Hub-and-spoke private DNS zone linking#305

Merged
johnstairs merged 3 commits into main from johnstairs/private-dns-hub-and-spoke
Mar 31, 2026

Conversation

@johnstairs
Member

This PR adds support for hub-and-spoke VNet topologies when using private networking, and switches AKS private clusters to use a custom private DNS zone with a user-assigned managed identity.

Note there is a breaking change in this PR and existing AKS clusters using private networking will need to be deleted in order to upgrade.

Hub-and-spoke DNS VNet links

A new cloud.additionalDnsVnetLinks configuration field allows users to specify additional VNets that should be linked to all Tyger-managed private DNS zones. This is essential for hub-and-spoke network architectures where a DNS resolver in the hub VNet needs to resolve Tyger's private endpoint addresses.

cloud:
  privateNetworking: true
  additionalDnsVnetLinks:
    - subscriptionId: 00000000-0000-0000-0000-000000000000  # optional
      resourceGroup: hub-networking-rg
      vnetName: hub-vnet

Key behaviors:

  • All private DNS zones (storage, database, AKS, API domain) are linked to the specified VNets in addition to the cluster's own VNet.
  • Stale VNet links (from VNets removed from the config) are automatically cleaned up on each install, matched by VNet resource ID.
  • Validation ensures the field is only used when privateNetworking is true, and that entries have the required fields.

AKS custom private DNS zone

Previously, AKS private clusters used PrivateDNSZone: "system", which places the DNS zone in the node resource group (MC_*) where Tyger cannot manage VNet links. This PR switches to a custom private DNS zone approach:

  • Creates a subzone <envName><hash>.privatelink.<region>.azmk8s.io (where <hash> is 8 hex chars from SHA-256 of subscription/resourceGroup/clusterName) to avoid cross-environment collisions.
  • Creates a tyger-aks user-assigned managed identity with Private DNS Zone Contributor and Network Contributor roles, which AKS requires to manage records in a custom DNS zone.
  • RBAC roles are pre-assigned before cluster creation since the identity must have permissions at creation time.
  • Existing clusters with PrivateDNSZone: "system" cannot be migrated; an error directs users to delete and recreate.

Organization uninstall cleanup

deleteOrgPrivateLinkResources handles cleanup of per-organization private link resources during tyger cloud uninstall:

  • Deletes all VNet links from each DNS zone before deleting the zone itself (required by Azure).
  • Retries DNS zone deletion on 409 Conflict (up to 5 attempts with 10s delay) to handle Azure eventual consistency.
  • Cleans up per-org storage private endpoints.

Documentation

Expanded the private networking section of the cloud installation guide with:

  • Required settings (with YAML examples)
  • Hub-and-spoke VNet topology usage
  • What Tyger creates vs. what users must set up themselves
  • Connectivity requirements for running commands
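The following is an added example, not code from the Tyger project or from this PR, showing the three rules the description states for the hub-and-spoke DNS links: the config validation (entries only with privateNetworking: true, resourceGroup and vnetName required), the desired-versus-existing VNet link reconciliation matched by VNet resource ID, and the per-environment AKS subzone name. The type and function names (DnsVnetLink, CloudConfig, ReconcileLinks, AksPrivateDnsSubzone), the sample subscription and resource group values, and the exact "/"-joined SHA-256 input are this example's assumptions; the PR only states which fields are hashed, not how they are joined.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// DnsVnetLink is one entry of cloud.additionalDnsVnetLinks. The field names
// follow the PR description; the Go types here are this example's assumption.
type DnsVnetLink struct {
	SubscriptionID string // optional: empty means the deployment's own subscription
	ResourceGroup  string // required
	VnetName       string // required
}

// CloudConfig carries only the two settings this example needs.
type CloudConfig struct {
	PrivateNetworking      bool
	AdditionalDnsVnetLinks []DnsVnetLink
}

// ValidateAdditionalDnsVnetLinks enforces the rules stated in the PR: the
// field may only be used with privateNetworking: true, and each entry must
// name a resourceGroup and a vnetName. All problems are reported together.
func ValidateAdditionalDnsVnetLinks(c CloudConfig) error {
	if len(c.AdditionalDnsVnetLinks) == 0 {
		return nil
	}
	if !c.PrivateNetworking {
		return errors.New("cloud.additionalDnsVnetLinks requires cloud.privateNetworking to be true")
	}
	var errs []error
	for i, l := range c.AdditionalDnsVnetLinks {
		if strings.TrimSpace(l.ResourceGroup) == "" {
			errs = append(errs, fmt.Errorf("additionalDnsVnetLinks[%d]: resourceGroup is required", i))
		}
		if strings.TrimSpace(l.VnetName) == "" {
			errs = append(errs, fmt.Errorf("additionalDnsVnetLinks[%d]: vnetName is required", i))
		}
	}
	return errors.Join(errs...)
}

// VnetResourceID builds the ARM resource ID of a virtual network.
func VnetResourceID(subscriptionID, resourceGroup, vnetName string) string {
	return fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s",
		subscriptionID, resourceGroup, vnetName)
}

// DesiredVnetIDs lists every VNet a Tyger-managed private DNS zone should be
// linked to: the cluster's own VNet plus each configured additional link.
func DesiredVnetIDs(c CloudConfig, defaultSubscriptionID, clusterVnetID string) []string {
	ids := []string{clusterVnetID}
	for _, l := range c.AdditionalDnsVnetLinks {
		sub := l.SubscriptionID
		if sub == "" {
			sub = defaultSubscriptionID
		}
		ids = append(ids, VnetResourceID(sub, l.ResourceGroup, l.VnetName))
	}
	return ids
}

// ReconcileLinks diffs the desired VNet IDs against the VNet IDs behind the
// links a zone currently has, returning the VNets that still need a link and
// the stale links to delete. ARM resource IDs are case-insensitive, so the
// match is made on the lower-cased ID. Output order follows the input order.
func ReconcileLinks(desired, existing []string) (toAdd, toRemove []string) {
	want := map[string]bool{}
	for _, id := range desired {
		want[strings.ToLower(id)] = true
	}
	have := map[string]bool{}
	for _, id := range existing {
		have[strings.ToLower(id)] = true
	}
	for _, id := range desired {
		if !have[strings.ToLower(id)] {
			toAdd = append(toAdd, id)
		}
	}
	for _, id := range existing {
		if !want[strings.ToLower(id)] {
			toRemove = append(toRemove, id)
		}
	}
	return toAdd, toRemove
}

// AksPrivateDnsSubzone derives <envName><hash>.privatelink.<region>.azmk8s.io.
// The PR states the hash is 8 hex chars of SHA-256 over subscription,
// resourceGroup and clusterName; joining them with "/" is this example's guess.
func AksPrivateDnsSubzone(envName, region, subscriptionID, resourceGroup, clusterName string) string {
	sum := sha256.Sum256([]byte(subscriptionID + "/" + resourceGroup + "/" + clusterName))
	return fmt.Sprintf("%s%s.privatelink.%s.azmk8s.io", envName, hex.EncodeToString(sum[:])[:8], region)
}

func main() {
	cfg := CloudConfig{PrivateNetworking: true,
		AdditionalDnsVnetLinks: []DnsVnetLink{{ResourceGroup: "hub-networking-rg", VnetName: "hub-vnet"}}}
	sub := "00000000-0000-0000-0000-000000000000" // constructed sample value
	desired := DesiredVnetIDs(cfg, sub, VnetResourceID(sub, "tyger-rg", "tyger-vnet"))
	add, remove := ReconcileLinks(desired, []string{VnetResourceID(sub, "old-rg", "old-vnet")})
	fmt.Println("add:", add, "remove:", remove)
}
```

Removing stale links is the part worth getting right from a security standpoint: a VNet that was dropped from the config but keeps its link can still resolve the private endpoint names of every zone, so the reconcile step is what actually withdraws that visibility on each install.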

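The uninstall ordering described under "Organization uninstall cleanup" (unlink every VNet first, then delete the zone, retrying on 409 Conflict up to 5 times with a 10s delay) as an added example; this is not the PR's deleteOrgPrivateLinkResources nor Azure SDK code. PrivateDnsZoneClient, ErrConflict and the fake client are this example's own abstractions, and the sleep function is injected so the retry path can be exercised offline.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrConflict stands in for Azure's 409 Conflict response; a real client would
// map the SDK's response error onto it. Every name here is this example's own.
var ErrConflict = errors.New("409 Conflict")

// PrivateDnsZoneClient is the minimal surface the uninstall path needs.
type PrivateDnsZoneClient interface {
	ListVnetLinks(zone string) ([]string, error)
	DeleteVnetLink(zone, linkName string) error
	DeleteZone(zone string) error
}

// DeletePrivateDnsZone removes every VNet link first (Azure refuses to delete
// a zone that still has links), then deletes the zone, retrying on 409 up to
// maxAttempts times with delay between tries. Any other error aborts at once.
// sleep is injectable so the retry path can be exercised without waiting.
func DeletePrivateDnsZone(c PrivateDnsZoneClient, zone string, maxAttempts int, delay time.Duration, sleep func(time.Duration)) error {
	links, err := c.ListVnetLinks(zone)
	if err != nil {
		return fmt.Errorf("listing VNet links of %s: %w", zone, err)
	}
	for _, l := range links {
		if err := c.DeleteVnetLink(zone, l); err != nil {
			return fmt.Errorf("deleting VNet link %s from %s: %w", l, zone, err)
		}
	}
	var lastErr error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		err := c.DeleteZone(zone)
		if err == nil {
			return nil
		}
		if !errors.Is(err, ErrConflict) {
			return fmt.Errorf("deleting zone %s: %w", zone, err)
		}
		lastErr = err
		if attempt < maxAttempts {
			sleep(delay)
		}
	}
	return fmt.Errorf("deleting zone %s gave up after %d attempts: %w", zone, maxAttempts, lastErr)
}

// fakeZoneClient models Azure's behaviour for offline use: zone deletion is
// refused while links remain, and to imitate eventual consistency it keeps
// answering 409 for conflictsAfterUnlink more calls after the links are gone.
type fakeZoneClient struct {
	links                map[string][]string
	conflictsAfterUnlink int
	zoneDeleteCalls      int
	deleted              bool
}

func (f *fakeZoneClient) ListVnetLinks(zone string) ([]string, error) {
	return append([]string(nil), f.links[zone]...), nil
}

func (f *fakeZoneClient) DeleteVnetLink(zone, name string) error {
	var remaining []string
	for _, l := range f.links[zone] {
		if l != name {
			remaining = append(remaining, l)
		}
	}
	f.links[zone] = remaining
	return nil
}

func (f *fakeZoneClient) DeleteZone(zone string) error {
	f.zoneDeleteCalls++
	if len(f.links[zone]) > 0 {
		return ErrConflict
	}
	if f.conflictsAfterUnlink > 0 {
		f.conflictsAfterUnlink--
		return ErrConflict
	}
	f.deleted = true
	return nil
}

func main() {
	// Constructed sample: a zone with two links that stays "busy" for two more calls.
	f := &fakeZoneClient{links: map[string][]string{"example-zone": {"cluster-link", "hub-link"}}, conflictsAfterUnlink: 2}
	err := DeletePrivateDnsZone(f, "example-zone", 5, 10*time.Millisecond, time.Sleep)
	fmt.Printf("deleted=%v attempts=%d err=%v\n", f.deleted, f.zoneDeleteCalls, err)
}
```

Bounding the retries matters for the same reason the PR gives them a count: an uninstall that loops forever on a zone that is genuinely still in use hides the real problem, whereas giving up after 5 attempts surfaces the conflict (and the lingering private link resources) to the operator.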
@johnstairs johnstairs marked this pull request as ready for review March 30, 2026 23:08
@johnstairs johnstairs merged commit f421497 into main Mar 31, 2026
41 of 42 checks passed
@johnstairs johnstairs deleted the johnstairs/private-dns-hub-and-spoke branch March 31, 2026 01:25