Merge pull request #271326 from chasewilson/chase/concept/services

v-dirichards · web-flow · commit dbd77ce87f9f · 2024-04-10T15:52:55.000-05:00
[AKS] Split Services Newtorking Conceptual Docs
diff --git a/articles/aks/TOC.yml b/articles/aks/TOC.yml
@@ -136,6 +136,8 @@
           href: concepts-network.md
         - name: CNI networking
           href: azure-cni-overview.md
+        - name: Services
+          href: concepts-network-services.md
     - name: Storage
       href: concepts-storage.md
     - name: Scaling
diff --git a/articles/aks/concepts-network-services.md b/articles/aks/concepts-network-services.md
@@ -0,0 +1,57 @@
+---
+title: Concepts - Services in Azure Kubernetes Services (AKS)
+description: Learn about networking Services in Azure Kubernetes Service (AKS), including what services are in Kubernetes and what types of Services are available in AKS.
+ms.topic: conceptual
+ms.date: 04/08/2024
+ms.custom: fasttrack-edit
+---
+
+# Kubernetes Services in AKS
+
+Kubernetes Services are used to logically group pods and provide network connectivity by allowing direct access to them through a specific IP address or DNS name on a designated port. This allows you to expose your application workloads to other services within the cluster or to external clients without having to manually manage the network configuration for each pod hosting a workload.
+
+You can specify a Kubernetes _ServiceType_ to define the type of Service you want, e.g., if you want to expose a Service on an external IP address outside of your cluster. For more information, see the Kubernetes documentation on [Publishing Services (ServiceTypes)][service-types].
+
+The following ServiceTypes are available in AKS:
+
+## ClusterIP
+  
+  ClusterIP creates an internal IP address for use within the AKS cluster. The ClusterIP Service is good for _internal-only applications_ that support other workloads within the cluster. ClusterIP is used by default if you don't explicitly specify a type for a Service.
+
+  ![Diagram showing ClusterIP traffic flow in an AKS cluster.][aks-clusterip]
+
+## NodePort
+
+  NodePort creates a port mapping on the underlying node that allows the application to be accessed directly with the node IP address and port.
+
+  ![Diagram showing NodePort traffic flow in an AKS cluster.][aks-nodeport]
+
+## LoadBalancer
+
+  LoadBalancer creates an Azure load balancer resource, configures an external IP address, and connects the requested pods to the load balancer backend pool. To allow customers' traffic to reach the application, load balancing rules are created on the desired ports.
+
+  ![Diagram showing Load Balancer traffic flow in an AKS cluster.][aks-loadbalancer]
+
+  For HTTP load balancing of inbound traffic, another option is to use an [Ingress controller][ingress-controllers].
+
+## ExternalName
+
+  Creates a specific DNS entry for easier application access.
+
+Either the load balancers and services IP address can be dynamically assigned, or you can specify an existing static IP address. You can assign both internal and external static IP addresses. Existing static IP addresses are often tied to a DNS entry.
+
+You can create both _internal_ and _external_ load balancers. Internal load balancers are only assigned a private IP address, so they can't be accessed from the Internet.
+
+Learn more about Services in the [Kubernetes docs][k8s-service].
+
+<!-- IMAGES -->
+[aks-clusterip]: media/concepts-network/aks-clusterip.png
+[aks-nodeport]: media/concepts-network/aks-nodeport.png
+[aks-loadbalancer]: media/concepts-network/aks-loadbalancer.png
+
+<!-- LINKS - External -->
+[k8s-service]: https://kubernetes.io/docs/concepts/services-networking/service/
+[service-types]: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+
+<!-- LINKS - Internal -->
+[ingress-controllers]:concepts-network.md#ingress-controllers
diff --git a/articles/aks/concepts-network.md b/articles/aks/concepts-network.md
@@ -5,25 +5,23 @@ ms.topic: conceptual
 ms.date: 03/26/2024
 author: schaffererin
 ms.author: schaffererin
-
 ms.custom: fasttrack-edit
 ---
 
 # Networking concepts for applications in Azure Kubernetes Service (AKS)
 
 In a container-based, microservices approach to application development, application components work together to process their tasks. Kubernetes provides various resources enabling this cooperation:
 
-* You can connect to and expose applications internally or externally.
-* You can build highly available applications by load balancing your applications.
-* You can restrict the flow of network traffic into or between pods and nodes to improve security.
-* You can configure Ingress traffic for SSL/TLS termination or routing of multiple components for your more complex applications.
+- You can connect to and expose applications internally or externally.
+- You can build highly available applications by load balancing your applications.
+- You can restrict the flow of network traffic into or between pods and nodes to improve security.
+- You can configure Ingress traffic for SSL/TLS termination or routing of multiple components for your more complex applications.
 
 This article introduces the core concepts that provide networking to your applications in AKS:
 
-* [Services and ServiceTypes](#services)
-* [Azure virtual networks](#azure-virtual-networks)
-* [Ingress controllers](#ingress-controllers)
-* [Network policies](#network-policies)
+- [Azure virtual networks](#azure-virtual-networks)
+- [Ingress controllers](#ingress-controllers)
+- [Network policies](#network-policies)
 
 ## Kubernetes networking basics
 
@@ -35,8 +33,6 @@ Kubernetes employs a virtual networking layer to manage access within and betwee
 
 Regarding specific Kubernetes functionalities:
 
-- **Services**: Services is used to logically group pods, allowing direct access to them through a specific IP address or DNS name on a designated port.
-- **Service types**: Specifies the kind of Service you wish to create.
 - **Load balancer**: You can use a load balancer to distribute network traffic evenly across various resources.
 - **Ingress controllers**: These facilitate Layer 7 routing, which is essential for directing application traffic.
 - **Egress traffic control**: Kubernetes allows you to manage and control outbound traffic from cluster nodes.
@@ -49,51 +45,15 @@ In the context of the Azure platform:
 - As you open network ports to pods, Azure automatically configures the necessary network security group rules.
 - Azure can also manage external DNS configurations for HTTP application routing as new Ingress routes are established.
 
-## Services
-
-To simplify the network configuration for application workloads, Kubernetes uses *Services* to logically group a set of pods together and provide network connectivity. You can specify a Kubernetes *ServiceType* to define the type of Service you want. For example, if you want to expose a Service on an external IP address outside of your cluster. For more information, see the Kubernetes documentation on [Publishing Services (ServiceTypes)][service-types].
-
-The following ServiceTypes are available:
-
-* **ClusterIP**
-  
-  ClusterIP creates an internal IP address for use within the AKS cluster. The ClusterIP Service is good for *internal-only applications* that support other workloads within the cluster. ClusterIP is the default used if you don't explicitly specify a type for a Service.
-
-    ![Diagram showing ClusterIP traffic flow in an AKS cluster][aks-clusterip]
-
-* **NodePort**
-
-  NodePort creates a port mapping on the underlying node that allows the application to be accessed directly with the node IP address and port.
-
-    ![Diagram showing NodePort traffic flow in an AKS cluster][aks-nodeport]
-
-* **LoadBalancer**
-
-  LoadBalancer creates an Azure load balancer resource, configures an external IP address, and connects the requested pods to the load balancer backend pool. To allow customers' traffic to reach the application, load balancing rules are created on the desired ports.
-
-    ![Diagram showing Load Balancer traffic flow in an AKS cluster][aks-loadbalancer]
-
-    For HTTP load balancing of inbound traffic, another option is to use an [Ingress controller](#ingress-controllers).
-
-* **ExternalName**
-
-  Creates a specific DNS entry for easier application access.
-
-Either the load balancers and services IP address can be dynamically assigned, or you can specify an existing static IP address. You can assign both internal and external static IP addresses. Existing static IP addresses are often tied to a DNS entry.
-
-You can create both *internal* and *external* load balancers. Internal load balancers are only assigned a private IP address, so they can't be accessed from the Internet.
-
-Learn more about Services in the [Kubernetes docs][k8s-service].
-
 ## Azure virtual networks
 
 In AKS, you can deploy a cluster that uses one of the following network models:
 
-* ***Kubenet* networking**
+- ***Kubenet* networking**
 
   The network resources are typically created and configured as the AKS cluster is deployed.
 
-* ***Azure Container Networking Interface (CNI)* networking**
+- ***Azure Container Networking Interface (CNI)* networking**
 
   The AKS cluster is connected to existing virtual network resources and configurations.
 
@@ -150,14 +110,14 @@ It's possible to install in AKS a non-Microsoft CNI using the [Bring your own CN
 
 Both kubenet and Azure CNI provide network connectivity for your AKS clusters. However, there are advantages and disadvantages to each. At a high level, the following considerations apply:
 
-* **kubenet**
+- **kubenet**
 
-  * Conserves IP address space.
-  * Uses Kubernetes internal or external load balancers to reach pods from outside of the cluster.
-  * You manually manage and maintain user-defined routes (UDRs).
-  * Maximum of 400 nodes per cluster.
+  - Conserves IP address space.
+  - Uses Kubernetes internal or external load balancers to reach pods from outside of the cluster.
+  - You manually manage and maintain user-defined routes (UDRs).
+  - Maximum of 400 nodes per cluster.
   
-* **Azure CNI**
+- **Azure CNI**
 
   * Pods get full virtual network connectivity and can be directly reached via their private IP address from connected networks.
   * Requires more IP address space.
@@ -188,13 +148,13 @@ For more information on Azure CNI and kubenet and to help determine which option
 
 Whatever network model you use, both kubenet and Azure CNI can be deployed in one of the following ways:
 
-* The Azure platform can automatically create and configure the virtual network resources when you create an AKS cluster.
-* You can manually create and configure the virtual network resources and attach to those resources when you create your AKS cluster.
+- The Azure platform can automatically create and configure the virtual network resources when you create an AKS cluster.
+- You can manually create and configure the virtual network resources and attach to those resources when you create your AKS cluster.
 
 Although capabilities like service endpoints or UDRs are supported with both kubenet and Azure CNI, the [support policies for AKS][support-policies] define what changes you can make. For example:
 
-* If you manually create the virtual network resources for an AKS cluster, you're supported when configuring your own UDRs or service endpoints.
-* If the Azure platform automatically creates the virtual network resources for your AKS cluster, you can't manually change those AKS-managed resources to configure your own UDRs or service endpoints.
+- If you manually create the virtual network resources for an AKS cluster, you're supported when configuring your own UDRs or service endpoints.
+- If the Azure platform automatically creates the virtual network resources for your AKS cluster, you can't manually change those AKS-managed resources to configure your own UDRs or service endpoints.
 
 ## Ingress controllers
 
@@ -235,11 +195,11 @@ The following table lists the different scenarios where you might use each ingre
 
 The application routing addon is the recommended way to configure an Ingress controller in AKS. The application routing addon is a fully managed ingress controller for Azure Kubernetes Service (AKS) that provides the following features:
 
-* Easy configuration of managed NGINX Ingress controllers based on Kubernetes NGINX Ingress controller.
+- Easy configuration of managed NGINX Ingress controllers based on Kubernetes NGINX Ingress controller.
 
-* Integration with Azure DNS for public and private zone management.
+- Integration with Azure DNS for public and private zone management.
 
-* SSL termination with certificates stored in Azure Key Vault.
+- SSL termination with certificates stored in Azure Key Vault.
 
 For more information about the application routing addon, see [Managed NGINX ingress with the application routing add-on](app-routing.md).
 
@@ -271,8 +231,8 @@ For more information, see [How network security groups filter network traffic][n
 
 By default, all pods in an AKS cluster can send and receive traffic without limitations. For improved security, define rules that control the flow of traffic, like:
 
-* Back-end applications are only exposed to required frontend services.
-* Database components are only accessible to the application tiers that connect to them.
+- Back-end applications are only exposed to required frontend services.
+- Database components are only accessible to the application tiers that connect to them.
 
 Network policy is a Kubernetes feature available in AKS that lets you control the traffic flow between pods. You can allow or deny traffic to the pod based on settings such as assigned labels, namespace, or traffic port. While network security groups are better for AKS nodes, network policies are a more suited, cloud-native way to control the flow of traffic for pods. As pods are dynamically created in an AKS cluster, required network policies can be automatically applied.
 
@@ -286,23 +246,19 @@ For associated best practices, see [Best practices for network connectivity and
 
 For more information on core Kubernetes and AKS concepts, see the following articles:
 
-* [Kubernetes / AKS clusters and workloads][aks-concepts-clusters-workloads]
-* [Kubernetes / AKS access and identity][aks-concepts-identity]
-* [Kubernetes / AKS security][aks-concepts-security]
-* [Kubernetes / AKS storage][aks-concepts-storage]
-* [Kubernetes / AKS scale][aks-concepts-scale]
+- [Kubernetes / AKS clusters and workloads][aks-concepts-clusters-workloads]
+- [Kubernetes / AKS access and identity][aks-concepts-identity]
+- [Kubernetes / AKS security][aks-concepts-security]
+- [Kubernetes / AKS storage][aks-concepts-storage]
+- [Kubernetes / AKS scale][aks-concepts-scale]
 
 <!-- IMAGES -->
-[aks-clusterip]: ./media/concepts-network/aks-clusterip.png
-[aks-nodeport]: ./media/concepts-network/aks-nodeport.png
 [aks-loadbalancer]: ./media/concepts-network/aks-loadbalancer.png
 [advanced-networking-diagram]: ./media/concepts-network/advanced-networking-diagram.png
 [aks-ingress]: ./media/concepts-network/aks-ingress.png
 
 <!-- LINKS - External -->
 [cni-networking]: https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md
-[k8s-service]: https://kubernetes.io/docs/concepts/services-networking/service/
-[service-types]: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
 
 <!-- LINKS - Internal -->
 [aks-configure-kubenet-networking]: configure-kubenet.md
diff --git a/articles/aks/learn/quick-windows-container-deploy-cli.md b/articles/aks/learn/quick-windows-container-deploy-cli.md
@@ -337,7 +337,7 @@ To learn more about AKS, and to walk through a complete code-to-deployment examp
 [az-group-create]: /cli/azure/group#az_group_create
 [aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
 [kubernetes-deployment]: ../concepts-clusters-workloads.md#deployments-and-yaml-manifests
-[kubernetes-service]: ../concepts-network.md#services
+[kubernetes-service]: ../concepts-network-services.md
 [windows-server-password]: /windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements#reference
 [win-faq-change-admin-creds]: ../windows-faq.md#how-do-i-change-the-administrator-password-for-windows-server-nodes-on-my-cluster
 [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
diff --git a/articles/aks/learn/quick-windows-container-deploy-portal.md b/articles/aks/learn/quick-windows-container-deploy-portal.md
@@ -260,7 +260,7 @@ To learn more about AKS, and to walk through a complete code-to-deployment examp
 [az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
 [azure-portal]: https://portal.azure.com
 [kubernetes-deployment]: ../concepts-clusters-workloads.md#deployments-and-yaml-manifests
-[kubernetes-service]: ../concepts-network.md#services
+[kubernetes-service]: ../concepts-network-services.md
 [preset-config]: ../quotas-skus-regions.md#cluster-configuration-presets-in-the-azure-portal
 [import-azakscredential]: /powershell/module/az.aks/import-azakscredential
 [baseline-reference-architecture]: /azure/architecture/reference-architectures/containers/aks/baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
diff --git a/articles/aks/learn/quick-windows-container-deploy-powershell.md b/articles/aks/learn/quick-windows-container-deploy-powershell.md
@@ -318,7 +318,7 @@ To learn more about AKS, and to walk through a complete code-to-deployment examp
 [new-azakscluster]: /powershell/module/az.aks/new-azakscluster
 [import-azakscredential]: /powershell/module/az.aks/import-azakscredential
 [kubernetes-deployment]: ../concepts-clusters-workloads.md#deployments-and-yaml-manifests
-[kubernetes-service]: ../concepts-network.md#services
+[kubernetes-service]: ../concepts-network-services.md
 [aks-tutorial]: ../tutorial-kubernetes-prepare-app.md
 [aks-solution-guidance]: /azure/architecture/reference-architectures/containers/aks-start-here?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
 [windows-server-password]: /windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements#reference
diff --git a/articles/api-management/how-to-deploy-self-hosted-gateway-azure-kubernetes-service.md b/articles/api-management/how-to-deploy-self-hosted-gateway-azure-kubernetes-service.md
@@ -35,7 +35,7 @@ This article provides the steps for deploying self-hosted gateway component of A
 5. Make sure **Kubernetes** is selected under **Deployment scripts**.
 6. Select **\<gateway-name\>.yml** file link next to **Deployment** to download the file.
 7. Adjust the `config.service.endpoint`, port mappings, and container name in the .yml file as needed.
-8. Depending on your scenario, you might need to change the [service type](../aks/concepts-network.md#services). 
+8. Depending on your scenario, you might need to change the [service type](../aks/concepts-network-services.md). 
     * The default value is `LoadBalancer`, which is the external load balancer. 
     * You can use the [internal load balancer](../aks/internal-lb.md) to restrict the access to the self-hosted gateway to only internal users. 
     * The sample below uses `NodePort`.
diff --git a/articles/azure-linux/quickstart-azure-cli.md b/articles/azure-linux/quickstart-azure-cli.md
@@ -91,7 +91,7 @@ In this quickstart, you will use a manifest to create all objects needed to run
 * The sample Azure Vote Python applications.
 * A Redis instance.
 
-Two [Kubernetes Services](../../articles/aks/concepts-network.md#services) are also created:
+Two [Kubernetes Services](../../articles/aks/concepts-network-services.md) are also created:
 
 * An internal service for the Redis instance.
 * An external service to access the Azure Vote application from the internet.
diff --git a/articles/azure-linux/quickstart-azure-powershell.md b/articles/azure-linux/quickstart-azure-powershell.md
@@ -89,7 +89,7 @@ In this quickstart, you use a manifest to create all objects needed to run the [
 - The sample Azure Vote Python applications.
 - A Redis instance.
 
-This manifest also creates two [Kubernetes Services](../../articles/aks/concepts-network.md#services):
+This manifest also creates two [Kubernetes Services](../../articles/aks/concepts-network-services.md):
 
 - An internal service for the Redis instance.
 - An external service to access the Azure Vote application from the internet.
diff --git a/articles/azure-linux/quickstart-azure-resource-manager-template.md b/articles/azure-linux/quickstart-azure-resource-manager-template.md
@@ -250,7 +250,7 @@ In this quickstart, you use a manifest to create all objects needed to run the [
 * The sample Azure Vote Python applications.
 * A Redis instance.
 
-Two [Kubernetes Services](../../articles/aks/concepts-network.md#services) are also created:
+Two [Kubernetes Services](../../articles/aks/concepts-network-services.md) are also created:
 
 * An internal service for the Redis instance.
 * An external service to access the Azure Vote application from the internet.
