One of the top concerns I see from companies when architecting AKS is running out of IP addresses. This is commonly known as IP exhaustion. This concern would come up when selecting the network model for AKS specifically with Azure CNI.
Companies would lean towards Azure CNI at first but quickly opt for Kubenet. Azure CNI provides benefits on Azure. It has deeper integration between Kubernetes and Azure networking. With Azure CNI you don’t have to manually configure routing for traffic to flow from pods to other resources on Azure VNets. Pods get full network connectivity and can be reached via their private IP address. Supports Virtual Nodes (Azure Container Instances), it supports either Azure or Calico Network Policies and Windows containers. Azure CNI does however require more IP address space. The traditional Azure CNI assigns an IP address to every Pod from a subnet reserved for pods or pre-reserved set of IPs on every node. This method can lead to exhausting available IPs.
The alternative to Azure CNI with AKS is Kubenet. A lot of companies opt for Kubenet to avoid IP Exhaustion as it conserves IP address space. Kubenet assigns private IP addresses to pods. It does not have routing to Azure networking. In order to route from pods to Azure VNets you need to manually configure and manage user-defined routes (UDRs). With Kubenet a simple /24 IP CIDR range is able to support up to 251 nodes in an AKS cluster. This would give you support IPs for up to 27,610 pods (at 110 pods per node).
With Azure CNI the same /24 IP CIDR range would be able to support up to 8 nodes in the cluster supporting up to 240 pods (default max of 30 pods per node w/Azure CNI. Allocation of 31 IP address; 1 for the node + 30 for Pods.).
Here is a side by side breakdown of Kubenet and Azure CNI:
Capacity using ‘/24’ address range
251 nodes / 27,610 pods (110 pods / node)
8 nodes / 240 pods (30 pods / node)
Max nodes per cluster
400 (UDR max)
1,000 (or more)
NAT’ed / UDR /
Slightly greater (NAT hop)
Calico community support
Supported by Azure support and the Engineering team
Out of the Box Logging
/var/log/calico inside the container
Rules added/deleted in IPTables are logged on every host under /var/log/azure-npm.log
Best w/limited IP space Most pod comms within cluster UDR management is acceptable
Available IP space Most pod coms outside cluster No need to manage UDR Need advanced features
As you can see you can get a lot more pods on Kubenet and you will burn through a lot more IP’s with Azure CNI. One would think when using Azure CNI to just assign a large CIDR for the subnets like /16 instead of /24. This would work however most IT teams in the enterprise that are connecting AKS to existing networks don’t have that option based on the existing IP design and are stuck working with smaller IP address ranges they can use.
Microsoft has built a solution to the IP exhaustion problem. The solution is Azure CNI Overlay. Azure CNI Overlay for AKS has been around for a while but was recently released into public preview on 9/4/22. Azure CNI Overlay for AKS helps us avoid IP exhaustion with our AKS clusters. It does this by assigning using a private /24 IP CIDR range and assigning IPs from this for pods on every node.
After designing and architecting AKS the next step is to deploy your cluster/s. It is ideal to build your AKS deployments out as code.
This means taking your Azure infrastructure & AKS cluster/s design and scripting them as IaC (Infrastructure as Code). Scripting the AKS deployment vs manually deploying gives you documentation as code, standardization, & a templatized deployment for repeatability. You can deploy this code as is, place it in a pipeline for ease of deployment, in inner-source, or in a service catalog for access by multiple teams.
Microsoft has built a tool named the AKS Construction helper to accelerate building out your IaC for AKS. This tool is not as well-known as it should be. I wanted to blog about this tool to share this great resource that will save you tons of time. The AKS Construction helper was originally launched by Keith Howling of Microsoft. The core contributors to this tool have been Gordon Byers and Keith Howling with contributions from others as well.
The tool lets you select Operations Principles or Enterprise-Scale path for configuring the options.
This helps narrow down the overall design requirements of your AKS deployment.
The next section of the AKS Construction helper is to fine-tune your AKS deployment. This gives you the chance to tweak things like the cluster name, K8s version, resource group, region, to be created, IP and Cider, initial RBAC, SLA, autoscaling, upgrade configuration, cluster networking, add ons such as an ingress controller (App Gateway, NGINX, etc), monitoring such as Azure Monitor, Azure policy, service mesh, secret storage, Keda, GitOps with Flux, and even has a few options to deploy some sample apps. This is done across 5 tabs in the Fine tine and Deploy section.
After you have set all of the configurations for your cluster there is code available for you to copy on the Deploy tab. Again you have options for Az CLI, a Github Actions workflow, Terraform scripts or an ARM Template Parameters file. Running the deployment code will deploy your AKS cluster exactly how you have it configured in the AKS Construction helper tool.
NOTE:As with all of my blog posts the views and opinions on this post are my own and are not that of my employer.
The goal of this blog is to serve as Guidance on Microsoft AKS Enterprise Documentation.
Before joining Microsoft, I was in the F500/F100 consulting world. I was focused on Azure, DevOps, and Kubernetes. Many organizations had an interest in utilizing a managed Kubernetes service. This would often lead them to Azure Kubernetes Service (AKS). We spent time guiding organizations on how to get started with AKS including the design of the architecture, deployment, and operation of it.
Like with Azure and other platforms that have a lot of moving parts, AKS has many design areas that need to be covered as a part of the design and implementation. The core areas are:
IAM (Identity and access management)
Networking (topology, IP addressing, Ingress, load balancing, service mesh, Web App Firewall, etc.)
Management and Operations (monitoring, backup, DR, etc.)
Automation and DevOps (Orchestration, service discovery, Configuration, Autoscaling, CI/CD/GitOps, etc.)
These are in addition to the core but come into play with the apps that will run on top of Kubernetes:
In order to simplify Kubernetes projects, you can funnel them down to three phases; Design, Deploy, and Operate.
This is a lot of ground to cover on top of gaining a solid understanding of Kubernetes itself. Microsoft has created a set of resources that can simplify and accelerate the adoption of Kubernetes. This is a set of resources that help you build out landing zones for AKS and some for Azure. These resources live in the Azure Architecture Center (AAC). The AAC is where you get guidance for architecting solutions on Azure using established patterns and practices.
I highly recommend any team and organization that plans to adopt Kubernetes utilize these artifacts from Microsoft to help you along your journey. This will ensure your AKS clusters are enterprise ready. When starting with AKS it can be confusing when and in what order to use these resources.
Again, the goal of this blog post is to give you a guide on how to use these resources. I will list these resources here in order with a brief description of them, when to use them, and how to use them:
Part #1 is to start with architecting. You will need to start with designing your AKS architecture. There are several documents that can assist with this as you work through your AKS architecture design. You will want to start with the Baseline architecture for an Azure Kubernetes Service (AKS) document. This document is core for designing AKS, however, there are some additional AKS documents that you will want to utilize in addition to the Baseline architecture for an Azure Kubernetes Service (AKS). These additional documents will depend on your organization’s specific use case.
Baseline architecture for an Azure Kubernetes Service (AKS) cluster
What it is:
The AKS baseline gives you detailed recommendations for networking, security, identity, management, and monitoring of AKS clusters. This baseline takes you through all the needed facets of AKS to come up with a plan for implementing AKS across your enterprise. The final result will be based on your organization’s business requirements.
How to use it:
This document will take you through 6 core areas divided up into sections with sub-sections.
You will start with your networking and work your way through the sections finishing off with operations.
This document has a Visio file of the AKS architecture you can download to get you started. You can download this right away and build it out with specifics to your needs as you work through this document. In fact, there are multiple Visio templates you can download to help.
A common area that folks really struggle with when getting started with AKS is planning the IP addresses. Teams need help deciding to use Kubenet or Azure CNI for the networking model. You cannot change this on an AKS cluster after it is deployed so you have to make this decision upfront. The only way to go from one networking model to another is to deploy a new cluster. Admins often worry about IP exhaustion when utilizing Azure CNI. There is a Visio and another sub-doc to help with all of this within the IP Address section. It has a link to this: repo (https://github.com/mspnp/aks-baseline/blob/main/networking/topology.md) that has a markdown file that has a table to help with planning your subnets for AKS and this document that helps you determine to go with Kubenet or Azure CNI as well as critical information on each model type and IPs.
This document also covers GitOps, multi-tenancy, and cost management with AKS.
The next four documents I am going to mention fit different scenarios so you may or may not need them. I will call out in the “How to use it” sections below each reference.
AKS Secure Baseline with Private Cluster
What it is:
This document helps you deploy a secure AKS cluster, compliant with Enterprise-Scale for AKS guidance and best practices. This document also contains links to reference scripts for deploying a private AKS cluster.
How to use it:
In practice in the real world, you will want to deploy a private AKS cluster 99% of the time. There needs to be a very solid reason not to. By doing this alone you will greatly improve the security posture of your AKS cluster. By default, when you deploy AKS the API server is accessible via a public IP. Deploying a private AKS cluster makes the AKS API Server private and only accessible on the Azure or when connected to your Azure VNet that the private cluster is on i.e. if you are connected via ExpressRoute. I would recommend you plan to deploy your clusters as private and utilize this document right along the baseline document when designing your AKS architecture.
This reference architecture details how to run multiple instances of an Azure Kubernetes Service (AKS) cluster across multiple regions in an active/active and highly available configuration.
How to use it:
If you need multi-region AKS clusters with greater high availability then this is a document you will want to look at to guide you with this. If you don’t need multi-region-based clusters skip this document.
Microsoft has built a 9-part series of articles to help when organizations need to run PCI workloads on AKS. Below are the first 3 of those articles as this is where you start. You will want to reference all 9 parts of the series though.
Introduction of an AKS regulated cluster for PCI-DSS 3.2.1 – This reference architecture describes the considerations for an Azure Kubernetes Service (AKS) cluster designed to run a sensitive workload. The guidance is tied to the regulatory requirements of the Payment Card Industry Data Security Standard (PCI-DSS 3.2.1).
Architecture of an AKS regulated cluster for PCI-DSS 3.2.1 – This article describes a reference architecture for an Azure Kubernetes Service (AKS) cluster that runs a workload in compliance with the Payment Card Industry Data Security Standard (PCI-DSS 3.2.1). This architecture is focused on the infrastructure and not the PCI-DSS 3.2.1 workload.
Configure networking of an AKS regulated cluster for PCI-DSS 3.2.1 – This article describes the networking considerations for an Azure Kubernetes Service (AKS) cluster that’s configured in accordance with the Payment Card Industry Data Security Standard (PCI-DSS 3.2.1).
How to use it:
If your organization plans to run any workloads that need PCI compliance on AKS then you will want to check out this document and utilize it when designing for your AKS clusters. It gets into topics such as TLS, DDoS protection, pop-to-pod security, and more.
Advanced Azure Kubernetes Service (AKS) microservices architecture
What it is:
This reference architecture details several configurations to consider when running microservices on Azure Kubernetes Services. Topics include configuring network policies, pod autoscaling, and distributed tracing across a microservice-based application.
How to use it:
The chances are high that you will be running microservice-based workloads on your AKS cluster. Utilize this document in your design process to ensure your architecture is ready to handle microservices-based workloads. It also includes a Visio file to help you get started.
Part #2 is to deploy the architecture you designed. The best option for deploying Azure infrastructure and AKS clusters is to script it as IaC (Infrastructure as Code). Scripting the deployment vs manually deploying allows you to have documentation via code, standardization, and a templatized deployment for repeatability. You can take this code and place it in a pipeline for ease of deployment, in a service catalog for access to teams across your org, or as an inner source for use among DevOps teams.
Microsoft has built something called the AKS Landin Zone Accelerator as a starting point to use for building out your IaC for AKS. The idea is that you can utilize the Azure Kubernetes Service (AKS) Baseline documentation as a reference when designing your AKS and use the AKS Landing Zone Accelerator to deploy. Now your architecture should be based on the AKS baseline with some modifications to fit your specific needs. The AKS Landing Zone Accelerator may need to be modified to fit your specific needs as well. As long as your architecture is based on the AKS Baseline then you should not have to make a ton of modifications to the AKS Landing Zone Accelerator code. In fact, 80% or more of the work should be done for you already when utilizing the AKS Landing Zone Accelerator IaC code.
The AKS Landing Zone Accelerator contains IaC code for both bicep and terraform. It also has instructions on how to deploy the AKS Baseline using either of the two languages.
Today Pierre Roman (@wiredcanuck) Senior Cloud Advocate of Microsoft & myself (@buchatech) streamed “Introduction to Azure Arc enabled Kubernetes” on Learn Live. Here is what we covered in this session:
In this session, showed you how Azure Arc enabled Kubernetes clusters can help customers like Contoso to optimize and simplify their operations. Here are the Learning objectives we covered:
Describe Kubernetes, Azure Arc, and Azure Arc-enabled Kubernetes.
Connect Kubernetes clusters to Azure Arc.
Manage Azure Arc enabled Kubernetes clusters by using GitOps.
Integrate Azure Arc enabled Kubernetes cluster with Azure services like Azure Monitor and Azure Policy.
If you missed it don’t worry. 🙂 You can watch the playback on the Microsoft Developer YouTube channel here:
You can check out more Learn Live episodes on the:
My session will be with my friend and co-author of my latest book John Joyner.
Here are the session details:
Azure Arc: Extending Hyperscale Cloud Management to Your Datacenter
Learn about Microsoft’s Azure Arc service, a new multi-cloud management platform that belongs in every cloud or DevOps estate. The premise of Azure Arc is compelling: why not extend familiar management tools proven in Azure to on-premise and other cloud networks? A practical scenario-based tour will get you up to speed quickly, with instruction and demos that are heavy with hands-on experience. If your organization has resources across the hybrid cloud, multi-cloud, and edge environments, then this session is for you. You will learn how to configure and use Azure Arc to uniformly manage workloads across all of these environments.
What you will learn:
Introduces the basics of hybrid, multi-cloud, and edge computing and how Azure Arc fits into that IT strategy
Insights into Azure native management tooling for managing on-premises servers and extending to other clouds
Detail an end-to-end hybrid server monitoring scenario leveraging Azure Monitor and/or Microsoft Sentinel that is seamlessly delivered by Azure Arc
Define a blueprint to achieve regulatory compliance with industry standards using Azure Arc, delivering Azure Policy from Microsoft Defender for Cloud
Are you thinking about starting the cloud journey, or are you an experienced cloud engineer already? Come join this interactive session where we will talk all things cloud! We will have a round-table discussion about what resources are available, where to find them, and which ones are better than others. Talk with experienced cloud architects about the mistakes they’ve seen and how to avoid them. Come listen to stories, enjoy a few drinks, and have a great time talking about the cloud movement.
What you will learn:
How to begin your cloud adoption journey
What resources are available to start your migration process, and how to find them
This session will be an open format Q&A. Come ask your burning questions in front of a live audience and get real-time feedback from cloud MVP’s and SME’s. No question too hard, no topic off-limits. Wanted to know why something was built the way it was? Want to know how to accomplish something you’ve been working on for months? Have a general question about Azure in general? Come, listen, ask.
I was a guest on Tech Talk with Kazeem again! The topic of discussion was Azure Arc Enabled Kubernetes for Beginners.
@KazeemCanTeach & @buchatech
@buchatech Azure Arc K8s book with O’Reilly
In the discussion with me and Microsoft MVP Kazeem Adegboyega, we talked about Azure Stack, AKS, Azure Arc: K8s, and GitOps! We talked about each technology and when to use them for what purpose and more.
I am giving a talk for the Data on Kubernetes Community (DoKC) Community next week. They are a user group like community that focuses on how to build and operate data-centric applications on Kubernetes. Be sure to check them out! The DoK website is: https://dok.community.
My talk is titled: “Running Stateful Apps in Kubernetes Made Simple“
ABSTRACT OF THE TALK
Eventually, the time will come to run a stateful app in Kubernetes. This can be a scary thing adding more moving parts to a Kubernetes cluster and deploying as well as managing your app on Kubernetes when it requires state.
In this talk, Steve Buchanan will take you through a journey of understanding how storage works in Kubernetes, how to Persistent state with pods, what storage options are available with Azure Kubernetes Service, best practices, and a demo of deploying a stateful app to AKS.
In the demo, I will show how to deploy stateful Worpress & Jenkins workloads on Azure Kubernetes Service using the GitOps model with Argo CD.
KEY TAKE-AWAYS FROM THE TALK
Overview of Storage in Kubernetes covering Storage Classes, Persistent Volumes, & Persistent Volume Claims. Overview of Azure Storage, Best Practices to running stateful apps in Kubernetes.
This was a fun podcast with Jez Ward, and Dave Chapman of Cloudreach. They run a podcast called Cloudbusting. On the podcast they focus on transformation, leadership, ways of working and emerging technology they explore the significant impact that cloud is having on people and businesses.
On this podcast episode, we set out to answer very important questions such as what are Jucy Lucy’s?, what are root Canals like today? oh, and yeah we also spend some time talking about what Containers, Kubernetes, & GitOps are and how they fit in the cloud.