabled = var.workload_identity_enabled
@@ -18,7 +19,7 @@ resource "azurerm_kubernetes_cluster" "this" {
     name           = local.system_pool_name
     node_count     = local.system_pool.node_count
     vm_size        = local.system_pool.vm_size
-    vnet_subnet_id = coalesce(try(azurerm_subnet.nodes[0].id, null), var.nodes_subnet_id)
+    vnet_subnet_id = coalesce(try(azurerm_subnet.nodes[0].id, null), try(data.azurerm_subnet.existing[0].id, null))
 
     upgrade_settings {
       max_surge                     = "10%"
@@ -67,7 +68,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "additional" {
   kubernetes_cluster_id = azurerm_kubernetes_cluster.this.id
   vm_size               = each.value.vm_size
   node_count            = each.value.node_count
-  vnet_subnet_id        = coalesce(try(azurerm_subnet.nodes[0].id, null), var.nodes_subnet_id)
+  vnet_subnet_id        = coalesce(try(azurerm_subnet.nodes[0].id, null), try(data.azurerm_subnet.existing[0].id, null))
   mode                  = lower(coalesce(each.value.mode, each.value.type)) == "system" ? "System" : "User"
   node_taints           = coalesce(each.value.taints, null)
   orchestrator_version  = var.kubernetes_version

modules/quix-aks/bastion.tf

@@ -5,23 +5,23 @@
 resource "azurerm_subnet" "bastion" {
   count                = var.enable_bastion && var.create_bastion_subnet ? 1 : 0
   name                 = "AzureBastionSubnet"
-  resource_group_name  = local.rg_name_effective
+  resource_group_name  = local.vnet_rg_effective
   virtual_network_name = coalesce(try(azurerm_virtual_network.this[0].name, null), try(data.azurerm_virtual_network.existing[0].name, null), var.vnet_name)
   address_prefixes     = [var.bastion_subnet_cidr]
 }
 
-data "azurerm_subnet" "bastion" {
+data "azurerm_subnet" "existing_bastion" {
   count                = var.enable_bastion && !var.create_bastion_subnet ? 1 : 0
   name                 = "AzureBastionSubnet"
   virtual_network_name = var.vnet_name
-  resource_group_name  = local.rg_name_effective
+  resource_group_name  = local.vnet_rg_effective
 }
 
 resource "azurerm_public_ip" "bastion" {
   count               = var.enable_bastion && (var.bastion_public_ip_id == null) ? 1 : 0
   name                = var.bastion_public_ip_name
   location            = local.rg_location
-  resource_group_name = local.rg_name_effective
+  resource_group_name = local.vnet_rg_effective
   allocation_method   = "Static"
   sku                 = "Standard"
   tags                = var.tags
@@ -31,14 +31,14 @@ resource "azurerm_bastion_host" "this" {
   count               = var.enable_bastion ? 1 : 0
   name                = var.bastion_name
   location            = local.rg_location
-  resource_group_name = local.rg_name_effective
+  resource_group_name = local.vnet_rg_effective
   sku                 = "Standard"
   tunneling_enabled   = true
   ip_connect_enabled  = true
 
   ip_configuration {
     name                 = "configuration"
-    subnet_id            = coalesce(try(azurerm_subnet.bastion[0].id, null), try(data.azurerm_subnet.bastion[0].id, null), var.bastion_subnet_id)
+    subnet_id            = coalesce(try(azurerm_subnet.bastion[0].id, null), try(data.azurerm_subnet.existing_bastion[0].id, null))
     public_ip_address_id = coalesce(try(azurerm_public_ip.bastion[0].id, null), var.bastion_public_ip_id)
   }
 
@@ -49,11 +49,11 @@ resource "azurerm_network_interface" "jumpbox" {
   count               = var.enable_bastion ? 1 : 0
   name                = "${var.jumpbox_name}-nic"
   location            = local.rg_location
-  resource_group_name = local.rg_name_effective
+  resource_group_name = local.vnet_rg_effective
 
   ip_configuration {
     name                          = "ipconfig1"
-    subnet_id                     = coalesce(try(azurerm_subnet.nodes[0].id, null), data.azurerm_subnet.nodes[0].id, var.nodes_subnet_id)
+    subnet_id                     = coalesce(try(azurerm_subnet.nodes[0].id, null), try(data.azurerm_subnet.existing[0].id, null))
     private_ip_address_allocation = "Dynamic"
   }
 
@@ -64,7 +64,7 @@ resource "azurerm_linux_virtual_machine" "jumpbox" {
   count               = var.enable_bastion ? 1 : 0
   name                = var.jumpbox_name
   location            = local.rg_location
-  resource_group_name = local.rg_name_effective
+  resource_group_name = local.vnet_rg_effective
   size                = var.jumpbox_vm_size
   admin_username      = var.jumpbox_admin_username
 

modules/quix-aks/network.tf

@@ -2,39 +2,44 @@
 # Networking: VNet, Subnets, NAT Gateway and Identity
 ################################################################################
 
+locals {
+  # When provided, place/read VNet and Subnets from this resource group
+  vnet_rg_effective = coalesce(var.vnet_resource_group, local.rg_name_effective)
+}
+
 resource "azurerm_virtual_network" "this" {
   count               = var.create_vnet ? 1 : 0
   name                = var.vnet_name
   location            = local.rg_location
-  resource_group_name = local.rg_name_effective
+  resource_group_name = local.vnet_rg_effective
   address_space       = var.vnet_address_space
   tags                = var.tags
 }
 
 data "azurerm_virtual_network" "existing" {
   count               = var.create_vnet ? 0 : 1
   name                = var.vnet_name
-  resource_group_name = local.rg_name_effective
+  resource_group_name = local.vnet_rg_effective
 }
 
 resource "azurerm_subnet" "nodes" {
   count                = var.create_nodes_subnet ? 1 : 0
   name                 = var.nodes_subnet_name
-  resource_group_name  = local.rg_name_effective
+  resource_group_name  = local.vnet_rg_effective
   virtual_network_name = coalesce(try(azurerm_virtual_network.this[0].name, null), try(data.azurerm_virtual_network.existing[0].name, null), var.vnet_name)
   address_prefixes     = [var.nodes_subnet_cidr]
   service_endpoints    = ["Microsoft.Storage"]
 }
 
-data "azurerm_subnet" "nodes" {
+data "azurerm_subnet" "existing" {
   count                = var.create_nodes_subnet ? 0 : 1
   name                 = var.nodes_subnet_name
   virtual_network_name = var.vnet_name
-  resource_group_name  = local.rg_name_effective
+  resource_group_name  = local.vnet_rg_effective
 }
 
 resource "azurerm_user_assigned_identity" "nat_identity" {
-  name                = var.nat_identity_name
+  name                = var.identity_name
   location            = local.rg_location
   resource_group_name = local.rg_name_effective
   tags                = var.tags
@@ -68,7 +73,7 @@ resource "azurerm_nat_gateway_public_ip_association" "this" {
 
 resource "azurerm_subnet_nat_gateway_association" "nodes" {
   count          = (var.create_nodes_subnet || var.create_nat) ? 1 : 0
-  subnet_id      = coalesce(try(azurerm_subnet.nodes[0].id, null), try(data.azurerm_subnet.nodes[0].id, null), var.nodes_subnet_id)
+  subnet_id      = coalesce(try(azurerm_subnet.nodes[0].id, null), try(data.azurerm_subnet.existing[0].id, null))
   nat_gateway_id = coalesce(try(azurerm_nat_gateway.this[0].id, null), var.nat_gateway_id)
 }