AKS From Zero To Hero - Part 3

Welcome to the Third post in a series of "AKS From Zero To Hero".
In the first post, we talked about AKS in general. In this post, we will continue the discussion around AKS.

In this post, I will try to exaplind what is and Why AKS.

What is AKS?
Azure Kubernetes Service (AKS) simplifies deploying a managed Kubernetes cluster in Azure by offloading the operational overhead to Azure. As a hosted Kubernetes service, Azure handles critical tasks, like health monitoring and maintenance. Since Kubernetes masters are managed by Azure, you only manage and maintain the agent nodes. Thus, AKS is free; you only pay for the agent nodes within your clusters, not for the masters.

What is the benefits of using AKS?

• Scalability: add additional compute nodes if/when needed
• No need to worry about master node since they are managed by azure
• Reduce the initial setup and operation complexity of K8S for production workload
• Removes Complexities and Reduces Expenditure: AKS helps in removing the complexities with regard to implementing, installing, maintaining and securing Kubernetes in Azure
• Run any Workload in the Cloud
• Faster End-to-end Development and Integration
• Security and Compliance: AKS protects your business by enabling administrators to tailor access to Azure Active Directory (AD) and identity and group identities. When people are provided only the access that they need, the threat is greatly reduced. AKS is also, totally compliant

Managed Kubernetes empowers you to achieve more

AKS Nodes: Node pools are used to group nodes in your AKS cluster. You specify the VM size and OS type for each node in the node pool based on your app requirements

• System node pools serve the primary purpose of hosting critical system pods.
  
• User node pools serve the primary purpose of hosting your application pods.
  

By default, an AKS cluster will have a Linux node pool in system mode but you always add more.
New nodes created in the node pool will always be the same size as you specified when you created the node pool. You can change the node count later in the cluster's configuration panel.

AKS Networking - The Basic
A Kubernetes cluster blocks all external communications by default and has two network availability abstractions: services and ingresses.
A service acts as a load balancer and redirects traffic to the specific ports by using port-forwarding rules.

ClusterIP: Exposes the app internally only

LoadBalancer: Exposes the app externally by using Azure’s load balancing solution

NodePort: Exposes the app externally

ExternalName: Maps the app by using a DNS resolution through a CNAME record.

Ingress: An ingress exposes routes (It is a collection of rules) for HTTP and HTTPS traffic from outside a cluster to services inside the cluster. You define ingress routes by using ingress rules
AKS allows you to overcome the complexity of setting up an ingress by enabling what's called HTTP application routing (not recommended for production workload)

We have two main type of ingress in Azure:

• Nginx ingress controller: ingress-nginx is an Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
• Application Gateway Ingress Controller (AGIC): which makes it possible for Azure Kubernetes Service (AKS) customers to leverage Azure's native Application Gateway L7 load-balancer to expose cloud software to the Internet. AGIC monitors the Kubernetes cluster it is hosted on and continuously updates an App
  

AGIC helps eliminate the need to have another load balancer/public IP in front of the AKS cluster and avoids multiple hops in your datapath before requests reach the AKS cluster. Application Gateway talks to pods using their private IP directly and does not require NodePort or KubeProxy services. This also brings better performance to your deployments.
Ingress Controller is supported exclusively by Standard_v2 and WAF_v2 SKUs, which also brings you autoscaling benefits. Application Gateway can react in response to an increase or decrease in traffic load and scale accordingly, without consuming any resources from your AKS cluster.
Using Application Gateway in addition to AGIC also helps protect your AKS cluster by providing TLS policy and Web Application Firewall (WAF) functionality.

As we explained before Kubernetes API is the entry point to the cluster, so how to protect it on azure, you can easily do that on azure by using one of the following options:

• Reverse Proxy Server: Nginx, HAProxy, and Traefik are popular reverse proxy servers that support features such as load balancing, SSL termination, and layer 7 routing. They can run on dedicated virtual machines or as ingress controllers on a Kubernetes cluster.
  
• Service Mesh Ingress Controller: If you are using a service mesh such as Open Service Mesh, Linkerd, and Istio, consider the features that are provided by the ingress controller for that service mesh. For example, the Istio ingress controller supports layer 7 routing, HTTP redirects, retries, and other features.
• Azure Application Gateway: Azure Application Gateway is a regional, fully-managed load balancing service that can perform layer-7 routing and SSL termination. It also provides a Web Access Firewall and an ingress controller for Kubernetes. For more information
• Azure Front Door: Azure Front Door is a global layer 7 load balancer that uses the Microsoft global edge network to create fast, secure, and widely scalable web applications. It supports features such as SSL termination, response caching, WAF at the edge, URL-based routing, rewrite and redirections, it support multiple routing methods such as priority routing and latency-based routing.
• Azure API Management: API Management is a turnkey solution for publishing APIs to both external and internal customers. It provides features that are useful for managing a public-facing API, including rate limiting, IP restrictions, and authentication and authorization using Azure Active Directory or other identity providers

so, when to use AKS, as per Microsoft the below are Top scenarios for Kubernetes on Azure

What's next?
This was part two of the article. In the next part, we will continue this discussion with AKS.
Continue Reading: AKS From Zero To Hero - Part 4