Azure Kubernetes Service (AKS): Kubenet Network Design

Overview

Managed Kubernetes simplifies the deployment, management and operation of Kubernetes, and lets developers take advantage of Kubernetes without worrying about the underlying plumbing needed to get it up and running, freeing up developer time to focus on the applications. Several cloud providers offer this service: Google has Google Kubernetes Engine (GKE), Amazon has Elastic Container Service for Kubernetes (EKS), and Microsoft has Azure Kubernetes Service (AKS).

The focus of this blog is on Azure Kubernetes Services. AKS makes it easy to deploy and manage containerized applications without container orchestration expertise. Azure handles the ongoing operations including provisioning, upgrading and scaling of resources/nodes. Worker nodes are deployed as Azure Virtual Machines. Master nodes are completely managed by Azure. In short, AKS reduces the complexity and operational overhead of managing a Kubernetes cluster, by offloading much of that responsibility to Azure. Azure handles health monitoring and maintenance.

I’m really excited to start off this first 2019 blog series. This is Part-1 of the Azure Container Series, part of the Azure Management Services Navisite offers. This blog walks you through a step-by-step process to create a public facing “Load Balancer” service type in AKS. Once the sample application is deployed we will do a deep dive into networking and traffic flow.

These are the planned blogs in this series so stay tuned…

  1. Azure Kubernetes Services (AKS) – Kubenet Network Design (Part 1)
  2. Azure Container Registry
  3. Azure Kubernetes Services (AKS) – Advanced Network Design with CNI (Part 2)
  4. Custom Kubernetes Cluster on IaaS VMs in Azure using Flannel Overlay
  5. AKS with Persistent volumes using Azure Disks and Azure Files

AKS Reference Architecture (Kubernetes Networking)

Throughout the blog article we will reference the following architecture. It shows a 3-node Kubernetes cluster with basic kubenet networking in a flat-routed topology. The master nodes are completely managed by Azure.


Kubernetes Service Architecture

To simplify the network configuration for application workloads, Kubernetes uses Services to logically group a set of pods together and expose your application for external network connectivity. There are three types of services, or ServiceTypes.

  1. ClusterIP
  2. NodePort
  3. LoadBalancer

We will focus on the LoadBalancer service type. It leverages an external Azure Load Balancer with a public IP.

From Microsoft documentation (figure not reproduced here; source: Microsoft Documentation).

Install Azure CLI and login to Azure

Azure Kubernetes Service management can be done from a development VM as well as using Azure Cloud Shell. In my setup, I'm using an Ubuntu VM and I've installed the Azure CLI locally. To install the Azure CLI, follow this link.

A few basic commands to log in to Azure using the Azure CLI:

Create AKS Cluster and Connect to It

Creating the AKS cluster in Azure is a single command. First, create a resource group in Azure to hold the AKS cluster resources.

Validations in Azure

Once the Azure Kubernetes Service cluster is created, log in to the Azure Portal and verify the resource groups, the service principal, the IPs of the three nodes, and the route table used for inter-pod routing.

Resource Groups


Service Principal
Kubernetes Nodes


Route Table

Load Balancer


Run a Sample Containerized Application

Deployment Manifest file

Create a Kubernetes manifest file for the deployment. A deployment in Kubernetes represents one or more identical pods that are managed by the Kubernetes deployment controller. It also defines the number of replicas (pods) to create. In our case we create a file called nn-deployment.yaml which uses the nginx container image and 3 replicas. We will use a separate manifest file for the service.

Service Manifest file

Azure Kubernetes uses Services to logically group a set of pods together and provide network connectivity. As explained in the architecture section, there are three types of services. In this example, we will use the LoadBalancer service type. The following manifest file creates an external public IP address and connects the requested pods to the load balancer pool.
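The two manifests described above, as an added example that is not part of the original post (resource names, the label value and the nginx image tag are assumptions). The block writes both files and checks that the Service selector matches the pod labels, the usual cause of a LoadBalancer with a public IP but no endpoints behind it:

```shell
#!/bin/sh
# Added example, not from the original post: writes nn-deployment.yaml
# (nginx, 3 replicas) and nn-service.yaml (type LoadBalancer) and checks the
# Service selector against the pod labels. Names and image tag are assumptions.
set -eu
write_manifests() {  # $1 = output directory
  mkdir -p "$1"
  cat > "$1/nn-deployment.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nn-nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nn-nginx
  template:
    metadata:
      labels:
        app: nn-nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.25
        ports:
        - containerPort: 80
EOF
  cat > "$1/nn-service.yaml" <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: nn-nginx-lb
spec:
  type: LoadBalancer   # AKS provisions an external Azure Load Balancer and public IP
  selector:
    app: nn-nginx      # must equal the Deployment's pod template labels
  ports:
  - port: 80
    targetPort: 80
EOF
}
# Returns 0 only when the Service selector's app value equals the pod label;
# a mismatch yields a Service with no endpoints, so the public IP answers nothing.
selector_matches() {  # $1 = output directory
  dep=$(awk '/^ *labels:/{f=1;next} f&&/app:/{print $2;exit}' "$1/nn-deployment.yaml")
  svc=$(awk '/^ *selector:/{f=1;next} f&&/app:/{print $2;exit}' "$1/nn-service.yaml")
  [ -n "$dep" ] && [ "$dep" = "$svc" ]
}
```

Apply both files with kubectl apply -f, then watch kubectl get service nn-nginx-lb until the EXTERNAL-IP column changes from pending to the public address.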


SSH into the AKS Nodes

Throughout the lifecycle of your Azure Kubernetes Service cluster, you may need to access an AKS node. This access could be for maintenance, log collection, or other troubleshooting operations. The AKS nodes are Linux VMs, so you can access them using SSH. For security purposes, the AKS nodes are not exposed to the internet and master nodes are fully managed by Azure.

This article shows you how to create an SSH connection to an AKS node using its private IP address. Detailed documentation here.

Inspect Kubernetes Networking

In Azure Kubernetes Service, you can deploy a cluster that uses one of the following two network models:

  • Basic networking – The network resources are created and configured as the AKS cluster is deployed. This uses the kubenet plugin.
  • Advanced networking – The AKS cluster is connected to existing virtual network resources and configurations. This uses the CNI plugin.

In Part-1 of this blog, we will focus on Basic Networking (kubenet networking) and take a behind-the-scenes look at the traffic flow.

Basic Networking

The basic networking option is the default configuration for AKS cluster creation. The Azure platform manages the network configuration of the cluster and pods.

Nodes in an AKS cluster configured for basic networking use the kubenet Kubernetes plugin.

Basic networking provides the following features:

  • A Kubernetes service can be exposed externally or internally through the Azure Load Balancer.
  • Pods can access resources on the public Internet.
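With kubenet, each node is handed a /24 out of the pod range and the Azure route table (the one verified in the Validations section) must carry one user-defined route per node pointing that /24 at the node's VNet IP. The following added example, not part of the original post, checks a route table against the node list; the node names, addresses and route files are constructed sample data, and the kubectl and az commands in the comments are only referenced, not run:

```shell
#!/bin/sh
# Added example, not from the original post: verifies that a kubenet cluster's
# Azure route table holds exactly one route per node, sending that node's
# podCIDR (a /24 from the 10.244.0.0/16 pod range) to the node's VNet IP.
# Inputs are tab-separated files; on a live cluster they would come from:
#   kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.podCIDR}{"\t"}{.status.addresses[?(@.type=="InternalIP")].address}{"\n"}{end}'
#   az network route-table route list -g <node-resource-group> --route-table-name <table> \
#       --query '[].[addressPrefix,nextHopIpAddress]' -o tsv
set -eu
# Returns 0 only if every node's podCIDR is routed to that node's IP and no other
# pod-range routes exist; a stale or wrong route black-holes a whole /24 of pods
# or delivers their traffic to a different VM.
check_routes() {  # $1 = nodes TSV (name, podCIDR, internalIP); $2 = routes TSV (prefix, nextHop)
  awk -F'\t' '
    NR==FNR { want[$2] = $3; next }                 # podCIDR -> expected next hop
    !($1 in want)  { print "unexpected route " $1 " -> " $2; bad = 1; next }
    want[$1] != $2 { print "wrong next hop for " $1 ": " $2 " (want " want[$1] ")"; bad = 1 }
                   { seen[$1] = 1 }
    END {
      for (c in want) if (!(c in seen)) { print "missing route for " c " (node IP " want[c] ")"; bad = 1 }
      exit bad
    }' "$1" "$2"
}
# Constructed sample: three nodes. The "bad" table has a wrong next hop, a route
# left over from a removed node, and no route at all for the third node.
make_sample() {  # $1 = directory
  mkdir -p "$1"
  printf 'aks-nodepool1-0\t10.244.0.0/24\t10.240.0.4\naks-nodepool1-1\t10.244.1.0/24\t10.240.0.5\naks-nodepool1-2\t10.244.2.0/24\t10.240.0.6\n' > "$1/nodes.tsv"
  printf '10.244.0.0/24\t10.240.0.4\n10.244.1.0/24\t10.240.0.5\n10.244.2.0/24\t10.240.0.6\n' > "$1/routes-good.tsv"
  printf '10.244.0.0/24\t10.240.0.4\n10.244.1.0/24\t10.240.0.9\n10.244.3.0/24\t10.240.0.7\n' > "$1/routes-bad.tsv"
}
```

Running check_routes after every scale or upgrade operation catches the case where the cluster's service principal lost rights on the route table and the cloud provider could not update it.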


Summary

AKS makes it easy to deploy and manage containerized applications without container orchestration expertise. Azure handles the ongoing operations including provisioning, upgrading and scaling of resources/nodes. Nodes are deployed as Azure Virtual Machines. Master nodes are completely managed by Azure. In short, AKS reduces the complexity and operational overhead of managing a Kubernetes cluster by offloading much of that responsibility to Azure. Azure handles health monitoring and maintenance. In addition to AKS, Azure has a full ecosystem of container-based services like Azure Container Registry, Azure Service Fabric and Azure Batch.

Note: I’d like to thank my manager John Rudenauer and leaders from our Navisite Product Management – Balaji Sundara, my colleagues Umang Chhibber and Eric Corbett, Marketing team – Chris Pierdominici and Carole Bailey, and Professional Services team – Mike Gallo for their continued support and direction.

If you’re interested in learning more about deploying Azure Kubernetes Services, as part of the Azure Management Services that Navisite offers, contact us today, or call us at (888) 298-8222 for additional information.

Nehali Neogi

Principal Cloud Architect at Navisite
Nehali Neogi is a Principal Cloud Architect at Navisite, leading many of their global initiatives on building the next generation of hybrid cloud services. She enjoys designing and architecting reliable and highly available solutions for Navisite’s clients. She is a Cisco, VMware NSX and Azure certified Cloud Architect leading Hybrid Cloud offerings. Her interests are cloud technologies, Software Defined Networking, full stack engineering, and realizing the transition to DevOps and system automation. Nehali holds an Expert Level Certification in VMware NSX (VCIX-NV) and is a Microsoft Certified Azure Cloud Architect. She holds a Masters in Computer Engineering from UMass Lowell.