Azure Kubernetes Service (AKS) Fabrikam Drone Delivery
The AKS Fabrikam Drone Delivery project is an expertly designed reference implementation showcasing best practices for building and operating a microservices architecture using Microsoft Azure. This project is developed on top of the AKS Secure Baseline, which is a recommended foundational infrastructure architecture for setting up an Azure Kubernetes Service (AKS) cluster.
Enhancing the AKS Secure Baseline
The AKS Fabrikam Drone Delivery extends and enriches the core functionalities of the AKS Secure Baseline. The table below outlines how this project adds significant features to the existing baseline infrastructure:
| Feature | AKS Secure Baseline | AKS Fabrikam Drone Delivery |
|---|---|---|
| Egress Restriction Using Azure Firewall | ✅ | ✅ |
| Ingress Controller | ✅ | ✅ |
| Microsoft Entra Workload ID | ✅ | ✅ |
| Resource Limits | ✅ | ✅ |
| Infrastructure Aspects | ✅ | ✅ |
| Zero Trust Network Policies | ❌ | ✅ |
| Horizontal Pod Autoscaling | ❌ | ✅ |
| Cluster Autoscaling | ❌ | ✅ |
| Readiness/Liveness Probes | ❌ | ✅ |
| Helm Charts | ❌ | ✅ |
| Distributed Monitoring | ❌ | ✅ |
The AKS Fabrikam Drone Delivery project not only focuses on enhancing the workload but also expands infrastructure capabilities by integrating additional features like zero trust policies, autoscaling, and Helm charts, making it ideal for organizations seeking a comprehensive solution.
Azure Architecture Center Guidance
This project is complemented by a series of articles from the Azure Architecture Center that delve into challenges, design patterns, and best practices for securing an AKS cluster. Some key resources include:
- Designing, building, and operating microservices on Azure using Kubernetes.
- Explaining microservices architecture on AKS.
- Details on the AKS Baseline Cluster.
Architecture
The AKS Fabrikam Drone Delivery architecture integrates numerous Azure services to facilitate distributed tracing, messaging, and storage for workloads. By implementing native Kubernetes features such as auto-scaling, probes, and network policies, this architecture serves as both a starting point and guide for deploying advanced workloads in pre-production and production environments.
One notable change is using Azure Application Gateway Ingress Controller instead of Traefik, providing added security and functionality.
The Scenario: Fabrikam Drone Delivery
Fabrikam, Inc., a fictional company initiating a drone delivery service, chose to base its solution on the AKS Secure Baseline. With a fleet of drones, they offer a service where businesses can register, and users can schedule drone pickups for deliveries. As part of the process, customers receive notifications about the estimated delivery time and can track their delivery in progress through a backend system.
Core Architecture Components
Azure Platform Components
- AKS v1.28:
- System and user node pool separation.
- AKS-managed Microsoft Entra ID.
- Managed identities and Azure CNI.
- Azure Monitor for containers.
- Other Services:
- Azure Virtual Networks (hub-spoke).
- Azure Application Gateway (WAF).
- AKS-managed Internal Load Balancers.
- Azure Firewall.
- Azure Service Bus, CosmosDb, MongoDb, and Redis Cache.
In-Cluster Open Source Software Components
- Flux GitOps Operator.
- Azure Application Gateway Ingress Controller.
- Microsoft Entra Workload ID.
- Azure KeyVault Secret Store CSI Provider.
- Kured for node updates.
Deploying the Reference Implementation
To successfully deploy the reference implementation, one should follow these steps:
- Install Prerequisites - Ensure all necessary software and tools are installed.
- Obtain TLS Certificates - Acquire the required certificates for client-facing and AKS Ingress Controller.
- Plan Microsoft Entra Integration - Strategize how Microsoft Entra will be integrated.
- Build the Hub-Spoke Network - Set up the network architecture.
- Deploy the AKS Cluster - Implement the AKS cluster and its supporting services.
- Manage with GitOps - Use GitOps for cluster management.
- Prepare Workload Prerequisites - Address necessary workload setups.
- Configure Ingress and Secret Management - Integrate AKS Ingress Controller with Azure Key Vault.
- Deploy the Workload - Implement the specific workloads on the AKS cluster.
- Validation - Conduct end-to-end checks.
- Cleanup - Properly close out and clean up resources.
Next Steps
It's important to note that this reference implementation does not cover every possible scenario. For more detailed scenarios and advanced topics, one should explore the full range of resources available within the AKS Secure Baseline documentation.
This project is a collaboration by Microsoft's Patterns & Practices team, offering invaluable insights and guidance for anyone embarking on, or enhancing their journey with, Azure-based microservices architectures.