Design 22: AKS Basic (Kubernetes)

Summary

This design deploys a Basic Azure Kubernetes Service (AKS) cluster.

Topology: The AKS cluster is deployed in a Spoke VNet. It is peered to the Hub VNet so that CI/CD agents and Admins can access the private API server (if private) or internal services.

1. Key Design Decisions (ADR)

ADR-01: Network Plugin

  • Decision: Use Azure CNI.
  • Rationale: Pods get real VNet IP addresses, so they can talk directly to other VNet resources (like SQL Private Link) without NAT.

ADR-02: Ingress

  • Decision: Use Web App Routing (Nginx) or App Gateway.
  • Rationale: We need an Ingress Controller to expose services. For "Basic", we'll use a simple Load Balancer Ingress.

2. High-Level Design (HLD)

+--------------+           +--------------------------+           +--------------+
|  Internet    |           |        HUB VNet          |           |  SPOKE VNet  |
|              |           |      (Container Reg)     |           |              |
|              |           |                          |           |              |
+------+-------+           +------------+-------------+           +------+-------+
       |                                |                                |
       v                                | (Peering)                      |
+------+-------+                        v                                v
|  Load        |           +------------+-------------+           +------+-------+
|  Balancer    |<----------| ACR (Docker Images)      |---------->|  AKS Cluster |
|  (Public)    |           | (Private Endpoint)       |           |  (Nodes)     |
+------+-------+           +--------------------------+           +------+-------+
       |                                                                 ^
       +-------------------------(Traffic)-------------------------------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | Azure Container Reg   |                                           |
|   | (ACR)                 |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Peering)                                             |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-aks-spoke (10.1.0.0/16)                              |
|   +---------------------------------------------------------------+   |
|   | Subnet: snet-aks-nodes (10.1.1.0/24)                          |   |
|   | [VMSS Nodes]                                                  |   |
|   |  - Pod A (10.1.1.5)                                           |   |
|   |  - Pod B (10.1.1.6)                                           |   |
|   +---------------------------------------------------------------+   |
+---------------|-------------------------------------------------------+
                |
                | (GitOps / Flux)
                v
+-----------------------------------------------------------------------+
| SECONDARY REGION (West US) - DR Site                                  |
|                                                                       |
|   +-----------------------+       +-----------------------+           |
|   | AKS Cluster (Standby) |       | ACR Replica           |           |
|   | (Min Node Count: 1)   |       | (Geo-Replicated)      |           |
|   +-----------------------+       +-----------------------+           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • ACR (Registry): Stores Docker images. Shared across all clusters.
  • Node Pool: The VMs that run the containers.

5. Strategy: High Availability (HA)

  • Cluster: Use Availability Zones for the System Node Pool.
  • App: Run at least 2 Replicas of your Pods with podAntiAffinity.
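Added example (not part of the original design document) of the HA rule above as a Deployment manifest: 2 replicas, a hard podAntiAffinity rule so no two replicas share a node, a zone spread across the three zones the runbook enables, and a PodDisruptionBudget so a node drain cannot take both replicas down at once. The app name "web", the image tag and the port are assumptions.

```yaml
# Added example, not part of the original design document.
# Assumes an app named "web" whose image is in the shared ACR.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 2                      # HA rule: at least 2 replicas
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      affinity:
        podAntiAffinity:
          # Hard rule: never co-locate two "web" pods on the same node,
          # so a single VM failure cannot take the whole app down.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: web
              topologyKey: kubernetes.io/hostname
      topologySpreadConstraints:
        # Soft rule: spread replicas across the zones the node pool
        # was created in (Zone 1, 2, 3 in the runbook).
        - maxSkew: 1
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: ScheduleAnyway
          labelSelector:
            matchLabels:
              app: web
      containers:
        - name: web
          image: "acrsharedcorp[uniqueid].azurecr.io/web:1.0"  # placeholder tag
          ports:
            - containerPort: 8080
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: web-pdb
spec:
  minAvailable: 1      # node drains (upgrades, autoscaler scale-in) keep 1 pod up
  selector:
    matchLabels:
      app: web
```

Apply with kubectl apply -f and confirm with kubectl get pods -o wide that the two pods land on different nodes (and, with three zones, different zones).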

6. Strategy: Disaster Recovery (DR)

  • Implementation: Blue/Green Clusters.
  • Process:

* Maintain a secondary cluster in West US.

* Use GitOps (Flux/ArgoCD) to deploy the *same* manifests to both clusters.

* Use Traffic Manager to route to West US if East US fails.

7. Strategy: Backup

  • State: Backup Persistent Volumes (PVs) using Velero or Azure Backup for AKS.
  • Config: Git is the backup for configuration.

8. Strategy: Security

  • RBAC: Integrate AKS with Entra ID (Azure AD). Admins log in with their corporate email.
  • Secrets: Use Azure Key Vault Provider for Secrets Store CSI Driver (don't store secrets in YAML).
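Added example (not part of the original design document) of the Secrets rule above: a SecretProviderClass that pulls a Key Vault secret through the Secrets Store CSI Driver and a Pod that mounts it as a file instead of carrying it in YAML. The Key Vault name kv-design22, the secret name db-password, the workload identity (client ID and tenant ID placeholders) and the image tag are assumptions; the cluster is assumed to have the Key Vault CSI add-on and workload identity enabled.

```yaml
# Added example, not part of the original design document.
# Assumes Key Vault "kv-design22" holding secret "db-password", a user-assigned
# identity (<CLIENT_ID>), and a cluster with workload identity + Key Vault CSI add-on.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: kv-db-secrets
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    clientID: "<CLIENT_ID>"            # placeholder: managed identity client ID
    keyvaultName: "kv-design22"
    tenantId: "<TENANT_ID>"            # placeholder
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: web-sa
  annotations:
    azure.workload.identity/client-id: "<CLIENT_ID>"   # same identity as above
---
apiVersion: v1
kind: Pod
metadata:
  name: web
  labels:
    azure.workload.identity/use: "true"   # lets the CSI driver use the identity
spec:
  serviceAccountName: web-sa
  containers:
    - name: web
      image: "acrsharedcorp[uniqueid].azurecr.io/web:1.0"   # placeholder tag
      volumeMounts:
        - name: kv-secrets
          mountPath: /mnt/secrets   # secret appears as /mnt/secrets/db-password
          readOnly: true
  volumes:
    - name: kv-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: kv-db-secrets
```

The identity named in clientID needs get permission on secrets in the vault; the manifest itself never contains the secret value, so it is safe to keep in Git alongside the other GitOps manifests.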

9. Well-Architected Framework Analysis

  • Reliability: High. Self-healing (k8s restarts crashed pods).
  • Security: High.
  • Cost Optimization: Medium. You pay for the VMs. Use Spot Instances for Dev/Test.
  • Operational Excellence: High. GitOps enabled.
  • Performance Efficiency: High.

10. Detailed Traffic Flow

1. User: Hits Public IP of Load Balancer.

2. LB: Routes to a Node (VM).

3. Kube-Proxy: Routes to the Pod IP (10.1.1.5).

4. Pod: Processes the request. (The Pod can only start once its container image is present on the node; see step 5.)

5. Pull: Node pulls image from ACR (via Hub Peering).

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create Spoke VNet

1. Search: "Virtual networks" -> + Create.

2. Resource Group: Create rg-design22-aks.

3. Name: vnet-aks-spoke.

4. Region: East US.

5. IP Addresses: 10.1.0.0/16.

6. Subnets:

* snet-aks-nodes: 10.1.0.0/22 (1024 IPs; with Azure CNI every Pod takes a VNet IP, so the subnet needs room).

7. Create.

Phase 2: Peer to Hub

1. Go to vnet-aks-spoke -> Peerings -> + Add.

2. Remote VNet: Select vnet-hub.

3. Allow gateway transit: Uncheck (unless Hub has VPN).

4. Add.

Phase 3: Create ACR (in Hub or Shared RG)

1. Search: "Container registries" -> + Create.

2. Resource Group: rg-hub-shared.

3. Registry name: acrsharedcorp[uniqueid].

4. SKU: Standard.

5. Create.

Phase 4: Create AKS Cluster

1. Search: "Kubernetes services" -> + Create.

2. Basics:

* Resource Group: rg-design22-aks.

* Cluster preset configuration: Standard ($).

* Kubernetes cluster name: aks-prod.

* Region: East US.

* Availability zones: Zone 1, 2, 3.

* API server availability: 99.5%.

3. Node pools:

* agentpool:

* Node size: Standard_DS2_v2.

* Scale method: Autoscale.

* Node count range: 1 to 3.

4. Networking:

* Network configuration: Azure CNI Node Subnet.

* Virtual network: vnet-aks-spoke.

* Cluster subnet: snet-aks-nodes.

* DNS name prefix: aks-prod-dns.

5. Integrations:

* Container registry: Select acrsharedcorp[uniqueid]. (This grants AcrPull role).

6. Review + create -> Create. (Takes 10-15 mins).

Phase 5: Verify

1. Once created, click Connect (Top bar).

2. Open Cloud Shell (Bash).

3. Run the commands shown:

* az account set --subscription ...

* az aks get-credentials --resource-group rg-design22-aks --name aks-prod

4. Run: kubectl get nodes.

* You should see the nodes in Ready state.

5. Run: kubectl run nginx --image=nginx.

6. Run: kubectl get pods -o wide.

* Note the IP address. It should be in 10.1.x.x range (VNet IP).
