Set up Azure Kubernetes Service (AKS) with Advanced Networking & HTTP Application Routing

Posted by Nilay Parikh and last modified on Tue Jun 12, 2018.

Kubernetes is an open-source system for orchestrating containerised applications. It builds on more than a decade of Google's experience running production workloads at scale, combined with ideas and practices from the community.

This blog post demonstrates how to get started with Advanced Networking and AKS in Azure. Along the way we create the following Azure artefacts:

  • An Azure AD application registration and its service principal, used by the AKS control plane
  • An Azure Virtual Network (VNet) with a dedicated subnet for the AKS nodes
  • The AKS cluster itself, attached to that subnet, with HTTP Application Routing enabled

For this post, the Azure Portal is the primary tool for creating and provisioning the Azure resources. For production and other serious implementations, I would recommend ARM templates and automation for provisioning and configuring these artefacts, so that the setup is repeatable and reviewable.

Create Azure AD Application & Service Principal

“Application” is easily misunderstood in this context: Azure Kubernetes Service (AKS) is a managed service, and the Kubernetes master (control plane) is the only intended consumer of the service principal created here. Do not share this service principal with other Azure applications; whoever holds its credential can manage the cluster's underlying Azure resources. The Azure Portal can also create a service principal implicitly as part of the Kubernetes deployment, but I would not recommend that as a good practice, since you then have less control over its naming, permissions and credential lifecycle.

Create Service Principal

Create a new application registration: Azure Portal > Azure Active Directory (instance) > App registrations > New application registration. Set the application type to Web app / API. The Sign-on URL is required by the form but is not used by AKS, so a placeholder value is fine for this scope.

Create a Service Principal Token (or Key)

Once the application is created, go to Application > Settings > Keys and create a new key (client secret); this is the credential the Kubernetes master uses to manage the underlying Azure infrastructure for AKS. The key value is shown only once, so record the Application ID and the key and keep them safe (in a secret store such as Azure Key Vault, not in a wiki page or a script). You will need both while configuring Azure Kubernetes Service, and you should plan to rotate the key before the expiry you chose for it.

Create Azure Virtual Network (VNet)

Microsoft has an excellent step-by-step guide for creating an Azure Virtual Network; before following it, decide on and validate the network topology and CIDR ranges for your Azure Kubernetes Service. The Kubernetes service address range and the Docker bridge range must not overlap the VNet address space (nor any network peered with it or reachable through a gateway), and the AKS subnet must be large enough for every node and every pod, because with Advanced Networking each pod receives an IP address from the subnet. In my case, I used the following configuration.

  • Azure Virtual Network CIDR: 10.0.0.0/16
  • Azure AKS Subnet CIDR: 10.0.0.0/24
  • Kubernetes Service Address CIDR: 10.100.0.0/16
  • Kubernetes DNS Service IP Address: 10.100.0.10 (a single address inside the service range; it must not be the first usable address, 10.100.0.1, which the kubernetes service itself takes)
  • Docker Bridge CIDR: 172.17.0.1/16

Please refer to Microsoft's step-by-step guides for creating a virtual network using the Azure portal and for networking in Kubernetes. I will come up with a separate blog post on the topic of enterprise networks with Kubernetes and Azure Kubernetes Services.

Add Service Principal to the Subnet

The Kubernetes master needs permission on the subnet so that it can transparently attach node NICs and manage routes and load balancers in the network. Go to Azure Portal > Virtual Networks > [Select Your VNet] > Subnets > [Select Your Subnet] > Users > Add (+) and add the previously created service principal to the Azure subnet. Owner works, but it grants far more than AKS needs; the least-privilege choice is the built-in Network Contributor role scoped to this subnet (or the VNet), which is the minimum Microsoft's Advanced Networking guidance asks for.

Create Azure Kubernetes Service (AKS) in Azure Portal

You can create an AKS cluster using either the Azure CLI or the Azure Portal. For this article we use the Azure Portal.

Create AKS Cluster (Basic)

The Azure Portal is self-explanatory and easy for anyone with some prior familiarity. Make sure you configure the service principal with the Client ID (Application ID) and Client Secret (Key) created earlier, rather than letting the portal generate a new one.

Create AKS Cluster (Networking)

The next configuration step is where everything created so far comes together. Enabling HTTP Application Routing creates an Azure DNS zone for your AKS setup; the add-on's ingress controller and DNS controller keep that zone updated from your ingress definitions, so you can point your own domain at it with a CNAME record. The feature is not required for Advanced Networking, and Microsoft documents it as not designed for production use, so treat it as a development and test convenience.

Select Advanced network configuration to use the existing Azure Virtual Network and subnet: pick the VNet (10.0.0.0/16) and subnet (10.0.0.0/24) created above, then fill in the Kubernetes service address range (10.100.0.0/16), Kubernetes DNS service IP (10.100.0.10) and Docker bridge address (172.17.0.1/16). You can choose these values to suit your own network topology, but they must not overlap the VNet, any peered or on-premises networks, or each other. Size the ranges for your estimated number of Kubernetes pods and nodes: with Advanced Networking every pod takes an address from the subnet, 30 per node by default, so a /24 subnet is only enough for a handful of nodes.

Create AKS Cluster (Monitoring & Tags)

Configuring monitoring and tags is optional. If you are setting up a production or commercial environment, it is highly recommended to enable Azure Log Analytics/OMS monitoring for the AKS instance, so that cluster and container logs are retained outside the cluster.

Create AKS Cluster (Summary)

Verify the configuration and click create.
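The whole procedure above (service principal, subnet permission, address plan and cluster creation) as an Azure CLI script, added here as an example and not code from the original post. It first validates the address plan offline, encoding the AKS rules stated above (the service range and the Docker bridge range must not overlap the VNet or each other; the DNS service IP must lie inside the service range but not on its first usable address) and estimates how many nodes the subnet can hold. Only when run with APPLY=1 after az login does it create the service principal with Network Contributor scoped to the subnet instead of Owner, and then create the cluster with Advanced Networking and HTTP Application Routing. The resource names rg-aks-demo, vnet-aks, snet-aks and aks-demo are assumptions; the address values are the ones used in this post.

```sh
#!/bin/sh
# Added example (not from the original post). Validates the AKS advanced-networking
# address plan offline; with APPLY=1 it also creates the service principal, the
# subnet role assignment and the cluster through the Azure CLI. Resource names
# rg-aks-demo, vnet-aks, snet-aks and aks-demo are assumptions.
set -eu

# ip_to_int 10.0.0.1 -> 167772161 (dotted quad to integer)
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# cidr_bounds 10.0.0.0/24 -> "167772160 167772415" (first and last address)
cidr_bounds() {
  base=$(ip_to_int "${1%/*}")
  mask=$(( (4294967295 << (32 - ${1#*/})) & 4294967295 ))
  echo "$(( base & mask )) $(( (base & mask) | (~mask & 4294967295) ))"
}

# cidrs_overlap A B -> true when the two ranges share at least one address
cidrs_overlap() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# ip_in_cidr IP CIDR -> true when IP lies inside CIDR
ip_in_cidr() {
  n=$(ip_to_int "$1"); set -- $(cidr_bounds "$2")
  [ "$n" -ge "$1" ] && [ "$n" -le "$2" ]
}

# max_nodes SUBNET MAX_PODS -> nodes the subnet can hold under Azure CNI: Azure
# reserves 5 addresses per subnet and each node needs 1 address plus one per pod
# slot (30 by default); one of the counted nodes is the surge node used in upgrades.
max_nodes() {
  set -- $(cidr_bounds "$1") "$2"
  echo $(( ($2 - $1 + 1 - 5) / ($3 + 1) ))
}

# validate_plan VNET_CIDR SERVICE_CIDR DNS_IP DOCKER_BRIDGE_CIDR -> the AKS rules:
# service range and Docker bridge must not overlap the VNet or each other, and the
# DNS service IP must be inside the service range but not on its first usable
# address, which the kubernetes service takes.
validate_plan() {
  vnet=$1; svc=$2; dns=$3; bridge=$4
  if cidrs_overlap "$vnet" "$svc"; then echo "FAIL: service CIDR overlaps the VNet"; return 1; fi
  if cidrs_overlap "$vnet" "$bridge"; then echo "FAIL: Docker bridge overlaps the VNet"; return 1; fi
  if cidrs_overlap "$svc" "$bridge"; then echo "FAIL: Docker bridge overlaps the service CIDR"; return 1; fi
  if ! ip_in_cidr "$dns" "$svc"; then echo "FAIL: DNS service IP is outside the service CIDR"; return 1; fi
  set -- $(cidr_bounds "$svc")
  if [ "$(ip_to_int "$dns")" -eq $(( $1 + 1 )) ]; then
    echo "FAIL: DNS service IP must not be the first usable address of the service CIDR"; return 1
  fi
  echo "OK: $svc, $dns and $bridge do not collide with $vnet"
}

# apply_plan RG VNET SUBNET CLUSTER SERVICE_CIDR DNS_IP DOCKER_BRIDGE_CIDR (needs az login).
# The service principal gets Network Contributor on the AKS subnet only, not Owner:
# that is enough for the control plane to attach node NICs and manage routes and
# load balancers there.
apply_plan() {
  rg=$1; vnet_name=$2; subnet_name=$3; cluster=$4; svc=$5; dns=$6; bridge=$7
  subnet_id=$(az network vnet subnet show -g "$rg" --vnet-name "$vnet_name" -n "$subnet_name" --query id -o tsv)
  sp=$(az ad sp create-for-rbac -n "$cluster-sp" --skip-assignment --query '[appId,password]' -o tsv)
  set -f; set -- $sp; set +f          # split the tsv output without globbing the secret
  app_id=$1; secret=$2                # the secret is shown only once; store it in Key Vault
  # A freshly created principal can take a few seconds to propagate; retry if this fails.
  az role assignment create --assignee "$app_id" --role "Network Contributor" --scope "$subnet_id" >/dev/null
  az aks create -g "$rg" -n "$cluster" --network-plugin azure --vnet-subnet-id "$subnet_id" \
    --service-cidr "$svc" --dns-service-ip "$dns" --docker-bridge-address "$bridge" \
    --service-principal "$app_id" --client-secret "$secret" \
    --enable-addons http_application_routing --generate-ssh-keys
}

VNET_CIDR=10.0.0.0/16; SUBNET_CIDR=10.0.0.0/24
SERVICE_CIDR=10.100.0.0/16; DNS_IP=10.100.0.10; DOCKER_BRIDGE=172.17.0.1/16
validate_plan "$VNET_CIDR" "$SERVICE_CIDR" "$DNS_IP" "$DOCKER_BRIDGE"
echo "$SUBNET_CIDR holds $(max_nodes "$SUBNET_CIDR" 30) nodes at 30 pods per node"
if [ "${APPLY:-0}" = 1 ]; then
  apply_plan rg-aks-demo vnet-aks snet-aks aks-demo "$SERVICE_CIDR" "$DNS_IP" "$DOCKER_BRIDGE"
fi
```

Run it as sh aks-plan.sh to check a plan (the post's values pass, and a /24 subnet comes out at 8 nodes including the upgrade surge node), or as APPLY=1 sh aks-plan.sh to apply it. The client secret still passes through the az aks create command line, where it is visible in shell history and process listings; on a shared machine, read it from a secret store, unset the variable afterwards, and rotate the key on the schedule chosen when it was created.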

Verify & Test the Azure Kubernetes Service

Provisioning all the managed resources can take up to half an hour. Azure Kubernetes Service creates a second resource group, named MC_[Your Resource Group]_[Cluster Name]_[Region], to hold the nodes, NICs, load balancers and related resources. Azure manages that group transparently (do not modify its contents by hand), but the subscription owner is of course responsible for the cost.

Connect using kubectl to Azure Kubernetes Cluster

  1. Download the Azure CLI.
  2. Run az aks install-cli to install kubectl.
  3. Log in to your Azure subscription with az login.
  4. If you have more than one subscription, make sure the correct one is selected: az account set --subscription **SubscriptionID**.
  5. Run az aks get-credentials --resource-group **ResourceGroupName** --name **AKSClusterName** to add or merge the AKS credentials into your local kubeconfig (~/.kube/config).

Run kubectl get nodes to check the status of the Kubernetes nodes.

Congratulations, you should now be up and running with Azure Kubernetes Service with Advanced Networking and Application Routing. Run az aks browse --resource-group **ResourceGroupName** --name **AKSClusterName** to open the Kubernetes web console through a local proxy. You can verify that cluster IPs are assigned from the Kubernetes service address range you provided (10.100.0.0/16): kubectl get svc --all-namespaces should show the kubernetes service at 10.100.0.1 and kube-dns at 10.100.0.10.

Similarly, the deployment has created and configured the addon-http-application-routing-* pods in the kube-system namespace, visible with kubectl get pods --namespace kube-system.

Disclaimer

Any views or opinions expressed are solely those of the author and do not represent any other person or organisation. THE ARTICLE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND. IN NO EVENT SHALL THE AUTHOR(S) OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY.
