Using VS Code and Lens to connect to a private AKS cluster

Summary: This wiki page explains how to use VS Code and Lens to connect to a private AKS cluster.
Date: 15 September 2025

There are many ways to connect to a private AKS cluster. This page assumes you have a jumpbox VM in the same virtual network as the AKS cluster, and that you can connect to the jumpbox using Azure Bastion. Using VS Code with the extensions explained below is the easiest way to connect to a private AKS cluster, but also has it's limitations. For that reason, I'll also explain how to use Lens to connect to the private AKS cluster.

See here the design of the network setup to connect to a private AKS cluster using a jumpbox through Azure Bastion. For simplicity, setup and requirements that are not relevant for this page, like private DNS, are left out:

Network overview of an private AKS cluster

Note: The Bastion must be Standard or Premium SKU and have native client support enabled under configuration settings

To use VS Code to connect to a private AKS cluster, make sure you have the 'Remote Explorer' and 'Kubernetes' extensions installed. Then, follow these steps:

• Optional: If applicable, activate the required Privileged Identity Management (PIM) groups to assign permissions for your account. You need at least 'Reader' permissions on the resource group where the bastion is located, and, depending on what you'll need to do, 'Reader' or 'Contributor' permissions on the resource group where the jumpbox and AKS cluster are located.
• Use the following Azure CLI commands to connect to Azure and set the subscribtion to the one with the bastion:

  # We need to use the azure cli as creating the tunnel to the jumpbox will only work with the azure cli
  az logout
  # Disable the subscription selector feature as well as sign in with WAM
  az config set core.login_experience_v2=off
  az config set core.enable_broker_on_windows=false
  az login --tenant 7e4an71d-a123-a123-a123-abcd12345678
  # Set the subscription to the bastion subscription
  az account set --subscription aa123456-a123-a123-a123-abcd12345678

• Use the following Azure CLI command to create a ssh tunnel to the jumpbox through the bastion:

  az network bastion tunnel --name bas-001 --resource-group rg-bastion --target-resource-id /subscriptions/aa123456-a123-a123-a123-abcd12345678/resourceGroups/rg-cluster/providers/Microsoft.Compute/virtualMachines/vm-jumpbox --resource-port 22 --port 50022

• To use the 'Remote Explorer' extension, you need to add an entry to your ssh config file (usually located at `C:\Users\<your-username>\.ssh\config`):

  # Read more about SSH config files: https://linux.die.net/man/5/ssh_config
  Host vm-jumpbox
      HostName 127.0.0.1
      User azadmin
      Port 50022
      IdentityFile C:/Users/sjoer/.ssh/private_cluster.pem

  • Note that the `IdentityFile` must point to the private key that matches the public key configured on the jumpbox VM.
• In VS Code, open the Remote Explorer extension from the activity bar → SSH Targets → Open 127.0.0.1 (linux) in a new window
  • This will open a new VS Code window connected to the jumpbox VM. You can now open a terminal in this window and run commands on the jumpbox VM. To be able to connect to the AKS cluster, you need to install various tools on the jumpbox first. Note that all of the command below can be obtained by going to your cluster in the Azure portal and then to 'Connect':

# Install the Azure CLI: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest
# Download and install the Microsoft signing key
sudo mkdir -p /etc/apt/keyrings
curl -sLS https://packages.microsoft.com/keys/microsoft.asc |
    gpg --dearmor |
    sudo tee /etc/apt/keyrings/microsoft.gpg > /dev/null
sudo chmod go+r /etc/apt/keyrings/microsoft.gpg
 
# Add the Azure CLI software repository
AZ_REPO=$(lsb_release -cs)
echo "deb [arch=`dpkg --print-architecture` signed-by=/etc/apt/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" |
    sudo tee /etc/apt/sources.list.d/azure-cli.list
 
# Update repository information and install the azure-cli package
sudo apt-get update
sudo apt-get install azure-cli
 
# Install kubectl and kubelogin: https://learn.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-install-cli
sudo az aks install-cli
 
# Login to Azure
az login
 
# Set subscription to the one with the AKS cluster and login to the AKS cluster
az account set --subscription aa123456-a123-a123-a123-abcd12345679
az aks get-credentials --admin --name aks-privatecluster --resource-group rg-privatecluster --overwrite-existing
 
# Use kubelogin plugin for authentication
kubelogin convert-kubeconfig -l azurecli
 
# Verify your aks connection
kubectl cluster-info

• You can now use the 'Kubernetes' extension to view and manage the AKS cluster. Open the 'Kubernetes' extension from the activity bar → Click on the refresh button in the 'Clusters' section to load the clusters from your kubeconfig file. You should see your AKS cluster listed there. You can now expand the cluster to view its resources and perform various actions like viewing logs, executing commands in pods and more.

Note that some of the above steps can be automated using VS Code Tasks.

Lens is a popular Kubernetes IDE that makes it easy to manage and monitor Kubernetes clusters. You can download it from here. To connect to a private AKS cluster using Lens, follow these steps:

• Install lens
• Lens automatically uses your local kube config to connect to clusters. To use Lens to connect to a privatecluster first connect to the privatecluster using the jumpbox as explained above. Then, copy the kubeconfig file from the jumpbox to your local machine. From your home directory on the jumpbox, use cat .kube/config to display the content of the kubeconfig file. Copy the content and save it to a file on your local machine, for example C:\Users\sjoer\.kube\privatecluster-config
• Open the file in your VS Code and make the following changes:
  • Change server: https://aks-privatecluster-m8k6low2.privatelink.westeurope.azmk8s.io:443 to server: https://localhost:6443
  • Add the line insecure-skip-tls-verify: true under the cluster section:

    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: LS1QLSJBXXX
        server: https://localhost:6443
      insecure-skip-tls-verify: true
      name: aks-privatecluster
    contexts:
    - context:
        cluster: aks-privatecluster
        namespace: appops
        user: clusterAdmin_rg-privatecluster_aks-privatecluster
      name: aks-privatecluster-admin
    current-context: aks-privatecluster-admin
    kind: Config
    preferences: {}
    users:
    - name: clusterAdmin_rg-privatecluster_aks-privatecluster
      user:
        client-certificate-data: LS1QLSJBNMXXXLS0tCg==
        client-key-data: LS1QLSJBNMXXX
        token: xxx

• In Lens, go to File → Add Cluster → Select kubeconfig file and select the file you just created. You should now see the AKS cluster in Lens.
• Before you can manage it, you first need to create a ssh tunnel to the jumpbox through the bastion:

  az network bastion ssh --name bas-001 --resource-group "rg-bastion" --target-resource-id /subscriptions/aa123456-a123-a123-a123-abcd12345678/resourceGroups/rg-cluster/providers/Microsoft.Compute/virtualMachines/vm-jumpbox --auth-type AAD -- -L 6443:aks-privatecluster-m8k6low2.privatelink.westeurope.azmk8s.io:443

Note: The command above is different from the previous command as it used a ssh tunnel. Note that it also uses AAD authentication which is optional. A privatekey as setup before in the ssh config will work just as well.

This wiki has been made possible by: