
How do I define a management Peering Rule for a Private Cluster?

Note: This is only required for private clusters. Skip this if your cluster plan does not enable a private cluster.


Prerequisite(s)

Also see these related cluster networking sections:


Overview

Wayfinder requires direct connectivity to the public Kubernetes API. This is the cloud-managed Kubernetes API endpoint, not the authentication module. Setting a cluster to private (enablePrivateCluster: true) removes all public access to the API endpoint, so you must create a peering from the cluster's network back to the management network.


To define the management peering rule

Create a resource file and apply it using the CLI:

wf apply -f FILENAME


AWS Example Peering Rule Definition

apiVersion: networking.appvia.io/v2beta1
kind: PeeringRule
metadata:
  name: eks-private
spec:
  filters:
    allocation:
      type: all
    selectors:
      # This example uses the custom label 'clustergroup' to identify the clusters to peer.
      # You should use something similar to this in your plan and peering rule to match the two together.
      matchLabels:
        clustergroup: eks-private
        appvia.io/stage: nonprod
        appvia.io/provider: aws
        appvia.io/region: eu-west-2
  cloudAccessConfigRef:
    name: aws-peering-e2e
    namespace: ws-admin
  connection:
    type: gateway
    gateway:
      enableAutoApproval: true
      # Set the appropriate transit gateway ID:
      identifier: tgw-01234567890abcdef
      providerDetails:
        aws:
          enableDNS: true
          routes: # Set these as appropriate for your environment
            - 10.80.0.0/12
            - 10.240.0.0/16


Azure Example Peering Rule Definition

apiVersion: networking.appvia.io/v2beta1
kind: PeeringRule
metadata:
  name: aks-private
spec:
  filters:
    allocation:
      type: all
    selectors:
      # This example uses the custom label 'clustergroup' to identify the clusters to peer.
      # You should use something similar to this in your plan and peering rule to match the two together.
      matchLabels:
        clustergroup: aks-private
        appvia.io/stage: nonprod
        appvia.io/provider: azure
        appvia.io/region: uksouth
  cloudAccessConfigRef:
    name: azure-peering-e2e
    namespace: ws-admin
  connection:
    type: peering
    peering:
      enableAutoApproval: true
      network:
        account: "1"
        location: uksouth
        # Set the identifier for your hub vNet to peer with here:
        identifier: "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP/providers/Microsoft.Network/virtualNetworks/VNET_NAME"
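A pre-apply sanity check for rules like the AWS and Azure definitions above, added here as an example and not part of Wayfinder or its CLI. It assumes the rule has already been loaded from YAML into a dict (for instance with PyYAML's yaml.safe_load) and uses constructed plan labels; it confirms the selector labels really match the plan, that the identifier is not still a placeholder, and that the AWS routes are private prefixes.

```python
import ipaddress
import re

# Constructed sample (added example, not Wayfinder code): the AWS rule from this
# page as it looks once loaded from YAML, e.g. with yaml.safe_load().
RULE = {"apiVersion": "networking.appvia.io/v2beta1", "kind": "PeeringRule",
        "metadata": {"name": "eks-private"},
        "spec": {"filters": {"allocation": {"type": "all"}, "selectors": {"matchLabels": {
                     "clustergroup": "eks-private", "appvia.io/stage": "nonprod",
                     "appvia.io/provider": "aws", "appvia.io/region": "eu-west-2"}}},
                 "cloudAccessConfigRef": {"name": "aws-peering-e2e", "namespace": "ws-admin"},
                 "connection": {"type": "gateway", "gateway": {
                     "enableAutoApproval": True, "identifier": "tgw-01234567890abcdef",
                     "providerDetails": {"aws": {"enableDNS": True,
                                                 "routes": ["10.80.0.0/12", "10.240.0.0/16"]}}}}}}
# Constructed: labels a matching private cluster plan would carry (hypothetical values).
PLAN_LABELS = {"clustergroup": "eks-private", "appvia.io/stage": "nonprod",
               "appvia.io/provider": "aws", "appvia.io/region": "eu-west-2"}


def check_peering_rule(rule, plan_labels):
    """Return a list of findings for a loaded PeeringRule; empty means it passed."""
    findings = []
    spec = rule.get("spec", {})
    # Every selector label must be on the plan with the same value; otherwise the
    # rule matches nothing and the private API endpoint stays unreachable.
    wanted = spec.get("filters", {}).get("selectors", {}).get("matchLabels", {})
    for key, value in wanted.items():
        if plan_labels.get(key) != value:
            findings.append(f"label {key}={value} not on plan (plan has {plan_labels.get(key)!r})")
    # The gateway/peering identifier must be filled in, not left as an ALL_CAPS placeholder.
    conn = spec.get("connection", {})
    ident = str(conn.get(conn.get("type", ""), {}).get("identifier", ""))
    if not ident or any(tok.isupper() for tok in re.split(r"[/_-]", ident)):
        findings.append(f"identifier {ident!r} is empty or still a placeholder")
    # Routes should be private prefixes: a public or default route would send far more
    # than the management network through the peering.
    aws = conn.get("gateway", {}).get("providerDetails", {}).get("aws", {})
    for route in aws.get("routes", []):
        try:
            net = ipaddress.ip_network(route, strict=True)
        except ValueError:
            findings.append(f"route {route!r} is not a valid CIDR")
            continue
        if net.prefixlen == 0 or not net.is_private:
            findings.append(f"route {route} is not a private prefix")
    return findings
```

Run the check against the loaded rule and the labels from the cluster plan before `wf apply`; an empty list means the rule selects the plan and carries sane connection settings.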