├── .DS_Store
├── CAF.png
├── CODE_OF_CONDUCT.md
├── LICENSE
├── LICENSE-CODE
├── README.md
├── SECURITY.md
├── SalesEnablement
│   ├── Cloud Adoption Framework - Governance Workshop_partner.pptx
│   ├── Cloud Adoption Framework - Overview_partner.pptx
│   ├── Cloud Adoption Framework_Strategy-Plan-Ready Workshop_partner.pptx
│   └── Kubernetes on Azure Pitch Deck.pptx
└── TechnicalEnablement
    ├── AKS Resources.docx
    ├── AKS-adoption-aligned-to-cloud-adoption-framework.md
    ├── AKS_Best practices.docx
    ├── AKS_CAF_DevOps_Project_TaskList.zip
    ├── AKS_CAF_Governance_Security_Policy.xlsx
    ├── AKS_CAF_Project_TaskList.xlsx
    ├── AKS_Decision Tree.docx
    ├── AKS_Prerequisites.docx
    ├── CAF-Application Gateway Ingress Controller.docx
    ├── README.md
    ├── aks-appgw-ingress-controller.md
    ├── aks-decision-tree.md
    ├── aks-getting-started.md
    ├── aks-resources.md
    ├── eBook_AKS_Adoption_Aligned_to_Cloud_Adoption_Framework.docx
    └── media
        ├── appgw-ingress-controller.png
        ├── best-practice-aad.png
        ├── cloud-adoption-framework.png
        ├── docker-desktop.png
        ├── docker-kubernetes.png
        ├── prereq-register-resources-1.png
        ├── prereq-register-resources-10.png
        ├── prereq-register-resources-11.png
        ├── prereq-register-resources-12.png
        ├── prereq-register-resources-13.png
        ├── prereq-register-resources-14.png
        ├── prereq-register-resources-15.png
        ├── prereq-register-resources-2.png
        ├── prereq-register-resources-3.png
        ├── prereq-register-resources-4.png
        ├── prereq-register-resources-5.png
        ├── prereq-register-resources-6.png
        ├── prereq-register-resources-7.png
        ├── prereq-register-resources-8.png
        ├── prereq-register-resources-9.png
        ├── prometheus.png
        ├── skaffold.png
        └── vscode-extension-kubernetes.png

/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/AKS_CAF_SolutionFactory/6987c23a6276d59511b2cc35cb0ef8644045568e/.DS_Store
--------------------------------------------------------------------------------

/CAF.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/AKS_CAF_SolutionFactory/6987c23a6276d59511b2cc35cb0ef8644045568e/CAF.png
--------------------------------------------------------------------------------

/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
# Microsoft Open Source Code of Conduct

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).

Resources:

- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
Attribution 4.0 International

=======================================================================

Creative Commons Corporation ("Creative Commons") is not a law firm and
does not provide legal services or legal advice. Distribution of
Creative Commons public licenses does not create a lawyer-client or
other relationship. Creative Commons makes its licenses and related
information available on an "as-is" basis. Creative Commons gives no
warranties regarding its licenses, any material licensed under their
terms and conditions, or any related information. Creative Commons
disclaims all liability for damages resulting from their use to the
fullest extent possible.

Using Creative Commons Public Licenses

Creative Commons public licenses provide a standard set of terms and
conditions that creators and other rights holders may use to share
original works of authorship and other material subject to copyright
and certain other rights specified in the public license below. The
following considerations are for informational purposes only, are not
exhaustive, and do not form part of our licenses.

     Considerations for licensors: Our public licenses are
     intended for use by those authorized to give the public
     permission to use material in ways otherwise restricted by
     copyright and certain other rights. Our licenses are
     irrevocable. Licensors should read and understand the terms
     and conditions of the license they choose before applying it.
     Licensors should also secure all rights necessary before
     applying our licenses so that the public can reuse the
     material as expected. Licensors should clearly mark any
     material not subject to the license. This includes other CC-
     licensed material, or material used under an exception or
     limitation to copyright. More considerations for licensors:
     wiki.creativecommons.org/Considerations_for_licensors

     Considerations for the public: By using one of our public
     licenses, a licensor grants the public permission to use the
     licensed material under specified terms and conditions. If
     the licensor's permission is not necessary for any reason--for
     example, because of any applicable exception or limitation to
     copyright--then that use is not regulated by the license. Our
     licenses grant only permissions under copyright and certain
     other rights that a licensor has authority to grant. Use of
     the licensed material may still be restricted for other
     reasons, including because others have copyright or other
     rights in the material. A licensor may make special requests,
     such as asking that all changes be marked or described.
     Although not required by our licenses, you are encouraged to
     respect those requests where reasonable. More considerations
     for the public:
     wiki.creativecommons.org/Considerations_for_licensees

=======================================================================

Creative Commons Attribution 4.0 International Public License

By exercising the Licensed Rights (defined below), You accept and agree
to be bound by the terms and conditions of this Creative Commons
Attribution 4.0 International Public License ("Public License"). To the
extent this Public License may be interpreted as a contract, You are
granted the Licensed Rights in consideration of Your acceptance of
these terms and conditions, and the Licensor grants You such rights in
consideration of benefits the Licensor receives from making the
Licensed Material available under these terms and conditions.


Section 1 -- Definitions.

  a. Adapted Material means material subject to Copyright and Similar
     Rights that is derived from or based upon the Licensed Material
     and in which the Licensed Material is translated, altered,
     arranged, transformed, or otherwise modified in a manner requiring
     permission under the Copyright and Similar Rights held by the
     Licensor. For purposes of this Public License, where the Licensed
     Material is a musical work, performance, or sound recording,
     Adapted Material is always produced where the Licensed Material is
     synched in timed relation with a moving image.

  b. Adapter's License means the license You apply to Your Copyright
     and Similar Rights in Your contributions to Adapted Material in
     accordance with the terms and conditions of this Public License.

  c. Copyright and Similar Rights means copyright and/or similar rights
     closely related to copyright including, without limitation,
     performance, broadcast, sound recording, and Sui Generis Database
     Rights, without regard to how the rights are labeled or
     categorized. For purposes of this Public License, the rights
     specified in Section 2(b)(1)-(2) are not Copyright and Similar
     Rights.

  d. Effective Technological Measures means those measures that, in the
     absence of proper authority, may not be circumvented under laws
     fulfilling obligations under Article 11 of the WIPO Copyright
     Treaty adopted on December 20, 1996, and/or similar international
     agreements.

  e. Exceptions and Limitations means fair use, fair dealing, and/or
     any other exception or limitation to Copyright and Similar Rights
     that applies to Your use of the Licensed Material.

  f. Licensed Material means the artistic or literary work, database,
     or other material to which the Licensor applied this Public
     License.

  g. Licensed Rights means the rights granted to You subject to the
     terms and conditions of this Public License, which are limited to
     all Copyright and Similar Rights that apply to Your use of the
     Licensed Material and that the Licensor has authority to license.

  h. Licensor means the individual(s) or entity(ies) granting rights
     under this Public License.

  i. Share means to provide material to the public by any means or
     process that requires permission under the Licensed Rights, such
     as reproduction, public display, public performance, distribution,
     dissemination, communication, or importation, and to make material
     available to the public including in ways that members of the
     public may access the material from a place and at a time
     individually chosen by them.

  j. Sui Generis Database Rights means rights other than copyright
     resulting from Directive 96/9/EC of the European Parliament and of
     the Council of 11 March 1996 on the legal protection of databases,
     as amended and/or succeeded, as well as other essentially
     equivalent rights anywhere in the world.

  k. You means the individual or entity exercising the Licensed Rights
     under this Public License. Your has a corresponding meaning.


Section 2 -- Scope.

  a. License grant.

       1. Subject to the terms and conditions of this Public License,
          the Licensor hereby grants You a worldwide, royalty-free,
          non-sublicensable, non-exclusive, irrevocable license to
          exercise the Licensed Rights in the Licensed Material to:

            a. reproduce and Share the Licensed Material, in whole or
               in part; and

            b. produce, reproduce, and Share Adapted Material.

       2. Exceptions and Limitations. For the avoidance of doubt, where
          Exceptions and Limitations apply to Your use, this Public
          License does not apply, and You do not need to comply with
          its terms and conditions.

       3. Term. The term of this Public License is specified in Section
          6(a).

       4. Media and formats; technical modifications allowed. The
          Licensor authorizes You to exercise the Licensed Rights in
          all media and formats whether now known or hereafter created,
          and to make technical modifications necessary to do so. The
          Licensor waives and/or agrees not to assert any right or
          authority to forbid You from making technical modifications
          necessary to exercise the Licensed Rights, including
          technical modifications necessary to circumvent Effective
          Technological Measures. For purposes of this Public License,
          simply making modifications authorized by this Section 2(a)
          (4) never produces Adapted Material.

       5. Downstream recipients.

            a. Offer from the Licensor -- Licensed Material. Every
               recipient of the Licensed Material automatically
               receives an offer from the Licensor to exercise the
               Licensed Rights under the terms and conditions of this
               Public License.

            b. No downstream restrictions. You may not offer or impose
               any additional or different terms or conditions on, or
               apply any Effective Technological Measures to, the
               Licensed Material if doing so restricts exercise of the
               Licensed Rights by any recipient of the Licensed
               Material.

       6. No endorsement. Nothing in this Public License constitutes or
          may be construed as permission to assert or imply that You
          are, or that Your use of the Licensed Material is, connected
          with, or sponsored, endorsed, or granted official status by,
          the Licensor or others designated to receive attribution as
          provided in Section 3(a)(1)(A)(i).

  b. Other rights.

       1. Moral rights, such as the right of integrity, are not
          licensed under this Public License, nor are publicity,
          privacy, and/or other similar personality rights; however, to
          the extent possible, the Licensor waives and/or agrees not to
          assert any such rights held by the Licensor to the limited
          extent necessary to allow You to exercise the Licensed
          Rights, but not otherwise.

       2. Patent and trademark rights are not licensed under this
          Public License.

       3. To the extent possible, the Licensor waives any right to
          collect royalties from You for the exercise of the Licensed
          Rights, whether directly or through a collecting society
          under any voluntary or waivable statutory or compulsory
          licensing scheme. In all other cases the Licensor expressly
          reserves any right to collect such royalties.


Section 3 -- License Conditions.

Your exercise of the Licensed Rights is expressly made subject to the
following conditions.

  a. Attribution.

       1. If You Share the Licensed Material (including in modified
          form), You must:

            a. retain the following if it is supplied by the Licensor
               with the Licensed Material:

                 i. identification of the creator(s) of the Licensed
                    Material and any others designated to receive
                    attribution, in any reasonable manner requested by
                    the Licensor (including by pseudonym if
                    designated);

                ii. a copyright notice;

               iii. a notice that refers to this Public License;

                iv. a notice that refers to the disclaimer of
                    warranties;

                 v. a URI or hyperlink to the Licensed Material to the
                    extent reasonably practicable;

            b. indicate if You modified the Licensed Material and
               retain an indication of any previous modifications; and

            c. indicate the Licensed Material is licensed under this
               Public License, and include the text of, or the URI or
               hyperlink to, this Public License.

       2. You may satisfy the conditions in Section 3(a)(1) in any
          reasonable manner based on the medium, means, and context in
          which You Share the Licensed Material. For example, it may be
          reasonable to satisfy the conditions by providing a URI or
          hyperlink to a resource that includes the required
          information.

       3. If requested by the Licensor, You must remove any of the
          information required by Section 3(a)(1)(A) to the extent
          reasonably practicable.

       4. If You Share Adapted Material You produce, the Adapter's
          License You apply must not prevent recipients of the Adapted
          Material from complying with this Public License.


Section 4 -- Sui Generis Database Rights.

Where the Licensed Rights include Sui Generis Database Rights that
apply to Your use of the Licensed Material:

  a. for the avoidance of doubt, Section 2(a)(1) grants You the right
     to extract, reuse, reproduce, and Share all or a substantial
     portion of the contents of the database;

  b. if You include all or a substantial portion of the database
     contents in a database in which You have Sui Generis Database
     Rights, then the database in which You have Sui Generis Database
     Rights (but not its individual contents) is Adapted Material; and

  c. You must comply with the conditions in Section 3(a) if You Share
     all or a substantial portion of the contents of the database.

For the avoidance of doubt, this Section 4 supplements and does not
replace Your obligations under this Public License where the Licensed
Rights include other Copyright and Similar Rights.


Section 5 -- Disclaimer of Warranties and Limitation of Liability.

  a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
     EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
     AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
     ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
     IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
     WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
     PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
     ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
     KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
     ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.

  b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
     TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
     NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
     INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
     COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
     USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
     ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
     DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
     IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.

  c. The disclaimer of warranties and limitation of liability provided
     above shall be interpreted in a manner that, to the extent
     possible, most closely approximates an absolute disclaimer and
     waiver of all liability.


Section 6 -- Term and Termination.

  a. This Public License applies for the term of the Copyright and
     Similar Rights licensed here. However, if You fail to comply with
     this Public License, then Your rights under this Public License
     terminate automatically.

  b. Where Your right to use the Licensed Material has terminated under
     Section 6(a), it reinstates:

       1. automatically as of the date the violation is cured, provided
          it is cured within 30 days of Your discovery of the
          violation; or

       2. upon express reinstatement by the Licensor.

     For the avoidance of doubt, this Section 6(b) does not affect any
     right the Licensor may have to seek remedies for Your violations
     of this Public License.

  c. For the avoidance of doubt, the Licensor may also offer the
     Licensed Material under separate terms or conditions or stop
     distributing the Licensed Material at any time; however, doing so
     will not terminate this Public License.

  d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
     License.


Section 7 -- Other Terms and Conditions.

  a. The Licensor shall not be bound by any additional or different
     terms or conditions communicated by You unless expressly agreed.

  b. Any arrangements, understandings, or agreements regarding the
     Licensed Material not stated herein are separate from and
     independent of the terms and conditions of this Public License.


Section 8 -- Interpretation.

  a. For the avoidance of doubt, this Public License does not, and
     shall not be interpreted to, reduce, limit, restrict, or impose
     conditions on any use of the Licensed Material that could lawfully
     be made without permission under this Public License.

  b. To the extent possible, if any provision of this Public License is
     deemed unenforceable, it shall be automatically reformed to the
     minimum extent necessary to make it enforceable. If the provision
     cannot be reformed, it shall be severed from this Public License
     without affecting the enforceability of the remaining terms and
     conditions.

  c. No term or condition of this Public License will be waived and no
     failure to comply consented to unless expressly agreed to by the
     Licensor.

  d. Nothing in this Public License constitutes or may be interpreted
     as a limitation upon, or waiver of, any privileges and immunities
     that apply to the Licensor or You, including from the legal
     processes of any jurisdiction or authority.


=======================================================================

Creative Commons is not a party to its public
licenses. Notwithstanding, Creative Commons may elect to apply one of
its public licenses to material it publishes and in those instances
will be considered the "Licensor." The text of the Creative Commons
public licenses is dedicated to the public domain under the CC0 Public
Domain Dedication. Except for the limited purpose of indicating that
material is shared under a Creative Commons public license or as
otherwise permitted by the Creative Commons policies published at
creativecommons.org/policies, Creative Commons does not authorize the
use of the trademark "Creative Commons" or any other trademark or logo
of Creative Commons without its prior written consent including,
without limitation, in connection with any unauthorized modifications
to any of its public licenses or any other arrangements,
understandings, or agreements concerning use of licensed material. For
the avoidance of doubt, this paragraph does not form part of the
public licenses.

Creative Commons may be contacted at creativecommons.org.
--------------------------------------------------------------------------------

/LICENSE-CODE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) Microsoft Corporation.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Azure Kubernetes Service (AKS) Solution Factory Aligned to Cloud Adoption Framework

The AKS CAF Solution Factory provides content that helps you deploy Kubernetes on Azure in alignment with the Cloud Adoption Framework.

The AKS CAF Solution Factory is a collection of an eBook, task lists (as an Azure DevOps project and as an Excel sheet) and security policy suggestions that help Microsoft customers and partners deploy and manage AKS in alignment with the Cloud Adoption Framework (CAF).

The Azure Cloud Adoption Journey
![CAF](/CAF.png)

## AKS CAF Solution Factory Contents

## Pre-Sales Contents
* [AKS CAF PreSales](https://github.com/faridabharmal/AKS_CAF_SolutionFactory/blob/master/TechnicalEnablement)
  Sell-to and sell-through guidance on the customer and partner business model, including licensing and pricing, driving the sales motions with cost savings.
* [Cloud Adoption Framework - Overview Deck](https://github.com/faridabharmal/AKS_CAF_SolutionFactory/blob/master/SalesEnablement/Cloud%20Adoption%20Framework%20-%20Overview_partner.pptx)
  This presentation is designed to provide a brief introduction to the Cloud Adoption Framework for Azure.
* [Cloud Adoption Framework - Governance Workshop partner](https://github.com/faridabharmal/AKS_CAF_SolutionFactory/blob/master/SalesEnablement/Cloud%20Adoption%20Framework%20-%20Governance%20Workshop_partner.pptx)
* [Cloud Adoption Framework_Strategy-Plan-Ready Workshop partner](https://github.com/faridabharmal/AKS_CAF_SolutionFactory/blob/master/SalesEnablement/Cloud%20Adoption%20Framework_Strategy-Plan-Ready%20Workshop_partner.pptx)
* [Kubernetes on Azure Pitch Deck](https://github.com/faridabharmal/AKS_CAF_SolutionFactory/blob/master/SalesEnablement/Kubernetes%20on%20Azure%20Pitch%20Deck.pptx): Provides an overview of Kubernetes on Azure and articulates its differentiators and benefits.

## Technical Contents
* [AKS Adoption Aligned To Cloud Adoption Framework](TechnicalEnablement/AKS-adoption-aligned-to-cloud-adoption-framework.md):
  Guidance on what needs to be done in each Cloud Adoption phase (Strategy, Plan, Ready, Adopt, Govern and Manage) for an AKS deployment. We have supplied detailed step-by-step guidance, drawn from our experience, covering the steps necessary to go from zero to a complete AKS deployment and management aligned to the Cloud Adoption Framework methodology.

* [AKS CAF Project DevOps Project TaskList](TechnicalEnablement/AKS_CAF_DevOps_Project_TaskList.zip):
  An AKS deployment involves multiple tasks that need to be completed. We have supplied an Azure DevOps project that lists the steps necessary to go from zero to a complete AKS deployment and management.

  Steps to import the DevOps project:
  * Sign in to the [Azure DevOps Demo Generator site](https://azuredevopsdemogenerator.azurewebsites.net/)
  * Provide a project name, select your organization, and choose the "AKS_CAF_DevOps_Project_TaskList.zip" template from this GitHub repo

* [AKS CAF Project TaskList](TechnicalEnablement/AKS_CAF_Project_TaskList.xlsx):
  If you are not using Azure DevOps for project management, we have provided all the necessary steps in an Excel sheet that can be used as is or imported into your project management tool of choice.

* [AKS CAF Governance Security_Policy](TechnicalEnablement/AKS_CAF_Governance_Security_Policy.xlsx):
  A common question we get is what the security considerations for an AKS deployment are, so we have provided guidance on using Azure Policy to secure your environment. This is a good starting point for your security considerations.

* [Application Gateway Ingress Controller](TechnicalEnablement/aks-appgw-ingress-controller.md)
  The Application Gateway Ingress Controller (AGIC) exposes applications running within AKS to the Internet using Azure's native Application Gateway L7 load balancer. This document describes that implementation.
  This document speaks to the security best practices around AKS.
* [AKS Deployment Guide](TechnicalEnablement/aks-getting-started.md): This document is the deployment guide for a sample AKS cluster.
* [Decision Tree](TechnicalEnablement/aks-decision-tree.md): A decision tree document that covers some of the major decision points when planning an AKS cluster deployment.

## Additional Links

* [Azure Cloud Adoption Framework Documentation](https://azure.microsoft.com/en-us/cloud-adoption-framework)
* [Additional Cloud Adoption Framework Resources](https://www.microsoft.com/azure/partners/b/enable/cloud-adoption-framework)
* [AKS Documentation](https://docs.microsoft.com/en-us/azure/aks/)

## Additional CAF Solution Factories
* [WVD CAF Solution Factory](https://github.com/Azure/CAF_WVD_SolutionFactory)
* [SQL CAF Solution Factory](https://github.com/Azure/SQL_CAF_SolutionFactory)
* [ServerMigration CAF Solution Factory](https://github.com/Azure/ServerMigration_CAF_SolutionFactory)

## Key Contributors
Thanks to our contributors:
Microsoft AKS Content Team: Ali Hussain, Tommy Falgout
Microsoft CAF Solution Factory Leads: Farida Bharmal, Manish Dhall
We have leveraged help from Microsoft Partner [Fyrsoft](https://www.fyrsoft.com/) to create the contents.

## Support for future scenarios
The contents are provided as-is. We periodically update and enhance the contents.

## Disclaimer
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, our provision of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The descriptions of other companies' products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers. © 2016 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
--------------------------------------------------------------------------------

/SECURITY.md:
--------------------------------------------------------------------------------
## Security

Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).

If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)), please report it to us as described below.

## Reporting Security Issues

**Please do not report security vulnerabilities through public GitHub issues.**

Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://msrc.microsoft.com/create-report).

If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://www.microsoft.com/en-us/msrc/pgp-key-msrc).

You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc).

Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:

* Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
* Full paths of source file(s) related to the manifestation of the issue
* The location of the affected source code (tag/branch/commit or direct URL)
* Any special configuration required to reproduce the issue
* Step-by-step instructions to reproduce the issue
* Proof-of-concept or exploit code (if possible)
* Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://microsoft.com/msrc/bounty) page for more details about our active programs.

## Preferred Languages

We prefer all communications to be in English.

## Policy

Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).
--------------------------------------------------------------------------------

/SalesEnablement/Cloud Adoption Framework - Governance Workshop_partner.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/AKS_CAF_SolutionFactory/6987c23a6276d59511b2cc35cb0ef8644045568e/SalesEnablement/Cloud Adoption Framework - Governance Workshop_partner.pptx
--------------------------------------------------------------------------------

/SalesEnablement/Cloud Adoption Framework - Overview_partner.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/AKS_CAF_SolutionFactory/6987c23a6276d59511b2cc35cb0ef8644045568e/SalesEnablement/Cloud Adoption Framework - Overview_partner.pptx
--------------------------------------------------------------------------------

/SalesEnablement/Cloud Adoption Framework_Strategy-Plan-Ready Workshop_partner.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/AKS_CAF_SolutionFactory/6987c23a6276d59511b2cc35cb0ef8644045568e/SalesEnablement/Cloud Adoption Framework_Strategy-Plan-Ready Workshop_partner.pptx
--------------------------------------------------------------------------------

/SalesEnablement/Kubernetes on Azure Pitch Deck.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/AKS_CAF_SolutionFactory/6987c23a6276d59511b2cc35cb0ef8644045568e/SalesEnablement/Kubernetes on Azure Pitch Deck.pptx
--------------------------------------------------------------------------------

/TechnicalEnablement/AKS Resources.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/AKS_CAF_SolutionFactory/6987c23a6276d59511b2cc35cb0ef8644045568e/TechnicalEnablement/AKS Resources.docx -------------------------------------------------------------------------------- /TechnicalEnablement/AKS-adoption-aligned-to-cloud-adoption-framework.md: -------------------------------------------------------------------------------- 1 | 2 | # AKS Adoption Aligned to Cloud Adoption Framework 3 | 4 | This document is designed to review adoption of AKS that is aligned to the Cloud Adoption Framework. 5 | 6 | # Table of Contents 7 | 8 | - [AKS Adoption Aligned to Cloud Adoption Framework](#aks-adoption-aligned-to-cloud-adoption-framework) 9 | - [Table of Contents](#table-of-contents) 10 | - [Introduction](#introduction) 11 | - [Establishing Strategy](#establishing-strategy) 12 | - [Understanding Business Motivations](#understanding-business-motivations) 13 | - [AKS Business Outcomes](#aks-business-outcomes) 14 | - [AKS Business Justification](#aks-business-justification) 15 | - [Faster Time to Market](#faster-time-to-market) 16 | - [Optimized IT Costs](#optimized-it-costs) 17 | - [Improved Scalability & Availability](#improved-scalability--availability) 18 | - [Multi-Cloud Flexibility](#multi-cloud-flexibility) 19 | - [Seamless Cloud Migration](#seamless-cloud-migration) 20 | - [Plan](#plan) 21 | - [AKS Adoption Steps](#aks-adoption-steps) 22 | - [Networking](#networking) 23 | - [Azure Virtual Networks](#azure-virtual-networks) 24 | - [Ingress Controllers](#ingress-controllers) 25 | - [Network Security Groups](#network-security-groups) 26 | - [Network Policy](#network-policy) 27 | - [Storage](#storage) 28 | - [Azure Disks](#azure-disks) 29 | - [Azure Files](#azure-files) 30 | - [Security](#security) 31 | - [Scaling](#scaling) 32 | - [Digital Estate](#digital-estate) 33 | - [Application Assessment](#application-assessment) 34 | - [Monolithic Architecture](#monolithic-architecture) 35 | - [Microservices 
Architecture](#microservices-architecture) 36 | - [Microservices vs. Monolithic](#microservices-vs-monolithic) 37 | - [Accelerated Application Development](#accelerated-application-development) 38 | - [Supports Agile Project Management](#supports-agile-project-management) 39 | - [Enable Security and Compliance](#enable-security-and-compliance) 40 | - [Safeguard the Cluster](#safeguard-the-cluster) 41 | - [Enable Kubernetes RBAC](#enable-kubernetes-rbac) 42 | - [Enable API Server Firewall](#enable-api-server-firewall) 43 | - [Block Pod Access to Host/VM Instance Metadata](#block-pod-access-to-hostvm-instance-metadata) 44 | - [Increase Node Security](#increase-node-security) 45 | - [Limit Node SSH Access](#limit-node-ssh-access) 46 | - [Firewall Ingress to Apps](#firewall-ingress-to-apps) 47 | - [Deploy Service Mesh](#deploy-service-mesh) 48 | - [Pod Security Policy (PSP)](#pod-security-policy-psp) 49 | - [Resources on Demand](#resources-on-demand) 50 | - [Auto Scaling](#auto-scaling) 51 | - [Horizontal Pod Autoscaler (HPA)](#horizontal-pod-autoscaler-hpa) 52 | - [Cluster Autoscaler (CA)](#cluster-autoscaler-ca) 53 | - [On-Demand Fast Scaling](#on-demand-fast-scaling) 54 | - [Availability & Costs](#availability--costs) 55 | - [Speed & Agility of Innovation Drives Customer Experience](#speed--agility-of-innovation-drives-customer-experience) 56 | - [Enabling Digital Transformation Using Containers](#enabling-digital-transformation-using-containers) 57 | - [AKS Adoption Plan](#aks-adoption-plan) 58 | - [Skill Readiness Plan](#skill-readiness-plan) 59 | - [Gap Plan](#gap-plan) 60 | - [Ready](#ready) 61 | - [Organize](#organize) 62 | - [Resources](#resources) 63 | - [Adopt](#adopt) 64 | - [Migrate](#migrate) 65 | - [Innovate](#innovate) 66 | - [Govern](#govern) 67 | - [Automation of AKS deployments:](#automation-of-aks-deployments) 68 | - [Manage](#manage) 69 | - [AKS Migration Best Practices](#aks-migration-best-practices) 70 | - [Groups of Users / 
Personas](#groups-of-users--personas) 71 | - [Licensing and Entitlements](#licensing-and-entitlements) 72 | - [Pricing](#pricing) 73 | - [Business Continuity and Disaster Recovery](#business-continuity-and-disaster-recovery) 74 | 75 | 76 | # Introduction 77 | 78 | Let's start by understanding what Cloud Adoption Framework is. Cloud 79 | Adoption Framework is a collection of documentation, implementation 80 | guidance, best practices, and tools that are proven guidance from 81 | Microsoft designed to accelerate your cloud adoption journey. Below 82 | diagram shows the different phases of Cloud Adoption Framework Journey. 83 | In this document we explain what needs to happen for AKS deployment and 84 | management in each phase of the cloud adoption framework. 85 | 86 | ![](media/cloud-adoption-framework.png) 87 | 88 | # Establishing Strategy 89 | 90 | Business transformations can be implemented with the help of the AKS 91 | Strategy. The current section defines the business agility, market 92 | demands, and various rationalizing factors associated with the adoption 93 | of the AKS that would enable business to evolve. The documentation 94 | facilitates the stakeholders in understanding the benefits that result 95 | from utilizing the AKS Adoption Framework. The rationalizing factors 96 | that would be discussed in this section are: 97 | 98 | - Understanding Business Motivations 99 | - AKS Business Outcomes 100 | - AKS Business Justification 101 | - Faster Time to Market 102 | - Optimized IT Costs 103 | - Improved Scalability and Availability 104 | - Multi cloud Flexibility 105 | - Seamless Cloud Migration 106 | 107 | ## Understanding Business Motivations 108 | 109 | Outlining the outcomes of a business is critical as they enable in 110 | defining a versatile strategy. This would empower the business to be 111 | scaled accordingly, while affecting the performance as well. 
Stakeholders are required to take part in establishing the appropriate business outcomes. Business motivations for AKS adoption are classified into the following categories.

| Critical business events | Migration | Innovation |
| :--- | --- | :--- |
| Datacenter consolidation | Cost saving | Equipping for latest technical capabilities |
| Merger, acquisition, or divestiture | Reduction in vendor or technical complexity | Developing technical offerings |
| Reduction in capital expenses | Optimization of internal operations | Scaling to accommodate the ever-growing requirements |
| End of support for mission-critical technologies | Increase in business agility | Transforming to cater to geographic needs |
| Response to regulatory compliance changes | Preparation for new technical capabilities | Improved customer experiences and engagements |
| New data sovereignty requirements | Evolving to cater to market demands | Transformation of products or services |
| Reduction of disruptions and improvement of IT stability | Scaling to meet geographic demands | Create market disruption with innovative products/services |

Reasons to adopt AKS are as follows:

- Adopting industry-standard cloud-native technologies
- Enables granular control and monitoring
- Offers the flexibility of auto-scaling
- Easy, flexible networking such as public IPs, DNS, and SSL
- Facilitates multiple multi-container deployments
- Implementing a multi-cloud strategy
- Improving the density of workloads within the infrastructure
- Easier to recruit engineering talent from the industry by adopting modern technologies

## AKS Business Outcomes

Designing a comprehensive AKS adoption strategy is essential in order to evaluate the business motivations and examine the likely future outcomes.
The classification of business outcomes varies across five different categories. It is important for anticipated business outcomes to be ranked according to priority: from high, to mid, to low priority. Make sure to include stakeholders and the business drivers behind a specific outcome, and associate the KPIs and capabilities that are required in order to achieve the desired outcome. The following categories are used to identify and segregate desired business outcomes:

- **Infrastructure:** End-to-end cloud-native architecture
- **Consistency:** Uniform architecture across multiple cloud platforms
- **Technology:** Higher density of workloads within the infrastructure, leading to a reduction of cost
- **Agility:** Time-to-market and provisioning time to respond to changes
- **Reach:** Global access and data sovereignty
- **Workforce Engagement:** Improved customer experience
- **Fiscal:** Cost savings on desktop computing, increased revenue and profits
- **Performance:** Ensuring high availability of business applications
- **Security & Compliance Regulations:** Addressed and implemented

## AKS Business Justification

Here are five fundamental business capabilities that AKS can drive in an enterprise.

## Faster Time to Market

AKS enables a "microservices" approach to building apps. The development team can now be broken into smaller teams that each focus on a single, smaller microservice. These teams are smaller and more agile because each team has a focused function. APIs between these microservices minimize the amount of cross-team communication required to build and deploy. So, ultimately, multiple small teams of specialized experts can be scaled up, each helping to support a fleet of thousands of machines.
Kubernetes also allows IT teams to manage large applications across many containers more efficiently by handling many of the nitty-gritty details of maintaining container-based apps. For example, Kubernetes handles service discovery, helps containers talk to each other, and arranges access to storage from various providers such as AWS and Microsoft Azure.

## Optimized IT Costs

AKS can help the business cut infrastructure costs quite drastically if operating at a massive scale. Kubernetes makes a container-based architecture feasible by packing together apps optimally using cloud and hardware investments. Before Kubernetes, administrators often over-provisioned their infrastructure to conservatively handle unexpected spikes, or simply because it was difficult and time consuming to manually scale containerized applications. Kubernetes intelligently schedules and tightly packs containers, considering the available resources. It also automatically scales the application to meet business needs, thus freeing up human resources to focus on other productive tasks.

There are many examples of customers who have seen dramatic improvements in cost optimization using K8s.

## Improved Scalability & Availability

The success of today's applications does not depend only on features, but also on the scalability of the application. After all, if an application cannot scale well, it will be highly non-performant at best, and totally unavailable in the worst case.

As an orchestration system, AKS is a critical management system to "auto-magically" scale and improve app performance. Suppose there is a service which is CPU-intensive and has a dynamic user load that changes based on business conditions (for example, an event ticketing app that will see dramatic numbers of users and loads prior to the event and low usage at other times). In this instance there is a need for a solution that can scale up the app and its infrastructure so that new machines are automatically spun up as the load increases (more users are buying tickets), while scaling it down when the load subsides. AKS offers just that capability: when the CPU usage on the current machine goes above a defined threshold, for example 90 percent, the application is automatically scaled up. And when the load reduces, AKS can scale the application back, thus optimizing infrastructure utilization. AKS auto-scaling is not limited to infrastructure metrics; any type of metric, resource utilization metrics or even custom metrics, can be used to trigger the scaling process.

## Multi-Cloud Flexibility

One of the biggest benefits of AKS managed containers is that it helps in realizing the promise of hybrid and multi-cloud. Enterprises today are already running multi-cloud environments and will continue to do so in the future. Kubernetes makes it much easier to run any app on any public cloud service or any combination of public and private clouds.

This allows putting the right workloads on the appropriate cloud and helps avoid vendor lock-in. Getting the best fit, using the right features, and having the leverage to migrate when it makes sense all help to realize more ROI (short and longer term) from IT investments.
## Seamless Cloud Migration

Whether a client is rehosting (lift and shift of the app), replatforming (making some basic changes to the way it runs), or refactoring (the entire app and the services that support it are modified to better suit the new compartmentalized environment), AKS makes sure these aspects are covered.

Since Kubernetes runs consistently across all environments, on-premises and public cloud, Kubernetes provides a more seamless and prescriptive path to port the application from on-premises to cloud environments. Rather than deal with all the variations and complexities of the cloud environment, enterprises can follow a more prescribed path:

- **Migrate apps to Kubernetes on-premises.** Here the focus is more on replatforming the apps to containers and bringing them under Kubernetes orchestration.
- **Move to a cloud-based Kubernetes instance.** Many options are available here: run Kubernetes natively or choose a managed Kubernetes environment from the cloud vendor.
- Now that the application is in the cloud, **optimizing the application to the cloud environment and its services** can be started.

# Plan

## AKS Adoption Steps

Here provision can be made to configure the AKS cluster that will support workloads.

Evaluate and determine the best approach to containerizing the digital assets using AKS. After determining an approach and aggregating an inventory, rationalization can begin. As part of the planning exercise the following factors need to be taken into consideration:

- Networking
- Storage
- Security
- Scaling

In the sections below, the various aspects are discussed in detail.
### Networking

In the AKS approach to application development, components must work together to process their tasks. The vital factors to be studied are as follows:

#### Azure Virtual Networks

In container-based microservices, a cluster can be deployed by employing one of the network models given below.

- [Kubenet](https://kubernetes.io/docs/concepts/cluster-administration/network-plugins/#kubenet) networking: The network resources are created and configured while the AKS cluster is deployed
- [Azure Container Networking Interface (CNI)](https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md) networking: The AKS cluster is linked to already existing virtual network resources and configurations

The choice of which network plugin to use for an AKS cluster is a balance between flexibility and advanced configuration needs. The following considerations help outline which network model may be well suited.

- **Kubenet**
  - Conserves IP address space
  - Uses a Kubernetes internal or external load balancer to reach pods from outside of the cluster
  - User-defined routes (UDRs) must be manually managed and maintained
  - Maximum of 400 nodes per cluster
- **Azure CNI**
  - Pods get full virtual network connectivity and can be directly reached via their private IP address from connected networks
  - Requires more IP address space

#### Ingress Controllers

An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination for Kubernetes services. Using an ingress controller and ingress rules, a single IP address can be used to route traffic to multiple services in a Kubernetes cluster.
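As an added example (not part of the original document), the following Ingress manifest shows what the paragraph above describes in practice: one public IP, TLS terminated at the ingress controller, and two backend Services selected by URL path. The hostname, Service names, namespace, and the `example-tls` Secret are assumed placeholders, and the NGINX ingress controller is assumed to be installed in the cluster.

```yaml
# Added example, not from the original document. A single Ingress resource that
# terminates TLS and routes two URL paths on one public IP to two Services.
# Assumptions (placeholders): the NGINX ingress controller is installed
# (ingressClassName: nginx); a Secret named example-tls of type kubernetes.io/tls
# already exists in the namespace, e.g. created with
#   kubectl create secret tls example-tls --cert=tls.crt --key=tls.key -n shop
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-ingress
  namespace: shop
  annotations:
    # Redirect plain HTTP to HTTPS so clients cannot bypass TLS termination.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    # TLS is terminated here; backends receive plain HTTP inside the cluster.
    - hosts:
        - shop.example.com
      secretName: example-tls
  rules:
    - host: shop.example.com
      http:
        paths:
          # Longest matching prefix wins, so /api reaches api-svc and
          # everything else falls through to web-svc on the same IP.
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: api-svc
                port:
                  number: 8080
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-svc
                port:
                  number: 80
```

After `kubectl apply -f` of this manifest, `kubectl get ingress shop-ingress -n shop` reports the one ADDRESS shared by both paths.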
The different features that make the ingress controller a wise pick are given below:

- In AKS, an Ingress resource can be created using something like NGINX, or using the AKS HTTP application routing feature. For more information, refer to [deploy HTTP application routing](https://docs.microsoft.com/bs-latn-ba/azure/aks/http-application-routing)
- Another common feature of Ingress is SSL/TLS termination. For configuring an ingress controller with TLS, check [Ingress and TLS](https://docs.microsoft.com/bs-latn-ba/azure/aks/ingress)
- AGIC, which is another option, aids in eliminating the need to have another load balancer/public IP in front of the AKS cluster, while avoiding multiple hops in the data path. Check the given [link](https://github.com/faridabharmal/AKS_CAF_SolutionFactory/blob/master/TechnicalEnablement/CAF-Application%20Gateway%20Ingress%20Controller.docx?raw=true) for more details

#### Network Security Groups

An Azure network security group can be employed to filter network traffic to and from Azure resources in an Azure virtual network.

The various uses of network security groups are mentioned below; they help in evaluating traffic by priority:

- The network security group segregates the traffic for VMs, such as the AKS nodes
- As Services like a LoadBalancer are established, the Azure platform automatically configures any network security group rules that are needed
- Any required ports can be defined and forwarded as part of the Kubernetes Service manifests, while letting the Azure platform create or update the appropriate rules

#### Network Policy

Network Policy is a Kubernetes specification that defines access policies for communication between Pods. The Azure Network Policy implementation supports the standard Kubernetes Network Policy specification. To learn more about network policies, view the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/).

To improve security, rules or network policies can be defined to control the flow of traffic.

Network policies can be included as part of a wider manifest (e.g. YAML) that also creates a deployment or service.

There are a few network policy options that Azure allows to be implemented while defining an AKS cluster, which help in establishing a secure network. The policy option cannot be changed after the cluster is created.

- Azure's own implementation, called Azure Network Policies
- Calico Network Policies, an open-source network and network security solution founded by [Tigera](https://www.tigera.io/)

### Storage

Persistent storage plays a vital role in microservices architecture, in which data must be decoupled from the pod lifecycle. AKS supports multiple options for configuring persistent storage, including Azure Disks, Azure Files, and Azure NetApp Files. The various properties and features are given in the following sections.

#### Azure Disks

Persistent volumes for pods in AKS can be created with Azure Disks, which use Azure premium or standard storage. The following considerations help outline which storage model is ideal for the deployment:

- Premium storage provides performance levels on par with SSDs, and standard storage provides HDD-level performance
- The former is ideal for production workloads with higher IOPS requirements, while HDD storage is more suited for test and development environments
- Persistent volumes created from Azure Disks can, however, be mounted to just one pod at a time and do not support use cases that require shared storage

#### Azure Files

Azure Files is a managed file share service for creating SMB and NFS file shares accessible to workloads hosted on-premises or in Azure. The various features that help in evaluating the storage needs as per the requirements are stated below:

- The service can be used to create persistent volumes for pods deployed in AKS clusters
- Azure Files also supports SSD and HDD capabilities through premium and standard storage options. AKS cluster versions, however, must be higher than 1.13 in order to use premium storage
- Storage volumes created from Azure Files can be accessed simultaneously from multiple pods in the cluster

### Security

Security operations maintain the assurances of the system as adversaries attack it. The different features that facilitate a secure system are given as follows:

- AKS integrates with Active Directory to manage AKS cluster access
- The configured service principal is integrated with AD to delegate access to other Azure resources
- Role-based access control in the cluster is enabled in order to provide granular access to cluster resources, which helps develop a safe system

### Scaling

Scaling is one way to maximize the benefits. Azure Kubernetes Service includes node CPU and memory monitoring at no additional cost. Container monitoring can be enabled at cluster creation. The various features that need to be examined while scaling the ecosystem are given below:

- [Container monitoring](https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-overview) sends additional metrics and logs using Log Analytics, which has fees based on the amount of data ingested. Simply enable container monitoring and then select or create a Log Analytics workspace to store the AKS data.
- CPU and memory usage per node, controller, or pod can be tracked with container monitoring enabled. The metrics can be viewed with Azure Monitor, which is not available unless authorized.
- A Prometheus integration with Container Insights helps close the gap on monitoring for many use cases while the system is scaled accordingly.

## Digital Estate

Based on the requirements of the digital estate, a plan needs to be constructed. The digital estate is an abstract reference to a collection of tangible owned assets such as VMs, servers, applications, data, etc. In other words, a digital estate is the collection of IT assets that power the business processes and supporting operations. From the AKS perspective, it is important to know the applications and workloads that are desired to be used in the cloud, in which case the environment as well as the applications need to be assessed.

- A decision tree needs to be created on which applications are going to be moved to AKS. The decision tree is explained in detail in the [given link](https://github.com/faridabharmal/AKS_CAF_SolutionFactory/blob/master/TechnicalEnablement/AKS_Decision%20Tree.docx).
- Questions that the business needs to ask itself regarding its data and applications in order to get the best possible start to a new AKS project.

### Application Assessment

Application assessments provide the current performance and usage details like OS, CPU, etc., by classifying users into personas (task workers, power users, knowledge workers, etc.), the applications, the various workloads accessed by the users, and the related Azure costs involved.

It is important to understand the required compute of core applications and data in order to size the VMs, use the correct operating system, etc. To understand the importance of user groups, personas, or workloads, they need to be classified.

Some of the different workloads are discussed below in detail:

- **Stateless Workloads**: A stateless application is one that neither reads nor stores information about its state from one time that it is run to the next. "State" in this case can refer to any changeable condition, including the results of internal operations, interactions with other applications or services, user-set preferences, environment variables, the contents of memory or temporary storage, or files opened, read from, or written to.
- **Stateful Workloads**: A stateful application can remember at least some things about its state each time that it runs. The actual state data that it stores may depend on the application and on the conditions under which it operates. State requires persistent storage. An application can only be stateful if it has somewhere to store information about its state, and if that information will be available for it to read later.

**This brings into consideration whether the containers should be stateful or not. The various reasons why a certain state must be chosen are given below:**

- The originally designed containers couldn't save state information as there was no provision for persistent storage, and so holding state wasn't possible. They were supposed to only perform operations which did not require state, leaving such things as persistent storage and saved state data to other parts of the system. Advocates of purely stateless containers maintain that this is still the best and cleanest approach, and that attempts to bring state to container deployment are merely evidence of obsolete ways of thinking.
- If all containers follow the stateless ideal, the only persistent state data will be that which is stored and used by the host operating system. Developers need not worry about where to save container state data, or how to make containers interact with persistent storage.
- As containers have come into wider use, however, the limits to pure container statelessness have become all too apparent. Many of the applications now being deployed in containers are not written from scratch with containerization in mind; they are existing applications. These applications are typically stateful, and they are likely to rely heavily on state data.
- Making such an application stateless may require a complete redesign at the level of fundamental architecture, even beyond that required for refactoring. And depending on the nature and purpose of the application, even designed-from-scratch container-based software may lend itself more naturally to state than statelessness.
- The advantage of statelessness is that it is simple. State, on the other hand, does require at least some overhead: persistent storage and, more likely, a state management system. This means more software to install, manage, and configure, and more programming time to connect to it via API.
- Session-based state data needs to be maintained and read at the container level. Environment-based state data (such as IP address, database access, cluster configuration, etc.) can typically be handled at the host level. It may be necessary to store other kinds of state data using an independent file system which can remain available if the host shuts down.
- For applications which were designed for containers, the question can be asked at the microservice level. It may turn out that only a handful of containers need to store state data, allowing the rest to be run stateless.

When applications are designed, they follow different architectures. Various architectures are discussed below:

#### Monolithic Architecture

Monolithic architecture is where the application is built as a single unit. It is a traditional app-building technique with a client-side interface, a server-side interface, and a database.

A database for an enterprise-level app is usually multiple tables organized in a relational database management system. The client-side interface relates to the HTML pages and JavaScript running in a browser.
Conversely, the server-side interface of monolithic applications handles the HTTP requests, implements domain-specific logic, collects and updates information from the database, and more.

Monolithic applications are a single entity with all functions managed and served in one place. This type of architecture poses several challenges: it lacks modularity and, with one codebase, upscaling is also tricky as developers need to start from scratch.

#### Microservices Architecture

Microservice structures with cloud technologies, integration, and API management are an alternative to the traditional monolithic architecture.

The name 'micro' is a bit misleading. The services may be smaller in size than the average monolith, but they are not tiny.

Microservices architecture, as opposed to monolithic architecture, is a development approach to designing an app with each feature represented as a microservice operating independently. It means all services act on separate logic, with a distinct database and specific functions.

A key feature of microservices architecture is that the app function is split into independent modules, but APIs keep intercommunication open. Deployment, scalability, and updating are autonomous for each part.

#### Microservices vs. Monolithic

Microservices are thought to be an enhancement to the traditional app-building techniques. But the ideology of loosely connected services with distinct boundaries has been around for decades.

Furthermore, the monolithic structure was never considered a good strategy. Instead, it is the convenience and simplicity of monolith servers that raised its worth in the app development industry. Additionally, microservices architecture sometimes adds an unnecessary complication in the delivery of the app.
An organization needs a long-term vision and strategy when deciding on the critical aspects explained below.

***About Moving a Monolith to AKS:***

Many monolithic applications can be moved to AKS with a "lift-and-shift" of the whole application from on-premises into a single container. That short-sighted strategy fails as the application grows in functionality and performance degrades. Monolith migration to AKS should therefore be aligned with the long-term vision for the application architecture and technology choices.

Containerizing a large monolith, for example, creates deployment and runtime problems, because the container stack is not designed for that use case. Refactoring the monolith into smaller logical services is what delivers the real benefit: faster deployment, resilience, and easier updates.

One can adopt microservices outright or take a microservice-like approach. Either way, thinking about application decomposition, rather than about moving to containers or AKS as such, is what yields the gains in speed of delivery and allows the architecture to evolve; the other benefits of moving to AKS come not from the move itself but from the (refactored) architecture that enabled it.

One concrete issue with lifting a monolith into a container is application logging. Legacy applications typically write troubleshooting and other information to local log files; when the application goes down, operations staff log in to the machine and read the logs. In the container world, when the container is down there is nothing to log in to, so logs have to be shipped out of the container to a central store while it is running.
It is therefore essential to consider performance, observability, telemetry, and monitoring when planning to move a monolith to AKS.

***About Moving a Monolith to a VM:***

A VM is a completely isolated abstraction of an entire computer, so a monolithic application can easily be moved to one. However, a VM requires far more resources than a container, which limits how many VMs fit on a server, and as the monolith grows, so do the VM's resource requirements. At some point the application will have to be re-architected or refactored. For more information on containers versus VMs, refer to this [document](https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/containers-vs-vm).

***About Microservices & AKS:***

A primary benefit of Kubernetes is higher infrastructure utilization through efficient sharing of compute resources across many processes. Kubernetes allocates compute dynamically to meet demand, so organizations avoid paying for resources that sit idle.

Breaking a monolith into separate, loosely coupled microservices gives the teams more autonomy and freedom, but they still have to cooperate closely on infrastructure matters such as:

- quantifying the compute resources each microservice needs under different loads,
- partitioning infrastructure for each microservice, and
- enforcing resource restrictions.

A managed Kubernetes service (AKS) provides a common framework to describe, inspect and reason about infrastructure resource sharing and utilization, which is what makes the microservice re-architecture of monolithic applications practical.
***AKS and Azure managed services (Azure Database for MySQL, Azure Cache for Redis, Azure Cosmos DB with its MongoDB API, Azure Active Directory, and others):***

Digital transformation requires applications to deal with heterogeneous data (text and non-relational data, relational data, binary data and streams, and so on), which calls for different data stores for different types of data depending on the workload. Polyglot persistence describes solutions that use a [mix of data store](https://docs.microsoft.com/en-us/azure/architecture/guide/technology-choices/data-store-overview) technologies. Applications and microservices hosted on AKS integrate with [Azure SQL IaaS vs SQL PaaS](https://docs.microsoft.com/en-us/azure/azure-sql/azure-sql-iaas-vs-paas-what-is-overview#:~:text=IaaS%20enables%20you%20to%20shut,invest%20to%20administer%20the%20database.) services and with [Azure Active Directory](https://azure.microsoft.com/en-in/services/active-directory/) (now Microsoft Entra ID) for identity management. [Azure DevOps](https://azure.microsoft.com/en-in/services/devops/) enables AKS cluster deployment as part of an integrated continuous integration and continuous delivery (CI/CD) experience with enterprise-grade security and governance, alongside other developer services such as Azure Dev Spaces (since retired) and the Visual Studio Code Kubernetes tools.

Customers can choose between the [Azure IaaS or PaaS](https://docs.microsoft.com/en-us/azure/architecture/guide/technology-choices/compute-decision-tree) deployment models based on their workload and their business and technology strategy.
Accelerated Application Development
-----------------------------------

Containerized applications on AKS run in isolated units, which removes much of the time-sink of debugging environment differences, and AKS handles the following aspects of the *development* infrastructure:

- Automatic upgrades
- Patching
- Self-healing

AKS **simplifies container orchestration**, saving time and increasing developer productivity by removing the developers' biggest time-sinks.

Supports Agile Project Management
---------------------------------

Agile projects deliver robust results and are typically more successful than traditionally managed projects.

Another key advantage of adopting AKS is that it **supports agile development** through integration with Azure DevOps, Azure Container Registry (ACR), Azure Active Directory, and Azure Monitor. A typical flow: a developer pushes code to a repository, the build produces a container image that is pushed to ACR, and AKS pulls that image to launch the workload.

Enable Security and Compliance
------------------------------

Cyber security is a key concern for every business, and security issues are especially common in regulated industries.

AKS **protects the business** by letting administrators grant access based on Azure Active Directory (Azure AD) user and group identities. When personnel have only the access they require, the threat from insiders, and from compromised insider credentials, is greatly reduced. The other aspects are discussed in detail below.

### Safeguard the Cluster

Making AKS clusters more secure requires a design that reduces the threat surface.
A good understanding of the fundamentals of Kubernetes security and of the AKS-specific security options makes clusters easier to protect and manage.

Some critical AKS security features can only be enabled when the cluster is created. For existing clusters created without those features, the recommendation is to build new clusters and migrate the workloads into them.

Consistent configuration across all clusters also makes them easier to manage and prevents issues that stem from the incorrect assumption that every cluster has the same protections. Best practice is to automate AKS cluster creation (for example with ARM/Bicep templates or Terraform) so that every cluster gets the same configuration.

### Enable Kubernetes RBAC

Kubernetes Role-Based Access Control governs authorization for the cluster's Kubernetes API, for both users and workloads in the cluster. Kubernetes RBAC itself must be enabled at cluster creation and cannot be turned on afterwards; AKS integrates it with Azure AD, and that AKS-managed integration can be enabled on an existing cluster. Use Azure AD groups, rather than individual users, as the subjects of role bindings.

### Enable API Server Firewall

In Kubernetes, every action on the cluster, whether creating resources or scaling the number of nodes, is a request to the API server. The API server is the central way to interact with and manage a cluster, so it should only be reachable from a limited set of IP address ranges, to reduce the attack surface.

By default an AKS cluster's API server is exposed on a public IP with no restrictions. To filter that access, use API server authorized IP address ranges to limit which IP addresses and CIDRs can reach the control plane, or deploy a private cluster (now generally available), in which the API server is only reachable through a private endpoint inside the virtual network. Authorized IP ranges are a network filter, not a substitute for authentication: Azure AD integration and RBAC still apply to every request that gets through.
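The creation-time settings above can be verified from the cluster's own configuration. The script below is an added example, not part of this page or of any Azure tool: it reads the JSON that `az aks show -o json` returns (a constructed sample is embedded, using the real field names `enableRbac`, `aadProfile`, `disableLocalAccounts` and `apiServerAccessProfile`) and reports the gaps discussed in the RBAC and API server sections. The `/16` threshold for a "very broad" authorized range is a heuristic chosen here, not an AKS rule.

```python
"""Audit the control-plane settings of an AKS cluster from `az aks show -o json`.

Added example, not part of the original page. It applies the checks from the
RBAC and API-server sections to the cluster document; the sample below is
constructed but uses the real field names.
"""
import ipaddress
import json

# Constructed sample: a cluster created with defaults. Replace with the output
# of `az aks show -g <resource-group> -n <cluster> -o json`.
SAMPLE_CLUSTER_JSON = """
{
  "name": "aks-demo",
  "kubernetesVersion": "1.28.5",
  "enableRbac": true,
  "aadProfile": null,
  "disableLocalAccounts": false,
  "apiServerAccessProfile": {
    "authorizedIpRanges": ["0.0.0.0/0"],
    "enablePrivateCluster": false
  }
}
"""

BROAD_PREFIX = 16   # heuristic chosen here: anything wider than a /16 is flagged


def audit_cluster(cluster):
    """Return a list of findings for one cluster; an empty list means all checks passed."""
    findings = []

    # Kubernetes RBAC is a creation-time setting; a cluster without it must be rebuilt.
    if not cluster.get("enableRbac", False):
        findings.append("Kubernetes RBAC disabled: rebuild the cluster, RBAC cannot be enabled later")

    # AKS-managed Azure AD integration can be added to an existing cluster.
    aad = cluster.get("aadProfile") or {}
    if not aad.get("managed", False):
        findings.append("AKS-managed Azure AD integration not enabled (az aks update --enable-aad)")
    elif not aad.get("enableAzureRbac", False) and not aad.get("adminGroupObjectIDs"):
        findings.append("Azure AD enabled but neither Azure RBAC nor an admin group is configured")

    # Static admin kubeconfig credentials bypass Azure AD entirely.
    if not cluster.get("disableLocalAccounts", False):
        findings.append("Local accounts enabled: static admin credentials bypass Azure AD")

    access = cluster.get("apiServerAccessProfile") or {}
    if access.get("enablePrivateCluster", False):
        return findings   # no public endpoint, so the exposure checks below do not apply

    ranges = access.get("authorizedIpRanges") or []
    if not ranges:
        findings.append("API server is public with no authorized IP ranges")
    for cidr in ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            findings.append(f"Authorized IP range {cidr} admits the whole internet")
        elif net.prefixlen < BROAD_PREFIX:
            findings.append(f"Authorized IP range {cidr} is very broad; narrow it to known egress addresses")
    return findings


def audit_cluster_json(text):
    """Convenience wrapper for raw `az aks show -o json` output."""
    return audit_cluster(json.loads(text))


if __name__ == "__main__":
    for finding in audit_cluster_json(SAMPLE_CLUSTER_JSON) or ["no findings"]:
        print(finding)
```

Run it against real output with `az aks show -g <rg> -n <cluster> -o json > cluster.json` and pass the file contents to `audit_cluster_json()`; an empty result means every check passed. A private cluster is reported as passing the exposure checks because its API server has no public endpoint, and the RBAC finding is deliberately phrased as "rebuild", since that setting cannot be changed in place.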
### Block Pod Access to Host/VM Instance Metadata

The Azure Instance Metadata Service (IMDS) endpoint, 169.254.169.254, returns a great deal of information about the VM's configuration when called from inside an Azure VM, and it also issues Azure AD access tokens for the managed identity assigned to the node. By default any container on an AKS node can reach this endpoint. Most workloads do not need it, and access to it carries substantial risk: a compromised pod can obtain the node's identity token and use that identity's permissions against Azure resources.

To remove this access, add a network policy in every user namespace that blocks pod egress to 169.254.169.254/32 (network policy must be enabled on the cluster, with Azure or Calico as the policy engine). Workloads that legitimately need an Azure identity should use a per-pod identity mechanism rather than the node's identity.

### Increase Node Security

The Azure platform automatically applies OS security patches to Linux nodes on a regular basis. If a Linux OS security update requires a host reboot, that reboot is not performed automatically: either reboot the Linux nodes manually or, the common approach, use Kured, an open-source reboot daemon for Kubernetes. Kured runs as a DaemonSet and watches each node for the presence of the file that indicates a reboot is required (`/var/run/reboot-required`); it then cordons and drains the node, reboots it, and uncordons it. AKS now also offers node OS auto-upgrade channels (for example `NodeImage`) that replace the node with a freshly patched image instead of rebooting it in place.

### Limit Node SSH Access

By default, the SSH port on the nodes is reachable from every pod running in the cluster. Preventing direct SSH access from the pod network to the nodes limits the blast radius if a container in a pod is compromised.

Pod access to the nodes' SSH port can be blocked with a Kubernetes Network Policy, if network policy is enabled in the cluster. However, the Kubernetes Network Policy API has no cluster-wide egress policies: network policies are namespace-scoped, so a policy has to be added to every namespace, including every new one, which requires ongoing vigilance or automation.
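Both of the sections above (IMDS and node SSH) come down to the same question: does every user namespace carry an egress policy that denies those destinations for all pods? The code below is an added example, not part of this page or of any Azure tool; it embeds a constructed NetworkPolicy that does both jobs in one object and a checker that applies Kubernetes NetworkPolicy semantics (no selecting policy means allow-all; otherwise the connection must match a rule, with `except` ranges carved out of an `ipBlock`) to objects in the shape `kubectl get networkpolicy -o json` returns. The node subnet `10.240.0.0/16` is the AKS default for a cluster-created VNet and is an assumption here; substitute the node pool subnet. `endPort` ranges need Kubernetes 1.22 or later.

```python
"""Check that a namespace's NetworkPolicies block pod egress to the Azure
IMDS endpoint and to the nodes' SSH port.

Added example, not part of the original page. Objects are in the shape
`kubectl get networkpolicy -n <ns> -o json` returns (constructed here).
"""
import ipaddress

IMDS_IP = "169.254.169.254"
NODE_SUBNET = "10.240.0.0/16"   # assumption: default AKS node subnet; use your own
SAMPLE_NODE_IP = "10.240.0.4"   # constructed: a node address inside that subnet

# Constructed policy: selects every pod in the namespace, allows all egress
# except IMDS and TCP/22 into the node subnet. endPort needs Kubernetes >= 1.22.
DENY_IMDS_AND_NODE_SSH = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "deny-imds-and-node-ssh", "namespace": "app"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Egress"],
        "egress": [
            # Everything except the two sensitive destinations...
            {"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                 "except": [IMDS_IP + "/32", NODE_SUBNET]}}]},
            # ...and the node subnet on every port but TCP/22 (kubelet, DNS, etc.).
            {"to": [{"ipBlock": {"cidr": NODE_SUBNET}}],
             "ports": [{"protocol": "TCP", "port": 1, "endPort": 21},
                       {"protocol": "TCP", "port": 23, "endPort": 65535},
                       {"protocol": "UDP", "port": 1, "endPort": 65535}]},
        ],
    },
}


def _peer_matches(peer, ip):
    """Only ipBlock peers can match an address outside the pod network;
    podSelector/namespaceSelector peers never match the IMDS or node IPs."""
    block = peer.get("ipBlock")
    if block is None or ip not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(ip in ipaddress.ip_network(c, strict=False) for c in block.get("except", []))


def _port_matches(rule_port, port, protocol):
    if rule_port.get("protocol", "TCP") != protocol:
        return False
    start = rule_port.get("port")
    if start is None:                      # protocol given without a port: any port
        return True
    return start <= port <= rule_port.get("endPort", start)


def _policy_types(spec):
    # If policyTypes is omitted, Kubernetes sets Ingress and adds Egress only
    # when an egress section exists.
    return spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])


def egress_allowed(policies, dst_ip, dst_port, protocol="TCP"):
    """NetworkPolicy egress semantics for a pod selected by every policy with an
    empty podSelector: no selecting policy means allow-all; otherwise the
    connection must match at least one egress rule of some selecting policy."""
    ip = ipaddress.ip_address(dst_ip)
    selecting = [p for p in policies
                 if p["spec"].get("podSelector", {}) == {}
                 and "Egress" in _policy_types(p["spec"])]
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy["spec"].get("egress", []):
            to_ok = "to" not in rule or any(_peer_matches(peer, ip) for peer in rule["to"])
            ports_ok = "ports" not in rule or any(_port_matches(rp, dst_port, protocol) for rp in rule["ports"])
            if to_ok and ports_ok:
                return True
    return False


def audit_namespace(policies):
    """The two verdicts the sections above care about, for one namespace."""
    return {
        "imds_blocked": not egress_allowed(policies, IMDS_IP, 80),
        "node_ssh_blocked": not egress_allowed(policies, SAMPLE_NODE_IP, 22),
    }


if __name__ == "__main__":
    print("with policy:    ", audit_namespace([DENY_IMDS_AND_NODE_SSH]))
    print("empty namespace:", audit_namespace([]))
```

Because the policy's `podSelector` is empty it covers every pod in its namespace, which is what makes a namespace-wide verdict meaningful; a policy that selects only labelled pods leaves the rest at Kubernetes' default of allow-all, so the checker ignores such policies. Run the audit once per namespace, and treat an empty policy list as exactly the gap the SSH section warns about.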
### Firewall Ingress to Apps

Always place a firewall in front of the AKS load balancers to filter traffic and protect the applications from known attacks; in Azure this means a web application firewall (WAF) such as the one built into Application Gateway.

The Application Gateway Ingress Controller (AGIC), which is generally available, lets a single Application Gateway serve as the ingress for multiple AKS clusters. It also removes the need for a separate load balancer and public IP in front of the cluster and avoids extra hops before a request reaches the AKS cluster: Application Gateway talks to pods directly on their private IPs (which requires pod IPs to be routable in the virtual network, as with Azure CNI) and does not need NodePort or kube-proxy services. This also improves the deployment's performance.

### Deploy Service Mesh

A service mesh provides capabilities such as traffic management, resiliency, policy, security, strong identity, and observability to workloads. The application is decoupled from these operational concerns; the mesh moves them out of the application layer and down into the infrastructure layer.

A service mesh has many uses; the ones below are specific to securing workloads.

**Encrypt all traffic in the cluster**: enable mutual TLS between specified services in the cluster, and optionally extend it to ingress and egress at the network perimeter. This gives a secure-by-default option with no changes to application code or infrastructure. Check the mesh's mTLS mode, though: a "permissive" mode that still accepts plaintext is useful during migration but must be switched to strict before the encryption can be relied on.

**Observability**: gain insight into how services are connected by the traffic that flows between them. Metrics, logs, and traces for all in-cluster traffic and for ingress/egress help in tracing the behaviour of the applications.

### Pod Security Policy (PSP)

Pod Security Policy for AKS enables fine-grained authorization of pod creation and updates.
It allows policies to be set up that validate pod requests and define the conditions a pod must satisfy in order to be scheduled on the AKS cluster. Pod Security Policies address several critical security issues, including:

- Preventing containers from running with the privileged flag; such a container has most of the capabilities of the underlying host.
- Preventing sharing of the host's PID and IPC namespaces, host networking, and host ports, which keeps containers properly isolated from the underlying host.

Note that Pod Security Policy was deprecated in Kubernetes 1.21 and removed in 1.25; on current AKS versions the same controls are provided by Azure Policy for AKS (Gatekeeper) or by the built-in Pod Security Admission controller, which enforces the upstream `baseline` and `restricted` standards per namespace.

## Resources on Demand

AKS is **fully flexible**: it uses only the resources needed and so avoids paying for idle assets. The cluster adjusts its resources to the number of applications in use.

As applications scale up or down, two dimensions come into play:

- The first dimension is the number of instances (pods) of a specific service. A service under pressure gets more replicas. With a Kubernetes cluster that has several compute units (VM nodes), services can be balanced across them according to need without spinning up new nodes.
- The second dimension is the cluster size. Each Kubernetes cluster contains multiple VM nodes; when the load on the physical or virtual nodes is high, the cluster grows by adding nodes.

Applications in Kubernetes can be scaled in the following ways.

### Auto Scaling

Autoscaling in AKS automates both scaling dimensions.
The first is controlled by Kubernetes itself and concerns the number of replicas of each workload. The second is the cluster size, where nodes are added or removed dynamically according to the metrics and rules that are defined.

### Horizontal Pod Autoscaler (HPA)

The Horizontal Pod Autoscaler (HPA) monitors the load on pods and adjusts the number of replicas of each Deployment (or other scalable controller) up or down. It is the standard upstream HPA, available on any Kubernetes cluster from version 1.8 onward. By default it queries the metrics API every 15 seconds and recomputes the desired replica count. The Metrics Server collects resource usage from the kubelet on every node and provides the HPA's input (CPU and memory).

When custom metrics are needed, install and configure another monitoring system such as Prometheus, which is widely used for autoscaling on application-level metrics at the pod level. Prometheus metrics are exposed to the HPA through the Prometheus Adapter, which implements the custom metrics API in the same format as the Metrics Server so that the HPA can consume them. The HPA never changes the node count; it only changes replica counts.

### Cluster Autoscaler (CA)

Cluster autoscaling is the Azure-specific side of the picture: the Cluster Autoscaler manages the VM scale set behind each AKS node pool. Every 10 seconds it checks the cluster for pods that are stuck in `Pending` because no node has room for their resource requests, and adds nodes if so.

CA works alongside the HPA: when the HPA raises the replica count and the new pods cannot be scheduled, the resulting pending pods are what trigger CA to add nodes. Conversely, CA removes a node that has been underutilized for more than 10 minutes (the default) once its pods can be rescheduled elsewhere. The two autoscalers never talk to each other directly; pod resource requests are the contract between them, which is why requests must be set accurately for autoscaling to work.
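The interaction between the two autoscalers is easier to see with numbers. The code below is an added example, not part of this page or of the Kubernetes autoscaler code: `desired_replicas()` is the HPA's published formula, ceil(currentReplicas × currentMetric / targetMetric), with the controller's default 10% tolerance and the min/max clamp, and `nodes_to_add()` works out how many nodes the Cluster Autoscaler would have to add for replicas that do not fit on the existing nodes. All CPU and memory figures are constructed sample values, and the first-fit placement is a simplification of the scheduler.

```python
"""Work through one HPA scaling decision and the node demand it creates for CA.

Added example, not part of the original page. desired_replicas() implements
the upstream HPA formula with the default tolerance band; nodes_to_add()
shows what the Cluster Autoscaler has to provision for the pods that do not
fit. Inputs are constructed sample values.
"""
import math

HPA_TOLERANCE = 0.10   # kube-controller-manager default (--horizontal-pod-autoscaler-tolerance)


def desired_replicas(current, current_metric, target_metric, min_replicas, max_replicas):
    """HPA core algorithm: scale by the ratio of observed to target utilization,
    ignore changes inside the tolerance band, and clamp to [min, max]."""
    ratio = current_metric / target_metric
    if abs(ratio - 1.0) <= HPA_TOLERANCE:
        return current                       # within tolerance: no change
    desired = math.ceil(current * ratio)
    return max(min_replicas, min(max_replicas, desired))


def nodes_to_add(extra_pods, cpu_request_m, mem_request_mi, free_per_node, node_allocatable):
    """Pods that cannot be placed on existing nodes become Pending; CA adds the
    fewest nodes (one node pool size) whose allocatable resources cover them.

    free_per_node:   list of (cpu_millicores, memory_mi) currently free on each node
    node_allocatable: (cpu_millicores, memory_mi) a fresh node offers after system daemons
    """
    remaining = extra_pods
    # First-fit onto existing nodes; CA only scales up for what is left over.
    for cpu_free, mem_free in free_per_node:
        fits = min(cpu_free // cpu_request_m, mem_free // mem_request_mi)
        remaining -= min(remaining, fits)
    if remaining <= 0:
        return 0
    per_node = min(node_allocatable[0] // cpu_request_m, node_allocatable[1] // mem_request_mi)
    if per_node == 0:
        raise ValueError("pod request exceeds what one node can allocate; CA can never satisfy it")
    return math.ceil(remaining / per_node)


if __name__ == "__main__":
    # 4 replicas observed at 80% CPU against a 50% target: HPA wants 7.
    new = desired_replicas(4, 80, 50, min_replicas=2, max_replicas=10)
    # Each pod requests 500m CPU / 512Mi; two nodes have 600m / 1Gi free;
    # a fresh node offers 1900m / 1536Mi after system reservations.
    added = nodes_to_add(new - 4, 500, 512, [(600, 1024), (600, 1024)], (1900, 1536))
    print(f"HPA: 4 -> {new} replicas; CA adds {added} node(s)")
```

Two points the numbers make: a small deviation from target (54% against a 50% target) changes nothing, because the HPA ignores anything inside the tolerance band, so targets set very close to normal utilization cause flapping rather than smooth scaling; and CA only acts on pods that cannot be placed, so inflated requests make it add nodes while real utilization stays low.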
### On-Demand Fast Scaling

In a standard Kubernetes deployment, if no more nodes are physically available there is little to be done. In Azure, systems such as CA can add nodes automatically, but with the latency of provisioning a VM, typically minutes.

For such situations, Microsoft provides the ability to extend the cluster into Azure Container Instances (ACI). ACI is a serverless container service in Azure for running containers without managing VMs. By integrating ACI with the AKS cluster through virtual nodes, pods can be scheduled into ACI and the cluster scaled out in seconds. Virtual nodes require Azure CNI networking and a dedicated subnet.

## Availability & Costs

Cluster management in AKS is free on the Free pricing tier: there is no charge for the Kubernetes control plane itself (the Standard tier adds a per-cluster fee in exchange for a financially backed uptime SLA). AKS users are billed for the underlying compute, storage, networking, and other cloud resources consumed by the nodes and containers that keep the application running in the cluster.

## Speed & Agility of Innovation Drives Customer Experience

Today most enterprises rely on a range of software to run the business smoothly while creating a seamless customer experience.

A seamless customer experience requires constant innovation, which in turn requires DevSecOps teams to continually work on and release secure updates that implement improvements, fix issues, and develop new features and capabilities. Companies with a high deployment frequency release code far faster than the low performers (companies that deploy once a month or once every six months).

The need for "speed and agility of innovation" is steering the way companies build, run and secure their modern applications. It is the cause of the transformation of software architecture into microservices, which accelerates change across the board.
Microservices depend on containerized applications and orchestration, that is, automation, to speed the deployment of improvements and new capabilities that are critical to maintaining a secure customer experience.

## Enabling Digital Transformation Using Containers

While the business benefits of digital transformation and software innovation are clearly understood, the IT capabilities needed to deliver them are still evolving. What is very clear is that containers are becoming a must-have platform in the IT architecture. Containers offer the benefits of immutable infrastructure: predictable, repeatable, faster development and deployment. With these capabilities, containers change the way applications are architected, designed, developed, packaged, delivered, and managed, and pave the way to better applications that create a seamless experience.

## AKS Adoption Plan

Various decisions and data points help align the specific plans for adoption. The following activities support alignment of the cloud adoption plan:

- Prerequisites: confirm that all prerequisite steps have been complied with before a plan is created.
  The various requirements are discussed in detail in the [linked prerequisites document](https://github.com/faridabharmal/AKS_CAF_SolutionFactory/blob/master/TechnicalEnablement/AKS_Prerequisites.docx).

- Define and prioritize workloads: prioritize the first 10 workloads to establish an initial adoption backlog.

- Align assets to workloads: identify which assets (proposed or existing) are required to support the prioritized workloads.

- Review rationalization decisions: review rationalization decisions to refine the adoption-path decision: migrate or innovate.

- Establish iterations and release plans: iterations are the time blocks allocated to do work; releases define the work to be done before triggering a change to production processes.

- Estimate timelines: establish rough timelines for release planning, based on initial estimates.

Other factors to consider during deployment are described below.

***Kubernetes AKS cluster performance in general:***

The AKS cluster and its applications are configured according to the workloads that will run in Kubernetes. Network-intensive workloads need a cluster with high network throughput and low latency; for stateful workloads the focus is on the storage options configured in the cluster.

Tuning AKS cluster performance is a continuous process that depends on the type of feedback collected. In Kubernetes, the recommended way to understand the resource usage and performance of applications is through cAdvisor, which is built into the kubelet on every worker node and exposes per-container CPU, memory, network and file system metrics; the Metrics Server and monitoring stacks such as Prometheus read those metrics from each node. (A per-node collector deployed separately would run as a DaemonSet, not a StatefulSet.)
***AKS cluster performance: resource requests and limits:***

Configuring requests and limits on pods helps the scheduler place workloads efficiently. Requests are the amounts of CPU and memory Kubernetes guarantees to a pod and uses for scheduling decisions; limits are the ceilings Kubernetes enforces at runtime (CPU is throttled at the limit, and a container that exceeds its memory limit is OOM-killed). Requests are also what the Cluster Autoscaler and the HPA's utilization percentage are calculated against, so unrealistic requests break autoscaling.

When pods do not come with requests and limits, configure resources at the namespace level when the cluster is shared between different groups or applications. A ResourceQuota object caps the total requests and limits of all pods in a namespace, and a LimitRange object supplies default requests and limits to pods that omit them (a ResourceQuota that constrains CPU or memory rejects pods without requests unless a LimitRange provides defaults).

***Worker node affinity, taints, and tolerations:***

Once the resources for each pod have been identified and defined, it is time to do the math and determine how many worker nodes the cluster needs. Choose a node size that covers the largest pod with headroom for the kubelet and system daemons, while avoiding both extremely small nodes (high per-node overhead and few pods each) and extremely large ones (large blast radius and coarse scaling steps).

Nodes can then be flagged to dedicate them to specific workloads. Node affinity, for example, can schedule pods onto nodes with SSD storage, or co-schedule pods on the same node. Taints and tolerations can keep pods off certain nodes, for example to dedicate some nodes in the cluster to front-end applications and others to back-end applications.

AKS supports multiple node pools in one cluster, so a node pool with GPUs can sit next to a node pool with fewer resources for non-critical workloads, each with its own VM size, taints and autoscaler settings.
***Closest Region to the Customers:***

A Kubernetes cluster should be in a region close to its customers. With customers in multiple locations, it is recommended to run a cluster in each location. This reduces latency and also makes it possible to switch traffic in case of a regional failure. In Azure, the best option is to choose two paired regions, which are two regions physically near each other; Azure prioritizes recovery of one region of a pair in case of failure and coordinates platform maintenance so that it does not affect both regions of a pair at once.

Traffic Manager is the service that routes traffic between different AKS clusters, based on latency, geography, or failure. Users resolve a DNS name that points at Traffic Manager, and Traffic Manager returns the AKS endpoint the user then connects to directly.

With clusters in multiple regions, data has to be replicated near each cluster: the container image registries (ACR geo-replication), data volumes, and databases.

***Network Configuration***

There are two ways to configure networking in AKS:

- Basic (kubenet), where AKS creates a new VNet with default values and pods get addresses from a separate, non-routable range
- Advanced (Azure CNI), where AKS uses an existing VNet and every pod gets an IP address from the subnet

To connect the AKS cluster to existing resources in Azure or on premises, choose the advanced option. The basic model requires creating routes to reach other networks, which reduces network performance and complicates configuration.

Also make sure the subnet assigned to the AKS cluster does not overlap with any other network range in the organization.
With Azure CNI the address space must be large enough, because each pod gets an IP address from the subnet: as AKS creates more pods, more IP addresses are consumed, so plan for the maximum pods per node (30 by default with Azure CNI) times the maximum number of nodes, plus room for the surge nodes used during upgrades, to avoid issues with the application workloads.

***Storage Types***

Stateless workloads do not need volumes configured. Choosing a suitable storage type improves AKS cluster performance, including the time to pull images from the container registry onto the node disk.

For production environments, use SSD storage. When concurrent access from several pods is needed, use a network storage type. In Azure, these translate into Azure Files (shared, over the network), Azure managed disks (SSD, single writer), dysk (preview), or blobfuse (preview).

Note that each node has a limit on how many disks it can have attached, and the node size also determines the storage throughput of the cluster. CPU and memory are the resource types to consider when choosing the node size, along with those disk limits. For more information, see the Azure VM documentation.

## Skill Readiness Plan

Develop the skills the adoption effort needs, in two stages:

**Plan**: acquire the skills needed to put together an actionable migration plan. This includes business justification and other required business-planning skills.

**Ready**: develop the skills needed to prepare the business, culture, people, and environment for the imminent changes.

As the organization paves the way for the AKS adoption effort, each team should document staff concerns as they arise by identifying:
- The type of concern. For example, workers might be resistant to the changes in job duties that come with the adoption effort.
- The impact if the concern isn't addressed. For example, resistance to adoption might result in workers being slow to execute the required changes.
- The area equipped to address the concern. For example, the best-equipped skill programme for technical concerns is the Certified Kubernetes Application Developer (CKAD) program:
  - The Certified Kubernetes Application Developer (CKAD) program was developed by the Cloud Native Computing Foundation (CNCF), in collaboration with The Linux Foundation, to help expand the Kubernetes ecosystem through standardized training and certification.
  - The Cloud Native Computing Foundation is committed to expanding the community of Kubernetes-knowledgeable application developers, enabling continued growth across the broad set of organizations using the technology.
  - Certification is a key step in that process, allowing certified application developers to quickly establish their credibility and value in the job market, while allowing companies to hire high-quality teams to support their growth.
  - The Certified Kubernetes Application Developer exam certifies that candidates can design, build, configure, and expose cloud native applications for Kubernetes.
  - A Certified Kubernetes Application Developer can define application resources and use core primitives to build, monitor, and troubleshoot scalable applications and tools in Kubernetes.
  - The successful candidate is comfortable with an OCI-compliant container runtime such as Docker or rkt, with cloud native application concepts and architectures, and with a programming language such as Python, Node.js, Go, or Java.
The certification program lets candidates demonstrate their competence in a hands-on, command-line environment. The purpose of the Certified Kubernetes Application Developer (CKAD) program is to provide assurance that CKADs have the skills, knowledge, and competency to perform the responsibilities of a Kubernetes application developer.

### Gap Plan

The items below are meant as inspiration when the gap plan is created.

- Enumerate the responsibilities that come with the digital transformation. Emphasize new responsibilities and existing responsibilities that are to be retired.

- Identify the area that aligns with each responsibility. For each new responsibility, check how closely it aligns with an area. Some responsibilities span several areas; that crossover is an opportunity for better alignment and should be documented as a concern. Where no area is identified as responsible, document the gap.

- Identify the skills necessary to support each responsibility, and check whether the enterprise has existing staff with those skills. Where it does not, determine the training programs or talent acquisition needed to fill the gaps, and the deadline by which each responsibility must be staffed to keep the digital transformation on schedule.

- Identify the roles that will exercise these skills. Some of the existing workforce will take on parts of these roles; in other cases entirely new roles may be necessary.

# Ready

To start the adoption of AKS, create a sandbox cluster to host the workloads that are planned to be built in or migrated to the cloud.
This involves the steps given in the AKS setup guide: following the best practices, creating the sandbox cluster, and then expanding the sandbox environment into production. The requirements are explained in detail in the [**linked prerequisites document**](https://github.com/faridabharmal/AKS_CAF_SolutionFactory/blob/master/TechnicalEnablement/AKS_Prerequisites.docx). Even a sandbox cluster should be created with the settings that can only be chosen at creation (Kubernetes RBAC, the network plugin, and the other creation-time options described above), because a sandbox that is later promoted to production keeps its original configuration.

## Organize

Adoption of cloud services (in this case AKS) cannot take place without well-organized people. Successful adoption is the result of a highly skilled workforce performing the given tasks in alignment with clearly defined business goals and in a well-managed environment. To deliver an effective cloud operating model, it is important to establish the right organizational structures. The approach outlined here helps establish and maintain them.

- **Organization alignment exercises:** the exercises act as a guide in the process of creating a landing zone to support adoption of Azure cloud services (AKS).

- **Structure type:** define the type of organizational structure that best fits the operating model.

- **Cloud capabilities:** understand the cloud capabilities required to adopt and operate the cloud.

- **Establish teams:** define the teams that will provide the various cloud capabilities. Several best-practice options are listed for reference.

- **RACI matrix:** clearly defined roles are an important aspect of any operating model. Use the provided RACI matrix to map responsible, accountable, consulted, and informed roles to each of the teams for the various functions of the cloud operating model.
## Resources

The Azure Cloud Adoption Framework includes tools that help in implementing technical change. These tools, templates, and assessments are used to accelerate cloud adoption. The Azure Cloud Adoption Framework resources can assist in each phase of adoption, and some of the tools and templates assist in multiple phases. The different aspects of the various resources are discussed in detail in the [**AKS Resources document**](https://github.com/faridabharmal/AKS_CAF_SolutionFactory/blob/master/TechnicalEnablement/AKS%20Resources.docx).

# Adopt

## Migrate

Any enterprise-scale cloud adoption plan will include workloads that do not warrant significant investment in the creation of new business logic. These workloads can be moved to the cloud through any number of approaches: lift and shift, lift and optimize, or modernize. Each of these approaches is considered a migration. The exercises will help establish the iterative processes to assess, migrate, optimize, secure, and manage those workloads.

In the process of migration one can choose either kubenet (basic) or Azure CNI (Container Network Interface) for networking. For more information, refer to the AKS Networking [document](https://docs.microsoft.com/en-us/azure/aks/concepts-network).

As the workloads are migrated, the cluster can be scaled manually, by using the Horizontal Pod Autoscaler (HPA) or the Cluster Autoscaler, or by bursting to Azure Container Instances (ACI) through the ACI integration with AKS. To learn more about each of the scaling methods, check the AKS Scale Concept [document](https://docs.microsoft.com/en-us/azure/aks/concepts-scale).

## Innovate

Once workloads are migrated, deployments can be fine-tuned by using AKS toolsets and best practices.
The lifecycle components include business value, using established guidelines and toolsets, best practices, and feedback loops during each iteration; together with the solutions under development, these offer a way for the teams to learn alongside customers. Fast and accurate feedback from the customers helps to test better, measure, learn, and ultimately reduce the time to market impact.

# Govern

Governance refers to a set of rules summarized as policies aimed at minimizing risk, controlling costs, and driving efficiency, transparency, and accountability for an environment. Managed services create new paradigms for the technologies that support the business. Cloud governance is an iterative process: as the digital estate changes over time, so do its governance processes and policies.

In order to provide granular filtering of the actions that users can perform, Kubernetes uses role-based access control (RBAC). This control mechanism allows one to assign users, or groups of users, permission to do things like create or modify resources, or view logs from running application workloads. These permissions can be scoped to a single namespace, or granted across the entire AKS cluster. With Kubernetes RBAC, roles are created to define permissions, and those roles are then assigned to users with role bindings.

Kubernetes workloads require a broad and robust governance and operational framework that can help the workforce gain visibility and control over these dynamic environments.

Azure Policy enforces and safeguards the clusters in a unified, consistent manner. It helps in managing and reporting the compliance state of the clusters.
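Both governance controls in this section, namespace-scoped RBAC and the pod security policy requirements discussed next, can be checked before a manifest ever reaches the cluster. The script below is an added example written for this page, not code from the AKS CAF Solution Factory repo: it uses grep-based pattern checks rather than a YAML parser, the two sample manifests are constructed, and the group name `app-devs`, the namespace `dev` and the image `example.azurecr.io/web:1.0.0` are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the AKS CAF Solution Factory repo: a grep-based
# lint for the two governance controls in this section, RBAC scope (cluster-wide
# bindings, cluster-admin, wildcards) and pod security policy requirements
# (privileged containers, hostPath storage, running as root). Run it on every
# manifest before kubectl apply; Azure Policy / admission control enforce on-cluster.
set -u

# lint_manifest FILE: prints one line per finding, returns the number of findings.
lint_manifest() {
  local file=$1 findings=0
  _hit() { printf 'FINDING [%s]: %s\n' "$file" "$1"; findings=$((findings + 1)); }
  # RBAC: permissions should be scoped to a namespace (Role + RoleBinding).
  grep -Eq '^kind:[[:space:]]*ClusterRoleBinding' "$file" \
    && _hit 'ClusterRoleBinding is cluster-wide; prefer a namespaced RoleBinding'
  grep -Eq '^[[:space:]]*name:[[:space:]]*cluster-admin[[:space:]]*$' "$file" \
    && _hit 'binds to cluster-admin'
  grep -Fq -e '"*"' -e "'*'" "$file" \
    && _hit 'wildcard in apiGroups/resources/verbs (YAML needs it quoted)'
  # Pod security: what a pod security policy would reject.
  grep -Eq '^[[:space:]]*privileged:[[:space:]]*true' "$file" \
    && _hit 'privileged container'
  grep -Eq '^[[:space:]]*hostPath:' "$file" \
    && _hit 'hostPath volume exposes the node filesystem'
  if grep -Eq '^[[:space:]]*containers:' "$file" \
     && ! grep -Eq '^[[:space:]]*runAsNonRoot:[[:space:]]*true' "$file"; then
    _hit 'runAsNonRoot: true not set'
  fi
  return "$findings"
}

# write_samples DIR: two constructed manifests (placeholder group name and image).
write_samples() {
  cat > "$1/risky.yaml" <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: devs-are-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: Group
  name: app-devs
---
apiVersion: v1
kind: Pod
metadata:
  name: debug-box
spec:
  containers:
  - name: shell
    image: busybox
    securityContext:
      privileged: true
  volumes:
  - name: root
    hostPath:
      path: /
EOF
  cat > "$1/hardened.yaml" <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-dev
  namespace: dev
rules:
- apiGroups: ["", "apps"]
  resources: ["pods", "pods/log", "deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-devs
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: app-dev
subjects:
- kind: Group
  name: app-devs   # with AKS Azure AD integration this is the AD group object ID
---
apiVersion: v1
kind: Pod
metadata:
  name: web
spec:
  securityContext:
    runAsNonRoot: true
  containers:
  - name: web
    image: example.azurecr.io/web:1.0.0   # placeholder
EOF
}

# Stand-alone demo: gate deployment on a clean lint, as a CI step would.
tmp=$(mktemp -d); write_samples "$tmp"
for f in "$tmp/risky.yaml" "$tmp/hardened.yaml"; do
  if lint_manifest "$f"; then echo "OK: $f"; else echo "BLOCKED: $f ($? findings)"; fi
done
rm -rf "$tmp"
```

The risky manifest binds a whole group to `cluster-admin` cluster-wide and schedules a privileged pod with the node's root filesystem mounted; the hardened one grants only the verbs the developers need on pods, pod logs and deployments inside the `dev` namespace, and the pod opts in to `runAsNonRoot`. A non-zero exit from `lint_manifest` is what a pipeline step should fail on.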
*In the AKS cluster, the pod security policy* is the controller solution which validates a pod specification against the defined requirements. These requirements limit the use of privileged containers, access to certain types of storage, or the user or group the container can run as. The ability to control what pods can be scheduled in the AKS cluster prevents some possible security vulnerabilities or privilege escalations, thus enabling a safe environment.

Containerized applications, with the help of a fully managed Kubernetes service that provides orchestration, are easy to deploy. Orchestration refers to automating many things at once, including deploying and starting the services; Kubernetes is the preferred orchestration platform. Containerization is one way to deploy and run an application anywhere without requiring an entire VM for each app. Application containerization provides efficiency, consistency, and version control. Developing a containerized application makes it possible to bring in automation via DevOps, i.e., CI/CD, which includes CI (Continuous Integration or Build Pipeline) and CD (Continuous Delivery or Release Pipeline), especially while leveraging cloud-native services.

## Automation of AKS deployments

AKS, as a managed Kubernetes container orchestration service, is ideal for simplifying the deployment and management of applications based on microservices. A Kubernetes cluster contains a master node and a set of worker nodes. Azure provides the following services to enable automation of the AKS cluster deployment:

[Azure Container Registry](https://azure.microsoft.com/en-in/services/container-registry/) is a managed, private Docker registry service based on the open source Docker Registry 2.0.
It allows one to build, store, and manage images for all types of container deployments.

[Azure DevOps](https://azure.microsoft.com/en-in/services/devops/) provides developer services to support teams to plan work, collaborate on code development, and build and deploy applications. It includes:

**[Azure Repos](https://azure.microsoft.com/en-in/services/devops/repos/):** It provides Git repositories or Team Foundation Version Control (TFVC) for source control of the code. Git in Azure Repos is standard Git. Public and private Git repositories can be created.

**[Azure Pipelines](https://azure.microsoft.com/en-in/services/devops/pipelines/):** A cloud service which can be used to automatically build and test code projects. It combines continuous integration (CI) and continuous delivery (CD) to constantly and consistently test and build code and send it to any target.

**[Azure Test Plans](https://azure.microsoft.com/en-in/services/devops/test-plans/):** Enables testing of the codebase using manual and exploratory testing tools.

**[Azure Artifacts](https://azure.microsoft.com/en-in/services/devops/artifacts/):** Create, host, and share packages with teams using Maven, npm, NuGet, and Python package feeds from public and private sources.

**[Azure Boards](https://azure.microsoft.com/en-in/services/devops/boards/):** Enables tracking of work with Kanban boards, backlogs, team dashboards, and custom reporting.

**Helm:** The goal of deployment automation is that each time a developer pushes a new commit to the app's source code, a new package is created during the CI pipeline, and that package is deployed during the CD pipeline.
The CI/CD pipelines are, in the end, a sequence of command lines; here [Helm](https://docs.microsoft.com/en-us/azure/aks/kubernetes-helm) plays a critical role in creating the deployment package(s).

[Azure DevOps](https://azure.microsoft.com/en-in/services/devops/) tools automatically take the updated code from a repository (Git/TFVC) to the dev/test and even production environments running on the AKS cluster with minimal manual intervention.

*Key benefits of the various Azure services*

- The Azure DevOps toolkit provides complete automation for application development, deployment, and maintenance on AKS.
- It simplifies server management, reduces complexity, and supports self-healing.
- It controls resource costs.

Alternatively, one can use automation with the Azure CLI in [Azure Cloud Shell](https://azure.microsoft.com/en-us/features/cloud-shell/) to build the AKS cluster, but this will be a time-consuming process. The CLI should ideally be used to interact with the AKS cluster for checking and managing its health.

# Manage

The operation of the digital assets that deliver tangible business outcomes needs to be managed. Without a plan for reliable, well-managed operations of the deployed workloads, these efforts will not yield any significant value. The following help in developing the technical approaches that are necessary to provide the cloud management that powers the operations. The different considerations are given below:

- **Multi-tenancy:** This is a common architecture for organizations that have multiple applications running in the same environment. The various practices implemented by the operator to configure the AKS clusters in this scenario include logical isolation and the usage of pod disruption budgets.
It also comprises employing taints and node selectors while integrating with Azure AD.

- **Security:** In order to minimize the risk to the workloads, various exercises need to be put in place. These comprise securing access to the API server, managing upgrades, limiting credential exposure, protecting the automated builds against threats, and reducing container access.

- **Network & Storage:** The different applications need to be stored as well as connected accordingly. The exercises that can be performed consist of choosing among the various network models, usage of ingress and web application firewalls, choosing the appropriate storage type, dynamically provisioning volumes, and data backups.

- **Development Experience:** The developer can streamline and outline the application performance needs by enabling a few practices. These practices consist of defining pod resource limits and configuring development tools while securing access to the digital key vaults.

For more information about the different practices that can be implemented to create a seamless experience, refer to the [AKS best practices document](https://github.com/faridabharmal/AKS_CAF_SolutionFactory/blob/master/TechnicalEnablement/AKS_Best%20practices.docx).

# AKS Migration Best Practices

## Groups of Users / Personas

There are many types of workers within the same departments, and it is of vast importance to classify them correctly if optimized AKS workloads are to be deployed successfully. Furthermore, begin with outlining the number of seats that is required, based on the user groups.
Examples of user groups could be:

- Frontline workers
- Core engineers
- Office staff
- Remote workers

Then analyze the core application and data usage that is required by the user groups in order to remain productive. Requirements could include data security: if they are handling sensitive data, it is important to take the necessary precautions. Taking all these requirements into consideration, decide how each group of users connects to their sessions.

## Licensing and Entitlements

To interact with Azure APIs, an AKS cluster requires either an Azure Active Directory (AD) service principal or a managed identity. A service principal or managed identity is required to dynamically create and manage other Azure resources such as an Azure load balancer or container registry (ACR).

## Pricing

Azure Kubernetes Service (AKS) is a free container service that simplifies the deployment, management, and operations of Kubernetes as a fully managed container orchestration service. Paying only for the virtual machines, associated storage, and networking resources consumed makes AKS the most efficient and cost-effective container service in the market.

- Free cluster management
- There is no charge for cluster management.
- Pricing for nodes: only pay for what is used

To estimate the cost of the required resources, refer to the Container Services calculator.

## Business Continuity and Disaster Recovery

As clusters are managed in Azure Kubernetes Service (AKS), application uptime becomes a critical parameter. By default, AKS provides high availability by using multiple nodes in a Virtual Machine Scale Set (VMSS). But these multiple nodes do not protect the system from a region failure.
To maximize the uptime, plan in advance to maintain business continuity and prepare for disaster recovery.

This plan for business continuity and disaster recovery in AKS includes:

- Plan for AKS clusters in multiple regions
- Route traffic across multiple clusters by using Azure Traffic Manager
- Use geo-replication for the container image registries
- Plan for application state across multiple clusters
- Replicate storage across multiple regions

--------------------------------------------------------------------------------
/TechnicalEnablement/AKS_Best practices.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/AKS_CAF_SolutionFactory/6987c23a6276d59511b2cc35cb0ef8644045568e/TechnicalEnablement/AKS_Best practices.docx
--------------------------------------------------------------------------------
/TechnicalEnablement/AKS_CAF_DevOps_Project_TaskList.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/AKS_CAF_SolutionFactory/6987c23a6276d59511b2cc35cb0ef8644045568e/TechnicalEnablement/AKS_CAF_DevOps_Project_TaskList.zip
--------------------------------------------------------------------------------
/TechnicalEnablement/AKS_CAF_Governance_Security_Policy.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/AKS_CAF_SolutionFactory/6987c23a6276d59511b2cc35cb0ef8644045568e/TechnicalEnablement/AKS_CAF_Governance_Security_Policy.xlsx
--------------------------------------------------------------------------------
/TechnicalEnablement/AKS_CAF_Project_TaskList.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/AKS_CAF_SolutionFactory/6987c23a6276d59511b2cc35cb0ef8644045568e/TechnicalEnablement/AKS_CAF_Project_TaskList.xlsx
--------------------------------------------------------------------------------
/TechnicalEnablement/AKS_Decision Tree.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/AKS_CAF_SolutionFactory/6987c23a6276d59511b2cc35cb0ef8644045568e/TechnicalEnablement/AKS_Decision Tree.docx
--------------------------------------------------------------------------------
/TechnicalEnablement/AKS_Prerequisites.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/AKS_CAF_SolutionFactory/6987c23a6276d59511b2cc35cb0ef8644045568e/TechnicalEnablement/AKS_Prerequisites.docx
--------------------------------------------------------------------------------
/TechnicalEnablement/CAF-Application Gateway Ingress Controller.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/AKS_CAF_SolutionFactory/6987c23a6276d59511b2cc35cb0ef8644045568e/TechnicalEnablement/CAF-Application Gateway Ingress Controller.docx
--------------------------------------------------------------------------------
/TechnicalEnablement/README.md:
--------------------------------------------------------------------------------
# Technical Enablement

These docs are designed to walk you through the technical enablement for creating an [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/) Practice aligned to the [Cloud Adoption Framework](https://azure.microsoft.com/en-us/cloud-adoption-framework/).
## Sections

- [Getting Started](aks-getting-started.md)
- [AKS Adoption](AKS-adoption-aligned-to-cloud-adoption-framework.md)
- [Decision Tree](aks-decision-tree.md)
- [Application Gateway Ingress Controller](aks-appgw-ingress-controller.md)
- [Resources](aks-resources.md)

--------------------------------------------------------------------------------
/TechnicalEnablement/aks-appgw-ingress-controller.md:
--------------------------------------------------------------------------------
# Application Gateway Ingress Controller

The Application Gateway Ingress Controller (AGIC) enables exposing applications running within AKS to the Internet by leveraging Azure's native Application Gateway L7 load balancer. AGIC monitors the Kubernetes cluster on which it is hosted and continuously updates an Application Gateway so that selected services are exposed to the Internet. The most notable features are:

- URL routing
- Cookie-based affinity
- Secure Sockets Layer (SSL) termination
- End-to-end SSL
- Support for public, private, and hybrid web sites
- Integrated web application firewall

The App Gateway Ingress Controller architecture looks as follows. The Ingress resource, as defined in a YAML file, specifies routing rules. The App Gateway Ingress Controller runs as a pod that takes the Ingress resource and configures the Azure App Gateway so that ingress traffic can go to the appropriate application and pods. AGIC needs to have the appropriate permission to configure the App Gateway.

![](media/appgw-ingress-controller.png)

The Application Gateway Ingress Controller can achieve up to 50 percent lower network latency than in-cluster ingress controllers. App Gateway can be shared with other Azure resources such as a VM and/or Azure App Service, which makes it more cost effective.
--------------------------------------------------------------------------------
/TechnicalEnablement/aks-decision-tree.md:
--------------------------------------------------------------------------------
# Decision Tree

## [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale)

- Why
  - HPA changes the shape of your Kubernetes workload by automatically increasing or decreasing the number of Pods in response to the workload's CPU or memory consumption, or in response to custom metrics reported from within Kubernetes or external metrics from sources outside of your cluster.
- Alternatives
  - Manually or programmatically monitor and alert on pod CPU utilization or [custom metrics](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics) and adjust the [ReplicaSet](https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/) via the Kubernetes API.
- Limitations
  - Do not use HPA together with Vertical Pod Autoscaling (VPA) on CPU or memory. However, you can use HPA with VPA if HPA evaluates metrics other than CPU or memory.
  - If you have a Deployment, don't configure HPA on the ReplicaSet or Replication Controller backing it. When you perform a rolling update on the Deployment or Replication Controller, it is effectively replaced by a new Replication Controller. Instead, configure HPA on the Deployment itself.
  - HPA cannot be used for workloads that cannot be scaled, such as DaemonSets.

## Cluster Autoscaler

- Why
  - The Kubernetes Cluster Autoscaler automatically adjusts the number of nodes in your cluster when pods fail to launch due to lack of resources, or when nodes in the cluster are underutilized and their pods can be rescheduled onto other nodes in the cluster. When demand is high, the cluster autoscaler adds nodes to the node pool.
When demand is low, the cluster autoscaler scales back down to a minimum size that you designate. This can increase the availability of your workloads when you need it, while controlling costs.
- Limitations
  - Local PersistentVolumes.
  - Scaling up a node group of size 0 for Pods requesting resources beyond CPU, memory, and GPU (e.g. ephemeral-storage).
  - Cluster autoscaler supports up to 5000 nodes running 30 Pods each. For more details on scalability guarantees, refer to the [Scalability report](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/proposals/scalability_tests.md).
  - When scaling down, cluster autoscaler honors a graceful termination period of 10 minutes for rescheduling the node's Pods onto a different node before forcibly terminating the node.
  - Occasionally, cluster autoscaler cannot scale down completely and an extra node exists after scaling down. This can occur when required system Pods are scheduled onto different nodes, because there is no trigger for any of those Pods to be moved to a different node. See [I have a couple of nodes with low utilization, but they are not scaled down. Why?](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#i-have-a-couple-of-nodes-with-low-utilization-but-they-are-not-scaled-down-why). To work around this limitation, you can configure a [Pod disruption budget](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/).
  - Custom scheduling with altered Filters is not supported.
- Considerations
  - Enable [logging of the Cluster Autoscaler](https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler#retrieve-cluster-autoscaler-logs-and-status) so you can understand why it is autoscaling, or not.
- Alternatives
  - Manually or programmatically monitor and alert on Kubernetes scheduler failures or node CPU/RAM utilization and [adjust the node count](https://docs.microsoft.com/en-us/azure/aks/scale-cluster) via the Azure CLI or Azure Portal.

## CNI (vs kubenet)

- Why
  - Kubenet is a very basic, simple network plugin, on Linux only. It does not, of itself, implement more advanced features like cross-node networking or network policy. It is typically used together with a cloud provider that sets up routing rules for communication between nodes, or in single-node environments.
  - With kubenet, nodes get an IP address from the Azure Virtual Network subnet. Pods receive an IP address from a logically different address space (the pod CIDR, Classless Inter-Domain Routing range) than the Azure Virtual Network subnet of the nodes. Network address translation (NAT) is then configured so that the pods can reach resources on the Azure Virtual Network. The source IP address of the traffic is NAT'd to the node's primary IP address. NAT is a Layer 3 operation. This approach greatly reduces the number of IP addresses that you need to reserve in your network space for pods to use.

- [Alternatives](https://docs.microsoft.com/en-us/azure/aks/concepts-network#compare-network-models)

  - Use kubenet when:

    - You have limited IP address space.
    - Most of the pod communication is within the cluster.
    - You don't need advanced AKS features such as virtual nodes or Azure Network Policy. Use Calico network policies.

  - Use Azure CNI when:

    - You have available IP address space.
    - Most of the pod communication is to resources outside of the cluster.
    - You don't want to manage the UDRs.
    - You need AKS advanced features such as virtual nodes or Azure Network Policy. Use Calico network policies.
    - You need a node pool for Windows containers.
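To make the "limited IP address space" criterion concrete, the following added example (not part of the decision tree document) budgets VNet subnet addresses for both plugins. The Azure CNI sizing formula is the one given in the AKS networking documentation: every node and every pod takes a subnet address, with one extra node for surge upgrades. That kubenet also needs that one spare node address, and that it hands each node a /24 of the pod CIDR, are stated here as assumptions; the 50-node, 30-pods-per-node input is constructed.

```shell
#!/usr/bin/env bash
# Added example for the kubenet vs Azure CNI decision (not from the repo).
# Azure CNI: every node AND every pod takes a VNet subnet address, plus one
#            spare node for surge upgrades:  (nodes + 1) + (nodes + 1) * max_pods
# kubenet:   only nodes take subnet addresses (+1 surge node, assumption); pods
#            come from the separate pod CIDR, a /24 per node (assumption).
# Azure reserves 5 addresses in every subnet, and the smallest subnet is a /29.
set -u

# Subnet addresses needed for Azure CNI: NODES MAX_PODS_PER_NODE
cni_ips_required() { echo $(( ($1 + 1) * ($2 + 1) )); }

# Subnet addresses needed for kubenet: NODES
kubenet_ips_required() { echo $(( $1 + 1 )); }

# Nodes a kubenet pod CIDR of prefix length BITS can serve when each gets a /24
kubenet_max_nodes() { echo $(( 1 << (24 - $1) )); }

# Smallest subnet (largest prefix length) whose usable size 2^(32-p) - 5 >= NEED
subnet_prefix_for() {
  local need=$1 p=29
  while [ "$p" -ge 8 ]; do
    if [ $(( (1 << (32 - p)) - 5 )) -ge "$need" ]; then
      echo "$p"
      return 0
    fi
    p=$((p - 1))
  done
  return 1   # does not even fit in a /8
}

# Side-by-side plan for one node pool: NODES MAX_PODS [POD_CIDR_BITS]
plan_networking() {
  local nodes=$1 max_pods=$2 bits=${3:-16} cni kube
  cni=$(cni_ips_required "$nodes" "$max_pods")
  kube=$(kubenet_ips_required "$nodes")
  printf '%-10s %-12s %-7s %s\n' PLUGIN SUBNET_IPS PREFIX NOTES
  printf '%-10s %-12s /%-6s %s\n' azure-cni "$cni" "$(subnet_prefix_for "$cni")" \
    "pods are VNet endpoints (no NAT); needed for Azure Network Policy, virtual nodes, Windows pools"
  printf '%-10s %-12s /%-6s %s\n' kubenet "$kube" "$(subnet_prefix_for "$kube")" \
    "pods NAT'd behind node IPs; pod CIDR /$bits serves at most $(kubenet_max_nodes "$bits") nodes"
}

# Constructed input: a 50-node pool at the Azure CNI default of 30 pods per node.
plan_networking 50 30 16
```

For the constructed input, Azure CNI needs 1581 subnet addresses (a /21) where kubenet needs 51 (a /26); the price of the smaller subnet is NAT for pod traffic and the loss of the Azure CNI-only features listed above. Running out of subnet addresses stops new pods from scheduling, so the subnet should be sized for the autoscaler's maximum node count, not the initial one.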
## [Azure Monitor for Containers](https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-overview)

- Why

  - Azure Monitor for containers collects a lot of data to effectively monitor Kubernetes clusters, giving full observability into your applications, infrastructure, and network. It provides sophisticated tools for collecting and analyzing telemetry that allow you to maximize the performance and availability of your cloud and on-premises resources and applications.

  - Store and analyze operational telemetry with an advanced analytics engine and interactive query language; configure charts, dashboards, alerting, and the [triggering](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/action-groups#create-an-action-group-by-using-the-azure-portal) of Automation Runbooks, Azure Functions, Email Azure Resource Manager Role, Email/SMS/Push/Voice, ITSM, Logic Apps, Secure Webhooks, and Webhooks.

- Alternatives

  - There are a wide range of other tools to consider:

    - [Loki](https://grafana.com/oss/loki/) - a horizontally-scalable, highly-available, multi-tenant log aggregation system inspired by Prometheus.
    - [Prometheus](https://prometheus.io/docs/introduction/overview/) - an open-source systems monitoring and alerting toolkit.
    - [Grafana](https://grafana.com/grafana/) - allows you to query, visualize, alert on, and understand your metrics no matter where they are stored. Create, explore, and share dashboards with your team and foster a data-driven culture.
    - Splunk
    - Journald

- Logging considerations
  - Why
    - Diagnostic logs should be enabled when needed, as excessive logging can hurt performance.
    - However, we recommend enabling logging for the following components:
      - [Cluster Autoscaler](https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler#retrieve-cluster-autoscaler-logs-and-status) - understand why it is autoscaling, or not
      - [KubeControllerManager](https://kubernetes.io/docs/tasks/debug-application-cluster/debug-cluster/#master) - visibility into the replication controller and any impact of using Azure Policy

--------------------------------------------------------------------------------
/TechnicalEnablement/aks-getting-started.md:
--------------------------------------------------------------------------------
- [Prerequisites:](#prerequisites)
  - [Register required resources in the subscription](#register-required-resources-in-the-subscription)

# Prerequisites:

1. An [Azure](https://azure.microsoft.com/en-us/) account with a [subscription](https://theithollow.com/2016/07/11/azure-subscriptions/)
2. [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest) installed and configured
3. Kubernetes command-line tool [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) installed
4. Lastly, make sure the Azure subscription you use has the following required resource providers registered: Storage, Compute, Networking, and ContainerService

## Register required resources in the subscription

Go to the subscription page by clicking on the "All services" link (1) in the top-left panel, then click on the "Subscriptions" link (2). You can see the steps indicated in the screenshot below.

![](media/prereq-register-resources-1.png)

Select the subscription in which to create the AKS cluster.

![](media/prereq-register-resources-2.png)

Scroll down and click on the "Resource providers" link to register or review the resources needed.
![](media/prereq-register-resources-3.png)

Search (1) for the resource providers listed before: Storage, Compute, Networking, and ContainerService. If one is not registered, click on the "Register" (2) link and wait.

![](media/prereq-register-resources-4.png)

There are two methods that can be followed, which are given below:

Method 1: Creating an AKS/Azure Container Service cluster using the Azure Portal

It is recommended to check the official AKS documents before proceeding further.

1. Create a new Azure resource

Go to your Azure portal and in the top-left panel, click the "Create a resource" (1) button. Then select "Containers" (2) and click on the "Kubernetes Service" (3) link.

![](media/prereq-register-resources-5.png)

2. Fill in the Basics configuration:

![](media/prereq-register-resources-6.png)

Choose your subscription and use an existing resource group, or, for our purposes, create a new one. A resource group is a way for Azure to keep all the related resources together so that you can make templates, share permissions and policies, or clean out everything by simply deleting the resource group. So choose "Create new" and name it; I put "coolapp" (2).

Choose a name for the cluster; I went with "coolk8s" (3). Choose a region where the cluster should be created (4). Ideally, it should be one that's physically near your users (so if your users are based in the US, you want to create your cluster in a US region).

Select the latest version of Kubernetes (5) for the cluster. Then, write a DNS name (6) to identify your cluster. This should be unique across all Azure users, so if you're getting an error, it could be because someone else has already chosen the name you are trying to use.
Go to the "Authentication" tab to see this:

![](media/prereq-register-resources-7.png)

Azure has made the service principal integration simpler; if you're just starting out, you can leave this option on its default. A [service principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-objects) is needed so that AKS can interact securely with Azure to create resources like load balancers. Kubernetes services will sometimes need to be configured as load balancers, so AKS will create a real load balancer from Azure. In case you want to have more control and reuse a service principal, you can [create your own, too](https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal).

Now it's time to select which type of instance the cluster will use. You might see an error screen like this:

![](media/prereq-register-resources-8.png)

If you are getting an error, it happened to me, too. Don't worry, it doesn't necessarily mean that you are doing something wrong; it might just be because your subscription has some limitations. It could also mean that you have reached the instance limit, or that creating the cluster will put you over the limit. All you need to do to get rid of the error message is click on the "Change size" link and choose a different instance type.

Node Size:

When I was creating my cluster, I was having problems and I didn't know why. Azure support guys are amazing, seriously: DM them and they will help you. Otherwise, you can post your question on Stack Overflow and the community there will help you. I was having problems while creating the cluster because I was using a small instance for AKS, which can cause an error. According to the support guys, in this scenario one would need to select an instance with at least 3.5 GB of memory.
Otherwise the cluster won't come up and you'll see weird errors.

Even if you don't hit this error, let's change the size so that you don't spend too much on this test. The following screen should appear:

![](media/prereq-register-resources-9.png)

Type "a2" (1) so that the **Standard A2_v2** instance type appears, and click it. Next, click the blue "Select" (2) button. It will take you back to the previous screen.

![](media/prereq-register-resources-10.png)

Set the "Node count" option to 2. Once done, click the "Next: Networking" button.

3. Fill in the networking configuration

Networking is one of the most important things to configure when you start integrating services, or if you want to create a VPN tunnel. This is where you need to avoid any networking conflict with the Kubernetes nodes that AKS configures. Click on the "Networking" tab. You should now see this screen:

![](media/prereq-register-resources-11.png)

You can leave this section at its defaults and continue, but in case you want to do something specific with networking, a few things are worth explaining.

Start with HTTP application routing (1). When you create a Kubernetes "LoadBalancer" service type, a public IP address is assigned to you. At some point you might have problems creating a new service because you've reached an Azure [limit](https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits). Kubernetes has "a collection of rules that allow inbound connections to reach the cluster services" called Ingress, as described in the [official docs](https://kubernetes.io/docs/concepts/services-networking/ingress/).
Ingress allows you to have SSL termination and DNS endpoints for your services.

If you want to dive deeper into the subject, you can [check out this post](https://pascalnaber.wordpress.com/2017/10/27/configure-ingress-on-kubernetes-using-azure-container-service/).

For the networking configuration (2), choose "Basic" for now and let Azure configure the networking for you. This is where you define the network ranges from which IPs are allocated, usually expressed as [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) blocks. This section is crucial for avoiding network conflicts with your on-prem network or other network resources in Azure. Click the "Next: Monitoring" button to continue.

4. Fill in the monitoring configuration

There's not a lot for me to say in this section other than, "This is freaking awesome!"

By default, AKS gives you metrics about the performance of the cluster, and if you choose to (which I highly recommend), you can also get performance metrics for containers and the logs you need to troubleshoot. These monitoring features are extremely useful when you are integrating [APM](https://stackify.com/avoid-apm-vanity-metrics/) into your application.

![](media/prereq-register-resources-12.png)

If you'd like to get an idea of what your monitoring results might look like, take a look at this document. Let's not worry about the tags section for now, so click the blue "Review + create" button to continue.

5. Review and create

We're almost there!

Azure will start creating the service principal and validate the information you have entered. The following screen should appear:

![](media/prereq-register-resources-13.png)

Click the blue "Create" button to create the cluster.
Now's the time to pause and refill your cup with fresh coffee. It will take a little time for Azure to finish creating the cluster; mine took twenty minutes.

![](media/prereq-register-resources-14.png)

Congratulations! You've created a managed Kubernetes cluster in Azure.

Method 2: Creating an Azure Container Service cluster using the command line

The UI has been changing all the time, but the command line has stayed pretty constant. The GUI is valuable because it gives us a chance to understand visually how the cluster is created. On the other hand, using the CLI helps you automate the process or use tools like [Terraform](https://stackify.com/setup-an-elasticsearch-cluster-on-azure-w-terraform/).

Before we start creating the cluster using the command line, make sure you have all of the prerequisites described above. Also, if you created a cluster using the portal in the previous steps, make sure you delete it or change the names of the resources in the commands you run.

1. Create a new resource group

As I said before, a resource group is a way for Azure to keep all related resources together so that you can make templates, share permissions and policies, or clean out everything by simply deleting the resource group. Run the following command to create it:

`az group create --name coolapp --location eastus`

2. Create the AKS cluster

Run the following command to create the cluster:

`az aks create --resource-group coolapp --name coolk8s --node-count 2 --node-vm-size Standard_A2_v2 --generate-ssh-keys`

So what exactly did we just do? The parameters used are explained below:

- **--resource-group** is the name of the resource group we just created.
- **--name** is the name that identifies the cluster.
- **--node-count** is the number of nodes we want for our cluster.
- **--node-vm-size** is the name of the instance type we choose. It's better to be specific here to avoid problems with the limits of our subscription.
- **--generate-ssh-keys** generates SSH keys on your local machine so it's easier for you to connect to any node if need be.

Specifying only those arguments means that Azure uses the default values for things like networking and monitoring that we saw when creating the cluster in the portal. Let's keep it simple for now, but if you want to explore the other arguments, take a look at the [docs](https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-create).

In the meantime, Azure will create the cluster. Mine took twenty minutes or so to finish. And that's it! You created the cluster with just two commands. Now let's make sure the cluster is actually working.

Accessing the Kubernetes UI locally

Whether you created the cluster using the portal, the command line, or both, the following instructions work to access the Kubernetes dashboard. You need the latest version of the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest) and [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) installed and configured.

1. Download cluster credentials

Start by downloading the cluster credentials to your computer by running this command:

`az aks get-credentials --resource-group=coolapp --name=coolk8s`

Specify the resource group with the **--resource-group** parameter and the name of the cluster with the **--name** parameter.
This makes it easy to toggle between different Kubernetes clusters that you've connected to previously (for example, a local version of Kubernetes).

2. Browse the cluster

Run the following command. A new browser tab or window will open with the Kubernetes dashboard automatically.

`az aks browse --resource-group coolapp --name coolk8s`

Wait a few more seconds, and the Kubernetes dashboard will appear:

![](media/prereq-register-resources-15.png)

If your screen looks like this one, congratulations! That means your cluster works and you can connect to it with ease.

Clean up your resources

Delete the AKS cluster by running the following command and then confirming the delete:

`az aks delete --resource-group coolapp --name coolk8s`

It will take some time to finish, but keep an eye on the result of the command. The cluster might not be deleted, and you'll end up [paying](https://azure.microsoft.com/en-us/pricing/details/container-service/) until you delete it.
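The Method 2 commands and this clean-up step, as an added example script that is not part of this repository: it wraps `az group create`, `az aks create` and `az aks delete` with the checks the notes above call for (the 3.5 GB node memory floor, a Ready-node count after `get-credentials`, and a poll after the delete so you do not keep paying for a cluster that was not really removed). It assumes the Azure CLI's `az vm list-sizes` for the memory lookup and `az aks delete --yes`; the variable names, the poll interval and the sample node listing are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not part of this repository: the two az commands from the
# guide above, wrapped in the checks a practitioner wants around them:
#   1. the node VM size meets the 3.5 GB memory floor noted in Method 1,
#   2. after get-credentials, every requested node reports Ready,
#   3. after `az aks delete`, the cluster really is gone (a failed delete
#      keeps billing).
# The helper functions read their input from stdin or arguments, so they can
# be exercised offline; only create_cluster and delete_and_confirm call az
# and kubectl. Variable names and the poll interval are my own choices.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-coolapp}"
CLUSTER_NAME="${CLUSTER_NAME:-coolk8s}"
LOCATION="${LOCATION:-eastus}"
NODE_COUNT="${NODE_COUNT:-2}"
NODE_VM_SIZE="${NODE_VM_SIZE:-Standard_A2_v2}"
MIN_MEMORY_MB=3584   # 3.5 GB, the floor this guide reports for AKS nodes

# memory_ok MEMORY_MB: succeed if the size has at least MIN_MEMORY_MB.
# MEMORY_MB is the memoryInMb value reported by `az vm list-sizes`.
memory_ok() {
  case "${1:-}" in ''|*[!0-9]*) return 2 ;; esac   # not a number: reject
  [ "$1" -ge "$MIN_MEMORY_MB" ]
}

# ready_nodes: read `kubectl get nodes --no-headers` output on stdin and
# print how many nodes have STATUS exactly "Ready". "NotReady" and
# "Ready,SchedulingDisabled" (cordoned) are deliberately not counted.
ready_nodes() {
  awk '$2 == "Ready" { n++ } END { print n + 0 }'
}

# cluster_listed NAME: read `az aks list --query [].name -o tsv` output on
# stdin; succeed if NAME is still present, fail once it has gone.
cluster_listed() {
  grep -qx -- "$1"
}

# Constructed sample of `kubectl get nodes --no-headers` output (not from a
# real cluster), used by the offline self-check below.
SAMPLE_NODES='aks-nodepool1-0  Ready      agent  12m  v1.18.14
aks-nodepool1-1  NotReady   agent  12m  v1.18.14'

self_check() {
  [ "$(printf '%s\n' "$SAMPLE_NODES" | ready_nodes)" = "1" ] &&
    memory_ok 4096 && ! memory_ok 2048 &&
    printf 'coolk8s\n' | cluster_listed coolk8s
}

create_cluster() {
  local mem
  mem="$(az vm list-sizes --location "$LOCATION" \
           --query "[?name=='$NODE_VM_SIZE'].memoryInMb" -o tsv)"
  if ! memory_ok "$mem"; then
    echo "$NODE_VM_SIZE has ${mem:-unknown} MB; need >= $MIN_MEMORY_MB MB" >&2
    return 1
  fi
  az group create --name "$RESOURCE_GROUP" --location "$LOCATION" -o none
  az aks create --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" \
    --node-count "$NODE_COUNT" --node-vm-size "$NODE_VM_SIZE" \
    --generate-ssh-keys -o none
  az aks get-credentials --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME"
  local ready
  ready="$(kubectl get nodes --no-headers | ready_nodes)"
  if [ "$ready" -ne "$NODE_COUNT" ]; then
    echo "only $ready of $NODE_COUNT nodes are Ready" >&2
    return 1
  fi
  echo "cluster $CLUSTER_NAME is up with $ready Ready nodes"
}

# Delete, then poll (up to 30 x 20 s) until the cluster is no longer listed.
delete_and_confirm() {
  az aks delete --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" --yes
  local i=0
  while [ "$i" -lt 30 ]; do
    if ! az aks list --resource-group "$RESOURCE_GROUP" --query "[].name" -o tsv |
         cluster_listed "$CLUSTER_NAME"; then
      echo "cluster $CLUSTER_NAME deleted"
      return 0
    fi
    sleep 20; i=$((i + 1))
  done
  echo "cluster $CLUSTER_NAME is still listed; check the portal before you stop" >&2
  return 1
}

case "${1:-check}" in
  create) create_cluster ;;
  delete) delete_and_confirm ;;
  *)      self_check && echo "offline self-check passed" ;;
esac
```

Run it as `./aks-cluster.sh create` or `./aks-cluster.sh delete`; with no argument it only runs the offline self-check.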
If you want to delete the resource group as well, run this command:

`az group delete -n coolapp`
-------------------------------------------------------------------------------- /TechnicalEnablement/aks-resources.md: --------------------------------------------------------------------------------
# AKS Resources

- [AKS Resources](#aks-resources)
  - [**Visual Studio Code**](#visual-studio-code)
  - [**Docker for Windows**](#docker-for-windows)
  - [Minikube](#minikube)
  - [**Command Line Interface (CLI)**](#command-line-interface-cli)
    - [Docker](#docker)
    - [Docker Compose](#docker-compose)
    - [Minikube](#minikube-1)
    - [Kubectl](#kubectl)
    - [Helm](#helm)
    - [Git](#git)
    - [Azure CLI](#azure-cli)
    - [**VS Code Extension** : **Azure Resource Manager Tools**](#vs-code-extension--azure-resource-manager-tools)
    - [**VS Code Extension** : Kubernetes](#vs-code-extension--kubernetes)
    - [Skaffold](#skaffold)
    - [Istio as a service mesh](#istio-as-a-service-mesh)
    - [Prometheus for monitoring](#prometheus-for-monitoring)

The machine operating system is Windows 10.

## [**Visual Studio Code**](https://code.visualstudio.com/docs)

Lightweight but powerful source code editor. Free.
[https://code.visualstudio.com/download](https://code.visualstudio.com/download)

This tool is recommended because it is very lightweight, very popular in the general developer community (not just Microsoft-centric communities), and has a rich set of plugin extensions. Alternatively, use any code editor you choose, including the latest version of [Visual Studio](https://visualstudio.microsoft.com/), which has richer capabilities.
## [**Docker for Windows**](https://docs.docker.com/docker-for-windows/)

Docker is a full development platform to build, run, and share containerized applications. Docker Desktop is the best way to get started with Docker on a Windows machine.

![](media/docker-desktop.png)

Docker Desktop has Kubernetes [integrated](https://www.docker.com/blog/docker-windows-desktop-now-kubernetes/), so you get a simple local Kubernetes cluster.

![](media/docker-kubernetes.png)

Docker for Windows is the main starting point for a developer to build and test containerized applications on a local machine.

## [Minikube](https://github.com/kubernetes/minikube)

Minikube implements a local Kubernetes cluster on macOS, Linux, and Windows. minikube's primary goals are to be the best tool for local Kubernetes application development and to support all Kubernetes features that fit.

This is an alternative to Docker Desktop's out-of-the-box Kubernetes cluster. I found it initially tricky to install and set up, especially with the Hyper-V virtual switch on my Windows 10 machine. This is solely for local development scenarios and not production. I tried this setup on an Azure VM and I don't think it is supported well, so don't bother trying.

## **Command Line Interface (CLI)**

CLIs are text-based interfaces to execute commands against an application or system.

### [Docker](https://docs.docker.com/engine/reference/commandline/cli/)

This is installed as part of Docker for Windows.
Here is a [Docker cheat sheet](https://www.docker.com/sites/default/files/d8/2019-09/docker-cheat-sheet.pdf).

Example commands:

Build an image from the Dockerfile in the current directory (the trailing `.` is the build context):
`docker build -t helloworldimage:1.0 .`

Run a container from the image, publishing container port 80 on host port 5000:
`docker container run --name myApp -p 5000:80 helloworldimage:1.0`

### [Docker Compose](https://docs.docker.com/compose/)

Compose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application's services. I typically use this for testing the app locally; it is optional as part of the Kubernetes app lifecycle.

Compose has commands for managing the whole lifecycle of your application:

- Start, stop, and rebuild services
- View the status of running services
- Stream the log output of running services
- Run a one-off command on a service

Example command:

Start and run your multi-container app based on the YAML file in the current directory:
`docker-compose up`

### [Minikube](https://minikube.sigs.k8s.io/docs/examples/)

Minikube has its own CLI.

Example commands:

Start a cluster:
`minikube start`

Access the Kubernetes Dashboard running within the minikube cluster:
`minikube dashboard`

Open a service's exposed endpoint in your browser (here the `hello-minikube` service from the minikube examples):
`minikube service hello-minikube`

### [Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl-on-windows)

Helps manage and configure a Kubernetes cluster, including Azure Kubernetes Service (AKS).
For the commands cheat sheet, read [https://kubernetes.io/docs/reference/kubectl/cheatsheet/](https://kubernetes.io/docs/reference/kubectl/cheatsheet/).

Example commands:

List all services in the current namespace:
`kubectl get services`

Show pods:
`kubectl get pods`

Create or update Kubernetes resources from a manifest:
`kubectl apply -f ./my-manifest.yaml`

Knowing kubectl is core to being a Kubernetes developer or engineer.

### [Helm](https://helm.sh/)

Helm helps you manage Kubernetes applications: Helm Charts help you define, install, and upgrade even the most complex Kubernetes application. Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources.

Use Helm to:

- Find and use popular software packaged as Helm Charts to run in Kubernetes
- Share your own applications as Helm Charts
- Create reproducible builds of your Kubernetes applications
- Intelligently manage your Kubernetes manifest files
- Manage releases of Helm packages

Helm is integral to packaging your applications for deployment. It is fairly easy to work with, though you have to understand its syntax, and it is really useful for deploying freely available applications; a good example is the NGINX ingress controller when setting up a Kubernetes cluster.

### [Git](https://git-scm.com/)

For source control management. This is a standard tool these days.

### [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/get-started-with-azure-cli?view=azure-cli-latest)

Designed to get you working quickly and efficiently with Azure services, with an emphasis on automation.

For managing Azure Kubernetes, most examples lean towards Azure CLI rather than Azure PowerShell. They both work well.
You can find the Azure AKS related commands at [https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest](https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest).

Example command:

Creating an AKS cluster

```
az aks create -g MyResourceGroup -n MyManagedCluster --kubernetes-version 1.13.9 --vm-set-type AvailabilitySet
```

[ARM Templates](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/overview)

To implement infrastructure as code for your Azure solutions, use Azure Resource Manager templates. The template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. Typically, once you have built your AKS cluster manually and have a good idea of the settings and relationships with other Azure resources such as ACR, virtual networks and load balancers, you build ARM templates to get an automated and repeatable deployment across dev, test and production environments.

You can find sample ARM templates related to AKS at [https://github.com/Azure/azure-quickstart-templates/tree/master/101-aks](https://github.com/Azure/azure-quickstart-templates/tree/master/101-aks). You can find other AKS related samples in that repo. At first there is a learning curve to get going and understand the syntax and how it all works. In my experience it works well.

### **VS Code Extension** : [**Azure Resource Manager Tools**](https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools)

Provides language support for Azure Resource Manager deployment templates and template language expressions. This gives a better developer experience in VS Code when building out ARM Templates for AKS and its dependent Azure resources such as virtual networks.
### **VS Code Extension** : [Kubernetes](https://marketplace.visualstudio.com/items?itemName=ms-kubernetes-tools.vscode-kubernetes-tools)

The extension for developers building applications to run in Kubernetes clusters and for DevOps staff troubleshooting Kubernetes applications.

![](media/vscode-extension-kubernetes.png)

Works with any Kubernetes anywhere (Azure, Minikube, AWS, GCP and more!).

### [Skaffold](https://skaffold.dev/)

Skaffold handles the workflow for building, pushing and deploying your application, allowing you to focus on what matters most: writing code.

![](media/skaffold.png)

This tool is more for the app developer in a dev environment. A cool scenario: when a developer makes a change in the code, Skaffold builds an image and can deploy the Helm chart into your development Kubernetes environment. It basically streamlines the process from code to running app in Kubernetes. It is a mini CI/CD pipeline, although it can integrate into a rigorous CI/CD pipeline tool such as Azure DevOps Pipelines.

### [Istio](https://istio.io/docs/concepts/what-is-istio/) as a service mesh

Istio helps reduce the complexity of distributed application deployments and eases the strain on your development teams. It is a completely open source service mesh that layers transparently onto existing distributed applications. It is also a platform, including APIs that let it integrate into any logging platform, telemetry or policy system.

### [Prometheus](https://prometheus.io/docs/introduction/overview/) for monitoring

Prometheus is a popular open source monitoring and alerting toolkit. Prometheus can integrate with [Azure Monitor for containers](https://azure.microsoft.com/en-ca/blog/azure-monitor-for-containers-with-prometheus-now-in-preview/).
![](media/prometheus.png)

Typically, to use Prometheus you need to set up and manage a Prometheus server with a database. With the Azure Monitor integration, no Prometheus server is needed.