Set up Azure Kubernetes Service (AKS) with Advanced Networking & Application Routing
Kubernetes is an open-source system for orchestrating containerised applications. It builds on more than a decade of experience running workloads at Google, combined with practices from the community.
This blog post demonstrates how to get started with Advanced Networking (Azure CNI) and AKS in Azure. Along the way we create the following Azure artefacts:
- Azure AD Application (Service Principal)
- Azure VNet (Virtual Network)
- Azure Subnet, with the Service Principal granted access to it
- Azure Log Analytics (Optional)
- Azure Kubernetes Service (AKS)
In this post the Azure Portal is the primary tool for creating and provisioning Azure resources. For production and more serious implementations, I would recommend ARM templates and automation for provisioning and configuring these artefacts.
Create Azure AD Application & Service Principal
The term “Application” can be misleading in this context: Azure Kubernetes Service (AKS) is a managed service, and the Kubernetes master (control plane) is the only intended consumer of the Service Principal created here. Do not share this Service Principal with other Azure applications; a dedicated identity keeps the blast radius of a leaked key limited to what the cluster itself is allowed to do. The Azure Portal can create a Service Principal implicitly as part of the Kubernetes deployment, but I would not recommend that as good practice, because you then have less control over its name, scope and key lifetime.
Create Service Principal
Create a new Application Registration
Azure Portal > Active Directory (Instance) > App registration > New application registration. Note that the application type is set to Web app / API; the Sign-on URL is only required by the form and has no function in this context.
Create a Service Principal Token (or Key)
Once the application is created, go to Application > Settings > Keys to create a new key for the Kubernetes master to use when managing the underlying Azure infrastructure for AKS. Keep the Application ID and Key safe: the key is shown only once, and it grants everything the Service Principal is allowed to do. You will need both while configuring Azure Kubernetes Service.
Create Azure Virtual Network (VNet)
Microsoft has an excellent step-by-step guide for creating an Azure Virtual Network. I would recommend planning and validating your AKS network topology and CIDR ranges up front: the subnet (CIDR range) used to configure AKS must not overlap with the internal Kubernetes CIDR ranges (the service address range and the Docker bridge), because with Advanced Networking every node and every pod receives an IP address from that subnet. In my case, I have used the following configuration.
- Azure Virtual Network CIDR: 10.0.0.0/16
- Azure AKS Subnet CIDR: 10.0.0.0/24
- Kubernetes Service Address CIDR: 10.100.0.0/16
- Kubernetes DNS Service IP Address: 10.100.0.10
- Docker Bridge CIDR: 172.17.0.1/16
Please refer to Microsoft's step-by-step guide for creating a virtual network using the Azure portal, and to the Kubernetes networking documentation. I will preferably come up with a separate blog post on the topic of Enterprise Networks with Kubernetes and Azure Kubernetes Service.
Add Service Principal to the Subnet
The Kubernetes master needs permission (Owner, in this walkthrough) on the subnet so that it can manage the underlying network configuration transparently. Go to Azure Portal > Virtual Networks > [Select Your VNet] > Subnets > [Select Your Subnet] > Users > Add (+), and add the previously created Service Principal to the Azure Subnet with the Owner role. Owner is broader than AKS actually needs: the Network Contributor role on the subnet (or on the VNet) is sufficient for the cluster to join the network, and is the least-privilege choice for production.
Create Azure Kubernetes Service (AKS) in Azure Portal
You can create an AKS cluster using the Azure CLI or the Azure Portal. For this article, we use the Azure Portal.
Create AKS Cluster (Basic)
The Azure Portal is self-explanatory and will be very easy for anyone with some prior familiarity. Make sure that you configure the service principal with the Client ID (Application ID) and Client Secret (Key) created earlier.
Create AKS Cluster (Networking)
The next configuration step is where everything we have created so far comes together. Enabling HTTP Application Routing creates a DNS Zone for your Kubernetes (AKS) setup. The DNS Zone is managed and updated transparently by the AKS master based on your deployment definitions, and you can map your own domain onto it with a CNAME record. The feature is not required for Advanced Networking with AKS, and Microsoft documents the add-on as a development and test convenience rather than a production ingress solution.
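To see what “updated based on deployment definitions” means in practice, here is an added example (not from the original post, and not Microsoft's own tooling) of the deployment side: an Ingress annotated for the add-on, with a host inside the zone AKS generated for the cluster. The add-on watches for that annotation and creates the matching record in the zone. The zone name is read from the cluster itself with az aks show rather than guessed; the application, resource group and cluster names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Renders an Ingress for the
# HTTP application routing add-on; the add-on creates <app>.<zone> in the
# DNS zone it owns. All names are assumptions.
set -eu

# The zone name is generated by AKS; read it from the cluster.
aks_routing_zone() {   # aks_routing_zone <resource-group> <cluster>
  az aks show --resource-group "$1" --name "$2" \
    --query addonProfiles.httpApplicationRouting.config.HTTPApplicationRoutingZoneName \
    -o tsv
}

# render_ingress <app> <zone> -> manifest on stdout. The annotation is what
# the add-on keys on; without it the Ingress is ignored and no record appears.
render_ingress() {
  app=$1; zone=$2
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: $app
  annotations:
    kubernetes.io/ingress.class: addon-http-application-routing
spec:
  rules:
  - host: $app.$zone
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: $app
            port:
              number: 80
EOF
}

# The hostname the add-on will publish; this is the target for a CNAME
# record in your own domain (e.g. www.example.com CNAME <app>.<zone>).
ingress_host() { render_ingress "$1" "$2" | sed -n 's/^ *- host: //p'; }

# Render and apply in one go: apply_ingress <resource-group> <cluster> <app>
apply_ingress() {
  render_ingress "$3" "$(aks_routing_zone "$1" "$2")" | kubectl apply -f -
}
```

Because the zone is cluster-specific, keep the CNAME in your own domain pointing at the generated hostname rather than at the ingress controller's IP, which changes when the cluster is recreated.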
Select Advanced Network Configuration to use an existing Azure Virtual Network and Subnet. Select the previously created VNet (10.0.0.0/16) and Subnet (10.0.0.0/24), then configure the Kubernetes Service Address Range (10.100.0.0/16), Kubernetes DNS Service IP (10.100.0.10) and Docker Bridge (172.17.0.1/16). You can choose these values according to your network topology, but they must not overlap with each other or with any network the VNet is peered or connected to, and the DNS Service IP must lie inside the service range without being its first address, which AKS reserves for the Kubernetes API service. Size the ranges based on your estimated number of Kubernetes pods and nodes; with Advanced Networking each node reserves IP addresses for its pods from the subnet, so the subnet is usually the range that runs out first.
Create AKS Cluster (Monitoring & Tags)
Configuring monitoring and tags is optional; if you are configuring a production or commercial environment, it is highly recommended to enable Azure Log Analytics (OMS) for the AKS instance, so that node and container logs and metrics are retained somewhere you can query during an incident.
Create AKS Cluster (Summary)
Verify the configuration and click create.
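The whole sequence above (a dedicated Service Principal, VNet and subnet, role assignment on the subnet, the AKS cluster with Advanced Networking, then credentials and a node check) can also be scripted with the Azure CLI, which is closer to the automation recommended for production. The following script is an added example written for this post; it is not part of the original and not Microsoft tooling. It first validates the address-plan rules the portal form does not check for you (subnet inside the VNet, service range and Docker bridge disjoint from the VNet, DNS service IP inside the service range and not its reserved first address), then runs the portal steps with the post's values. The resource group, region, resource names and node count are assumptions, it assigns Network Contributor on the subnet instead of Owner, and it does nothing to your subscription unless AKS_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post): validate the AKS address plan,
# then run the Azure CLI equivalent of the portal steps. Dry run by default.
set -eu

# Address plan from the post. The subnet must sit inside the VNet; the service
# range and Docker bridge must not overlap the VNet, because with Azure CNI
# every node and pod gets an IP from the subnet.
VNET_CIDR="10.0.0.0/16"
AKS_SUBNET_CIDR="10.0.0.0/24"
SERVICE_CIDR="10.100.0.0/16"
DNS_SERVICE_IP="10.100.0.10"
DOCKER_BRIDGE_CIDR="172.17.0.1/16"

# Assumed names; change for your environment.
RG="${RG:-aks-demo-rg}"; LOCATION="${LOCATION:-westeurope}"
VNET="aks-vnet"; SUBNET="aks-subnet"; CLUSTER="aks-demo"; SP_NAME="aks-demo-sp"

ip4_to_int() {                       # 10.0.0.0 -> 167772160
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
cidr_network() {                     # A/n -> integer network address of A/n
  _mask=$(( (1 << 32) - (1 << (32 - ${1#*/})) ))
  echo $(( $(ip4_to_int "${1%/*}") & _mask ))
}
cidr_overlaps() {                    # A/n B/m -> true if they share an address
  _len=${1#*/}; [ "${2#*/}" -lt "$_len" ] && _len=${2#*/}
  # two ranges overlap iff they agree on the first min(n,m) bits
  [ "$(cidr_network "${1%/*}/$_len")" -eq "$(cidr_network "${2%/*}/$_len")" ]
}
cidr_within() {                      # A/n B/m -> true if A/n lies inside B/m
  [ "${1#*/}" -ge "${2#*/}" ] && cidr_overlaps "$1" "$2"
}

validate_ranges() {                  # <vnet> <subnet> <service> <dns-ip> <bridge>
  cidr_within "$2" "$1" || { echo "subnet $2 is not inside VNet $1" >&2; return 1; }
  cidr_overlaps "$3" "$1" && { echo "service range $3 overlaps VNet $1" >&2; return 1; }
  { cidr_overlaps "$5" "$1" || cidr_overlaps "$5" "$3"; } \
    && { echo "docker bridge $5 overlaps the VNet or service range" >&2; return 1; }
  cidr_within "$4/32" "$3" || { echo "DNS IP $4 is outside service range $3" >&2; return 1; }
  # AKS reserves the first usable address (.1) of the service range for the
  # kubernetes API service, and the network address itself is not usable.
  _dns=$(ip4_to_int "$4"); _net=$(cidr_network "$3")
  [ "$_dns" -gt $(( _net + 1 )) ] || { echo "DNS IP $4 must not be the first address of $3" >&2; return 1; }
}

provision() {
  validate_ranges "$VNET_CIDR" "$AKS_SUBNET_CIDR" "$SERVICE_CIDR" "$DNS_SERVICE_IP" "$DOCKER_BRIDGE_CIDR"
  az group create --name "$RG" --location "$LOCATION" >/dev/null
  # 1. A Service Principal dedicated to this cluster. Recent CLI versions create
  #    no role assignment; on old versions add --skip-assignment, otherwise the
  #    SP is granted Contributor on the whole subscription.
  read -r APP_ID SECRET <<EOF
$(az ad sp create-for-rbac --name "$SP_NAME" --query '[appId,password]' -o tsv)
EOF
  # 2. VNet and the AKS subnet.
  az network vnet create -g "$RG" -n "$VNET" --address-prefixes "$VNET_CIDR" \
    --subnet-name "$SUBNET" --subnet-prefix "$AKS_SUBNET_CIDR" >/dev/null
  SUBNET_ID=$(az network vnet subnet show -g "$RG" --vnet-name "$VNET" -n "$SUBNET" --query id -o tsv)
  # 3. Least privilege: Network Contributor on the subnet instead of Owner.
  az role assignment create --assignee "$APP_ID" --scope "$SUBNET_ID" --role "Network Contributor" >/dev/null
  # 4. The cluster with Azure CNI (the portal's "Advanced" networking) and the
  #    HTTP application routing add-on. --docker-bridge-address is ignored by
  #    newer CLI versions; drop it if yours rejects it.
  az aks create -g "$RG" -n "$CLUSTER" --node-count 3 --network-plugin azure \
    --vnet-subnet-id "$SUBNET_ID" --service-cidr "$SERVICE_CIDR" \
    --dns-service-ip "$DNS_SERVICE_IP" --docker-bridge-address "$DOCKER_BRIDGE_CIDR" \
    --service-principal "$APP_ID" --client-secret "$SECRET" \
    --enable-addons http_application_routing
  # 5. Merge credentials into ~/.kube/config and check the nodes.
  az aks get-credentials -g "$RG" -n "$CLUSTER"
  kubectl get nodes -o wide
}

if [ "${AKS_APPLY:-0}" = "1" ]; then
  provision
else
  validate_ranges "$VNET_CIDR" "$AKS_SUBNET_CIDR" "$SERVICE_CIDR" "$DNS_SERVICE_IP" "$DOCKER_BRIDGE_CIDR" \
    && echo "address plan OK; set AKS_APPLY=1 to create the resources"
fi
```

Run it once without AKS_APPLY to check your own address plan (edit the five CIDR variables); the validation is the part worth keeping even if you stay in the portal, since a service range that overlaps the VNet is only discovered when the cluster fails to create.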
Verify & Test the Azure Kubernetes Service
It can take up to half an hour to provision all the managed resources and get AKS up and running. A second resource group, MC_[Your Resource Group]_[Cluster Name]_[Region], is provisioned by Azure Kubernetes Service for the nodes and their network resources; Microsoft manages it transparently, but the subscription owner is of course responsible for its cost.
kubectl to Azure Kubernetes Cluster
- Download the Azure CLI.
- Run az aks install-cli to install kubectl.
- Log in to your Azure subscription using az login.
- If you have more than one subscription, make sure that you select the correct one: az account set --subscription **SubscriptionID**.
- Run az aks get-credentials --resource-group **ResourceGroupName** --name **AKSClusterName** to add or merge your AKS credentials into your local kubeconfig (~/.kube/config). On a cluster without Azure AD integration these credentials grant full administrative access, so protect the file accordingly.
- Run kubectl get nodes to check the status of the Kubernetes nodes.
Congratulations, you should be up and running with Azure Kubernetes Service with Advanced Networking and Application Routing. Run az aks browse --resource-group **ResourceGroupName** --name **AKSClusterName** to open the Kubernetes web console through a local proxy. There you can verify that the cluster IPs are assigned from the Kubernetes Service Address CIDR range you provided.
Similarly, the Kubernetes and Azure deployment have deployed and configured
Any views or opinions expressed are solely those of the author and do not represent any other person or organisation. THE ARTICLE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND. IN NO EVENT SHALL THE AUTHOR(S) OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY.