[Feature] P2S VPNGateway support for flexnode#50

Closed
wenxuan0923 wants to merge 1 commit into Azure:main from wenxuan0923:wenx/vpn-gateway

Conversation

@wenxuan0923 wenxuan0923 commented Jan 29, 2026

  • Added new VPN Gateway component with installer, uninstaller, and operations management
  • Implemented kube-proxy component for enhanced networking capabilities
  • Enhanced configuration structures, logging, and utility functions
  • Updated CNI setup and kubelet components for better integration

New sample config for enabling VPN gateway for flex node -> AKS node communication:

Then on top of that, users can use Cilium for pod networking.

```json
{
  "azure": {
    "subscriptionId": "xxxxxxxxxxxxx",
    "tenantId": "xxxxxxxxxxxxx",
    "cloud": "AzurePublicCloud",
    "vpnGateway": {
      "enabled": true,
      "p2sGatewayCIDR": "192.168.100.0/24",
      "podCIDR": "172.16.0.0/16",
      "vnetID": "/subscriptions/xxxxxxxxxxxxx/resourceGroups/MC_wenx-rg_wenx-edge-cluster_eastus/providers/Microsoft.Network/virtualNetworks/aks-vnet-xxxxxxx"
    },
    "arc": {
      "machineName": "edge-node",
      "tags": {
        "node-type": "edge"
      },
      "resourceGroup": "wenx-rg",
      "location": "eastus",
      "autoRoleAssignment": true
    },
    "targetCluster": {
      "resourceId": "/subscriptions/xxxxxxxxxxxxx/resourceGroups/wenx-rg/providers/Microsoft.ContainerService/managedClusters/wenx-edge-cluster",
      "location": "eastus"
    }
  },
  "kubernetes": {
    "version": "1.32.7"
  },
  "agent": {
    "logLevel": "info",
    "logDir": "/var/log/aks-flex-node"
  }
}
```

Then to use Cilium for pod networking, do the following (the pod CIDR must match the config above):

```bash
helm install cilium cilium/cilium \
  --version 1.16.5 \
  --namespace kube-system \
  --set operator.replicas=1 \
  --set hubble.relay.enabled=true \
  --set hubble.ui.enabled=true \
  --set routingMode=tunnel \
  --set tunnelProtocol=vxlan \
  --set autoDirectNodeRoutes=false \
  --set ipam.mode=cluster-pool \
  --set ipam.operator.clusterPoolIPv4PodCIDRList="{172.16.0.0/16}" \
  --set enableIPv4Masquerade=true \
  --set bpf.hostLegacyRouting=true \
  --set cgroup.autoMount.enabled=false \
  --set cgroup.hostRoot=/sys/fs/cgroup \
  --set bpf.autoMount.enabled=false \
  --set kubeProxyReplacement=false \
  --wait
```
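The comment above requires the `podCIDR` in the flex-node config to match the Cilium `clusterPoolIPv4PodCIDRList` value. The following is an added Go example (not part of this PR or of the aks-flex-node code) that loads the `vpnGateway` block from the JSON and cross-checks it against the Helm value, also flagging a P2S gateway CIDR that overlaps the pod CIDR; the struct field names follow the sample JSON, and the embedded input is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Only the vpnGateway block of the flex-node config is needed here (field names from the PR sample).
type flexNodeConfig struct {
	Azure struct {
		VPNGateway struct {
			Enabled        bool   `json:"enabled"`
			P2SGatewayCIDR string `json:"p2sGatewayCIDR"`
			PodCIDR        string `json:"podCIDR"`
		} `json:"vpnGateway"`
	} `json:"azure"`
}

// ValidateVPNConfig cross-checks the flex-node JSON against the Cilium clusterPoolIPv4PodCIDRList helm value (e.g. "{172.16.0.0/16}"); nil means they agree.
func ValidateVPNConfig(raw []byte, ciliumPool string) []string {
	var cfg flexNodeConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return []string{"config is not valid JSON: " + err.Error()}
	}
	gw, problems := cfg.Azure.VPNGateway, []string(nil)
	if !gw.Enabled {
		problems = append(problems, "vpnGateway.enabled is false")
	}
	_, p2s, errA := net.ParseCIDR(gw.P2SGatewayCIDR)
	_, pod, errB := net.ParseCIDR(gw.PodCIDR)
	if errA != nil || errB != nil {
		problems = append(problems, "p2sGatewayCIDR and podCIDR must both be valid CIDRs")
	} else if p2s.Contains(pod.IP) || pod.Contains(p2s.IP) { // overlapping ranges make routing ambiguous
		problems = append(problems, "p2sGatewayCIDR overlaps podCIDR")
	}
	// Helm list syntax is "{a,b}": strip the braces and expect exactly the pod CIDR.
	pools := strings.Split(strings.Trim(strings.TrimSpace(ciliumPool), "{}"), ",")
	if len(pools) != 1 || strings.TrimSpace(pools[0]) != gw.PodCIDR {
		problems = append(problems, fmt.Sprintf("cilium pool %q does not match podCIDR %q", ciliumPool, gw.PodCIDR))
	}
	return problems
}

func main() {
	// Constructed sample mirroring the PR's config, paired with a deliberately mismatched Cilium pool.
	sample := []byte(`{"azure":{"vpnGateway":{"enabled":true,"p2sGatewayCIDR":"192.168.100.0/24","podCIDR":"172.16.0.0/16"}}}`)
	fmt.Println(ValidateVPNConfig(sample, "{10.244.0.0/16}"))
}
```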
