aks public cluster with api server vnet integration

azure/examples/simple/main.tf

@@ -41,9 +41,11 @@ provider "kubectl" {
 
 locals {
   vnet_config = {
-    address_space        = "20.0.0.0/16"
-    aks_subnet_cidr      = "20.0.0.0/20"
-    postgres_subnet_cidr = "20.0.16.0/24"
+    address_space                      = "20.0.0.0/16"
+    aks_subnet_cidr                    = "20.0.0.0/20"
+    postgres_subnet_cidr               = "20.0.16.0/24"
+    enable_api_server_vnet_integration = true
+    api_server_subnet_cidr             = "20.0.32.0/27" # keeping atleast 32 IPs reserved for API server and related services used in delegation might reduce it later.
   }
 
   aks_config = {
@@ -133,12 +135,14 @@ resource "azurerm_resource_group" "materialize" {
 module "networking" {
   source = "../../modules/networking"
 
-  resource_group_name  = azurerm_resource_group.materialize.name
-  location             = var.location
-  prefix               = var.name_prefix
-  vnet_address_space   = local.vnet_config.address_space
-  aks_subnet_cidr      = local.vnet_config.aks_subnet_cidr
-  postgres_subnet_cidr = local.vnet_config.postgres_subnet_cidr
+  resource_group_name                = azurerm_resource_group.materialize.name
+  location                           = var.location
+  prefix                             = var.name_prefix
+  vnet_address_space                 = local.vnet_config.address_space
+  aks_subnet_cidr                    = local.vnet_config.aks_subnet_cidr
+  postgres_subnet_cidr               = local.vnet_config.postgres_subnet_cidr
+  enable_api_server_vnet_integration = local.vnet_config.enable_api_server_vnet_integration
+  api_server_subnet_cidr             = local.vnet_config.api_server_subnet_cidr
 
   tags = var.tags
 
@@ -158,6 +162,10 @@ module "aks" {
   subnet_name         = module.networking.aks_subnet_name
   subnet_id           = module.networking.aks_subnet_id
 
+  enable_api_server_vnet_integration = local.vnet_config.enable_api_server_vnet_integration
+  api_server_authorized_ip_ranges    = ["0.0.0.0/0"]
+  api_server_subnet_id               = module.networking.api_server_subnet_id
+
   # Default node pool with autoscaling (runs all workloads except Materialize)
   default_node_pool_vm_size             = "Standard_D4pds_v6"
   default_node_pool_enable_auto_scaling = true

azure/examples/simple/outputs.tf

@@ -5,6 +5,7 @@ output "networking" {
     vnet_id               = module.networking.vnet_id
     vnet_name             = module.networking.vnet_name
     aks_subnet_id         = module.networking.aks_subnet_id
+    api_server_subnet_id  = module.networking.api_server_subnet_id
     postgres_subnet_id    = module.networking.postgres_subnet_id
     private_dns_zone_id   = module.networking.private_dns_zone_id
     nat_gateway_id        = module.networking.nat_gateway_id
@@ -13,6 +14,7 @@ output "networking" {
   }
 }
 
+
 # Cluster outputs
 output "aks_cluster_name" {
   description = "The name of the AKS cluster"
@@ -29,6 +31,11 @@ output "aks_cluster_fqdn" {
   value       = module.aks.cluster_fqdn
 }
 
+output "aks_cluster_private_fqdn" {
+  description = "The private FQDN of the AKS cluster"
+  value       = module.aks.cluster_private_fqdn
+}
+
 output "aks_cluster_endpoint" {
   description = "The endpoint of the AKS cluster"
   value       = module.aks.cluster_endpoint

azure/examples/simple/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~> 4.0"
+      version = "4.54.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

azure/modules/aks/README.md

@@ -21,6 +21,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [azurerm_kubernetes_cluster.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster) | resource |
+| [azurerm_role_assignment.aks_apiserver_network_contributer](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.aks_network_contributer](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_user_assigned_identity.aks_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
 | [azurerm_user_assigned_identity.workload_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
@@ -30,6 +31,8 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_api_server_authorized_ip_ranges"></a> [api\_server\_authorized\_ip\_ranges](#input\_api\_server\_authorized\_ip\_ranges) | List of authorized IP ranges that can access the Kubernetes API server when public access is available. Defaults to ['0.0.0.0/0'] (allow all). For production, restrict to specific IPs (e.g., ['203.0.113.0/24']) | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
+| <a name="input_api_server_subnet_id"></a> [api\_server\_subnet\_id](#input\_api\_server\_subnet\_id) | Subnet ID for API Server VNet Integration (must be delegated to Microsoft.ContainerService/managedClusters). Required when enable\_api\_server\_vnet\_integration is true. | `string` | `null` | no |
 | <a name="input_azure_ad_admin_group_object_ids"></a> [azure\_ad\_admin\_group\_object\_ids](#input\_azure\_ad\_admin\_group\_object\_ids) | List of Azure AD group object IDs that will have admin access to the cluster, applied only if enable\_azure\_ad\_rbac is true | `list(string)` | `[]` | no |
 | <a name="input_default_node_pool_enable_auto_scaling"></a> [default\_node\_pool\_enable\_auto\_scaling](#input\_default\_node\_pool\_enable\_auto\_scaling) | Enable auto scaling for the default node pool | `bool` | `true` | no |
 | <a name="input_default_node_pool_max_count"></a> [default\_node\_pool\_max\_count](#input\_default\_node\_pool\_max\_count) | Maximum number of nodes in the default node pool (used only when auto scaling is enabled) | `number` | `5` | no |
@@ -39,6 +42,7 @@ No modules.
 | <a name="input_default_node_pool_os_disk_size_gb"></a> [default\_node\_pool\_os\_disk\_size\_gb](#input\_default\_node\_pool\_os\_disk\_size\_gb) | OS disk size in GB for the default node pool | `number` | `100` | no |
 | <a name="input_default_node_pool_vm_size"></a> [default\_node\_pool\_vm\_size](#input\_default\_node\_pool\_vm\_size) | VM size for the default node pool (system node pool) | `string` | `"Standard_D2s_v3"` | no |
 | <a name="input_dns_service_ip"></a> [dns\_service\_ip](#input\_dns\_service\_ip) | IP address within the service CIDR that will be used by cluster service discovery (kube-dns). If not specified, will be calculated automatically. | `string` | `null` | no |
+| <a name="input_enable_api_server_vnet_integration"></a> [enable\_api\_server\_vnet\_integration](#input\_enable\_api\_server\_vnet\_integration) | Enable API Server VNet Integration. Projects the API server into a delegated subnet in your VNet. Requires api\_server\_subnet\_id to be provided. | `bool` | `true` | no |
 | <a name="input_enable_azure_ad_rbac"></a> [enable\_azure\_ad\_rbac](#input\_enable\_azure\_ad\_rbac) | Enable Azure Active Directory integration for RBAC | `bool` | `false` | no |
 | <a name="input_enable_azure_monitor"></a> [enable\_azure\_monitor](#input\_enable\_azure\_monitor) | Enable Azure Monitor for the AKS cluster | `bool` | `false` | no |
 | <a name="input_kubernetes_version"></a> [kubernetes\_version](#input\_kubernetes\_version) | Version of Kubernetes to use for the AKS cluster | `string` | `"1.32"` | no |

azure/modules/aks/main.tf

@@ -13,6 +13,14 @@ resource "azurerm_role_assignment" "aks_network_contributer" {
   principal_id         = resource.azurerm_user_assigned_identity.aks_identity.principal_id
 }
 
+# Role assignment for API server subnet (required for VNet Integration)
+resource "azurerm_role_assignment" "aks_apiserver_network_contributer" {
+  count                = var.enable_api_server_vnet_integration && var.api_server_subnet_id != null ? 1 : 0
+  scope                = var.api_server_subnet_id
+  role_definition_name = "Network Contributor"
+  principal_id         = resource.azurerm_user_assigned_identity.aks_identity.principal_id
+}
+
 resource "azurerm_user_assigned_identity" "workload_identity" {
   name                = "${var.prefix}-workload-identity"
   resource_group_name = var.resource_group_name
@@ -52,6 +60,15 @@ resource "azurerm_kubernetes_cluster" "aks" {
     identity_ids = [azurerm_user_assigned_identity.aks_identity.id]
   }
 
+  # API Server VNet Integration - Projects API server into a delegated subnet
+  # Can be used for BOTH public and private clusters
+  # Reference: https://learn.microsoft.com/en-us/azure/aks/api-server-vnet-integration
+  api_server_access_profile {
+    virtual_network_integration_enabled = var.enable_api_server_vnet_integration
+    subnet_id                           = var.api_server_subnet_id
+    authorized_ip_ranges                = var.api_server_authorized_ip_ranges
+  }
+
   oidc_issuer_enabled       = true
   workload_identity_enabled = true
 
@@ -83,6 +100,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
 
   depends_on = [
     resource.azurerm_role_assignment.aks_network_contributer,
+    resource.azurerm_role_assignment.aks_apiserver_network_contributer,
   ]
 
   lifecycle {
@@ -106,5 +124,10 @@ resource "azurerm_kubernetes_cluster" "aks" {
       )
       error_message = "When network_policy is 'cilium', network_data_plane must also be 'cilium'."
     }
+
+    precondition {
+      condition     = !var.enable_api_server_vnet_integration || var.api_server_subnet_id != null
+      error_message = "api_server_subnet_id must be provided when enable_api_server_vnet_integration is true."
+    }
   }
 }