This reference implementation shows a set of best practices for building and running a microservices architecture on Microsoft Azure, on top of the AKS Secure Baseline, which is the recommended starting (baseline) infrastructure architecture for an AKS cluster.
To quickly understand how the AKS Fabrikam Drone Delivery expands the AKS Secure Baseline, please refer to the following table:
| | AKS Secure Baseline | AKS Fabrikam Drone Delivery |
|---|---|---|
| Egress restriction using Azure Firewall | ✅ | ✅ |
| Ingress Controller | ✅ | ✅ |
| Azure Active Directory Pod Identity | ✅ | ✅ |
| Resource Limits | ✅ | ✅ |
| Other Infrastructure aspects | ✅ | ✅ |
| Zero Trust Network Policies | ❌ | ✅ |
| Horizontal Pod Autoscaling | ❌ | ✅ |
| Cluster Autoscaling | ❌ | ✅ |
| Readiness/Liveness Probes | ❌ | ✅ |
| Helm charts | ❌ | ✅ |
| Distributed Monitoring | ❌ | ✅ |
AKS Fabrikam Drone Delivery is not just workload focused; it also incorporates the infrastructure journey by expanding the AKS Secure Baseline. Much as organizations do when implementing their own solutions with the AKS Secure Baseline as a reference, this reference implementation carefully modifies or simply swaps small pieces to suit its preferences, such as using a different kind of Ingress Controller or deploying a different workload on top. If you or your team are at day 0 or are looking for infrastructure-related aspects only, the recommendation is to start with the AKS Secure Baseline. If you want more comprehensive guidance, to the point of deploying a more interesting workload, this is the right guidance to follow.
This project has a companion set of articles that describe challenges, design patterns, and best practices for a secure AKS cluster. You can find these articles on the Azure Architecture Center:
- Designing, building, and operating microservices on Azure with Kubernetes
- Microservices architecture on Azure Kubernetes Service (AKS)
- Azure Kubernetes Service (AKS) Baseline Cluster
This architecture integrates with a myriad of Azure services to showcase a workload with distributed tracing, messaging and storage. It also implements recommended native Kubernetes features such as autoscaling capabilities, probes and network policies, as well as other standards like Helm charts and more. As a result of expanding the AKS Secure Baseline, this architecture should also be considered your starting point for pre-production and production stages.
An important distinction of this architecture is that it implements the Azure Application Gateway Ingress Controller instead of using Traefik as in the baseline.
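To make the "Zero Trust Network Policies" row of the table concrete in the Application Gateway Ingress Controller setup, the following is an added example (not a manifest from this reference implementation): a default-deny policy for the workload namespace plus a single allow policy for the Delivery pods. The namespace name, pod labels, container port and the Application Gateway subnet CIDR are assumptions; with Azure CNI, AGIC sends traffic directly to pod IPs, so ingress is allowed by source subnet rather than by an in-cluster ingress pod selector.

```yaml
# Added example; names, labels, ports and CIDR below are assumptions, not the project's values.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shipping              # assumed workload namespace
spec:
  podSelector: {}                  # selects every pod in the namespace
  policyTypes: [Ingress, Egress]
  # No ingress/egress rules: everything not explicitly allowed by another policy is dropped.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-delivery-from-appgw
  namespace: shipping
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: delivery   # assumed label on the Delivery service pods
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - ipBlock:
            cidr: 10.240.4.0/24          # placeholder: the Application Gateway subnet
      ports:
        - protocol: TCP
          port: 8080                     # assumed container port of the Delivery service
  egress:
    # Allow DNS resolution through kube-dns only.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system   # set automatically on Kubernetes 1.21+; label the namespace yourself on older clusters
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # HTTPS to dependencies; the Azure Firewall egress restriction from the baseline still applies on top of this.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443
```

Apply the default-deny policy first and verify with a pod in the namespace that unlisted connections time out before relying on the allow rules.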
Throughout the reference implementation, you will see references to the Fabrikam Drone Delivery Shipping App. Fabrikam, Inc. (a fictional company) is starting a drone delivery service and made the architectural decision to implement its solution on top of the AKS Secure Baseline, since it covers all the infrastructure aspects they are required to operate. The company manages a fleet of drone aircraft. Businesses register with the service, and users can request a drone to pick up goods for delivery. When a customer schedules a pickup, a backend system assigns a drone and notifies the user with an estimated delivery time. While the delivery is in progress, the customer can track the location of the drone, with a continuously updated ETA.
- AKS v1.19
- System and User node pool separation
- AKS-managed Azure AD
- Managed Identities
- Azure CNI
- Azure Monitor for containers
- Azure Virtual Networks (hub-spoke)
- Azure Application Gateway (WAF)
- AKS-managed Internal Load Balancers
- Azure Firewall
- Azure Service Bus
- Azure CosmosDb
- Azure MongoDb
- Azure Redis Cache
- Flux GitOps Operator
- Azure Application Gateway Ingress Controller
- Azure AD Pod Identity
- Azure KeyVault Secret Store CSI Provider
- Kured
For the sake of simplicity, only the sections required to deploy the AKS Fabrikam Drone Delivery are listed here. If you are looking for extra details on the different infrastructure-related aspects, please take a look at the AKS Secure Baseline.
- Install and meet the prerequisites
- Procure client-facing and AKS Ingress Controller TLS certificates
- Plan your Azure Active Directory integration
- Build the hub-spoke network
- Deploy the AKS cluster and supporting services
- Place the cluster under GitOps management
- Workload prerequisites to address
- Configure AKS Ingress Controller with Azure Key Vault integration
- Deploy the workload
- Perform end-to-end deployment validation
- Cleanup all resources
While this reference implementation tends to avoid preview features of AKS to ensure you have the best customer support experience, there are some features you may wish to evaluate in pre-production clusters that augment your posture around security, manageability, etc. Consider trying out and providing feedback on the following. As these features come out of preview, this reference implementation may be updated to incorporate them.
- Preview features coming from the AKS Secure Baseline
- Currently the AKS Fabrikam Drone Delivery does not implement any Preview feature directly
This reference implementation intentionally does not cover all scenarios. If you are looking for other topics that are not addressed here, please visit AKS Secure Baseline for the complete list of covered scenarios around AKS.
Please see our contributor guide.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
With ❤️ from Microsoft Patterns & Practices, Azure Architecture Center.
