Announcing Public Preview of Confidential VM on AKS
Azure confidential VMs (DCav5/ECav5) are VM-based hardware Trusted Execution Environments (TEEs) that leverage SEV-SNP security features to deny the hypervisor and other host-management code access to VM memory and state, providing defense-in-depth protection against operator access.
Source: Confidential VM node pool support on AKS with AMD SEV-SNP VM in preview (microsoft.com)
In this overview video I cover the basics of containers, Kubernetes, the Azure Kubernetes Service (AKS) and how all the pieces fit together!
In general, I see two approaches
What do/would I consider
Private Azure Kubernetes Service Cluster
In a private cluster, the control plane or API server has internal IP addresses that are defined in RFC 1918 (Address Allocation for Private Internets). Using a private cluster lets you ensure that network traffic between your API server and your node pools remains on the private network only.
Create a private Azure Kubernetes Service cluster - Azure Kubernetes Service | Microsoft Docs
Azure offers a unique capability of mounting Blob Storage (object storage) as a file system to a Kubernetes pod or application using the BlobFuse or NFS 3.0 options. This allows you to use blob storage with a number of stateful Kubernetes applications, including HPC, analytics, image processing, and audio or video streaming. Not only that, if your application ingests data into Data Lake storage on Azure Blobs, you can now directly mount and use it with AKS. Previously, you had to manually install and manage the lifecycle of the open-source Azure Blob CSI driver, including deployment, versioning, and upgrades.
You can now use the Azure Blob CSI driver as a managed addon in AKS with built-in storage classes for NFS and BlobFuse, reducing the operational overhead and maximizing time to value.
Source: Generally available: Azure Blob CSI driver support in AKS
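As an added illustration of the managed addon described above (this is example configuration, not from the announcement or the AKS project), the manifest below claims a BlobFuse-backed volume through the addon's built-in storage class and mounts it read-only into a non-root pod. It assumes the blob driver addon is enabled on the cluster, a namespace named media, and a container image you supply where the placeholder appears.

```yaml
# Example (constructed): consume the AKS-managed Azure Blob CSI driver via its
# built-in storage class. Assumes the addon is enabled on the cluster, e.g.
#   az aks create ... --enable-blob-driver
# and that the "media" namespace already exists.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: video-assets
  namespace: media
spec:
  accessModes:
    - ReadWriteMany                       # blob volumes can be shared across pods
  # Built-in class installed by the addon. For the NFS 3.0 path use
  # azureblob-nfs-premium instead; note that NFS 3.0 traffic is not encrypted
  # in transit, so keep the storage account reachable only from the cluster VNet.
  storageClassName: azureblob-fuse-premium
  resources:
    requests:
      storage: 100Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: transcoder
  namespace: media
spec:
  securityContext:
    runAsNonRoot: true                    # least privilege: no root inside the pod
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: worker
      image: REGISTRY/transcoder:TAG      # placeholder: replace with your image
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
      volumeMounts:
        - name: assets
          mountPath: /data/assets
          readOnly: true                  # pod only needs to read the blob data
  volumes:
    - name: assets
      persistentVolumeClaim:
        claimName: video-assets
```

Apply with kubectl apply -f; the addon provisions the blob container behind the PVC, so no manual CSI driver installation or upgrade step is needed.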