Private Link for upstream CAPZ

[Rotfuks]

Motivation

In #2011 we learned that we can improve the security and stability of our private network workload clusters by introducing private links to upstream capz. With that we can easily connect to workload clusters private endpoints and don't have to care too much about overlapping IP addresses.

Todo

- [x] Investigate the state of private endpoints / private link in upstream
- [x] Create an issue to propose and discuss private link as a new feature in upstream https://github.com/kubernetes-sigs/cluster-api-provider-azure/issues/3400
- [x] Implement private link in our CAPZ fork https://github.com/giantswarm/cluster-api-provider-azure/pull/17
- [ ] Update CAPZ app https://github.com/giantswarm/cluster-api-provider-azure-app/pull/104
- [ ] Update cluster-azure app https://github.com/giantswarm/cluster-azure/pull/115

Outcome

• We can easily and securely connect management clusters with workload clusters in a private network configuration

[primeroz]

As discussed in Refinement we might need to think how we will access WC nodes over ssh if we use PrivateLinks

From an AZURE architecture point of view we might just a bastion private link exposed in the MC Vnet where

[Bastion PrivateLink EndPont in MC Vnet] -> [ Bastion LB in WC Vnet ] -> [ Bastion Node LB Member ]

like

The only issue here would be how do we automate creation and mantainance of he LB and the PrivateLink Endpoint

• How do we create the PrivateLink EP in the MC Vnet , the LB in the WC Vnet and link them in an automated way for each cluster we create ?
• How do we update members of the LB Backend when the bastion node is recycled and on creation ?