diff --git a/byoc-examples/setup/azure/azure-automq-env/main.tf b/byoc-examples/setup/azure/azure-automq-env/main.tf
index 662556a..85d1ae7 100644
--- a/byoc-examples/setup/azure/azure-automq-env/main.tf
+++ b/byoc-examples/setup/azure/azure-automq-env/main.tf
@@ -95,7 +95,7 @@ module "automq_console" {
 location = var.location
 resource_group_name = azurerm_resource_group.rg.name
 vnet_id = var.vnet_id
- public_subnet_id = var.public_subnet_id
+ private_subnet_id = var.public_subnet_id
 private_subnet_ids = [var.private_subnet_id]
 storage_account_name = local.storage_account_name
 ops_container_name = local.ops_container_name
diff --git a/byoc-examples/setup/azure/azure-automq-env/modules/aks/main.tf b/byoc-examples/setup/azure/azure-automq-env/modules/aks/main.tf
index fdb5281..718d09b 100644
--- a/byoc-examples/setup/azure/azure-automq-env/modules/aks/main.tf
+++ b/byoc-examples/setup/azure/azure-automq-env/modules/aks/main.tf
@@ -59,12 +59,13 @@ variable "dns_service_ip" {
 }
 resource "azurerm_kubernetes_cluster" "aks" {
- name = var.aks_name
- location = var.location
- resource_group_name = var.resource_group_name
- dns_prefix = var.dns_prefix
- kubernetes_version = var.kubernetes_version
- sku_tier = var.kubernetes_pricing_tier
+ name = var.aks_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ dns_prefix = var.dns_prefix
+ kubernetes_version = var.kubernetes_version
+ sku_tier = var.kubernetes_pricing_tier
+ private_cluster_enabled = true
 identity {
 type = "UserAssigned"
diff --git a/byoc-examples/setup/azure/azure-automq-env/modules/automq-console/main.tf b/byoc-examples/setup/azure/azure-automq-env/modules/automq-console/main.tf
index 49bef09..bf7ff6e 100644
--- a/byoc-examples/setup/azure/azure-automq-env/modules/automq-console/main.tf
+++ b/byoc-examples/setup/azure/azure-automq-env/modules/automq-console/main.tf
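Review bot: The renamed module argument is still fed from the root variable that names the public subnet, `private_subnet_id = var.public_subnet_id`. If that variable still holds the public subnet, the console NIC lands in the same subnet as before while the module interface now describes it as private. The next line already reads `var.private_subnet_id`, so `private_subnet_id = var.private_subnet_id` looks like the intended wiring. If the old root variable is kept on purpose, rename it or add a comment stating that its value must be a private subnet. The `module "automq_console"` block starts and ends outside the hunk.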
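Review bot: `private_cluster_enabled = true` is hard-coded in `azurerm_kubernetes_cluster.aks` with no comment on what it changes for whoever runs this example. With it the API server is exposed only on an internal address, so later `kubectl`, Helm or Terraform Kubernetes-provider steps have to run from inside the VNet or a connected network. In the azurerm provider, changing this argument on an existing cluster forces its replacement. I would add a comment such as `# API server is private: run kubectl/helm from inside the VNet or a peered network; changing this recreates the cluster`. The resource block continues outside the hunk.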
@@ -13,9 +13,9 @@ variable "vnet_id" {
 description = "ID of the virtual network"
 }
-variable "public_subnet_id" {
+variable "private_subnet_id" {
 type = string
- description = "Subnet ID for the console VM (public)"
+ description = "Subnet ID for the console VM (private)"
 }
 variable "private_subnet_ids" {
@@ -130,13 +130,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "zone_link" {
 }
 # Public IP and NIC for console
-resource "azurerm_public_ip" "console" {
- name = "pip-${local.env_name}"
- resource_group_name = var.resource_group_name
- location = var.location
- allocation_method = "Static"
- sku = "Standard"
-}
+
 resource "azurerm_network_security_group" "console" {
 name = "nsg-${local.env_name}"
@@ -175,9 +169,8 @@ resource "azurerm_network_interface" "console" {
 ip_configuration {
 name = "internal"
- subnet_id = var.public_subnet_id
+ subnet_id = var.private_subnet_id
 private_ip_address_allocation = "Dynamic"
- public_ip_address_id = azurerm_public_ip.console.id
 }
 }
@@ -258,7 +251,7 @@ resource "azurerm_virtual_machine_data_disk_attachment" "data_disk_attachment" {
 output "console_endpoint" {
- value = "http://${azurerm_public_ip.console.ip_address}:8080"
+ value = "http://${azurerm_network_interface.console.private_ip_address}:8080"
 }
 output "console_initial_username" {
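Review bot: The comment `# Public IP and NIC for console` is left behind once the `azurerm_public_ip` resource is removed, and should become `# NIC for console (private IP only)`. The lone added blank line after it can go as well. The rules of `azurerm_network_security_group.console` are outside this hunk; if they were written for an internet-facing console, their source prefixes are worth narrowing to the VNet ranges now that no public address exists.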
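Review bot: The `console_endpoint` output has no `description`, and its value is now a VNet-internal address that is still served over plain `http://` on port 8080. Someone reading `terraform output` gets a URL that does not open from their workstation and no hint why. I would add `description = "Console URL; reachable only from inside the VNet (bastion, VPN or peering); plain HTTP"`. Since the `console_initial_username` output follows, the first login presumably travels over this URL unencrypted, so putting TLS in front of the console is worth a follow-up.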