DreamozTech

Are you looking to create valuable SEO content at an affordable price? Our SEO platform allows you to be creative, while still helping you boost your SEO ranking. Sign up today to find out more.

»Blog

How To Sell Something Online

Keywords And Post Types Can Be Modified And Can Be Used Across Multiple Pages And Posts

Coronavirus Covid 19 India

Local Business Promotions

How To Navigate Map After Adding Custom Points

Using This Seo Platform I Can Sell My Products

Sample Shopping Cart Product Creation

What If You Had To Build A Website For Your Business

Premium And Free Bootstrap Templates

Steps To Rebuild Your Business After Covid 19

Coronavirus Covid19 India Break The Chain

Marketing Manager To Promote Dreamoztech Tokens

How To Choose Where To Study Abroad Idp India

How Is Multicap Different From Flexicap Fund Lets Find Out

Flexi Cap Fund Its Benefits

Gold Is Forever A Hedge Player In Your Portfolio

The Great Indian Gold Love

Just In Stock Broking Now Live On Paytm Money

Paytm Money Launches Futures Options On Its App

Mutual Funds India Invest In Best Direct Mutual Funds Of 2021

Stock Market Live Stocks To Buy Today Indian Share Markets Nse Bse

National Pension Scheme Nps Scheme Online Account Opening Contribution

Simplifying Banking For Nris Sbnri

Kotak Monthly Market Outlook

Tata Asset Management Limited Has A Track Record Of More Than 24 Years In Investment Management

Sharekhan In House Education Solutions Ensure You Get To Choose The Right Learning Platform For Yourself

Kotak Multicap Fund An Open Ended Equity Scheme Investing Across Large Cap Mid Cap And Small Cap Stocks

Here Are 12 Benefits Of Utilizing Lean Six Sigma Knowledge

Time For A Breather Markets Continued To Trend Up In August Globally

Nps Scheme Online Account Opening Contibution

Mutualfundindia Is A Complete Guide To Mutual Funds

Mutual Funds India Investment Plans Tax Saving Mutual Funds Nav

India Cant Ignore The Promise Of Big Blockchain Innovations

Things To Know Before Investing In A Mutual Fund In India

12 Best Sips For The Long Term Investment Time Frame Starting 2021

African Governments Have Developed A Taste For Eurobonds Why Its Dangerous

Zomatos Losses Widen In First Quarterly Earnings Since Ipo

Dlf Projects Limited

Kotak Mf

Announcing Widget Cards

How To Tell If A Car Was Previously Damaged In A Flood

»Tech

What Is Seo

Paytm Mobile Recharge Or Bill Payment

The Email Marketing Platform Built For Your Business

Google Analytics Community Template Gallery

Tips To Boost Your Facebook Page

Whats New In Confluence Cloud

How To Approach Basic Seo Optimization

Get Started With Azure Advisor

Ci Cd Tool Should Be Integrated With What Matters Most

How To Choose The Right Cms

What Is Google Ads

Great Names Available Get Your First Domain Name

Enabling Remote Work At Microsoft Teamwork And Meetings

New Ways To Make Maps Work For You

5 Trello Features That Will Change The Way You Work

Firebase Helps Mobile And Web App Teams Succeed

How We Tracked The Eating Habits Of Snakes In Africa With The Help Of A Facebook Group

Howzat We Can All Learn From Elite Batsmen And Not Just About Cricket

Stunning Free Images And Royalty Free Stock

Free Assets For Your Next Video Project

Build Your Responsive Mobile Friendly Dynamic And Search Engine Optimized Web Apps

Dreamoz Technologies App For Android

How Dry Ice Blasting Is Used In The Aerospace Industry

Fast And Reliable Fuel Delivery Services

Hey There Business Magnet Last 10 Things You Didn Not Know About Save Money On Recurring Cost

View The Free Tools That Can Help Achieve Your Business Goals And Increase Engagement On Your Page

Its Time To Unleash Some Secrets About Telegram Marketing

Http Is A Contract A Communication Protocol

Facebook Plans To Become Worlds Biggest Central Bank

Investors Race To Win Early Stage Startup Deals In India

Lemuria Or Limuria Is A Discovered Theoretical Continent

A New Windows Experience Bringing You Closer

Does It Still Come As A Surprise That Bitcoin Continues Trading

Kotak Global Innovation Fund Of Fund

Indian Bank Blocks Use Of Rbis Remittance System For Crypto While Government Delays Bill

Fidelitys Crypto Branch To Increase Staff By 70 President Sees More Interest In Ether

Paytm Money Online Demat Account Trading Direct Mutual Funds Nps

Blockchain Immutability Dispute Sparked By Ethereum Request For Reorg Contract

Indias Finance Minister Says Crypto Bill Ready For Cabinet

Coinbase Actively Building Crypto Hub In India Looking To Hire Hundreds Of People

Crypto Investments In India Gain Significant Traction Despite Regulatory Uncertainty

Indian Rapper Raftaar To Be Paid In Cryptocurrency For Upcoming Performance In Canada

Indian Government May Regulate Crypto As Asset Class Report

India Probes Cryptocurrency Exchange Wazirx In Chinese Money Laundering Case

Nyse Fang Index Power Of 10 Tech Behemoths

Major Cryptocurrency Exchanges Explore Entering Indian Crypto Market

Infosys Chairman Advocates Regulation Of Crypto Assets As Commodities In India

Indias Central Bank Rbi Still Has Major Concerns About Crypto After Saying Ban No Longer Valid

Major Indian Bank Hdfc Says Its A Matter Of Time Before Indian Investors Have Legal Access To Crypto Plays

Indian Government To Set Up Panel Of Experts To Take A Fresh Look At Regulating Cryptocurrencies

Vitalik Buterin Donates 1b Worth Of Shiba Inu Tokens To Indias Crypto Covid Relief Fund

Former Finance Secretary Urges Indian Government To Encourage Crypto Services Regulate Cryptocurrencies

Vitalik Buterin And Balaji Srinivasan Donate To Indian Covid Relief Fund Despite Countrys Intentions To Ban Cryptos

Indian Government Clarifies Status Of Cryptocurrency Trading Regulation Investor Protection

Top 5 Cryptocurrencies For Indians To Buy In May 2021

Why Crypto Community Is Bullish Even As The Govt Delays Regulation

Rupee Blockchain

Indian Penal Code And Other Laws Have Provision To Protect Investors Against Cryptocurrency Fraud

E Shram Portal

Wazirx Nischal Shetty Built Indias Largest Crypto Trading Exchange

Indias 1 Online Platform To Invest In Mutual Funds Sip Fundsindia

Mutual Funds Online Mutual Fund Investment Best Mutual Funds India Groww

Mutual Fund Definition Benefits How To Invest In Top 10 Mutual Funds In India 2021

Which Indian Companies Accept Payments In Cryptocurrency

Mutual Fund Transfer Agent Online Investment Services Statements

If Machines Can Be Inventors Could Ai Soon Monopolise Technology

The Best Vpn Money Can Buy Fastest Vpn Service Purevpn

Bootstrap The Most Popular Html Css And Js Library In The World

Manipal Technologies Limited

Mixkit Awesome Free Assets For Your Next Video Project

Free Vectors Stock Photos Psd Downloads Freepik

Free Stock Photos Pexels

Free Bootstrap Themes And Website Templates Bootstrapmade

Bootstrap Themes Built Curated By The Bootstrap Team

Free Bootstrap Themes Templates Start Bootstrap

When And When Not To Use Redux

Understanding How Reducers Are Used In Redux

Stack Overflow Company

Introduction To Storybook

Cdsl Central Depository Services India Limited

React Vs Angular The Complete Comparison Programming With Mosh

Version 10 Of Angular Now Available

Conditional Rendering In React 9 Methods With Examples

Rendering And Updating Data Using Component Lifecycle Methods In React

Docker Deployment On Azure Microsoft Azure

Crypto Price Prediction

Jasmine Behavior Driven Javascript

Mocha The Fun Simple Flexible Javascript Test Framework

How To Use Dependency Injection In Asp Net Web Forms

Onlydomains For All Your Domain Email Website Needs

Buy A Domain Name Register Cheap Domain Names From 0 99 Namecheap

Maps Geocoding And Navigation Apis Sdks Mapbox

Send Money From India Online Western Union

Support Emails Now Automatically Customized For You

Is It Time To Invest In Commodities As Crypto Crashes Heres The Why And How

Tawk To 100 Free Live Chat Software For Your Website

Extract Images

Animated Gif Editor And Gif Maker

Cloud Convert

Optimize Return On Ad Spend Opentracker

Promote Your Mobile App With A Great Landing Page

Blockreward Earn Rewards In Crypto

Ubdi Universal Basic Data Income

Delegated Proof Of Stake Freed Benign Master

Buy Bitcoin Xrp Ethereum Online Uphold

Wiz365 A State Of The Art Virtual Events Platform By Wiztales

Coin Market Cap

Mutual Funds Stock Broking Made Easy Via Paytm Amc Payments

Consolidating Debt Easing Taxes

82 Of Institutional Crypto Investors Expect To Increase Market Exposure

The First Celebrity Moments Nft Marketplace

The Crypto Coalition Ryan Selkis By Ryan Sean Adams And David Hoffman Bankless Shows

Bitcoin Has No Competition

Where Can You Find One Stop Shopping For Social Security

Dca Effective Going All In On Bitcoin

Three Reasons Why Polkadot Is Enroute To A New All Time High Even After A 256 Rally

All The Meta Tags

Fetching Data From An Api Using React Redux

Token Based Authentication In Web Api

Webpack

Grow Your Wealth Matrixport

How To Create Asp Net Web Api With Token Based Authentication

Microservices Architecture On Azure Kubernetes Service

Tutorial Create A Web Api With Asp Net Core

External Authentication Services With Asp Net Web Api

Productionizing Machine Learning With Delta Lake

What Is A Lakehouse

Dependency Injection In Asp Net Web Forms

Use Dependency Injection In Webforms Application

Getting Started Jest

How To Get Started With Selenium Core And Asp Net Mvc

Javascript Code Prettifier

50 Top Angular Interview Questions And Answers In 2021

Angular Tslint Preset

»Social

How To Check Whether Your Web Page Is Mobile Friendly

Twitter For Business

Read About Too Faced Success On Instagram And Facebook

Attract New Customers With Your Free Business Profile

Content Marketing Strategy

Outsource The Management Of Mobile Infrastructure

The Benefits Of Moving To The Cloud

Improve Your Performance On Google Search

Rs 5000 To Rs 34384 Cr Journey Of Rakesh Jhunjhunwala

Will India Have A Revenge Shopping Spree Too

The Curious Case Of Adani Stocks Sell Off

Yeh Baarish Ka Mausam Aur Stock Market Ka Connection

2 4 Million Stunning Free Images To Use Anywhere Pixabay

What Is The Best Way To Send Money From India To Australia

»Services

Dreamoztech Portal Post Services In India

Dreamoztech Portal Web Services In India

Dreamoztech Portal Renewal Services In India

Dreamoztech Portal Token Services In India

Buy Domain Name With Ssl Certificate For 1 Year 1700 Rs

Basic Website Renewal Package From 2000 Rs

Buy Bitcoin In India

Buy Litecoin In India

Buy Ethereum In India

Buy Dogecoin In India

Microservices architecture on Azure Kubernetes Service (AKS)

Web Azure Microservices Kubernetes DreamozTech

☰ Leave a message

This reference architecture shows a microservices application deployed to Azure Kubernetes Service (AKS).

Microservices Architecture On Azure Kubernetes Service

Components

The architecture consists of the following components.

Azure Kubernetes Service (AKS). AKS is a managed Kubernetes cluster hosted in the Azure cloud. When using AKS, Azure manages the Kubernetes API service, and you only need to manage the agent nodes.

Virtual network. By default, AKS creates a virtual network into which agent nodes are connected. You can create the virtual network first for more advanced scenarios, which lets you control things like subnet configuration, on-premises connectivity, and IP addressing. For more information, see Configure advanced networking in Azure Kubernetes Service (AKS).

Ingress. An ingress server exposes HTTP(S) routes to services inside the cluster. For more information, see the section API Gateway below.

Azure Load Balancer. After creating an AKS cluster, the cluster is ready to use the load balancer. Then, once the NGINX service is deployed, the load balancer will be configured with a new public IP that will front your ingress controller. This way, the load balancer routes internet traffic to the ingress.

External data stores. Microservices are typically stateless and write state to external data stores, such as Azure SQL Database or Cosmos DB.

Azure Active Directory. AKS uses an Azure Active Directory (Azure AD) identity to create and manage other Azure resources such as Azure load balancers. Azure AD is also recommended for user authentication in client applications.

Azure Container Registry. Use Container Registry to store private Docker images, which are deployed to the cluster. AKS can authenticate with Container Registry using its Azure AD identity. Note that AKS does not require Azure Container Registry. You can use other container registries, such as Docker Hub.

Azure Pipelines. Azure Pipelines are part of the Azure DevOps Services and run automated builds, tests, and deployments. You can also use third-party CI/CD solutions such as Jenkins.

Helm. Helm is a package manager for Kubernetes, a way to bundle and generalize Kubernetes objects into a single unit that can be published, deployed, versioned, and updated.

Azure Monitor. Azure Monitor collects and stores metrics and logs, application telemetry, and platform metrics for the Azure services. Use this data to monitor the application, set up alerts, dashboards, and perform root cause analysis of failures. Azure Monitor integrates with AKS to collect metrics from controllers, nodes, and containers.

Design considerations

This reference architecture is focused on microservices architectures, although many of the recommended practices apply to other workloads running on AKS.

Microservices

A microservice is a loosely coupled, independently deployable unit of code. Microservices typically communicate through well-defined APIs and are discoverable through some form of service discovery. The service should always be reachable even when the pods move around. The Kubernetes Service object is a natural way to model microservices in Kubernetes.

API gateway

API gateways are a general microservices design pattern. An API gateway sits between external clients and the microservices. It acts as a reverse proxy, routing requests from clients to microservices. It may also perform various cross-cutting tasks such as authentication, SSL termination, and rate-limiting. For more information, see:

Using API gateways in microservices
Choosing a gateway technology

In Kubernetes, the functionality of an API gateway is primarily handled by an Ingress controller. The considerations are described in the Ingress section.

Data storage

In a microservices architecture, services should not share data storage solutions. Each service should manage its own data set to avoid hidden dependencies among services. Data separation helps avoid unintentional coupling between services, which can happen when services share the same underlying data schemas. Also, when services manage their own data stores, they can use the right data store for their particular requirements.

For more information, see Designing microservices: Data considerations.

Avoid storing persistent data in local cluster storage because that ties the data to the node. Instead, use an external service such as Azure SQL Database or Cosmos DB. Another option is to mount a persistent data volume to a solution using Azure Disks or Azure Files.

For more information, see Storage options for application in Azure Kubernetes Service.

Service object

The Kubernetes Service object provides a set of capabilities that match the microservices requirements for service discoverability:

IP address. The Service object provides a static internal IP address for a group of pods (ReplicaSet). As pods are created or moved around, the service is always reachable at this internal IP address.

Load balancing. Traffic sent to the service's IP address is load balanced to the pods.

Service discovery. Services are assigned internal DNS entries by the Kubernetes DNS service. That means the API gateway can call a backend service using the DNS name. The same mechanism can be used for service-to-service communication. The DNS entries are organized by namespace, so if your namespaces correspond to bounded contexts, then the DNS name for a service will map naturally to the application domain.

Ingress

In Kubernetes, the Ingress controller might implement the API gateway pattern. In that case, Ingress and Ingress controller work in conjunction to provide these features:

Route client requests to the right backend services. This provides a single endpoint for clients, and helps to decouple clients from services.

Aggregate multiple requests into a single request, to reduce chattiness between the client and the backend.

Offload functionality from the backend services, such as SSL termination, authentication, IP restrictions, or client rate limiting (throttling).

Ingress abstracts the configuration settings for a proxy server. You also need an Ingress controller, which provides the underlying implementation of the Ingress. There are Ingress controllers for Nginx, HAProxy, Traefik, and Azure Application Gateway, among others.

The Ingress resource can be fulfilled by different technologies. To work together, they need to be deployed as the Ingress controller inside the cluster. It operates as the edge router or reverse proxy. A reverse proxy server is a potential bottleneck or single point of failure, so always deploy at least two replicas for high availability.

Often, configuring the proxy server requires complex files, which can be hard to tune if you aren't an expert. So, the Ingress controller provides a nice abstraction. The Ingress controller also has access to the Kubernetes API, so it can make intelligent decisions about routing and load balancing. For example, the Nginx ingress controller bypasses the kube-proxy network proxy.

On the other hand, if you need complete control over the settings, you may want to bypass this abstraction and configure the proxy server manually. For more information, see Deploying Nginx or HAProxy to Kubernetes.

For AKS, you can also use Azure Application Gateway, using the Application Gateway Ingress Controller. This option requires CNI networking to be enabled when you configure the AKS cluster, because Application Gateway is deployed into a subnet of the AKS virtual network. Azure Application Gateway can perform layer-7 routing and SSL termination. It also has built-in support for web application firewall (WAF).

For information about load-balancing services in Azure, see Overview of load-balancing options in Azure.

TLS/SSL encryption

In common implementations, the Ingress controller is used for SSL termination. So, as part of deploying the Ingress controller, you need to create a TLS certificate. Only use self-signed certificates for dev/test purposes. For more information, see Create an HTTPS ingress controller and use your own TLS certificates on Azure Kubernetes Service (AKS).

For production workloads, get signed certificates from trusted certificate authorities (CA). For information about generating and configuring Let's Encrypt certificates, see Create an ingress controller with a static public IP address in Azure Kubernetes Service (AKS).

You may also need to rotate your certificates as per the organization's policies. For information, see, Rotate certificates in Azure Kubernetes Service (AKS).

Namespaces

Use namespaces to organize services within the cluster. Every object in a Kubernetes cluster belongs to a namespace. By default, when you create a new object, it goes into the default namespace. But it's a good practice to create namespaces that are more descriptive to help organize the resources in the cluster.

First, namespaces help prevent naming collisions. When multiple teams deploy microservices into the same cluster, with possibly hundreds of microservices, it gets hard to manage if they all go into the same namespace. In addition, namespaces allow you to:

Apply resource constraints to a namespace, so that the total set of pods assigned to that namespace cannot exceed the resource quota of the namespace.

Apply policies at the namespace level, including RBAC and security policies.

For a microservices architecture, considering organizing the microservices into bounded contexts, and creating namespaces for each bounded context. For example, all microservices related to the "Order Fulfillment" bounded context could go into the same namespace. Alternatively, create a namespace for each development team.

Place utility services into their own separate namespace. For example, you might deploy Elasticsearch or Prometheus for cluster monitoring, or Tiller for Helm.

Health probes

Kubernetes defines two types of health probe that a pod can expose:

Readiness probe: Tells Kubernetes whether the pod is ready to accept requests.

Liveness probe: Tells Kubernetes whether a pod should be removed and a new instance started.

When thinking about probes, it's useful to recall how a service works in Kubernetes. A service has a label selector that matches a set of (zero or more) pods. Kubernetes load balances traffic to the pods that match the selector. Only pods that started successfully and are healthy receive traffic. If a container crashes, Kubernetes kills the pod and schedules a replacement.

Sometimes, a pod may not be ready to receive traffic, even though the pod started successfully. For example, there may be initialization tasks, where the application running in the container loads things into memory or reads configuration data. To indicate that a pod is healthy but not ready to receive traffic, define a readiness probe.

Liveness probes handle the case where a pod is still running, but is unhealthy and should be recycled. For example, suppose that a container is serving HTTP requests but hangs for some reason. The container doesn't crash, but it has stopped serving any requests. If you define an HTTP liveness probe, the probe will stop responding and that informs Kubernetes to restart the pod.

Here are some considerations when designing probes:

If your code has a long startup time, there is a danger that a liveness probe will report failure before the startup completes. To prevent this, use the initialDelaySeconds setting, which delays the probe from starting.

A liveness probe doesn't help unless restarting the pod is likely to restore it to a healthy state. You can use a liveness probe to mitigate against memory leaks or unexpected deadlocks, but there's no point in restarting a pod that's going to immediately fail again.

Sometimes readiness probes are used to check dependent services. For example, if a pod has a dependency on a database, the probe might check the database connection. However, this approach can create unexpected problems. An external service might be temporarily unavailable for some reason. That will cause the readiness probe to fail for all the pods in your service, causing all of them to be removed from load balancing, and thus creating cascading failures upstream. A better approach is to implement retry handling within your service, so that your service can recover correctly from transient failures.

Resource constraints

Resource contention can affect the availability of a service. Define resource constraints for containers, so that a single container cannot overwhelm the cluster resources (memory and CPU). For non-container resources, such as threads or network connections, consider using the Bulkhead Pattern to isolate resources.

Use resource quotas to limit the total resources allowed for a namespace. That way, the front end can't starve the backend services for resources or vice-versa.

Role-based access control (RBAC)

Kubernetes and Azure both have mechanisms for role-based access control (RBAC):

Azure RBAC controls access to resources in Azure, including the ability to create new Azure resources. Permissions can be assigned to users, groups, or service principals. (A service principal is a security identity used by applications.)

Kubernetes RBAC controls permissions to the Kubernetes API. For example, creating pods and listing pods are actions that can be authorized (or denied) to a user through Kubernetes RBAC. To assign Kubernetes permissions to users, you create roles and role bindings:

A Role is a set of permissions that apply within a namespace. Permissions are defined as verbs (get, update, create, delete) on resources (pods, deployments, etc.).

A RoleBinding assigns users or groups to a Role.

There is also a ClusterRole object, which is like a Role but applies to the entire cluster, across all namespaces. To assign users or groups to a ClusterRole, create a ClusterRoleBinding.

AKS integrates these two RBAC mechanisms. When you create an AKS cluster, you can configure it to use Azure AD for user authentication. For details on how to set this up, see Integrate Azure Active Directory with Azure Kubernetes Service.

Once this is configured, a user who wants to access the Kubernetes API (for example, through kubectl) must sign in using their Azure AD credentials.

By default, an Azure AD user has no access to the cluster. To grant access, the cluster administrator creates RoleBindings that refer to Azure AD users or groups. If a user doesn't have permissions for a particular operation, it will fail.

If users have no access by default, how does the cluster admin have permission to create the role bindings in the first place? An AKS cluster actually has two types of credentials for calling the Kubernetes API server: cluster user and cluster admin. The cluster admin credentials grant full access to the cluster. The Azure CLI command az aks get-credentials --admin downloads the cluster admin credentials and saves them into your kubeconfig file. The cluster administrator can use this kubeconfig to create roles and role bindings.

Because the cluster admin credentials are so powerful, use Azure RBAC to restrict access to them:

The "Azure Kubernetes Service Cluster Admin Role" has permission to download the cluster admin credentials. Only cluster administrators should be assigned to this role.

The "Azure Kubernetes Service Cluster User Role" has permission to download the cluster user credentials. Non-admin users can be assigned to this role. This role does not give any particular permissions on Kubernetes resources inside the cluster — it just allows a user to connect to the API server.

When you define your RBAC policies (both Kubernetes and Azure), think about the roles in your organization:

Who can create or delete an AKS cluster and download the admin credentials?
Who can administer a cluster?
Who can create or update resources within a namespace?

It's a good practice to scope Kubernetes RBAC permissions by namespace, using Roles and RoleBindings, rather than ClusterRoles and ClusterRoleBindings.

Finally, there is the question of what permissions the AKS cluster has to create and manage Azure resources, such as load balancers, networking, or storage. To authenticate itself with Azure APIs, the cluster uses an Azure AD service principal. If you don't specify a service principal when you create the cluster, one is created automatically. However, it's a good security practice to create the service principal first and assign the minimal RBAC permissions to it. For more information, see Service principals with Azure Kubernetes Service.

Secrets management and application credentials

Applications and services often need credentials that allow them to connect to external services such as Azure Storage or SQL Database. The challenge is to keep these credentials safe and not leak them.

For Azure resources, one option is to use managed identities. The idea of a managed identity is that an application or service has an identity stored in Azure AD, and uses this identity to authenticate with an Azure service. The application or service has a Service Principal created for it in Azure AD, and authenticates using OAuth 2.0 tokens. The executing process calls a localhost address to get the token. That way, you don't need to store any passwords or connection strings. You can use managed identities in AKS by assigning identities to individual pods, using the aad-pod-identity project.

Currently, not all Azure services support authentication using managed identities. For a list, see Azure services that support Azure AD authentication.

Even with managed identities, you'll probably need to store some credentials or other application secrets, whether for Azure services that don't support managed identities, third-party services, API keys, and so on. Here are some options for storing secrets securely:

Azure Key Vault. In AKS, you can mount one or more secrets from Key Vault as a volume. The volume reads the secrets from Key Vault. The pod can then read the secrets just like a regular volume. For more information, see the secrets-store-csi-driver-provider-azure project on GitHub.

The pod authenticates itself by using either a pod identity (described above) or by using an Azure AD Service Principal along with a client secret. Using pod identities is recommended because the client secret isn't needed in that case.

HashiCorp Vault. Kubernetes applications can authenticate with HashiCorp Vault using Azure AD managed identities. See HashiCorp Vault speaks Azure Active Directory. You can deploy Vault itself to Kubernetes, consider running it in a separate dedicated cluster from your application cluster.

Kubernetes secrets. Another option is simply to use Kubernetes secrets. This option is the easiest to configure but has some challenges. Secrets are stored in etcd, which is a distributed key-value store. AKS encrypts etcd at rest. Microsoft manages the encryption keys.

Using a system like HashiCorp Vault or Azure Key Vault provides several advantages, such as:

Centralized control of secrets.
Ensuring that all secrets are encrypted at rest.
Centralized key management.
Access control of secrets.
Auditing

Container and Orchestrator security

These are recommended practices for securing your pods and containers:

Threat Monitoring – Monitor for threats using Azure Defender for container registries and Azure Defender for Kubernetes (or 3rd party capabilities). If you are hosting containers on a VM, use Azure Defender for servers or a 3rd party capability. Additionally, you can integrate logs from Container Monitoring solution in Azure Monitor to Azure Sentinel or an existing SIEM

Vulnerability monitoring - Continuously monitor images and running containers for known vulnerabilities using Azure Security Center or a 3rd party solution available through the Azure Marketplace.

Automate image patching using ACR Tasks, a feature of Azure Container Registry. A container image is built up from layers. The base layers include the OS image and application framework images, such as ASP.NET Core or Node.js. The base images are typically created upstream from the application developers, and are maintained by other project maintainers. When these images are patched upstream, it's important to update, test, and redeploy your own images, so that you don't leave any known security vulnerabilities. ACR Tasks can help to automate this process.

Store images in a trusted private registry such as Azure Container Registry or Docker Trusted Registry. Use a validating admission webhook in Kubernetes to ensure that pods can only pull images from the trusted registry.

Apply Least Privilege principle

Don't run containers in privileged mode. Privileged mode gives a container access to all devices on the host.
When possible, avoid running processes as root inside containers. Containers do not provide complete isolation from a security standpoint, so it's better to run a container process as a non-privileged user.

DevOps considerations

This reference architecture provides an [Azure Resource Manager template][arm-template] for provisioning the cloud resources, and its dependencies. With the use of [Azure Resource Manager templates][arm-template] you can use [Azure DevOps Services][az-devops] to provision different environments in minutes, for example to replicate production scenarios. This allows you save cost and provision load testing environment only when needed.

Consider following the workload isolation criteria to structure your ARM template, a workload is typically defined as an arbitrary unit of functionality; you could, for example, have a separate template for the cluster and then other for the dependant services. Workload isolation enables DevOps to perform continuous integration and continuous delivery (CI/CD), since every workload is associated and managed by its corresponding DevOps team.

Deployment (CI/CD) considerations

Here are some goals of a robust CI/CD process for a microservices architecture:

Each team can build and deploy the services that it owns independently, without affecting or disrupting other teams.
Before a new version of a service is deployed to production, it gets deployed to dev/test/QA environments for validation. Quality gates are enforced at each stage.
A new version of a service can be deployed side by side with the previous version.
Sufficient access control policies are in place.
For containerized workloads, you can trust the container images that are deployed to production.

To learn more about the challenges, see CI/CD for microservices architectures.

For specific recommendations and best practices, see CI/CD for microservices on Kubernetes.

Cost considerations

Use the Azure pricing calculator to estimate costs. Other considerations are described in the Cost section in Microsoft Azure Well-Architected Framework.

Here are some points to consider for some of the services used in this architecture.

Azure Kubernetes Service (AKS)
There are no costs associated for AKS in deployment, management, and operations of the Kubernetes cluster. You only pay for the virtual machines instances, storage, and networking resources consumed by your Kubernetes cluster.

To estimate the cost of the required resources please see the Container Services calculator.

Azure Load balancer
You are charged only for the number of configured load-balancing and outbound rules. Inbound NAT rules are free. There is no hourly charge for the Standard Load Balancer when no rules are configured.

See Azure Load Balancer Pricing for more information.

Azure Pipelines
This reference architecture only uses Azure Pipelines. Azure offers the Azure Pipeline as an individual Service. You are allowed a free Microsoft-hosted job with 1,800 minutes per month for CI/CD and 1 self-hosted job with unlimited minutes per month, extra jobs have charges. For more information, see Azure DevOps Services Pricing.

Azure Monitor
For Azure Monitor Log Analytics, you are charged for data ingestion and retention. For more information, see Azure Monitor Pricing for more information.

Microservices architecture on Azure Kubernetes Service

Dreamoz Technologies Web and Mobile Apps

DreamozTech

Are you looking to create valuable SEO content at an affordable price? Our SEO platform allows you to be creative, while still helping you boost your SEO ranking. Sign up today to find out more.

Leave a message

Full Name

* *

* Invalid Email

Mobile

Description