Author : MD TAREQ HASSAN | Updated : 2021/04/15
Be Aware of Managed Load Balancer
- Depending on the options selected during AKS creation:
  - A (managed) load balancer will be provisioned
  - Availability zone feature -> requires “vm scale set” -> requires “load balancer”
- Load Balancer routes and balances traffic to the AKS cluster
- Load Balancer acts as the entry point to the AKS cluster (it has a public IP address)
Although the Managed Load Balancer has a public IP and is therefore exposed to the internet, the AKS cluster is protected by Kubernetes RBAC (and Azure AD RBAC, if enabled)
Secure Access to API Server Using Authorized IP Address Ranges
- To secure access to the publicly accessible AKS control plane / API server, you can enable and use authorized IP ranges
- These authorized IP ranges only allow defined IP address ranges to communicate with the API server
- A request made to the API server from an IP address that is not part of these authorized IP ranges is blocked
Set authorized IP ranges
- Azure portal > Resource Group > AKS
- Settings: Networking > (Security section) Set authorized IP ranges
- Specify IP ranges
See: Secure access to the API server using authorized IP address ranges
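A pre-flight check for the authorized IP range list described above, added here as an example (it is not part of the original notes or of Azure's tooling): it rejects malformed CIDRs, flags 0.0.0.0/0 and overly broad prefixes, merges overlapping ranges, and confirms the list still covers the address kubectl is run from, so applying it does not lock the operator out. The sample ranges, operator IP, resource group and cluster names are constructed, the /16 threshold is a hypothetical local policy, and `--api-server-authorized-ip-ranges` is the real `az aks update` flag that sets these ranges.

```python
import ipaddress

# Constructed sample allowlist: an office /24, a subnet already inside it,
# a single CI runner host, and one range far broader than any office needs.
SAMPLE_RANGES = ["203.0.113.0/24", "203.0.113.64/26", "198.51.100.7/32", "10.0.0.0/8"]
# Constructed: the public IP the operator runs kubectl from.
OPERATOR_IP = "203.0.113.42"
# Hypothetical local policy: anything broader than this prefix is flagged for review.
MIN_PREFIX_LEN = 16


def check_authorized_ranges(ranges, operator_ip, min_prefix_len=MIN_PREFIX_LEN):
    """Return (ok, findings, normalized): ok is True only when findings is empty,
    normalized is the deduplicated, overlap-free CIDR list to actually apply."""
    findings, networks = [], []
    for raw in ranges:
        try:
            # strict=True rejects entries with host bits set (e.g. 203.0.113.5/24),
            # which are easy to mistype and hide what is really being allowed.
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError as exc:
            findings.append(f"{raw}: not a valid CIDR ({exc})")
            continue
        if net.version != 4:
            findings.append(f"{raw}: only IPv4 ranges are handled here")
            continue
        if net.prefixlen == 0:
            findings.append(f"{raw}: allows every address, which defeats the feature")
        elif net.prefixlen < min_prefix_len:
            findings.append(f"{raw}: broader than /{min_prefix_len}, review before applying")
        networks.append(net)
    # Merge overlapping and adjacent ranges so the applied list stays minimal.
    collapsed = list(ipaddress.collapse_addresses(networks))
    # Lockout check: the list must still cover the address kubectl is run from.
    operator = ipaddress.ip_address(operator_ip)
    if not any(operator in net for net in collapsed):
        findings.append(f"operator IP {operator_ip} is not covered: this list would lock you out")
    return (not findings, findings, [str(net) for net in collapsed])


def build_az_update_command(resource_group, cluster_name, normalized):
    """argv for applying the list with the Azure CLI; the flag name is the real az flag."""
    return ["az", "aks", "update", "--resource-group", resource_group, "--name", cluster_name,
            "--api-server-authorized-ip-ranges", ",".join(normalized)]


if __name__ == "__main__":
    ok, findings, normalized = check_authorized_ranges(SAMPLE_RANGES, OPERATOR_IP)
    print("\n".join(findings) or "no findings")
    print(" ".join(build_az_update_command("my-rg", "my-aks", normalized)))
```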
Create Namespace
Using YAML (deployment / resource definition)
- Azure Portal > Resource Group > AKS
- Kubernetes resources: Namespaces > Add
- YAML code (write or paste) > Add
apiVersion: v1
kind: Namespace
metadata:
  name: xyz
  labels:
    name: xyz
kubectl command:
kubectl create namespace xyz
Set Autoscaling
- Azure Portal > Resource Group > AKS
- Settings: Node pools > Select node pool > Scale
- Scale method: Autoscale > Node count range: 0~n
- Apply
Set Admin Azure AD Groups
- Azure Portal > Resource Group > AKS
- Settings: Cluster configuration > Edit Azure AD groups
Create Load Balancer
- Inbound, external traffic flows from the load balancer to the virtual network for your AKS cluster
- The virtual network has a Network Security Group (NSG) which allows all inbound traffic from the load balancer. This NSG uses a service tag of type LoadBalancer to allow traffic from the load balancer
- Types:
  - Public Load Balancer:
    - for Layer 4 (of the OSI model) traffic
    - non-HTTP traffic (HTTP traffic -> ingress controller)
  - Internal (or private) Load Balancer:
    - Only private IPs are allowed as frontend
    - Internal load balancers are used to load balance traffic inside a virtual network
    - A load balancer frontend can also be accessed from an on-premises network in a hybrid scenario
- Public Load Balancer:
  A public Load Balancer, when integrated with AKS, serves two purposes:
  - To provide outbound connections to the cluster nodes inside the AKS virtual network. It achieves this by translating the nodes' private IP addresses to a public IP address that is part of its Outbound Pool
  - To provide access to applications via Kubernetes services of type LoadBalancer. With it, you can easily scale your applications and create highly available services
public-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: public-svc
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: public-app
Create a public Service of type LoadBalancer:
kubectl apply -f public-svc.yaml
kubectl get service public-svc
See:
- https://docs.microsoft.com/en-us/azure/aks/internal-lb
- https://docs.microsoft.com/en-us/azure/aks/load-balancer-standard
Enable Ingress Controller for HTTP Traffic
- Azure Portal > Resource Group > AKS
- Settings: Networking > Application Gateway ingress controller (AGIC): Enable ingress controller
- Select existing AGIC or create new
- Save
See: