cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
Asif_Ali_Khan
Calcite | Level 5 Asif_Ali_Khan
Calcite | Level 5

Can we use internal IP within organization network for ingress LoadBalancer for SAS Viya on AKS?

Posted 3 weeks ago (311 views)

Hello All, Good Afternoon

I would like to check and align on the possibility of using an internal IP within the organization network for the ingress LoadBalancer when deploying SAS Viya on Azure Kubernetes Service (AKS).

Currently, SAS Viya is deployed using the standard SAS‑recommended approach, where the ingress controller is exposed through a Kubernetes LoadBalancer service backed by an external (public) Azure Load Balancer. This is the model documented and supported by SAS.

The question raised is whether we can instead expose the ingress controller using an internal Azure Load Balancer with a private IP, allowing access only from within the corporate network (for example, via VNet peering, VPN, or ExpressRoute), and thereby avoiding public exposure.

From an Azure and AKS perspective, using an internal load balancer for ingress is technically possible. However, there are several points that would need careful consideration:

  • SAS documentation does not explicitly describe or validate the use of an internal (private) cloud load balancer for SAS Viya ingress.
  • The current environment uses integrations such as SCIM with Microsoft Entra ID, which rely on external reachability. Using an internal‑only ingress may require additional network architecture (for example, private connectivity or specific routing) to ensure these integrations continue to function.
  • Switching from an external to an internal ingress cannot be performed in place and would likely require a redeployment with revised ingress configuration.
  • This approach would fall outside the standard, documented SAS deployment model and would therefore require additional validation and confirmation of supportability.

Before proceeding further, it would be helpful to clarify:

  • Whether internal‑only access is a strict requirement
  • Whether the additional design and validation effort is acceptable
  • Whether we should seek explicit confirmation from SAS regarding support for this deployment model

Please let me know your thoughts or if you would like to discuss this further in a dedicated session.

Kind regards,
Asif

0 Likes
Reply
1 REPLY 1
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: Can we use internal IP within organization network for ingress LoadBalancer for SAS Viya on AKS?

Posted 2 weeks ago (126 views)  |   In reply to Asif_Ali_Khan
The Viya platform does not require it be publicly accessible, but using SCIM from Entra ID as you mention would require this unless you use a provisioning agent that is part of the internal network:
https://learn.microsoft.com/en-us/entra/identity/app-provisioning/on-premises-scim-provisioning
--
Greg Wootton | Principal Systems Technical Support Engineer
0 Likes
Reply

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

Learn how to explore data assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 1 reply
  • 3 weeks ago
  • 312 views
  • 0 likes
  • 2 in conversation