
OK, so we can deploy AKS and restrict the IPs that can consume the K8s API, but the endpoint is still “out on the internet”, which might not sit right with management or security. So we can deploy a private AKS cluster (article coming soon) and keep all traffic internal. The trade-off is that a private AKS cluster’s API endpoint cannot be restricted to specific subnets from the AKS console, but you can deploy NSGs if needed. In this article we go through setting up a service connection so you can deploy from Azure DevOps.
I. From a machine inside your network get the kube config.
az aks get-credentials --resource-group RGName --name aksname
cat ~/.kube/config
Copy all contents.
II. Create the Azure DevOps Service connection.
Select KubeConfig and paste the contents into the KubeConfig area.
You will not be able to validate since your AKS is internal.

III. Test pipelines with a hosted agent inside your network
I’ve successfully configured the Azure ExpressRoute, and networking is in place so my agents can get to the endpoint.
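
Step I copies the whole of ~/.kube/config, and az aks get-credentials merges into that file by default, so it can hold credentials for every cluster previously fetched on that machine. The check below is an added example, not part of the original article: it counts the clusters and users in a kubeconfig and reports embedded credential fields before the file is pasted into the service connection. Function names, file names and sample values are hypothetical, and it assumes the column-0 list layout that az and kubectl write.

```shell
# Added example (hypothetical function names): audit a kubeconfig before pasting it.
# Assumes the column-0 list layout that az and kubectl write.

# Count entries under a top-level list key such as clusters or users.
count_entries() {  # $1 = file, $2 = key
    awk -v key="$2:" '
        /^[^ #-]/ { in_section = ($1 == key) }  # a top-level key starts a section
        in_section && /^- / { n++ }             # each column-0 list item is one entry
        END { print n + 0 }
    ' "$1"
}

# Print a summary; succeed only for exactly one cluster and one user.
audit_kubeconfig() {  # $1 = file
    clusters=$(count_entries "$1" clusters)
    users=$(count_entries "$1" users)
    secrets=$(grep -cE '^ +(client-key-data|client-certificate-data|token):' "$1" || true)
    echo "clusters=$clusters users=$users embedded_credential_fields=$secrets"
    awk '$1 == "server:" { print "server: " $2 }' "$1"
    [ "$clusters" -eq 1 ] && [ "$users" -eq 1 ]
}

# Constructed sample files with placeholder values, not real credentials.
write_samples() {  # $1 = directory
    cat > "$1/single.yaml" <<'EOF'
apiVersion: v1
clusters:
- cluster:
    server: https://aksname.example.invalid:443
  name: aksname
contexts:
- context:
    cluster: aksname
    user: clusterUser_RGName_aksname
  name: aksname
current-context: aksname
kind: Config
users:
- name: clusterUser_RGName_aksname
  user:
    token: CONSTRUCTED-PLACEHOLDER
EOF
    # A merged file, as ~/.kube/config looks after several get-credentials runs.
    { sed -n '1,5p' "$1/single.yaml"
      printf '%s\n' '- cluster:' '    server: https://other.example.invalid:443' '  name: other'
      sed -n '6,$p' "$1/single.yaml"
      printf '%s\n' '- name: otherUser' '  user:' '    token: CONSTRUCTED-PLACEHOLDER-2'
    } > "$1/merged.yaml"
}
```

Source the file and run audit_kubeconfig against the file you intend to paste. Writing the credentials to a dedicated file with the --file option of az aks get-credentials keeps other clusters out of it.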
