Creating an AKS Cluster on Azure

AKS makes it easy to deploy and manage containerized applications without container orchestration expertise. Azure handles the ongoing operations, including provisioning, upgrading and scaling of resources/nodes. Nodes are deployed as Azure Virtual Machines. Master nodes are completely managed by Azure. In short, AKS reduces the complexity and operational overhead of managing a Kubernetes cluster by offloading much of that responsibility to Azure. Azure handles health monitoring and maintenance. In addition to AKS, Azure has a full ecosystem of container-based services such as Azure Container Registry, Azure Service Fabric and Azure Batch.

Overview

Managed Kubernetes simplifies deployment, management and operations of Kubernetes. It allows developers to take advantage of Kubernetes without worrying about the underlying plumbing needed to get it up and running, freeing up developer time to focus on the applications. Several cloud providers offer this service: Google has Google Kubernetes Engine (GKE), Amazon has Elastic Container Service for Kubernetes (EKS), and Microsoft has Azure Kubernetes Service (AKS).

The focus of this blog is on Azure Kubernetes Service. AKS makes it easy to deploy and manage containerized applications without container orchestration expertise. Azure handles the ongoing operations, including provisioning, upgrading and scaling of resources/nodes. Worker nodes are deployed as Azure Virtual Machines. Master nodes are completely managed by Azure. In short, AKS reduces the complexity and operational overhead of managing a Kubernetes cluster by offloading much of that responsibility to Azure. Azure handles health monitoring and maintenance.


AKS Reference Architecture (Kubenet Networking)

Throughout this blog article we will reference the following architecture. It shows a three-node Kubernetes cluster with basic kubenet networking in a flat-routed topology. The master nodes are completely managed by Azure.


Kubernetes Service Architecture

To simplify the network configuration for application workloads, Kubernetes uses Services to logically group a set of pods together and expose your application for external network connectivity. There are three types of services, or ServiceTypes.

  1. ClusterIP
  2. NodePort
  3. LoadBalancer

We will focus on the LoadBalancer service type. It leverages an external Azure Load Balancer with a public IP.

From Microsoft documentation (figure not reproduced here; source: Microsoft Documentation).

Install Azure CLI and login to Azure

Azure Kubernetes Service management can be done from a development VM as well as from Azure Cloud Shell. In this setup, I'm using an Ubuntu VM and I've installed Azure CLI locally. To install Azure CLI, follow this link.

A few basic commands to log in to Azure using Azure CLI:


Create AKS Cluster and Connect to It

Creating the AKS cluster in Azure is a single command. First, create a resource group in Azure to hold the AKS cluster resources.
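The resource group and cluster creation described above, as an added example script that is not the blog author's own commands. The names nn-aks-rg and nn-aks-cluster and the region eastus are taken from the article (the node resource group MC_nn-aks-rg_nn-aks-cluster_eastus shown later implies eastus); NODE_COUNT=3 matches the three-node architecture. Setting DRY_RUN=1 prints each az command instead of executing it, which is how the script can be checked without an Azure subscription.

```shell
#!/usr/bin/env sh
# Added example: create the resource group and the AKS cluster, then fetch
# kubectl credentials. Names and region come from the article; DRY_RUN is
# an assumption of this script, not an az feature.

RESOURCE_GROUP="${RESOURCE_GROUP:-nn-aks-rg}"
CLUSTER_NAME="${CLUSTER_NAME:-nn-aks-cluster}"
LOCATION="${LOCATION:-eastus}"
NODE_COUNT="${NODE_COUNT:-3}"

# run: execute a command, or only echo it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# create_resource_group: the group that owns the AKS resource itself. AKS
# places the node VMs, route table and load balancer in a separate,
# auto-named MC_<rg>_<cluster>_<location> group (see node_resource_group).
create_resource_group() {
  run az group create --name "$RESOURCE_GROUP" --location "$LOCATION"
}

# create_cluster: kubenet (basic networking) is the default plugin, but it is
# passed explicitly so the choice is visible. --generate-ssh-keys creates
# ~/.ssh/id_rsa only if it does not exist; the public half is provisioned
# onto the node VMs for the azureuser account.
create_cluster() {
  run az aks create \
    --resource-group "$RESOURCE_GROUP" \
    --name "$CLUSTER_NAME" \
    --node-count "$NODE_COUNT" \
    --network-plugin kubenet \
    --generate-ssh-keys
}

# get_credentials: merge the cluster's user context (not --admin) into
# ~/.kube/config so kubectl can reach the API server.
get_credentials() {
  run az aks get-credentials --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME"
}

# node_resource_group: the name AKS derives for the managed node group.
node_resource_group() {
  echo "MC_${RESOURCE_GROUP}_${CLUSTER_NAME}_${LOCATION}"
}

main() {
  create_resource_group
  create_cluster
  get_credentials
  run kubectl get nodes -o wide
}

# Run the whole workflow only when explicitly asked, so the file can also be
# sourced for its functions.
if [ "${AKS_CREATE:-0}" = "1" ]; then
  main
fi
```

Run it as `AKS_CREATE=1 sh create-aks.sh` after `az login`; `DRY_RUN=1 AKS_CREATE=1 sh create-aks.sh` shows the exact commands that would be issued.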


Validations in Azure

Once the Azure Kubernetes Service cluster is created, log in to the Azure Portal and verify the resource groups, the service principal, the three node IPs and the route table used for inter-pod routing.

Resource Groups


Service Principal
Kubernetes Nodes


Route Table

Load Balancer


Run a Sample Containerized Application

Deployment Manifest file

Create a Kubernetes manifest file for the deployment. A deployment in Kubernetes represents one or more identical pods that are managed by the Kubernetes deployment controller. It also defines the number of replicas (pods) to create. In our case we create a file called nn-deployment.yaml which uses the nginx container image and 3 replicas. We will use a separate manifest file for the service.


Service Manifest file

Azure Kubernetes Service uses Services to logically group a set of pods together and provide network connectivity. As explained in the architecture section, there are three types of services. In this example, we will use the LoadBalancer service type. The following manifest file creates an external public IP address and connects the selected pods to the load balancer pool.
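The two manifests described in the Deployment and Service sections above, as an added example that is not the blog's own YAML (the original files were shown as images). The file name nn-deployment.yaml, the deployment name nn-nginx-deployment (from the kubectl output later in the article), the nginx image and 3 replicas are taken from the article; the file name nn-service.yaml, the service name nn-nginx-service, the app=nn-nginx label, the nginx:1.25 tag and port 80 are assumptions. The script writes both files and reads the key fields back out so they can be checked before applying.

```shell
#!/usr/bin/env sh
# Added example: generate the deployment and LoadBalancer service manifests.
# Label, service name, image tag and ports are assumptions of this example.

# write_deployment_manifest PATH: 3 nginx replicas managed by a Deployment.
write_deployment_manifest() {
  cat > "$1" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nn-nginx-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nn-nginx
  template:
    metadata:
      labels:
        app: nn-nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.25          # pinned tag (assumption); article uses "nginx"
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: 250m
            memory: 128Mi
EOF
}

# write_service_manifest PATH: LoadBalancer service; AKS provisions an Azure
# Load Balancer rule and a public IP and adds the matching pods to the pool.
write_service_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: nn-nginx-service
spec:
  type: LoadBalancer
  selector:
    app: nn-nginx                 # must match the pod template labels
  ports:
  - protocol: TCP
    port: 80                      # port on the load balancer public IP
    targetPort: 80                # containerPort on the pods
EOF
}

# count_replicas PATH: read spec.replicas back out of a deployment manifest.
count_replicas() {
  sed -n 's/^ *replicas: *\([0-9][0-9]*\).*/\1/p' "$1"
}

# service_type PATH: read spec.type back out of a service manifest.
service_type() {
  sed -n 's/^ *type: *\([A-Za-z]*\).*/\1/p' "$1"
}

# write_manifests DIR: create both files in DIR.
write_manifests() {
  write_deployment_manifest "$1/nn-deployment.yaml"
  write_service_manifest "$1/nn-service.yaml"
}
```

After `write_manifests .`, apply with `kubectl apply -f nn-deployment.yaml -f nn-service.yaml` and watch `kubectl get service nn-nginx-service --watch` until EXTERNAL-IP changes from `<pending>` to the public IP Azure assigned.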


SSH into the AKS Nodes

Throughout the lifecycle of your Azure Kubernetes Service cluster, you may need to access an AKS node. This access could be for maintenance, log collection, or other troubleshooting operations. The AKS nodes are Linux VMs, so you can access them using SSH. For security purposes, the AKS nodes are not exposed to the internet and master nodes are fully managed by Azure.

This article shows you how to create an SSH connection to an AKS node using its private IP address. Detailed documentation here.

Get the node resource group:
azure@aks-setup-vm:~$ az aks show --resource-group nn-aks-rg --name nn-aks-cluster --query nodeResourceGroup -o tsv
 
MC_nn-aks-rg_nn-aks-cluster_eastus
 
Get the list of VMs:
 
azure@aks-setup-vm:~$ az vm list --resource-group MC_nn-aks-rg_nn-aks-cluster_eastus -o table
Name                      ResourceGroup                       Location    Zones
------------------------  ----------------------------------  ----------  -------
aks-nodepool1-19416140-0  MC_nn-aks-rg_nn-aks-cluster_eastus  eastus
aks-nodepool1-19416140-1  MC_nn-aks-rg_nn-aks-cluster_eastus  eastus
aks-nodepool1-19416140-2  MC_nn-aks-rg_nn-aks-cluster_eastus  eastus
 
Add the public key to the nodes:
az vm user update \
--resource-group MC_nn-aks-rg_nn-aks-cluster_eastus \
--name aks-nodepool1-19416140-0 \
--username azureuser \
--ssh-key-value ~/.ssh/id_rsa.pub
 
az vm user update \
--resource-group MC_nn-aks-rg_nn-aks-cluster_eastus \
--name aks-nodepool1-19416140-1 \
--username azureuser \
--ssh-key-value ~/.ssh/id_rsa.pub
 
az vm user update \
--resource-group MC_nn-aks-rg_nn-aks-cluster_eastus \
--name aks-nodepool1-19416140-2 \
--username azureuser \
--ssh-key-value ~/.ssh/id_rsa.pub
 
 
Get the list of node IPs:
 
azure@aks-setup-vm:~$ az vm list-ip-addresses --resource-group MC_nn-aks-rg_nn-aks-cluster_eastus -o table
VirtualMachine            PrivateIPAddresses
------------------------  --------------------
aks-nodepool1-19416140-0  10.240.0.4
aks-nodepool1-19416140-1  10.240.0.5
aks-nodepool1-19416140-2  10.240.0.6
 
Run an Ubuntu container image and attach a terminal session to it. We will use this container to SSH to any of the AKS cluster nodes.
 
kubectl run -it --rm aks-ssh --image=ubuntu
apt-get update && apt-get install openssh-client -y
 
In a separate window:
azure@aks-setup-vm:~$ kubectl get pods
NAME                                  READY   STATUS    RESTARTS   AGE
aks-ssh-6fbc77d848-h52wc              1/1     Running   0          43s
nn-nginx-deployment-7489bc85cf-95jxn  1/1     Running   0          15m
nn-nginx-deployment-7489bc85cf-xwllg  1/1     Running   0          15m
nn-nginx-deployment-7489bc85cf-zp68z  1/1     Running   0          15m
 
Copy the SSH private key to the newly deployed pod:
 
azure@aks-setup-vm:~$ kubectl cp ~/.ssh/id_rsa aks-ssh-6fbc77d848-h52wc:/id_rsa
 
Back in the container terminal:
 
root@aks-ssh-6fbc77d848-h52wc:/# ls
bin boot dev etc home id_rsa lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
root@aks-ssh-6fbc77d848-h52wc:/# chmod 0600 id_rsa
root@aks-ssh-6fbc77d848-h52wc:/# mv id_rsa ~/.ssh/
root@aks-ssh-6fbc77d848-h52wc:~# cd .ssh/
root@aks-ssh-6fbc77d848-h52wc:~/.ssh# ls
id_rsa known_hosts
 
From here on you can SSH to any of the AKS nodes:
root@aks-ssh-6fbc77d848-h52wc:~/.ssh# ssh azureuser@10.240.0.4
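The key-distribution steps above, done as a loop over every VM in the node resource group rather than one hand-typed `az vm user update` per node. This is an added example, not the blog author's commands. The resource group, cluster name, azureuser account and key path are the article's; the `--query` expressions follow the JSON layout of `az vm list` and `az vm list-ip-addresses`, and the node names returned in dry-run mode are constructed from the VM names shown above so the script can be exercised without an Azure subscription. Only the public key leaves the workstation in this step; the private key is copied into the aks-ssh pod only by the later `kubectl cp`, and because that pod was started with `--rm` it, and the key inside it, are deleted when the terminal session ends.

```shell
#!/usr/bin/env sh
# Added example: push the local SSH public key to every AKS node VM and list
# the node private IPs. DRY_RUN=1 prints commands and returns constructed
# data instead of calling az (an assumption of this script, not an az flag).

RESOURCE_GROUP="${RESOURCE_GROUP:-nn-aks-rg}"
CLUSTER_NAME="${CLUSTER_NAME:-nn-aks-cluster}"
SSH_USER="${SSH_USER:-azureuser}"
PUBKEY="${PUBKEY:-$HOME/.ssh/id_rsa.pub}"

# run: execute a command, or only echo it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# node_resource_group: the auto-named MC_... group, via the same query the
# article uses. Dry run returns the value the article shows (eastus).
node_resource_group() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "MC_${RESOURCE_GROUP}_${CLUSTER_NAME}_eastus"
  else
    az aks show --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" \
      --query nodeResourceGroup -o tsv
  fi
}

# list_nodes MC_RG: one VM name per line. The --query keeps only names, which
# is easier to loop over than the -o table form shown in the article. Dry run
# returns the three node names from the article (constructed sample).
list_nodes() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' aks-nodepool1-19416140-0 aks-nodepool1-19416140-1 aks-nodepool1-19416140-2
  else
    az vm list --resource-group "$1" --query "[].name" -o tsv
  fi
}

# add_key_to_nodes: install the public key for SSH_USER on each node VM.
add_key_to_nodes() {
  mc_rg=$(node_resource_group)
  list_nodes "$mc_rg" | while IFS= read -r node; do
    run az vm user update \
      --resource-group "$mc_rg" \
      --name "$node" \
      --username "$SSH_USER" \
      --ssh-key-value "$PUBKEY"
  done
}

# count_key_updates: how many update commands the loop issues (dry run only).
count_key_updates() {
  add_key_to_nodes | grep -c 'az vm user update'
}

# node_ips: "<vm name> <private ip>" per node, for the ssh step in the pod.
node_ips() {
  mc_rg=$(node_resource_group)
  run az vm list-ip-addresses --resource-group "$mc_rg" \
    --query "[].{name:virtualMachine.name, ip:virtualMachine.network.privateIpAddresses[0]}" \
    -o tsv
}
```

Source the file and call `add_key_to_nodes` then `node_ips`; with `DRY_RUN=1` the same calls print the three `az vm user update` commands and the IP query without touching Azure.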

In Azure Kubernetes Service, you can deploy a cluster that uses one of the following two network models:

  • Basic networking – The network resources are created and configured as the AKS cluster is deployed. This uses the kubenet plugin.
  • Advanced networking – The AKS cluster is connected to existing virtual network resources and configurations. This uses the Azure CNI plugin.

In Part 1 of this blog, we focus on Basic Networking (kubenet networking) and take a behind-the-scenes look at the traffic flow.

Basic Networking

The basic networking option is the default configuration for AKS cluster creation. The Azure platform manages the network configuration of the cluster and pods.

Nodes in an AKS cluster configured for basic networking use the kubenet Kubernetes plugin.

Basic networking provides the following features:

  • Expose a Kubernetes service externally or internally through the Azure Load Balancer.
  • Pods can access resources on the public Internet.