Azure Kubernetes Service (AKS)

Announcing Public Preview of Confidential VM on AKS.

Azure confidential VMs (DCav5/ECav5) are VM based Hardware Trusted Execution Environment (TEE) that leverage SEV-SNP security features to deny the hypervisor and other host management code access to VM memory and state, providing defense in depth protections against operator access.

Source: Confidential VM node pool support on AKS with AMD SEV-SNP VM in preview (microsoft.com)

• Simplifies deployment, management, and operations of Kubernetes
• Kubernetes Objects
• Azure Kubernetes Services or AKS
• It makes it quick and easy to deploy and manage containerized applications without container orchestration expertise.
• Eliminates the burden of ongoing operations and maintenance by provisioning, upgrading, and scaling resources on demand
• Master node(s) managed by Microsoft
• Access to enterprise-grade features of Micorosft Azure
• Reduces the complexity and operational overhead of managing a Kubernetes cluster by offloading much of that responsibility to Azure
• Handles critical tasks like health monitoring and maintenance for you

In this overview video I cover the basics of containers, Kubernetes, the Azure Kubernetes Service (AKS) and how all the pieces fit together!

• Automated Kubernetes version upgrade and patching
• Easy cluster scaling
• Self-healing hosted control plane (masters)
• Cost savings

In general, I see two approaches

• Start with App Services for all applications, and only if the complexity and orchestration needs exceed the limits, then go for AKS. This would be my approach as I don’t see either/or, but I would leverage their individual strengths.
• Or if they already plan to introduce a sophisticated AKS infrastructure, then use leverage this (I have the feeling that some at Swiss Re try to go into this direction)

What do/would I consider

• General: have simple applications with just a few Web Apps I would go with App Services, but for a more complex microservice architecture, I would consider AKS.
• Is there a strategic decision already taken
• Is there a Multi-Cloud strategy and need to leverage knowledge (infrastructure) across clouds, then it could make sense to go with AKS as this is more provider agnostic
• If there is no Kubernetes knowledge available, App Services would be simpler to start with
• If you have an Application with just a front-end (maybe SPA) and API backend, then App Services would be preferable
• If it is a containerized application with a lot of containers that need orchestration, then AKS could help
• What Customers need to understand is that there are much more management activities they need to take care of when using AKS compared to App Service. AKS is closer to an IaaS platform from that point of view. So as long as their needs can be met with App Service, I think it’s a much less painful choice compared to AKS.

Private Azure Kubernetes Service Cluster

In a private cluster, the control plane or API server has internal IP addresses that are defined in the RFC1918 - Address Allocation for Private Internet document. Using a private cluster lets you ensure network traffic between your API server and your node pools remains on the private network only.

Create a private Azure Kubernetes Service cluster - Azure Kubernetes Service | Microsoft Docs

Azure offers a unique capability of mounting Blob Storage (or object storage) as a file system to a Kubernetes pod or application using BlobFuse or NFS 3.0 options. This allows you to use blob storage with a number of stateful Kubernetes applications including HPC, Analytics, image processing, and audio or video streaming. Not only that, if your application ingests data into Data Lake storage on Azure Blobs, you can now directly mount and use it with AKS. Previously, you had to manually install and manage the lifecycle of the open-source Azure Blob CSI driver including deployment, versioning, and upgrades. 

You can now use the Azure Blob CSI driver as a managed addon in AKS with built in storage classes for NFS and BlobFuse, reducing the operational overhead and maximizing time to value.

Source: Generally available: Azure Blob CSI driver support in AKS