Azure: How to create Standard Load Balancer without public IP address?


I want to run my application on an AKS cluster (version 1.18.14), which depends on a standard load balancer in order to create multiple node pools. But the standard load balancer is creating a public IP address, which is not suitable for my application, because my application is private, not public.

Is there any way to "create Standard load balancer without public IP address in Azure?"
Thanks.

5 Replies
You have to use an Internal Load Balancer for this purpose. Please follow the doc below:

https://docs.microsoft.com/en-us/azure/aks/internal-lb

@hspinto 

As per https://access.redhat.com/solutions/3215091, the Azure internal load balancer is not suitable in front of a pool of master nodes servicing API calls that may come from the master nodes themselves.

Hi,
You can deploy an internal load balancer that allows you to get a private IP. The manifest will look like this:

    apiVersion: v1
    kind: Service
    metadata:
      name: internal-app
      annotations:
        service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    spec:
      type: LoadBalancer
      ports:
      - port: 80
      selector:
        app: internal-app

and you deploy it with:

    kubectl apply -f YourManifestName.yaml

If you didn't specify the "enable private cluster" option, the API and your load balancer remain public. To create a private cluster see the link below:
https://docs.microsoft.com/en-us/azure/aks/private-clusters . Check also this very good article on how to set up a fully private AKS cluster (no public IP):
https://denniszielke.medium.com/fully-private-aks-clusters-without-any-public-ips-finally-7f56884111...
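The manifest above works only because the annotation is present and its value is the string "true"; without it, the same Service silently receives a public frontend IP. The following added example (my own code, not from the thread or from AKS) audits a set of parsed Kubernetes objects for exactly that mistake. It assumes the two AKS annotation names shown (the internal one used in the post, and the documented companion annotation that pins the internal load balancer to a subnet); its policy of accepting only the lowercase string "true" is this checker's own choice, stricter than the provider, so anything else is reported as public. The sample objects are constructed inline, shaped as PyYAML's yaml.safe_load_all would return them.

```python
"""Audit Kubernetes Service objects for accidental public exposure on AKS.

Added example, not code from the thread. A Service of type LoadBalancer only
lands on an internal (private-IP) Azure load balancer when the annotation
service.beta.kubernetes.io/azure-load-balancer-internal is the string "true".
A missing annotation, or any other value, yields a public IP address.
"""
from typing import Any, Dict, List, Tuple

INTERNAL_ANNOTATION = "service.beta.kubernetes.io/azure-load-balancer-internal"
# Optional companion annotation that places the internal LB in a chosen subnet.
SUBNET_ANNOTATION = "service.beta.kubernetes.io/azure-load-balancer-internal-subnet"

INTERNAL = "internal-lb"
PUBLIC = "public-lb"
NOT_LB = "not-a-load-balancer"


def classify_service(manifest: Dict[str, Any]) -> Tuple[str, str]:
    """Return (verdict, reason) for one parsed Kubernetes object."""
    if manifest.get("kind") != "Service":
        return NOT_LB, "kind is %r, not Service" % (manifest.get("kind"),)
    spec = manifest.get("spec") or {}
    if spec.get("type") != "LoadBalancer":
        return NOT_LB, "service type is %r" % (spec.get("type", "ClusterIP"),)
    annotations = (manifest.get("metadata") or {}).get("annotations") or {}
    value = annotations.get(INTERNAL_ANNOTATION)
    if value is None:
        return PUBLIC, "missing %s annotation" % INTERNAL_ANNOTATION
    if not isinstance(value, str):
        # Annotation values must be strings. An unquoted YAML `true` parses as
        # a bool, which the API server rejects, so this object never becomes
        # an internal LB as written; flag it rather than guess.
        return PUBLIC, "annotation value %r is not the string \"true\"" % (value,)
    if value != "true":  # this checker's strict policy (assumption, see lead-in)
        return PUBLIC, "annotation value %r is not \"true\"" % (value,)
    subnet = annotations.get(SUBNET_ANNOTATION)
    where = "subnet %s" % subnet if subnet else "the default AKS subnet"
    return INTERNAL, "private frontend IP on %s" % where


def audit(manifests: List[Dict[str, Any]]) -> List[Tuple[str, str, str]]:
    """Return [(namespace/name, verdict, reason)] for every object given."""
    findings = []
    for m in manifests:
        meta = m.get("metadata") or {}
        ident = "%s/%s" % (meta.get("namespace", "default"), meta.get("name", "<unnamed>"))
        verdict, reason = classify_service(m)
        findings.append((ident, verdict, reason))
    return findings


def public_services(manifests: List[Dict[str, Any]]) -> List[str]:
    """Names of Services that would be given a public IP address."""
    return [ident for ident, verdict, _ in audit(manifests) if verdict == PUBLIC]


# Constructed sample objects, shaped as yaml.safe_load_all would return them.
SAMPLE_MANIFESTS = [
    {   # the manifest from the thread: an internal LB
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": "internal-app",
                     "annotations": {INTERNAL_ANNOTATION: "true"}},
        "spec": {"type": "LoadBalancer", "ports": [{"port": 80}],
                 "selector": {"app": "internal-app"}},
    },
    {   # same Service with the annotation forgotten: gets a public IP
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": "leaky-app", "namespace": "prod"},
        "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]},
    },
    {   # annotation written as the YAML bool `true` instead of the string "true"
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": "mistyped-app",
                     "annotations": {INTERNAL_ANNOTATION: True}},
        "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]},
    },
    {   # ClusterIP Service: no Azure load balancer is created at all
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": "backend"},
        "spec": {"type": "ClusterIP", "ports": [{"port": 8080}]},
    },
]

if __name__ == "__main__":
    for ident, verdict, reason in audit(SAMPLE_MANIFESTS):
        print("%-22s %-22s %s" % (ident, verdict, reason))
```

Against real manifests you would feed `audit()` the objects returned by `yaml.safe_load_all()` over your files, or by `kubectl get svc -A -o json` (the `items` list), and fail the pipeline when `public_services()` is non-empty. The deliberately strict string check catches the common unquoted-boolean typo, which the manifest in the post avoids by quoting "true".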

Hi @hspinto,

The main issue here is that during creation of an AKS cluster with a Standard LoadBalancer, the AKS cluster itself creates a Public IP address. We have clients which do not allow deploying a Public IP address in their Tenant. Because of this issue we are unable to migrate to an AKS cluster with a standard LoadBalancer.

The thing you just described applies when the cluster is already available, and only with a Basic LoadBalancer. If an AKS cluster is created with a basic LoadBalancer it does not create a Public IP address and LoadBalancer on its own. These become visible only when we deploy the nginx-ingress controller Helm chart. This chart we can configure to point to a public IP or a private IP from the VNet.

Because the AKS cluster creates a public IP address with the standard LoadBalancer, we are not able to use it. And we need to create multiple nodepools. Multiple nodepools are only supported with a standard LoadBalancer AKS cluster.

@AkshayMahakalkar 

Use the flag to create the cluster with Basic Load Balancer, because it won’t be created until you deploy the first external Load Balancer service from Kubernetes.
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku basic

The Basic Load Balancer has implications for the capacity of outbound connectivity from the cluster to the Internet. The basic LB has 1024 SNAT ports fixed; in the Standard LB this can be increased.