Workloads deployed on an Azure Kubernetes Service (AKS) cluster often need to access Azure backing resources, such as Azure Key Vault, databases, or AI services like Azure OpenAI Service. Users are required to manually configure Microsoft Entra Workload ID or Managed Identities so their AKS workloads can securely access these protected resources.
The Service Connector integration greatly simplifies the connection configuration experience for AKS workloads and Azure backing services. Service Connector takes care of authentication and network configurations securely and follows Azure best practices, so you can focus on your application code without worrying about your infrastructure connectivity.
Service Connector Action Breakdown
Before, in order to connect from AKS pods to a private Azure backing services using workload identity, users needed to perform the following actions manually:
- Create a managed identity
- Retrieve the OIDC issuer URL
- Create Kubernetes service account
- Establish federated identity credential trust
- Grant permissions to access Azure Services
- Deploy the application
Now, Service Connector performs steps 2 to 5 automatically. Additionally, for Azure services without public access, Service Connector creates private connection components such as private link, private endpoint, DNS record,
You can create a connection in the Service Connection blade within AKS.
Click create and select the target service, authentication method, and networking rule. The connection will then be automatically set up. Here are a few helpful links to for you to learn more about Service Connector.
- What is Service Connector?
- Create a service connection in an AKS cluster from the Azure portal
- Tutorial: Use the Azure Key Vault provider for Secrets Store CSI Driver in an Azure Kubernetes Service (AKS) cluster
- Tutorial: Connect to Azure storage account in Azure Kubernetes Service (AKS) with Service Connector using workload identity
-
Tutorial: Connect to Azure OpenAI Service in AKS using a connection string (preview) - Tutorial: Connect to Azure OpenAI Service in AKS using Workload Identity (preview)
Microsoft
