Azure Kubernetes Service (AKS) is a container orchestration solution offered by Microsoft Azure, designed to simplify the management, deployment, and operation of containerized applications at scale. AKS integrates the power of Kubernetes, one of the most popular open-source systems for container orchestration, with the flexibility and security of the Azure cloud platform. With AKS, companies can focus on creating added value through their applications, leaving Azure to manage the underlying infrastructure.
In the world of software development, it is not unusual for news to emerge that can radically change the way you develop and distribute your code and applications. When containers first appeared on the scene, they revolutionized software deployment and Kubernetes became the go-to orchestration platform for managing containerized applications.
However, Kubernetes, although extremely useful, can become complex to manage and maintain, to a degree that it is not an exaggeration to call frustrating at times.
But don't worry, Microsoft has the solution that's right for us.
Azure Kubernetes Service (AKS) is a managed container orchestration service based on the open source Kubernetes system, available in the public cloud of Microsoft Azure. AKS offers all the benefits of Kubernetes while helping to reduce the difficulties of managing orchestration environments, allowing organizations to focus on critical functionality such as deploying, scaling, and managing containers (and container-based applications) more effectively.
How? Let's see it in the next sections.
Kubernetes (commonly called K8s) was originally designed by Google and is now maintained by the Cloud Native Computing Foundation. It was first announced in mid-2014 and its version 1.0 was released on July 21, 2015.
Since its first release, Kubernetes has become the most popular platform for container orchestration and management of containerized workloads.
But what is a container?
It's nothing more than a lightweight, portable unit of software that includes everything needed to run an application: the necessary code, libraries, dependencies, and runtimes. Containers allow you to isolate the application from the underlying operating system, ensuring that it works consistently on any environment, be it development, testing or production.
Kubernetes takes care of starting containers, keeping them running, distributing them across different machines as efficiently as possible, and scaling the number of containers up or down according to the application's needs (a set of activities collectively called "orchestration"). It is now widely used because it greatly simplifies the work of software engineers in organizing and scheduling applications across multiple machines.
The platform is extensible and highly configurable, meaning that Kubernetes clusters can be customized with different configurations and add-ons to meet the needs of different work environments.
Kubernetes offers numerous capabilities for running containerized workloads, including deployment models, storage orchestration, service discovery, load balancing, automatic rollouts and rollbacks, and container self-healing.
We have created the Infrastructure & Security team, focused on the Azure cloud, to better respond to the needs of our customers who involve us in technical and strategic decisions. In addition to configuring and managing the tenant, we also take care of:
With Dev4Side, you have a reliable partner that supports you across the entire Microsoft application ecosystem.
Given the complex nature of the components listed above, running and managing a Kubernetes cluster on a large scale requires effort and experience. In addition to the underlying infrastructure components (such as servers, storage, and networking), all of Kubernetes' signature components must be made operational, protected, maintained, scaled, and updated when necessary.
Managing a customized Kubernetes cluster may require the employment of a dedicated team of engineers for all operational activities. This is ideal if your core business concerns the creation of tools for the Kubernetes ecosystem or if you have a specific need that requires you to manage your clusters. However, in most other cases, it's best to delegate these cluster management tasks to a dedicated service. And that's where Azure Kubernetes comes in.
AKS is a managed service that allows organizations and their teams to simplify the deployment, scalability, and management of Kubernetes clusters, allowing them to quickly deploy cloud-native apps in their chosen environment, such as the Azure cloud, data centers, and network perimeter. It helps manage the workload associated with using Kubernetes, reducing the complexity of deployment and management operations in Kubernetes. AKS is designed for organizations that want to build scalable applications using Docker and Kubernetes within the Azure architecture.
As a managed service provided by Microsoft, AKS automatically configures the Kubernetes control plane components that control and manage the worker nodes during deployment. It also handles other tasks, including governance, cluster scalability, connections to monitoring services, and configuration of advanced networking functionality. Users can monitor a cluster directly or view all clusters through Azure Monitor.
The main advantages of AKS are flexibility, automation, and reduced management burden, and it also helps accelerate the development and deployment of cloud-native apps. It provides predefined cluster configurations for Kubernetes, integrated pipelines for moving code to the cloud, and security mechanisms that facilitate operations such as:
AKS node configurations can be customized to adapt operating system (OS) settings or kubelet parameters, depending on the workload. In addition, nodes can be scaled up or down to adapt to fluctuating resource demands. For additional processing power, such as to run resource-intensive workloads, AKS supports pools of nodes enabled for graphics processing units (GPUs).
Furthermore, users can define custom node pools to support applications with different computing or storage needs and create custom tags to modify resources.
AKS integrates with Azure Container Registry to create and manage container images and related artifacts (although an authentication mechanism must be established first). Additionally, because AKS supports Azure Disks, users can dynamically create persistent volumes in AKS for use with Kubernetes pods.
To better understand how Azure Kubernetes works, let's now take a closer look at the individual components that characterize its architecture and how they operate within the general framework of Kubernetes.
In Kubernetes, a 'cluster' is a collection of nodes (physical or virtual servers) that work together to run containerized applications. The cluster represents the basic infrastructure on which Kubernetes manages the application lifecycle.
The AKS Control Plane acts as the brain of the Kubernetes cluster, managing its state, scheduling workloads, and ensuring that the desired configuration is maintained. The AKS control plane is fully managed by Microsoft, meaning that IT administrators don't have to worry about managing or maintaining these components themselves and can focus solely on deploying and managing their applications.
Node pools are essentially groups of virtual machines (VMs) responsible for hosting containers. A typical AKS cluster has at least two node pools: a System Node Pool and an Application Node Pool. Although you can run application workload containers in the system node pool, this is not common practice.
The system node pool is a special node pool within the AKS cluster that is automatically created when you configure an AKS cluster. It is dedicated to hosting the system-level services essential for the operation of the Kubernetes cluster itself. These system components include metrics-server, CoreDNS, and other critical components needed for cluster and network management.
Note: The control plane does not run in the system node pool. Both the control plane and the system node pool are essential components of an AKS cluster, but they perform different functions and operate independently of each other. The control plane is managed by Azure, while the system node pool is managed by the Kubernetes cluster itself to support its internal operations.
The application node pools in AKS are primarily used to host your own application pods. While it is technically possible to host applications directly in system node pools, this is not common practice. Typically, you create at least one separate application node pool and, if necessary, you can have more than one. For example, you might have a node pool optimized to run low-demand workloads and another dedicated to more intensive tasks, equipped with GPUs.
In AKS, each node pool is made up of an identical set of virtual machines that can be scaled horizontally up or down. For example, one node pool might include B2s VMs, while another might use NV12s_v3 VMs with GPUs. However, it's important to note that it's not possible to mix and match different VM specifications within the same node pool.
A node in AKS is essentially a virtual machine (VM) that operates within a node pool. Each node is intended to run one or more pods, which are the fundamental units of deployment in Kubernetes. These virtual machines are managed by Azure, which provides automatic provisioning and allows you to customize horizontal scaling attributes as needed.
By defining the Node Pool scalability parameters, you can ensure that your AKS cluster dynamically adjusts the number of nodes (VMs) to efficiently meet various workload needs.
Pods are the fundamental units in Kubernetes responsible for encapsulating containers.
In Kubernetes, a pod represents a single instance of your application, with each pod usually having a one-to-one correspondence with a container. However, in advanced scenarios, a pod may contain multiple tightly coupled containers, known as sidecar containers. Sidecar containers work together with the main container, extending its functionality and providing additional services.
In addition to the main components, the concept of namespace in Kubernetes is also worth mentioning.
A namespace allows you to divide the AKS cluster into multiple virtual clusters. Although they don't offer complete isolation, namespaces provide a level of logical isolation that can be useful in certain scenarios. This allows you to define resource usage limits, manage access control and separate different project teams or environments such as staging or development within the same AKS cluster, without the need to configure separate clusters from scratch.
To securely distribute your workloads in AKS clusters, there are some essential security practices to adopt to ensure maximum security. Let's take a closer look at them along with the concrete steps that can be taken to mitigate risks.
AKS clusters can be integrated with Microsoft Entra ID (formerly known as Azure AD), the identity service managed by Azure for authentication and authorization. You can create Kubernetes Roles, ClusterRoles, RoleBindings and ClusterRoleBindings and integrate them with Microsoft Entra ID users and groups to define access permissions.
AKS is also fully interoperable with Kubernetes role-based access control (RBAC). You can create a role in Kubernetes RBAC and then create a role binding that associates it with a Microsoft Entra ID user or group. Using roles and bindings helps with logical separation and control of access to resources.
To access AKS cluster resources, you can use Azure RBAC and take advantage of the principle of least privilege to provide controlled access to the AKS resources included in your subscription. Access to the Kubernetes API can be controlled through traditional Kubernetes RBAC or by integrating it with Azure RBAC for unified management and access control.
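As an added example (not from the original article), the following manifests show how the namespace isolation and the Entra-backed RBAC described above fit together: a namespace carrying pod security admission labels and a resource quota, a Role limited to that namespace, and a RoleBinding whose subject is a Microsoft Entra ID group. The namespace name, quota figures and group object ID are assumed placeholders.

```yaml
# Constructed example: one team's namespace with logical isolation
# (quota + pod security admission labels) and least-privilege RBAC
# bound to a Microsoft Entra ID group. All names and IDs are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: team-orders
  labels:
    # Pod Security Admission: reject pods that violate the "restricted"
    # profile, and warn/audit on anything that would violate it.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-orders-quota
  namespace: team-orders
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "20"
---
# Role: developers may manage workloads in this namespace and read logs,
# but cannot read Secrets, exec into pods, or touch cluster-wide resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: orders-developer
  namespace: team-orders
rules:
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Deliberately no rule for "secrets" and no "pods/exec": those belong
  # to a separate, more privileged role granted to fewer people.
---
# RoleBinding: the subject is an Entra ID group, identified by its object ID.
# With the AKS-managed Entra integration, group membership is evaluated at
# authentication time, so access is administered centrally in Entra.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: orders-developers-binding
  namespace: team-orders
subjects:
  - kind: Group
    # Placeholder: replace with the Entra ID group's object ID (GUID).
    name: "00000000-0000-0000-0000-000000000000"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: orders-developer
  apiGroup: rbac.authorization.k8s.io
```

Applying the manifests with kubectl and then running `kubectl auth can-i get secrets -n team-orders --as-group=<group-object-id> --as=anyone` is a quick way to confirm the binding grants no more than intended.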
Microsoft Entra Workload ID is used to access Azure resources from the services deployed in AKS. Managed identities, which Entra handles, are in fact the recommended method for authorizing access from an AKS cluster to other Azure services: a managed identity can authorize access from an AKS cluster to any service that supports Microsoft Entra authorization, without having to manage credentials or embed them in code.
The Kubernetes API server handles service requests for all activities within a cluster and, therefore, should always be protected according to the principle of least privilege. This is especially important in multi-tenant deployments. The best practice for centralized management is to use the corporate identity management features of Microsoft Entra ID.
For environments where you don't want to expose the Kubernetes API to the Internet, you can deploy a private AKS cluster, where the control plane uses an internal IP address. All traffic between the API server and the AKS node pools then remains within a private VNet. Access to the control plane can be controlled through options such as a bastion host VM, virtual network peering, VPN, and private endpoints. In addition to these measures, you can also choose to manage your network through a load balancer.
When it comes to cluster security, one of the most important best practices is to ensure that the AKS cluster uses the latest stable version of Kubernetes. Because Kubernetes doesn't update automatically, it's recommended that you implement a governance policy to test the compatibility of the latest version with your workloads in a development environment before deploying it to production.
As more containers are deployed in a cluster, it also becomes important to limit the kind of activity that containers can perform, in particular privileged root access. Privilege escalation can be blocked by setting the allowPrivilegeEscalation flag to false in the container's security context in the pod manifest.
In addition, Linux kernel security modules called AppArmor and seccomp (secure computing) can be used to implement file system and process level access restrictions for containers.
To ensure secure pod access to resources, it is important to specify pod security context settings and assign the minimum permissions necessary to run the pod as a user or group other than root. This will restrict access to the node's underlying processes and services.
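As an added example (not from the original article), here is a pod manifest that applies the restrictions described in the last three paragraphs together: a non-root user, no privilege escalation, all Linux capabilities dropped, a read-only root filesystem, and the runtime's default seccomp and AppArmor profiles. The image name, user ID and port are assumed placeholders.

```yaml
# Constructed example: a pod whose security context applies the
# restrictions discussed above. Image, UID and port are placeholders.
# This shape satisfies the Pod Security Admission "restricted" profile.
apiVersion: v1
kind: Pod
metadata:
  name: orders-api
  namespace: team-orders
spec:
  # Pod-level settings apply to every container unless overridden.
  securityContext:
    runAsNonRoot: true        # kubelet refuses to start a container as UID 0
    runAsUser: 10001          # explicit unprivileged user and group
    runAsGroup: 10001
    fsGroup: 10001            # owning group for mounted volumes
    seccompProfile:
      type: RuntimeDefault    # container runtime's default syscall filter
  containers:
    - name: api
      image: myregistry.azurecr.io/orders-api:1.4.2   # placeholder image
      ports:
        - containerPort: 8080   # unprivileged port, so NET_BIND_SERVICE is not needed
      securityContext:
        allowPrivilegeEscalation: false   # no setuid/sudo path to more privilege
        privileged: false
        readOnlyRootFilesystem: true      # writable paths come only from volumes
        capabilities:
          drop: ["ALL"]                   # start from zero Linux capabilities
        # AppArmor via the securityContext field (Kubernetes 1.30+). On older
        # versions the equivalent is the
        # container.apparmor.security.beta.kubernetes.io/<container> annotation.
        appArmorProfile:
          type: RuntimeDefault
      volumeMounts:
        - name: tmp
          mountPath: /tmp     # scratch space, since the root filesystem is read-only
      resources:
        requests: { cpu: 100m, memory: 128Mi }
        limits:   { cpu: 500m, memory: 256Mi }
  volumes:
    - name: tmp
      emptyDir: {}            # ephemeral, allowed by the "restricted" profile
```

If the application image expects to write to its own filesystem or to bind a port below 1024, the pod will fail to start under these settings; that failure is the signal to fix the image rather than loosen the context.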
You can use the Workload Identity feature of Microsoft Entra ID to give AKS pods secure access to other Azure resources, using a mechanism that projects the service account token; to be honest, this is the solution recommended by Microsoft itself after the deprecation of pod-managed identities.
Another important concern to consider is the risk of exposing credentials in your code. Recommended best practice is to use Azure Key Vault to store and retrieve the keys and credentials used by applications.
Kubernetes' native isolation capabilities can be used to isolate teams and clusters and provide access with the least privilege to resources required by users and applications. Namespaces provide logical isolation for resources and workloads and help achieve a higher pod density.
When it is necessary to support a multi-tenant architecture, Kubernetes RBAC should be used to implement the principle of least privilege and prevent infiltration. When there are hostile workloads, it is preferable to use physically isolated clusters to ensure maximum security.
Microsoft's current best practices also include the use of Confidential Computing for AKS (AKS-CoCo) and Confidential Containers for workloads that require maximum isolation. These modern approaches provide hardware-level protection for sensitive workloads.
The latter, based on Kata Confidential Containers and hardware-based memory encryption, offer a set of features that further protect standard container workloads by preventing data in memory from being readable in clear text while it is being processed.
In AKS clusters, pod security admission is enabled by default (it uses namespace labels to enforce the security policy for pods deployed in that namespace). For single-cluster deployments, pod security admission is available out of the box; however, to establish an enterprise-level policy with centralized management, you must configure Azure Policy.
Kubernetes stores secrets in etcd, a distributed key-value store. In AKS, the etcd store is fully managed by Azure and its data is encrypted at rest with Microsoft-managed keys. If you want an additional layer of security, you can also opt for customer-managed encryption keys.
With the Azure Key Vault provider for the Secrets Store CSI Driver, AKS clusters can use Azure Key Vault as a secret store mounted through a Container Storage Interface (CSI) volume. The driver supports synchronizing secrets to Kubernetes Secrets and automatically rotating the mounted contents.
Microsoft recommends using the native Key Vault integration through the "azure-keyvault-secrets-provider" add-on, which greatly simplifies configuration compared to installing the CSI driver and provider manually.
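As an added example (not from the original article), the following manifests wire together the two mechanisms described above and in the Workload Identity paragraph: a service account federated with Microsoft Entra Workload ID, a SecretProviderClass pointing the Azure Key Vault provider at one secret, and a pod that mounts it through the CSI driver. It assumes the workload identity and azure-keyvault-secrets-provider add-ons are enabled, that a user-assigned managed identity with read access to the vault has a federated credential for this service account, and that the client ID, tenant ID and vault name are placeholders.

```yaml
# Constructed example. Assumes the AKS workload-identity and
# azure-keyvault-secrets-provider add-ons are enabled, and that a
# user-assigned managed identity with "get" permission on the vault has a
# federated credential for the service account below. IDs are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: orders-api
  namespace: team-orders
  annotations:
    # Client ID of the user-assigned managed identity (placeholder GUID).
    azure.workload.identity/client-id: "11111111-1111-1111-1111-111111111111"
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: orders-kv
  namespace: team-orders
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"           # pod-managed identity is deprecated
    clientID: "11111111-1111-1111-1111-111111111111"   # same identity as above
    keyvaultName: "kv-orders-placeholder"
    tenantId: "22222222-2222-2222-2222-222222222222"
    objects: |
      array:
        - |
          objectName: orders-db-password
          objectType: secret
  # Optional: mirror the value into a Kubernetes Secret so it can also be
  # consumed as an environment variable. Omit if a file mount is enough.
  secretObjects:
    - secretName: orders-db
      type: Opaque
      data:
        - objectName: orders-db-password
          key: password
---
apiVersion: v1
kind: Pod
metadata:
  name: orders-api
  namespace: team-orders
  labels:
    azure.workload.identity/use: "true"   # inject the projected SA token
spec:
  serviceAccountName: orders-api
  containers:
    - name: api
      image: myregistry.azurecr.io/orders-api:1.4.2   # placeholder image
      volumeMounts:
        - name: kv-secrets
          mountPath: /mnt/secrets
          readOnly: true   # secret appears as /mnt/secrets/orders-db-password
  volumes:
    - name: kv-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: orders-kv
```

No credential appears anywhere in these manifests: the pod obtains a short-lived token from its projected service account and exchanges it for an Entra token, and the Key Vault read happens on the node with that token.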
AKS generates metrics and logs that you can analyze using the native integration with Azure Monitor.
It is therefore important to regularly review the information collected by Azure Monitor on both the data plane and the control plane to detect any anomalies, in particular in logs such as AKSAudit, AKSAuditAdmin and AKSControlPlane. Log Analytics facilitates detailed analysis of these logs. Azure Monitor also allows you to configure security alerts based on metrics and logs so that you are informed of problems immediately, and it is advisable to do so in order to always stay informed about the state of your Kubernetes environments.
The time has come to talk for a moment about costs. AKS now has three official pricing tiers for cluster management: Free, Standard and Premium, each with different SLA levels and functionality.
The Standard and Premium tiers apply a pay-as-you-go model to the underlying computing resources, thus allowing you to pay only for the resources actually used.
Let's see in the table below the main characteristics of the two.
For long-term jobs and workloads with predictable requirements, it is advisable to purchase Reserved Instances, which allow users to commit to AKS resources for a period of one or three years in exchange for a lower price, saving more than 72% compared to pay-as-you-go.
For example, users who know in advance how many VMs and storage resources they will need over the next three years can purchase reserved instances. However, this model is not suitable for workloads with unknown or variable requirements, as it may force the user to pay for unnecessary resources.
The Azure savings plans (Saving Plans), introduced at the end of 2022 for a variety of computing services, are also available for Azure Kubernetes Service. With Savings Plans, customers commit to spending a fixed amount per hour for one or three years. Compared to pay-as-you-go pricing, Savings Plans can help organizations save up to 65% on computing costs.
A particular advantage of Savings Plans is that they maximize flexibility by allowing customers to apply the commitment to multiple services. In other words, that spend can be used for AKS or other types of compute, such as virtual machines, Azure SQL Database, Azure Cosmos DB, and others.
As we mentioned at the beginning of this section, AKS also offers a free tier suitable for small-scale testing and development, which includes access to basic functionality such as monitoring and logging. The free tier has no time limit but, precisely because of its stripped-down feature set, it is not recommended as a solution in either the short or the long term.
The free tier is good for trying out or starting to use AKS, but it's not suitable for large or long-term projects. For these, users should give more consideration to the other options described.
Azure offers a service level agreement (SLA) for all options except the free tier, which guarantees 99.95% uptime for clusters in an Availability Zone and 99.9% for other clusters. It should be noted that uptime SLA is an optional feature that must be enabled specifically in the Standard and Premium tiers, and is not automatically included.
For more information on pricing, please consult the official Azure Kubernetes Service page on the Azure website (available here) and begin to estimate the cost of the service with the convenient pricing calculator provided by Microsoft.
Since its first appearance in 2015, Kubernetes has been one of the most popular solutions for software deployment by a large number of developers around the world, but its complexity has always been a significant obstacle in its diffusion.
However, the complexity of its administration and operation can be significantly reduced by services such as Azure Kubernetes Service, which let you exploit its full potential without worrying excessively about the underlying infrastructure, managed in this case by Microsoft on its renowned cloud computing platform.
IT experts can now focus on the most important aspects of their development and deployment work, saving time and resources that they can spend refining their code and projects.
At this point, all that remains is to invite you to try it out, taking advantage of the free tier Azure makes available, to find out whether it is the right solution for you too.
Azure Kubernetes Service, known as AKS, is a Microsoft-managed platform that simplifies the use of Kubernetes for deploying, managing, and scaling containerized applications. It is designed to ease the operational burden associated with container orchestration, while offering the reliability and security of the Azure platform.
Kubernetes, while one of the most popular technologies for managing containers, can become difficult to administer and require advanced skills. AKS was created to respond precisely to this complexity: it automatically deals with the configuration of the underlying infrastructure, leaving developers and administrators the task of focusing on the application and not on managing the cluster.
AKS allows you to develop, test, deploy and scale applications more efficiently. It automates tasks such as node provisioning, control plane management, and integration with Azure services such as Container Registry, Monitor and Key Vault. In addition, it is possible to adapt the infrastructure to the needs of your applications, even using high-performance resources such as nodes with GPUs.
A node pool is a collection of virtual machines configured to run containers within the Kubernetes cluster. Node pools are divided into two main categories: system pools, intended to support the essential components of the cluster, and application pools, intended to run workloads. Each pool can be customized according to the computing needs, memory and type of load to be managed.
Yes, AKS was designed precisely to support critical workloads, even on a large scale. The Standard and Premium plans guarantee high service levels (SLA), with availability of up to 99.95%, and include all the functionality needed to manage enterprise environments.
There is a free tier of AKS, which is primarily suitable for testing and development purposes. It does not have a time limit, but it is not suitable for use in production environments due to the limited availability of functionality. It's ideal for evaluating the platform before upgrading to a more advanced plan.
AKS integrates several layers of security. You can connect clusters to Microsoft Entra ID for identity and access management, use Kubernetes RBAC to define roles and permissions, implement namespace isolation mechanisms, and configure pod restrictions to prevent risky behavior. In addition, advanced tools such as Key Vault can be used to protect credentials, and Confidential Containers to strengthen the isolation of sensitive workloads.
Yes, AKS is fully integrated with Azure Monitor. This allows you to collect and analyze logs and metrics of both the data plane and the control plane. It is possible to configure real-time alerts and diagnose anomalies using Log Analytics, the log analytics platform integrated into Azure.
AKS offers three pricing tiers: Free, Standard and Premium. The Standard and Premium plans provide a payment model based on resource consumption, with the possibility of subscribing to reserved instances for one or three years and achieving significant savings compared to the consumption-based model. Alternatively, it is possible to activate a Savings Plan, which lets you commit to a fixed hourly spend that can also be used on other Azure services, maintaining greater flexibility than reserved instances.
No, Kubernetes versions are not automatically updated in AKS. It is necessary to pre-test new versions in development environments and schedule updates manually, ideally following a governance policy that ensures system compatibility and stability.
The Infra & Security team focuses on the management and evolution of our customers' Microsoft Azure tenants. Besides configuring and managing these tenants, the team is responsible for creating application deployments through DevOps pipelines. It also monitors and manages all security aspects of the tenants and supports Security Operations Centers (SOC).