Regardless of your organization’s size or industry, migrating to the public cloud and Kubernetes is burdened with business and technical risk. Managing Kubernetes clusters, applying blueprint to clusters and adding requisite governance and control are just a few hurdles that can stall your application modernization journey.
Azure Kubernetes Service (AKS) simplifies deploying a managed Kubernetes cluster in Azure by offloading much of the complexity and operational overhead.
In this session, you will learn:
- Introduction and architecture of AKS
- Best practices in adopting Azure Kubernetes Service
- How to monitor and optimize AKS
3. 1 Introduction and overview of AKS
2 Best practices in adopting AKS
3 How to monitor and optimize AKS
4 Q&A
Agenda
Agenda
4. 1 Introduction and overview of AKS
2 Best practices in adopting AKS
3 How to monitor and optimize AKS
4 Q&A
Agenda
Agenda
5. Kubernetes Start
Microservices
architecture?
Greenfield or
brownfield? Greenfield
Can be
containerized
Lift-and-shift Cloud optimized
Web/API App?
(ASP.NET, >node.js etc)
No
Choose from
Azure Container
hosting options
https://azure.microsoft.com/o
verview/containers/
Yes
Do you require full
control and/or
portability
Virtual
Machines
Yes
HPC workloads Azure Batch
Yes
App Service
No
Azure Functions
Yes
Service Fabric
Yes
Container
Instances
No
AKS
No
Needs .NET
integration or fully
supported MS
technology stack
Yes
Lift-and-shift or
cloud optimized Brownfield
No
No
Event-driven
workload w/ short
lived processes
Yes
Needs full-fledged
orchestration
No
App Service
Yes
Virtual
Machines
No
6. Velocity
Faster development cycle due to
declarative configuration and immutability
Self-healing
Continuous action to maintain desired state
leads to self-healing when issues arise
Scalability
Easier to scale manually
or automatically
Infrastructure abstraction
Applications can be developed
independent of the environment
Declarative configuration
Declare the desired state and have
Kubernetes manage it for you
Scheduling
No need to schedule
each container manually
Benefits of Kubernetes
7. Cost saving
without refactoring
your app
Lift and shift
to containers
Agility
Faster application
development
Microservices
Automation
Deliver code faster and
securely at scale
Secure
DevOps
Performance
Low latency
processing
Machine
learning
Portability
Build once,
run anywhere
IoT
Analytics
Real-time data
collection and streaming
Data
streaming
Top scenarios for Kubernetes
8. Security - securing
Kubernetes is that it’s
complex and easily
vulnerable to hackers
Kubernetes - A
centralized logging
and monitoring system
is critical
Lack of
Kubernetes skills
Managing Resource
Constraints -
Configuring Kubernetes
to request resources on
each pod Storage is major
challenge concern for
on-prem containers for
servers
DevOps - Kubernetes is known
to be a complex platform itself
for implementation and
managing DevOps aspects
Creating Network
Policy resources -
amounts to
configuration files
Complexity of
implementation and
maintenance
Kubernetes Challenges
9. api-server
replication, namespace,
serviceaccounts, etc.
controller-
manager scheduler
etcd
Control plane
Agent node
kube-proxy
Container
runtime
Pods Pods
Containers Containers
Agent node
kube-proxy
Container
runtime
Pods Pods
Containers Containers
Internet
Internet
User
kubelet
kubelet
Agent pools
Kubernetes is complex
1. Control Plane: manages the agent nodes
and the pods in the cluster
• api-server: front end of the Kubernetes
control plane; exposes Kubernetes API
• controller-manager: runs the controller
processes
• scheduler: tracks newly created pods and
selects node to run them on
• etcd: stores the state of the cluster (config,
running workloads status, etc.)
2. Agent nodes: run your application
workloads
• Pods: a collection of containers co-located
on a single machine
• kube-proxy: a network proxy that runs on
each node in a cluster
• kubelet: agent that runs on each node in a
cluster; ensures containers are running in a
pod
• Containers: software responsible for
running containers
10. api-server
-controller-
manager -scheduler
etcd
Control plane
Container runtime
Pods Pods
Containers Containers
Agent nodes
Container runtime
Pods Pods
Containers Containers
Azure managed control plane
• Automated upgrades, patches
• High reliability, availability
• Easy, secure cluster scaling
• Self-healing
• API server monitoring
• At no charge*
*Higher SLA guarantees available as an optional uptime SLA paid feature
Managed Kubernetes handles the complexity for
you
11. Kubernetes on Azure
Enterprise-grade by design
Developer productivity
Easily bootstrap, develop,
deploy, and debug
containerized applications
from dev laptop to cloud
Multi-layer security
Hardened security and
layers of isolation across
compute resources, data,
and networking
Operational efficiency
Automated provisioning,
repair, monitoring, and
scaling gets you up and
running quickly and
minimizes infrastructure
maintenance
Unified management
Consistent configuration
and governance across on
premises, multi cloud,
multi-cluster, hybrid, and
edge
Built for enterprises
World-class developer tools and a broad ecosystem to meet the diverse needs of enterprises
12. Developer productivity
Zero to sixty in seconds
• Quickly bootstrap containerized applications with Draft
(preview)
• Easily create extensible CI/CD pipelines with GitHub
actions
Common tasks made simple
• Auto-complete K8s manifests in VS Code
• Easily expose HTTPS endpoints with Web App Routing
(preview)
• Scale on app-centric metrics via KEDA
Optimized for microservices
• Leverage hardened microservice patterns with Dapr
• Debug microservices locally without mocks using
Bridge to Kubernetes
Developer
productivity
Multi-layer
security
Operational
efficiency
Unified
management
13. Multi-layer
security
Operational
efficiency
Unified
management
Multi-layer security
• Build: Automatic image vulnerability scanning in CI
• Registry: Ongoing scans of images in ACR
• Cluster: Fine-grained identity and access control using
AAD (including JIT), integrated secrets from Azure Key
Vault, built-in and custom enterprise policies via OPA,
active threat detection with Microsoft Defender
• Node: Disk encryption with customer keys, FIPS and CIS
compliance, automatic OS patching
• Application: Scanning of running images
Azure VNet
Cluster
Private
Link
Control Plane
controller-manager scheduler
Active
Directory
Enterprise
system
Express
Route
Agent Node
Namespace
Agent Node
Network
policy
Databases
Active
Directory
Microsoft
Defender
Policy
api-server etcd
Pods
Containers
Persistent
Volumes
Pods
Containers
Persistent
Volumes
App Gateway
w/ WAF &
ingress
controller
Developer
productivity
AKS Managed
Identity
14. Operational
efficiency
Operational efficiency
Multi-layer
security
Unified
management
Developer
productivity
Fully managed and up-to-date
• Automatic node repair
• Automatic upgrade (GA) with planned maintenance windows (preview)
• Automatic scale via HPA, cluster autoscaler, and KEDA, and virtual nodes
• Support for latest upstream K8s minor versions (N-2)
Easy to monitor and troubleshoot
• Detailed insights via Azure Monitor or Azure-managed Prometheus/Grafana (preview)
• Real-time personalized recommendations with Azure Advisor
Highly reliable and cost effective
• 99.95% API server uptime with a financially-backed SLA
• Cross-AZ deployment for HA
• Support for Spot VMs (GA), Reservations (GA), and ARM-based VMs (preview)
• Stop dev/test clusters when not in use
Azure Kubernetes Service
Microservices
Availability
Auto
scaling
Auto
repair
Auto
upgrade
Trusted
Advisor
Pods
Virtual
node
Monitor Disaster recovery
15. Unified
management
Unified management
• Central inventory and monitoring of assets
running anywhere
• Consistently apply policies & role-based-access-
controls (RBAC)
• Deploy resources using GitOps-based workflow
• Use Flux operator for automatic sync
Multi-layer
security
Operational
excellence
Developer
productivity
Identity
RBAC
Monitoring
Policy
Azure Kubernetes
Service
Developer
GitHub
repo
Flux
operator
commit sync apply/delete
Azure Arc
Kubernetes
Azure Stack On-premises Multi-cloud Edge
17. 1 Introduction and overview of AKS
2 Best practices in adopting AKS
3 How to monitor and optimize AKS
4 Q&A
Agenda
Agenda
18. Customers adoption – how AKS helps
Container
Orchestration
Deployed in production
environments as a
container orchestration
Cloud Native
Applications
Core infrastructure for
managing cloud native
applications
CI/CD
Kubernetes deployment to
manage applications
deployed using the
existing CI/CD toolchain
Building greenfield
applications
Managing the new breed
of microservices-based
cloud native applications
through advanced
scenarios such as rolling
upgrades and canary
deployments
19. Azure Kubernetes Service Best Practices
• Multi-tenant design
(clusters/namespaces, multi-cluster
handling, zonal/regional)
• Upgrade policy (node and
containers, pod disruption budget),
• Ingress (load balancers)
• External service access policy (db,
cache etc.)
Cluster
Architecture Design
• Pod design (using pod design
patterns)
• Lifecycle (health check, graceful
termination),
• Scaling (resource request,
autoscaling)
• Application types
(stateful/stateless/batch/Big
Data/ML)
Application
Design
• Access control (rbac)
• Image validation (binary
authorization, vulnerability
scanning)
• Secure clusters (private cluster,
firewall)
• Define the appropriate networking
topology for secure communication
Security &
Networking
20. Scaling AKS Workloads Best Practices
Use an up-to-date version of
the Autoscaler object
Scaling
Kubernetes
Keep requests close to the
actual usage
Node groups instances with
similar capacity
Define resources requests
and limits for each POD
Specify disruption budgets
for all PODS
21. Securing AKS Workloads Best Practices
•Azure Firewall is a cloud-native, intelligent network
firewall security service that provides threat protection for
cloud workloads that run in Azure.
•Key Vault stores and controls access to secrets like API
keys, passwords, certificates, and cryptographic keys with
improved security.
•Azure Bastion is a fully managed platform as a service
(PaaS) that you provision inside your virtual network.
•Azure Virtual Network is the fundamental building block
for Azure private networks.
•Virtual Network Interfaces enable Azure VMs to
communicate with the internet, Azure, and on-premises
resources.
•Private Link enables you to access Azure PaaS services
(for example, Blob Storage and Key Vault) over a private
endpoint in your virtual network.
Azure security baseline for AKS
22. 1 Introduction and overview of AKS
2 Best practices in adopting AKS
3 How to monitor and optimize AKS
4 Q&A
Agenda
Agenda
23. Azure Kubernetes Service - Cost Management
Like other cloud services, Microsoft Azure’s container service also works on a
pay-as-you-go basis. This means that you pay only for the costs of the
resources that you use, such as:
• VMs
• Associated storage
• Networking resources
• 1-year reserved VM instances
• 3-year reserved VM instances
• Savings plan (based on $ commit)
• Spot Virtual Machines
Cost saving options in AKS
• Follow cost optimization design principles
• Right size your VMs
• Take advantage of autoscaling
• Use preset AKS cluster configuration
• Set resources requests and limits
• Stop clusters that don’t need to be running
• Automate Spot VMs
Top 7 strategies to halve your AKS
cluster costs
26. Why Partner with WinWire
to start your AKS journey
Awards
Winner
MSUS 2021
Partner
Award
Healthcare
Finalist
2021 Microsoft
Partner of the
Year Award
Healthcare &
Cloud App
Modernization
Overview Solution Partner
• 16+ Year Consulting Partner
with 7 Global Offices
• 100+ Customers
• Deep Microsoft Cloud
expertise
• Application Innovation
• Product Engineering
• Data and AI Practice
Why customers
choose us
• True Partnership
• Delivery Excellence
• Complex Execution
• Time to Market
• Agility & Scale
• Solution Accelerators
28. Kubernetes Concepts - Reference
Cluster
A collectionofhoststhataggregatetheiravailable
resourcesincludingcpu,ram,disk, andtheirdevicesintoa
usablepool.
Master
Themaster(s)representacollectionofcomponentsthat
makeupthecontrolplaneof Kubernetes. These
components are responsible for all cluster decisions
including both scheduling& respondingto cluster event
Node
A singlehost,physicalorvirtualcapableofrunningpods.A
nodeismanagedbymaster(s),andataminimumrunsboth
kubelet and kube-proxytobeconsideredpartofcluster.
Name
space
A logicalclusterorenvironment.Primarymethodof
dividingaclusteror scopingaccess
Label
Key-valuepairsthatareusedtoidentify,describeandgroup
togetherrelatedsetsof objects.Labelshaveastrictsyntax
andavailablecharacterset.*
Annotation
Key-value pairs that contain non-identifying info or
metadata. Annotationsdonothave syntaxlimitations as
labelsandcancontainstructuredor unstructured data
Selector
Selectorsuselabels to filteror selectobjects. Both
equality-based (=,==,!=)or simplekey-valuematching
selectorsaresupported.
Pods
Smallest deployment unit in K8s Collection of
containers that run on a worker node. Each has its own
IP. Pod shares a PID namespace, network, and
hostname
Replication
controller
Ensures availability and scalability. Maintains the
number of pods as requested by user. Uses a template
that describes specifically what each pod should
contain
Service
Collections of pods exposed as an endpoint.
Information stored in the K8s cluster state and
networking info propagated to all worker nodes
29. Things to know about Kubernetes
Intelligent
Scheduling
Open source
ecosystem friendly
Decouple distributed
system application
development
Service discovery &
load balancing
Self-healing and
scalability
Standardized API for
infra abstractions
Secret and configuration
management
Automated rollouts
and rollbacks