Create a fully private AKS infrastructure with Bicep #AKS #biceplang

14 Apr


In this blog post I will describe a way to implement an architecture that includes a private Azure Kubernetes Service (AKS) Cluster by using Bicep, a declarative language for describing and deploying Azure resources.

According to project’s page on GitHub, Bicep is a Domain Specific Language (DSL) for deploying Azure resources declaratively and It aims to drastically simplify the authoring experience with a cleaner syntax, improved type safety, and better support for modularity and code re-use. 

The control plane or API server, in a fully private AKS cluster, has internal IP address and it communicates with the node pools through the private network, by leveraging the technology of Azure Private Link service. Furthermore, there is no need for the worker nodes to have a public IP assigned to a standard loadbalancer for egress the traffic as we are able to redirect the egress path through a Network Virtual Appliance or Azure Firewall.

In a nutshell, a fully private AKS cluster does not expose or use any public IP.


The initial idea to create a Bicep script that deploys an architecture like the one mentioned in the architectural diagram section, was taken from the following articles:

Architectural Diagram

Private AKS

Bicep script

The sources can be found at the following GitHub repository

The main Bicep script that deploys the architecture that is shown in the diagram, follows the modular approach and it has ‘subscription’ as its target scope.

// set the target scope to subscription
targetScope = 'subscription'

/ Create the hub vnet with all its components
module hubvnet './modules/hub-default.bicep' = {
  name: 'hub-vnet'
  scope: resourceGroup(
  params: {
    location: location
    hubVnetName: hubvnetName
    hubFwName: 'hub-fw'
    tags: tags

there is a folder called ‘modules’ that contains the smaller parts of the whole implementation such as:

  • The hub virtual network with all its components like the Azure Firewall and Azure Bastion
  • The Virtual Network for the AKS cluster
  • The Virtual Network for the Development Virtual Machines (agents)
  • The VNET peering and route tables
  • The private AKS cluster
  • The AKS’s private DNS zone links to hub and dev Virtual Networks
  • The dev VM which is an Ubuntu with Docker extension

Running the script

First you have to install the Bicep executable by following this guide:

Setup your Bicep development environment

Then, you will need to install either the Az CLI (2.20.0+) or the PowerShell Az module (v5.6.0+) that have Bicep support built-in.

After that, you will need to run the following commands in an Azure CLI or PowerShell console:

## Login to your Azure account
az login

## clone the repository

## Start the deployment
az deployment sub create -f ./private-aks.bicep -l northeurope

As you see, you can use the standard deployment commands with your *.bicep files and the tooling will transpile the code and send it to ARM on your behalf.