With the general availability of the outboundType routing parameter for AKS and the Application Gateway Ingress Controller, we frequently receive the question of how to set up a Kubernetes environment that secures both the ingress and the egress traffic with a firewall.
In this post I want to guide you through setting up an environment in which your AKS cluster routes all incoming traffic through an Application Gateway and uses an Azure Firewall to ensure that your worker nodes and pods can only connect to services and IP ranges that you have explicitly whitelisted. I will…
This is part two of my series on advanced deployment practices. If you have been following part 1, we finished with a working continuous deployment pipeline and a rudimentary automated rollback mechanism using Helm. Unfortunately we were always replacing the existing Helm release, which means that if there is something wrong with the new version, customers will always be impacted and possibly experience errors while we are rolling back to the previous working version. This is obviously not ideal.
Here enters the practice of blue/green deployments, which means that instead of replacing the previous version (here we refer to…
This is the first part of a series of posts on deployment processes, where I wanted to document a couple of practices we have been implementing with our customers. I want to show this based on a simple demo application that we have been using for hands-on workshops over the last years and enable you to implement these practices in your own Azure environment.
At the end of this post you will know how to implement the following scenario:
To make it more realistic for an enterprise setup here are a couple of design considerations that I consider worth…
One year after my last post on leveraging an Azure Firewall, I want to revisit the scenario since we just launched a couple of new features that finally allow you to build an AKS cluster that does not use or expose any public IPs. The end result should look like this, and this is a guide on how you build it in your Azure environment:
Update June 22nd: There have been a couple of updates and all required functionality is now GA and fully supported!
Update December 31st: This scenario is now fully compatible with Bring your own Managed Identity…
As mentioned in the official documentation, your AKS worker nodes will receive automatic unattended upgrades as configured in /etc/apt/apt.conf.d/50unattended-upgrades on each worker node.
Most of them will be installed automatically and can be applied without interruption — but some of these updates require you to reboot the node to complete. As of today Azure will NOT automatically reboot your machine. …
Every now and then we get the question of how to lock down the traffic going into and out of a Kubernetes cluster in Azure. One option that can be set up relatively easily but is not documented in detail is using the Azure Firewall (https://azure.microsoft.com/en-us/services/azure-firewall/).
My personal recommendation on this scenario is to use the firewall to diagnose and watch the network dependencies of your applications — which is why I am also documenting the services that are currently needed for AKS to run. If you turn on the rules to block outgoing traffic, you risk that your cluster breaks…
Global Blackbelt for cloud native applications at Microsoft, public speaker, community contributor. Opinions are mine - bring your own.