Can we use internal IP within organization network for ingress LoadBalancer for SAS Viya on AKS?

Asif_Ali_Khan — Thu, 16 Apr 2026 11:56:49 GMT

Hello All, Good Afternoon

I would like to check and align on the possibility of using an internal IP within the organization network for the ingress LoadBalancer when deploying SAS Viya on Azure Kubernetes Service (AKS).

Currently, SAS Viya is deployed using the standard SAS‑recommended approach, where the ingress controller is exposed through a Kubernetes LoadBalancer service backed by an external (public) Azure Load Balancer. This is the model documented and supported by SAS.

The question raised is whether we can instead expose the ingress controller using an internal Azure Load Balancer with a private IP, allowing access only from within the corporate network (for example, via VNet peering, VPN, or ExpressRoute), and thereby avoiding public exposure.

From an Azure and AKS perspective, using an internal load balancer for ingress is technically possible. However, there are several points that would need careful consideration:

SAS documentation does not explicitly describe or validate the use of an internal (private) cloud load balancer for SAS Viya ingress.
The current environment uses integrations such as SCIM with Microsoft Entra ID, which rely on external reachability. Using an internal‑only ingress may require additional network architecture (for example, private connectivity or specific routing) to ensure these integrations continue to function.
Switching from an external to an internal ingress cannot be performed in place and would likely require a redeployment with revised ingress configuration.
This approach would fall outside the standard, documented SAS deployment model and would therefore require additional validation and confirmation of supportability.

Before proceeding further, it would be helpful to clarify:

Whether internal‑only access is a strict requirement
Whether the additional design and validation effort is acceptable
Whether we should seek explicit confirmation from SAS regarding support for this deployment model

Please let me know your thoughts or if you would like to discuss this further in a dedicated session.

Kind regards,
Asif

Re: Can we use internal IP within organization network for ingress LoadBalancer for SAS Viya on AKS?

gwootton — Tue, 21 Apr 2026 12:47:40 GMT

The Viya platform does not require it be publicly accessible, but using SCIM from Entra ID as you mention would require this unless you use a provisioning agent that is part of the internal network:
https://learn.microsoft.com/en-us/entra/identity/app-provisioning/on-premises-scim-provisioning

topic Re: Can we use internal IP within organization network for ingress LoadBalancer for SAS Viya on AKS? in Administration and Deployment

Can we use internal IP within organization network for ingress LoadBalancer for SAS Viya on AKS?

Re: Can we use internal IP within organization network for ingress LoadBalancer for SAS Viya on AKS?