Use internal LB's IP for intra-node communication

Makefile

@@ -203,6 +203,12 @@ export CI_RG ?= $(AZWI_RESOURCE_GROUP)
 export USER_IDENTITY ?= $(addsuffix $(RANDOM_SUFFIX),$(CI_RG))
 export AZURE_IDENTITY_ID_FILEPATH ?= $(ROOT_DIR)/azure_identity_id
 
+# ensure that the APISERVER_LB_DNS_SUFFIX is of length 10 and contains only alphanumeric characters
+# LC_ALL=C is used to set the locale to C to ensure that the output is ASCII
+# head /dev/urandom generates random bytes. Will work on Linux and MacOS. Also works on Windows with WSL.
+# Ignore SIGPIPE error. This will suppress error messages if head closes the pipe before tr finishes.
+export APISERVER_LB_DNS_SUFFIX := $(shell LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 10 2>/dev/null)
+
 ## --------------------------------------
 ## Binaries
 ## --------------------------------------

api/v1beta1/tags.go

@@ -119,6 +119,10 @@ const (
 	// APIServerRole describes the value for the apiserver role.
 	APIServerRole = "apiserver"
 
+	// APIServerRoleInternal describes the value for the apiserver-internal role,
+	// an identifier for an internal load balancer serving apiserver traffic for cluster nodes.
+	APIServerRoleInternal = "apiserver-internal"
+
 	// NodeOutboundRole describes the value for the node outbound LB role.
 	NodeOutboundRole = "nodeOutbound"
 

azure/scope/cluster.go

@@ -265,6 +265,35 @@ func (s *ClusterScope) LBSpecs() []azure.ResourceSpecGetter {
 		},
 	}
 
+	if s.APIServerLB().Type != infrav1.Internal {
+		specs = append(specs, &loadbalancers.LBSpec{
+			Name:              s.APIServerLB().Name + "-internal",
+			ResourceGroup:     s.ResourceGroup(),
+			SubscriptionID:    s.SubscriptionID(),
+			ClusterName:       s.ClusterName(),
+			Location:          s.Location(),
+			ExtendedLocation:  s.ExtendedLocation(),
+			VNetName:          s.Vnet().Name,
+			VNetResourceGroup: s.Vnet().ResourceGroup,
+			SubnetName:        s.ControlPlaneSubnet().Name,
+			FrontendIPConfigs: []infrav1.FrontendIP{
+				{
+					Name: s.APIServerLB().Name + "-internal-frontEnd", // TODO: improve this name.
+					FrontendIPClass: infrav1.FrontendIPClass{
+						PrivateIPAddress: infrav1.DefaultInternalLBIPAddress,
+					},
+				},
+			},
+			APIServerPort:        s.APIServerPort(),
+			Type:                 infrav1.Internal,
+			SKU:                  s.APIServerLB().SKU,
+			Role:                 infrav1.APIServerRoleInternal,
+			BackendPoolName:      s.APIServerLB().BackendPool.Name + "-internal",
+			IdleTimeoutInMinutes: s.APIServerLB().IdleTimeoutInMinutes,
+			AdditionalTags:       s.AdditionalTags(),
+		})
+	}
+
 	// Node outbound LB
 	if s.NodeOutboundLB() != nil {
 		specs = append(specs, &loadbalancers.LBSpec{

azure/scope/cluster_test.go

@@ -2232,20 +2232,25 @@ func TestBackendPoolName(t *testing.T) {
 			}
 			clusterScope.AzureCluster.SetBackendPoolNameDefault()
 			got := clusterScope.LBSpecs()
-			g.Expect(got).To(HaveLen(3))
+			g.Expect(got).To(HaveLen(4))
 
 			// API server backend pool name
 			apiServerLBSpec := got[0].(*loadbalancers.LBSpec)
 			g.Expect(apiServerLBSpec.BackendPoolName).To(Equal(tc.expectedAPIServerBackendPoolName))
 			g.Expect(apiServerLBSpec.Role).To(Equal(infrav1.APIServerRole))
 
+			// API server backend pool name
+			apiServerILBSpec := got[1].(*loadbalancers.LBSpec)
+			g.Expect(apiServerILBSpec.BackendPoolName).To(Equal(tc.expectedAPIServerBackendPoolName + "-internal"))
+			g.Expect(apiServerILBSpec.Role).To(Equal(infrav1.APIServerRoleInternal))
+
 			// Node backend pool name
-			NodeLBSpec := got[1].(*loadbalancers.LBSpec)
+			NodeLBSpec := got[2].(*loadbalancers.LBSpec)
 			g.Expect(NodeLBSpec.BackendPoolName).To(Equal(tc.expectedNodeBackendPoolName))
 			g.Expect(NodeLBSpec.Role).To(Equal(infrav1.NodeOutboundRole))
 
 			// Control Plane backend pool name
-			controlPlaneLBSpec := got[2].(*loadbalancers.LBSpec)
+			controlPlaneLBSpec := got[3].(*loadbalancers.LBSpec)
 			g.Expect(controlPlaneLBSpec.BackendPoolName).To(Equal(tc.expectedControlPlaneBackendPoolName))
 			g.Expect(controlPlaneLBSpec.Role).To(Equal(infrav1.ControlPlaneOutboundRole))
 		})
@@ -2667,6 +2672,33 @@ func TestClusterScope_LBSpecs(t *testing.T) {
 						"foo": "bar",
 					},
 				},
+				&loadbalancers.LBSpec{
+					Name:              "api-server-lb-internal",
+					ResourceGroup:     "my-rg",
+					SubscriptionID:    "123",
+					ClusterName:       "my-cluster",
+					Location:          "westus2",
+					VNetName:          "my-vnet",
+					VNetResourceGroup: "my-rg",
+					SubnetName:        "cp-subnet",
+					FrontendIPConfigs: []infrav1.FrontendIP{
+						{
+							Name: "api-server-lb-internal-frontEnd",
+							FrontendIPClass: infrav1.FrontendIPClass{
+								PrivateIPAddress: infrav1.DefaultInternalLBIPAddress,
+							},
+						},
+					},
+					APIServerPort:        6443,
+					Type:                 infrav1.Internal,
+					SKU:                  infrav1.SKUStandard,
+					Role:                 infrav1.APIServerRoleInternal,
+					BackendPoolName:      "api-server-lb-backend-pool-internal",
+					IdleTimeoutInMinutes: ptr.To[int32](30),
+					AdditionalTags: infrav1.Tags{
+						"foo": "bar",
+					},
+				},
 				&loadbalancers.LBSpec{
 					Name:              "node-outbound-lb",
 					ResourceGroup:     "my-rg",

azure/scope/machine.go

@@ -298,6 +298,8 @@ func (m *MachineScope) BuildNICSpec(nicName string, infrav1NetworkInterface infr
 				spec.InternalLBName = m.APIServerLBName()
 				spec.InternalLBAddressPoolName = m.APIServerLBPoolName()
 			} else {
+				spec.InternalLBName = m.APIServerLBName() + "-internal"
+				spec.InternalLBAddressPoolName = m.APIServerLBPoolName() + "-internal"
 				spec.PublicLBNATRuleName = m.Name()
 				spec.PublicLBAddressPoolName = m.APIServerLBPoolName()
 			}

azure/scope/machine_test.go

@@ -2467,8 +2467,8 @@ func TestMachineScope_NICSpecs(t *testing.T) {
 					PublicLBName:              "api-lb",
 					PublicLBAddressPoolName:   "api-lb-backendPool",
 					PublicLBNATRuleName:       "machine-name",
-					InternalLBName:            "",
-					InternalLBAddressPoolName: "",
+					InternalLBName:            "api-lb-internal",
+					InternalLBAddressPoolName: "api-lb-backendPool-internal",
 					PublicIPName:              "",
 					AcceleratedNetworking:     nil,
 					DNSServers:                nil,
@@ -2578,8 +2578,8 @@ func TestMachineScope_NICSpecs(t *testing.T) {
 					PublicLBName:              "api-lb",
 					PublicLBAddressPoolName:   "api-lb-backendPool",
 					PublicLBNATRuleName:       "machine-name",
-					InternalLBName:            "",
-					InternalLBAddressPoolName: "",
+					InternalLBName:            "api-lb-internal",
+					InternalLBAddressPoolName: "api-lb-backendPool-internal",
 					PublicIPName:              "",
 					AcceleratedNetworking:     nil,
 					DNSServers:                []string{"123.123.123.123", "124.124.124.124"},

azure/services/loadbalancers/spec.go

@@ -214,7 +214,7 @@ func getOutboundRules(lbSpec LBSpec, frontendIDs []*armnetwork.SubResource) []*a
 }
 
 func getLoadBalancingRules(lbSpec LBSpec, frontendIDs []*armnetwork.SubResource) []*armnetwork.LoadBalancingRule {
-	if lbSpec.Role == infrav1.APIServerRole {
+	if lbSpec.Role == infrav1.APIServerRole || lbSpec.Role == infrav1.APIServerRoleInternal {
 		// We disable outbound SNAT explicitly in the HTTPS LB rule and enable TCP and UDP outbound NAT with an outbound rule.
 		// For more information on Standard LB outbound connections see https://learn.microsoft.com/azure/load-balancer/load-balancer-outbound-connections.
 		var frontendIPConfig *armnetwork.SubResource
@@ -255,7 +255,7 @@ func getBackendAddressPools(lbSpec LBSpec) []*armnetwork.BackendAddressPool {
 }
 
 func getProbes(lbSpec LBSpec) []*armnetwork.Probe {
-	if lbSpec.Role == infrav1.APIServerRole {
+	if lbSpec.Role == infrav1.APIServerRole || lbSpec.Role == infrav1.APIServerRoleInternal {
 		return []*armnetwork.Probe{
 			{
 				Name: ptr.To(httpsProbe),

scripts/aks-as-mgmt.sh

@@ -24,12 +24,11 @@ source "${REPO_ROOT}/hack/ensure-azcli.sh" # install az cli and login using WI
 source "${REPO_ROOT}/hack/ensure-tags.sh" # set the right timestamp and job name
 
 KUBECTL="${REPO_ROOT}/hack/tools/bin/kubectl"
-KIND="${REPO_ROOT}/hack/tools/bin/kind"
 AZWI="${REPO_ROOT}/hack/tools/bin/azwi"
-make --directory="${REPO_ROOT}" "${KUBECTL##*/}" "${KIND##*/}" "${AZWI##*/}"
+make --directory="${REPO_ROOT}" "${KUBECTL##*/}" "${AZWI##*/}"
 
-export MGMT_CLUSTER_NAME="${MGMT_CLUSTER_NAME:-aks-mgmt-capz}-${RANDOM_SUFFIX}" # management cluster name
-export AKS_RESOURCE_GROUP="${AKS_RESOURCE_GROUP:-aks-mgmt-capz}-${RANDOM_SUFFIX}" # resource group name
+export MGMT_CLUSTER_NAME="${MGMT_CLUSTER_NAME:-aks-mgmt-capz-${RANDOM_SUFFIX}}" # management cluster name
+export AKS_RESOURCE_GROUP="${AKS_RESOURCE_GROUP:-aks-mgmt-capz-${RANDOM_SUFFIX}}" # resource group name
 export AKS_NODE_RESOURCE_GROUP="node-${AKS_RESOURCE_GROUP}"
 export KUBERNETES_VERSION="${KUBERNETES_VERSION:-v1.30.2}"
 export AZURE_LOCATION="${AZURE_LOCATION:-westus2}"
@@ -48,6 +47,16 @@ export AZURE_SUBSCRIPTION_ID="${AZURE_SUBSCRIPTION_ID:-}"
 export AZURE_CLIENT_ID="${AZURE_CLIENT_ID:-}"
 export AZURE_TENANT_ID="${AZURE_TENANT_ID:-}"
 
+# to suppress unbound variable error message
+export APISERVER_LB_DNS_SUFFIX="${APISERVER_LB_DNS_SUFFIX:-}"
+export AKS_MI_CLIENT_ID="${AKS_MI_CLIENT_ID:-}"
+export AKS_MI_OBJECT_ID="${AKS_MI_OBJECT_ID:-}"
+export AKS_MI_RESOURCE_ID="${AKS_MI_RESOURCE_ID:-}"
+export MANAGED_IDENTITY_NAME="${MANAGED_IDENTITY_NAME:-}"
+export MANAGED_IDENTITY_RG="${MANAGED_IDENTITY_RG:-}"
+export ASO_CREDENTIAL_SECRET_MODE="${ASO_CREDENTIAL_SECRET_MODE:-}"
+export SKIP_AKS_CREATE="${SKIP_AKS_CREATE:-false}"
+
 main() {
 
   echo "--------------------------------"
@@ -66,12 +75,19 @@ main() {
   echo "SERVICE_ACCOUNT_SIGNING_PUB_FILEPATH: $SERVICE_ACCOUNT_SIGNING_PUB_FILEPATH"
   echo "SERVICE_ACCOUNT_SIGNING_KEY_FILEPATH: $SERVICE_ACCOUNT_SIGNING_KEY_FILEPATH"
   echo "REGISTRY:                             $REGISTRY"
+  echo "APISERVER_LB_DNS_SUFFIX:              $APISERVER_LB_DNS_SUFFIX"
 
   echo "AZURE_SUBSCRIPTION_ID:                $AZURE_SUBSCRIPTION_ID"
   echo "AZURE_CLIENT_ID:                      $AZURE_CLIENT_ID"
   echo "AZURE_TENANT_ID:                      $AZURE_TENANT_ID"
   echo "--------------------------------"
 
+  # if using SKIP_AKS_CREATE=true, skip creating the AKS cluster
+  if [[ "${SKIP_AKS_CREATE}" == "true" ]]; then
+    echo "Skipping AKS cluster creation"
+    return
+  fi
+
   create_aks_cluster
   set_env_varaibles
 }
@@ -178,6 +194,7 @@ kustomize_substitutions:
   CLUSTER_IDENTITY_TYPE: "UserAssignedMSI"
   ASO_CREDENTIAL_SECRET_MODE: "${ASO_CREDENTIAL_SECRET_MODE}"
   REGISTRY: "${REGISTRY}"
+  APISERVER_LB_DNS_SUFFIX: "${APISERVER_LB_DNS_SUFFIX}"
 allowed_contexts:
   - "$MGMT_CLUSTER_NAME"
   - "kind-capz"

templates/cluster-template.yaml

@@ -29,6 +29,12 @@ spec:
     name: ${CLUSTER_IDENTITY_NAME}
   location: ${AZURE_LOCATION}
   networkSpec:
+    apiServerLB:
+      frontendIPs:
+      - name: ${CLUSTER_NAME}-api-lb
+        publicIP:
+          dnsName: ${CLUSTER_NAME}-${APISERVER_LB_DNS_SUFFIX}.${AZURE_LOCATION}.cloudapp.azure.com
+          name: ${CLUSTER_NAME}-api-lb
     subnets:
     - name: control-plane-subnet
       role: control-plane
@@ -189,7 +195,9 @@ spec:
           kubeletExtraArgs:
             cloud-provider: external
           name: '{{ ds.meta_data["local_hostname"] }}'
-      preKubeadmCommands: []
+      preKubeadmCommands:
+      - echo '10.0.0.100   ${CLUSTER_NAME}-${APISERVER_LB_DNS_SUFFIX}.${AZURE_LOCATION}.cloudapp.azure.com'
+        >> /etc/hosts
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
 kind: AzureClusterIdentity

templates/flavors/default/kustomization.yaml

@@ -5,8 +5,11 @@ resources:
 - ../base
 - machine-deployment.yaml
 - ../../azure-cluster-identity
+
 patches:
 - path: ../../azure-cluster-identity/azurecluster-identity-ref.yaml
+- path: patches/control-plane.yaml
+- path: patches/kubeadm-config-template.yaml
 
 sortOptions:
   order: fifo