Introduction
The official documentation for installing Terraform Enterprise with Flexible Deployment Options for Azure Kubernetes Service (AKS) creates a public Load Balancer by default.
This article explains how to configure the overrides.yaml file in the Helm chart to create an internal Load Balancer in Azure instead.
Expected Outcome
Terraform Enterprise will use an internal Load Balancer with a private IP address and will not be exposed to the public internet.
Prerequisites
- A Terraform Enterprise Flexible Deployment on Azure Kubernetes Service (AKS).
- Two available private subnets in your network infrastructure.
Use Case
Deploy Terraform Enterprise on Azure Kubernetes Service with an internal Load Balancer for enhanced security and private network access.
Procedure
To create an internal Load Balancer, you must add specific annotations to the service block in your overrides.yaml file. Choose one of the following options based on your IP address requirements.
Option 1: Use a dynamically assigned private IP
- Add the following configuration to your overrides.yaml file. This annotation instructs Azure to create an internal, rather than public, load balancer.

  service:
    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    type: LoadBalancer
    ports:
      - name: https-443
        port: 443
        protocol: TCP
        targetPort: 8443
Option 2: Use a specific static private IP
- Add the following configuration to your overrides.yaml file. This includes an additional annotation to assign a specific private IP address to the load balancer. Replace <load-balancer-ip> with your desired IP address.

  service:
    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      service.beta.kubernetes.io/azure-load-balancer-ipv4: <load-balancer-ip>
    type: LoadBalancer
    ports:
      - name: https-443
        port: 443
        protocol: TCP
        targetPort: 8443
Apply and Verify the Configuration
- After choosing an option and updating your overrides.yaml file, apply the Helm chart by following the installation guide to install the application.
- Verify that the service is using an internal IP address by checking the services in your Terraform Enterprise namespace.

  $ kubectl get services -n terraform-enterprise

- Confirm the EXTERNAL-IP value is the private IP address assigned to your internal Load Balancer.

  NAME                   TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
  terraform-enterprise   LoadBalancer   10.0.123.180   10.211.1.5    443:30877/TCP   2m9s
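As an added example (not part of the original article or of the Terraform Enterprise Helm chart), the following Python script automates the two checks this procedure relies on: that the service block you place in overrides.yaml really requests an internal load balancer (annotation value is the string "true", and any static IP is a private RFC 1918 address rather than an unreplaced placeholder), and that the Service object Kubernetes reports after installation carries a private EXTERNAL-IP. The service JSON embedded below is constructed to mirror the kubectl output above; on a real cluster, feed it the output of kubectl get service terraform-enterprise -n terraform-enterprise -o json.

```python
"""Verify that a Terraform Enterprise Service on AKS requests, and received,
an internal (private) Azure load balancer. Added example; not the chart's code."""
import ipaddress
import json

INTERNAL_ANNOTATION = "service.beta.kubernetes.io/azure-load-balancer-internal"
STATIC_IP_ANNOTATION = "service.beta.kubernetes.io/azure-load-balancer-ipv4"

# RFC 1918 ranges: an internal load balancer must land in one of these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_ipv4(value):
    """True only for a syntactically valid IPv4 address inside an RFC 1918 range.
    Invalid strings (including an unreplaced <load-balancer-ip>) return False."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def check_overrides(service):
    """Return a list of problems with the `service:` block of overrides.yaml
    (a parsed dict). An empty list means it correctly requests an internal LB."""
    problems = []
    if service.get("type") != "LoadBalancer":
        problems.append("service.type must be LoadBalancer")
    annotations = service.get("annotations") or {}
    # Annotation values must be strings: an unquoted YAML `true` becomes a
    # boolean and the Service is rejected on apply.
    if annotations.get(INTERNAL_ANNOTATION) != "true":
        problems.append(f'{INTERNAL_ANNOTATION} must be the string "true"')
    if STATIC_IP_ANNOTATION in annotations:
        ip = annotations[STATIC_IP_ANNOTATION]
        if not is_private_ipv4(ip):
            problems.append(f"{STATIC_IP_ANNOTATION} is not a private IPv4: {ip!r}")
    return problems


def observed_external_ips(svc_json):
    """Extract the EXTERNAL-IP values from `kubectl get service -o json` output."""
    svc = json.loads(svc_json)
    ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
    return [entry["ip"] for entry in ingress if "ip" in entry]


def check_observed_service(svc_json):
    """Return problems with the live Service: annotation present and every
    assigned EXTERNAL-IP private. A public address means the LB is exposed."""
    svc = json.loads(svc_json)
    problems = []
    annotations = svc.get("metadata", {}).get("annotations") or {}
    if annotations.get(INTERNAL_ANNOTATION) != "true":
        problems.append("live Service lacks the internal-LB annotation")
    ips = observed_external_ips(svc_json)
    if not ips:
        problems.append("no EXTERNAL-IP assigned yet (<pending>)")
    for ip in ips:
        if not is_private_ipv4(ip):
            problems.append(f"EXTERNAL-IP {ip} is not private: load balancer is public")
    return problems


# Constructed sample: the Option 2 block with a private static IP filled in.
OVERRIDES_OPTION2 = {
    "annotations": {INTERNAL_ANNOTATION: "true", STATIC_IP_ANNOTATION: "10.211.1.5"},
    "type": "LoadBalancer",
    "ports": [{"name": "https-443", "port": 443, "protocol": "TCP", "targetPort": 8443}],
}

# Constructed sample mirroring the kubectl output in the article (trimmed fields).
SAMPLE_SERVICE_JSON = json.dumps({
    "metadata": {"name": "terraform-enterprise", "namespace": "terraform-enterprise",
                 "annotations": {INTERNAL_ANNOTATION: "true"}},
    "spec": {"type": "LoadBalancer", "clusterIP": "10.0.123.180"},
    "status": {"loadBalancer": {"ingress": [{"ip": "10.211.1.5"}]}},
})

# Constructed negative sample: annotation missing and a public (TEST-NET-3) address.
PUBLIC_SERVICE_JSON = json.dumps({
    "metadata": {"name": "terraform-enterprise", "annotations": {}},
    "spec": {"type": "LoadBalancer"},
    "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.7"}]}},
})

if __name__ == "__main__":
    print("overrides:", check_overrides(OVERRIDES_OPTION2) or "ok")
    print("live service:", check_observed_service(SAMPLE_SERVICE_JSON) or "ok")
    print("public service:", check_observed_service(PUBLIC_SERVICE_JSON))
```

The placeholder check matters in practice: a copied Option 2 block with <load-balancer-ip> left in place is rejected by check_overrides before anything is applied, and a Service whose EXTERNAL-IP falls outside RFC 1918 is flagged as publicly exposed rather than silently passing.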