[Feature] P2S VPNGateway support for flexnode by wenxuan0923 · Pull Request #68 · Azure/AKSFlexNode

wenxuan0923 · 2026-02-06T23:14:15Z

Pod networking needs IP reachability between nodes. This PR added a comprehensive VPN Gateway component enabling secure pod-to-pod communication between AKS clusters and AKS Flex nodes through Point-to-Site VPN connections.

Details

VPN Gateway provisioning: Automated Azure VPN Gateway creation with P2S configuration
Certificate management: Self-generated root CA and client certificates for authentication
OpenVPN integration: Automatic client configuration and systemd service management
Network setup: Route and iptables configuration for seamless pod connectivity
Graceful cleanup: Robust uninstaller with file, network, and Azure resource cleanup

New sample config for enabling VPN gateway for flex node -> AKS node communication:

{
  "azure": {
    "subscriptionId": "xxxxxxxxxxxxxx",
    "tenantId": "xxxxxxxxxxxxxx",
    "cloud": "AzurePublicCloud",
    "vpnGateway": {
      "enabled": true,
      "p2sGatewayCIDR": "192.168.100.0/24",
      "podCIDR": "172.16.0.0/16",
      "vnetID": "/subscriptions/xxxxxxxxxxxxxx/resourceGroups/MC_wenx-rg_wenx-edge-cluster_eastus/providers/Microsoft.Network/virtualNetworks/aks-vnet-xxxxx"
    },
    "arc": {
      "enabled": true,
      "machineName": "edge-node",
      "tags": {
        "node-type": "edge"
      },
      "resourceGroup": "wenx-rg",
      "location": "eastus"
    },
    "targetCluster": {
      "resourceId": "/subscriptions/xxxxxxxxxxxxxx/resourceGroups/wenx-rg/providers/Microsoft.ContainerService/managedClusters/wenx-edge-cluster",
      "location": "eastus"
    }
  },
  "kubernetes": {
    "version": "1.32.7"
  },
  "agent": {
    "logLevel": "info",
    "logDir": "/var/log/aks-flex-node"
  }
}

Then on top of that, user can use cilium for pod networking.

helm install cilium cilium/cilium \
  --version 1.16.5 \
  --namespace kube-system \
  --set operator.replicas=1 \
  --set routingMode=tunnel \
  --set tunnelProtocol=vxlan \
  --set mtu=1350 \
  --set ipam.mode=cluster-pool \
  --set ipam.operator.clusterPoolIPv4PodCIDRList="{172.16.0.0/16}" \
  --set bpf.masquerade=true \
  --set bpf.hostLegacyRouting=false \
  --set kubeProxyReplacement=true \
  --wait

wenxuan0923 force-pushed the wenx/vpn-gateway branch from 6167765 to c64bf09 Compare February 6, 2026 23:24

wenxuan0923 had a problem deploying to e2e-testing February 6, 2026 23:25 — with GitHub Actions Error

wenxuan0923 closed this Feb 6, 2026

wenxuan0923 force-pushed the wenx/vpn-gateway branch from c64bf09 to 6bdb4d8 Compare February 6, 2026 23:44

Squash

890a2c4

wenxuan0923 reopened this Feb 6, 2026

wenxuan0923 deployed to e2e-testing February 6, 2026 23:46 — with GitHub Actions Active

wenxuan0923 had a problem deploying to e2e-testing February 6, 2026 23:46 — with GitHub Actions Error

wenxuan0923 had a problem deploying to e2e-testing February 7, 2026 00:31 — with GitHub Actions Error

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Feature] P2S VPNGateway support for flexnode#68

[Feature] P2S VPNGateway support for flexnode#68
wenxuan0923 wants to merge 1 commit intomainfrom
wenx/vpn-gateway

wenxuan0923 commented Feb 6, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

wenxuan0923 commented Feb 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

wenxuan0923 commented Feb 6, 2026 •

edited

Loading