Securing Azure Kubernetes with Advanced Container Networking Services

October 17, 2024

Microsoft’s Azure Kubernetes Service (AKS) is designed to streamline the daily management of Kubernetes, significantly simplifying the complexity inherent in building and running large-scale, cloud-native applications. With Azure taking on much of the heavy lifting, developers can focus more on creating and extending their code and containers. AKS initially targets the basics of running Kubernetes, but as the platform has matured, there has been a growing need for more advanced services that provide deeper insights into applications and more sophisticated security mechanisms. Kubernetes’ modular architecture, with its support for sidecars and service meshes, allows for the extension of the platform’s capabilities without necessitating changes to individual applications.

Microsoft enhances AKS by integrating Advanced Container Networking Services (ACNS), which bundles open-source tools to bolster both observability and security. ACNS simplifies the incorporation of essential tools like Grafana and Prometheus alongside Cilium-enabled nodes using Hubble and eBPF for advanced integration with container hosts. Alternatively, nodes can be constructed using Microsoft’s proprietary Retina Kubernetes observability tool. Currently, ACNS includes two major services: Advanced Network Observability and Fully Qualified Domain Name (FQDN) filtering with an attached DNS proxy. Both services leverage Azure’s extended Berkeley Packet Filters, providing kernel-level access to both Windows and Linux networking environments.

1. Sign Into Azure Environment

To begin securing your Azure Kubernetes environment with ACNS, the first step is to sign into your Azure environment. Utilize either Azure’s Bash in Cloud Shell or the Azure CLI in a desktop terminal session. If you opt for the CLI, ensure that you are logged into the Azure environment you’re configuring. This initial action sets the stage for deploying and managing the AKS cluster under the right credentials and workspace.

Azure Command-Line Interface (CLI) serves as a powerful tool for interacting with Azure services programmatically. Signing into this environment allows you to execute commands, create and manage resources, and configure services like ACNS efficiently. Be sure to verify your access permissions and role assignments since various operations may require elevated privileges. Performing this step correctly ensures that subsequent actions, particularly those that modify network and security settings, are authorized and effective.

2. Install Azure CLI Preview Extension

Given that ACNS is currently a preview service, it’s essential to install the Azure CLI preview extension to enable the feature flags required to use ACNS. This step is crucial because it provides access to experimental and pre-release features, allowing you to test and implement new functionality before it becomes generally available.

To install the preview extension, execute the appropriate installation commands within your chosen CLI environment. This extension acts as a gateway for activating ACNS-specific commands and features, facilitating the deployment and configuration processes. This preparatory step ensures that your Azure CLI is equipped with the latest tools and capabilities, enabling seamless integration of ACNS into your AKS environment.

3. Create Resource Group for AKS Cluster

Once you’ve installed the CLI preview extension, the next step is to create a resource group for your AKS cluster. Resource groups in Azure serve as logical containers for managing related resources, such as virtual machines, storage accounts, and networking interfaces. Setting up a resource group specifically for your AKS cluster helps organize resources more effectively and simplifies the management of associated services and permissions.

When creating a resource group, consider the scope and requirements of your deployment. Choose an appropriate region (location) based on performance, compliance, and cost considerations. Proper resource group management not only aids in administration and auditing but also plays a role in cost management by allowing for grouped billing and budgeting. By setting up a dedicated resource group, you ensure that all components of your AKS cluster are systematically organized and easily maintainable.

4. Set Up the AKS Cluster

Setting up the AKS cluster involves a few critical steps, including adding ACNS services to the cluster. It’s important to ensure that your cluster includes the appropriate data plane, like Cilium, if you’re planning to use FQDN filtering. The Cilium data plane leverages eBPF technology to provide advanced networking, security, and observability capabilities.

To include ACNS in your AKS cluster, utilize the --enable-acns flag when executing the aks create command. This command facilitates the integration of observability and FQDN filtering within your cluster setup. Configuring the cluster with this flag ensures that both core and advanced networking services are activated, providing enhanced visibility and security features.

Moreover, setting up the AKS cluster with these configurations helps streamline the deployment of complex applications, allowing you to leverage Azure’s robust security frameworks and observability tools. This setup phase is critical for establishing a stable and secure baseline for your Kubernetes environment.

5. Configure for FQDN Filtering (Optional)

If your requirements solely include FQDN filtering, you can achieve this by replacing the --enable-acns flag with --enable-fqdn-policy in the aks create command. This more focused configuration targets domain name filtering without additional observability features. You can also add ACNS support to existing AKS clusters using the same flags with the aks update command.

FQDN filtering simplifies access management by allowing traffic based on domain names rather than static IP addresses. This approach is particularly effective in orchestrated environments where dynamic scaling and ephemeral IPs are common. The domain-based system ensures that access policies remain consistent and easier to manage, reducing errors and security risks associated with IP-based filtering.

This optional configuration caters to specific needs, providing flexibility in how you secure and control network traffic in your Kubernetes clusters. By leveraging domain names, you align your security practices with modern, dynamic application architectures.
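Steps 1 to 5 above, as one script. This is an added example, not the article’s or Microsoft’s own; the resource names, region and the Azure CNI overlay/Cilium pairing are assumptions, while --enable-acns and --enable-fqdn-policy are the flags the article names.

```shell
#!/bin/sh
# Added example, not the article's own script: steps 1-5 above as one run.
# Resource names, region and the CNI flags are assumptions; --enable-acns and
# --enable-fqdn-policy are the flags the article names. Commands are printed
# by default (DRY_RUN=1); set DRY_RUN=0 to execute them against Azure.
RG="${RG:-acns-demo-rg}"             # assumed resource group name
CLUSTER="${CLUSTER:-acns-demo-aks}"  # assumed cluster name
LOCATION="${LOCATION:-eastus}"       # assumed region
MODE="${MODE:-acns}"                 # acns = observability + FQDN; fqdn = FQDN only
DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Map the requested mode to the flag from step 4 or step 5.
acns_flag() {
  case "$1" in
    acns) echo "--enable-acns" ;;
    fqdn) echo "--enable-fqdn-policy" ;;
    *) echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# Step 4: build the create command. FQDN filtering needs the Cilium data
# plane; pairing it with Azure CNI in overlay mode is an assumption here.
aks_create_cmd() {
  flag=$(acns_flag "$4") || return 1
  echo "az aks create --resource-group $1 --name $2 --location $3" \
       "--network-plugin azure --network-plugin-mode overlay" \
       "--network-dataplane cilium $flag --generate-ssh-keys"
}

# Step 5 (existing cluster): the same flag via 'az aks update'.
aks_update_cmd() {
  flag=$(acns_flag "$3") || return 1
  echo "az aks update --resource-group $1 --name $2 $flag"
}

main() {
  az account show >/dev/null 2>&1 || run az login            # step 1: sign in if needed
  run az extension add --name aks-preview                     # step 2: preview extension
  run az group create --name "$RG" --location "$LOCATION"     # step 3: resource group
  run $(aks_create_cmd "$RG" "$CLUSTER" "$LOCATION" "$MODE")  # step 4/5: cluster with ACNS
}
main
```

Run it once with the default DRY_RUN=1 to review the exact commands (and confirm the account and subscription az is signed into) before executing with DRY_RUN=0.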

6. Manage FQDN Policies through Cilium Agent

Managing FQDN policies is facilitated through the Cilium agent, which orchestrates DNS requests from pods by routing them to the ACNS DNS proxy. When a DNS query is made, the proxy evaluates the request based on pre-configured policies to determine whether it should be permitted. If the request is allowed, the proxy forwards it to a DNS server, retrieves the resolution, and sends the response back to the originating pod. Conversely, if a request is blocked, it is discarded without any query being made.

This mechanism operates at Layer 7 of the OSI model, giving it precedence over other network policies. As a result, even if other policies would allow pod connectivity, a DNS block enforced by the Cilium agent will take precedence, thereby preventing access to specific endpoints. The policy configurations for DNS filtering can be managed using YAML or JSON, offering flexibility and precision in defining access rules.

Managing FQDN policies through the Cilium agent ensures that stringent and adaptable controls are in place to govern network interactions within the Kubernetes environment. This level of control is vital for maintaining robust security postures, mitigating risks associated with unauthorized access, and ensuring compliance with organizational policies.
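The DNS-proxy flow described above, written as a CiliumNetworkPolicy. This is an added example, not from the article or from Microsoft’s documentation; the namespace, pod label and domain names are assumptions.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-egress-by-fqdn   # assumed name
  namespace: demo              # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app: demo-client         # assumed label of the pods being constrained
  egress:
    # Rule 1: let the selected pods reach the cluster DNS service. The
    # "rules: dns" block is what sends these queries through the DNS proxy,
    # where they are checked against the policy before being forwarded.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    # Rule 2: allow HTTPS only to names the proxy has resolved for these
    # patterns; connections to any other destination are dropped.
    - toFQDNs:
        - matchName: "api.example.com"      # assumed exact name
        - matchPattern: "*.example.org"     # assumed wildcard
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

Once any egress rule selects a pod, Cilium denies all other egress from it, so the first rule is what keeps name resolution itself working; tightening the matchPattern in rule 1 also restricts which names the pod may even look up.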

Using ACNS for Network Observability

Advanced Container Networking Services (ACNS) provides powerful tools for network observability, enabling detailed insights into the performance and interactions within your AKS clusters. Utilizing either Cilium or Retina, ACNS extracts metrics from service hosts and maps them to nodes and pods. These metrics are stored in Prometheus format, allowing for comprehensive data analysis and visualization using pre-configured Grafana dashboards.

The observability tools offered by ACNS, like Hubble, provide real-time tracing of data flows within your environment. Hubble can map communications between pods and generate detailed service connection graphs, which are invaluable for understanding network dynamics and pinpointing performance issues. However, note that ACNS does not include Hubble’s visualization tools by default, so you may need to set up your own servers for full graphical interfaces, either on-premises or in Azure, which could incur additional costs.

The observability capabilities of ACNS extend to monitoring network performance, detecting anomalies, and ensuring that service interactions conform to expected patterns. This holistic view is crucial for optimizing application performance, troubleshooting issues, and maintaining the overall health of your Kubernetes environment. By implementing these observability tools, businesses can achieve a deeper understanding of their cloud-native applications and ensure they operate efficiently and securely.

Conclusion

Microsoft’s Azure Kubernetes Service (AKS) aims to ease the day-to-day management of Kubernetes, making it significantly less complex to develop and operate large-scale, cloud-native applications. By handling much of the heavy lifting, Azure allows developers to focus on writing and enhancing their code and containers. AKS initially addresses the core needs of running Kubernetes, but as it has evolved, there’s been an increasing demand for advanced services that offer deeper application insights and enhanced security features. Kubernetes’ modular structure, supporting sidecars and service meshes, permits extending the platform’s functionality without altering individual applications.

Microsoft improves AKS through the integration of Advanced Container Networking Services (ACNS), which incorporates open-source tools to boost both observability and security. ACNS simplifies the deployment of vital tools like Grafana and Prometheus, along with Cilium-enabled nodes leveraging Hubble and eBPF for sophisticated integration with container hosts. Alternatively, nodes can be set up using Microsoft’s proprietary Retina Kubernetes observability tool. Currently, ACNS offers two main services: Advanced Network Observability and Fully Qualified Domain Name (FQDN) filtering with an integrated DNS proxy. Both services utilize Azure’s extended Berkeley Packet Filters, granting kernel-level access to networking environments on both Windows and Linux. As a result, developers gain a powerful, flexible platform that supports efficient and secure cloud-native application development.
