Solution for remote development team access to private AKS  managed cluster

Copper Contributor

Hi All,

 I am exploring options to allow my remote development team access to private AKS  managed cluster in Azure with AAD and RBAC enabled .

Our access  options  to AKS are  via  Bastion or VDi and each pose a unique set of challenges.  I will outline each and my overall  proposed solution

  1. Bastion access  via kv and shared VM local credentials:  problem is remote developers will require  access to Azure portal then bastion into a local VM  using kv shared credentials, this may work but not  practical because each developers require a unique kubectl profile/config file  when access aks,  which is  overwritten when  another user logs on. Also remote access into bastion timeouts occasionally  and  AKS auth flow via browser into aks  sometimes displays a blank page and cumbersome to logon
  2. VDI access pose similar  challenges, no access to install development tools and all  session settings are reset  when the user  logged off

My proposed solution is bastion access via native rdp client access along with an  AAD joined VM on the private cluster network. This solution requires no Azure  portal access and provides direct RDP access into the  AAD VM using AAD credentials and conditional access.  Also  the problem with kubectl  profile no longer an issue as each logon user will have  AAD credentials and user profile .


Changes required to implement:

  1. Bump up Bastion sku  from basic to standard to allow RDP native client, however the user (remote)  session need to be initiated from a AAD registererd machine or hybrid or AAD join to establish a connection to bastion via RDP native client which then allow rdp access with AAD credentials onto the AAD joined server hosted in Azure


Welcome all feedback and or  corrections based on my initial solution assessment



0 Replies