[SLIDES FROM MICROSOFT ONLINE TECH FORUM SESSION]
Kubernetes is the open source container orchestration system that supercharges applications with scaling and reliability and unlocks advanced features, like A/B testing, Blue/Green deployments, canary builds, and dead-simple rollbacks.
In this session, see how Tailwind Traders took a containerized application and deployed it to Azure Kubernetes Service (AKS).
You’ll walk away with a deep understanding of major Kubernetes concepts and how to put it all to use with industry standard tooling.
Debugging and Interacting with Production Applications - MS Online Tech Forum (by Davide Benvegnù)
[SLIDE FROM MICROSOFT ONLINE TECH FORUM SESSION]
Now that the applications are in the Cloud, developers must find ways to debug and interact with the production applications with minimal impact and maximal efficiency.
Azure comes with a full set of tools and utilities that can be used to manage and monitor your applications.
In this session, see how streaming logs work to monitor the production application in real time. We also show how Snapshot Debugging can be used to live debug applications.
Best Practices with Azure Kubernetes Services (by QAware GmbH)
Cloud Native Night November 2018, Munich: Talk by Jose Moreno (Microsoft).
Join our Meetup: www.meetup.com/cloud-native-muc
Abstract: Three commands to deploy a Kubernetes Cluster to Azure! Well, but is the cluster secure? How to perform capacity management? What happens in case of a data center disaster? In this session we'll explore capabilities of the Azure Kubernetes Service and acs-engine to address these requirements.
There’s a plethora of Container-related services available in Azure: Azure Container Instance, Azure Container Service, managed Kubernetes and managed container registry to name a few. I will cover the most useful container and container orchestration related services in this talk, explain their differences and help you figure out which scenarios they fit best.
As presented by Karl Ots, Azure MVP, at the CNCF & Kubernetes Finland meetup on February 22, 2018.
In this session, we will show how to simplify the deployment, management, and operations of Kubernetes using Azure Container Service (AKS). We will demonstrate how to use Brigade - a framework for scripting together multiple tasks and executing them inside of containers and Kashti - an open source reporting dashboard web interface to easily manage and visualize their Brigade events and projects through a web browser. Additionally, we will provide comparisons of the wide variety of tools in the Kubernetes ecosystem for CI/CD, observability, storage and networking.
Azure and Kubernetes go together like peanut butter and jelly with Azure offering many options to host Kubernetes. In this session, we'll show you how to mix the Open Source tools you already use with the powerful Kubernetes hosting options on Azure. Take your deployment and orchestration to the next level!
It's never been easier to containerize your services using Docker and deploy them to Azure using Kubernetes. In this session we will introduce you to the world of containers in Azure. You will learn how to set up continuous deployment with Visual Studio Team Services (VSTS), monitor and scale your containers in Azure, how to build Docker images, run them in Azure, and even handle secrets in Kubernetes clusters.
Moving multi-container applications to Azure Kubernetes.
- Microservices
- Dockerize application using Docker Container
- Touch on different Kubernetes Objects
- Leverage Azure Container Registry and AKS
The slides were presented at the Kubernetes Meetup Bangalore held on 26 May 2018 by Sathyam Zode, an OpenEBS contributor and Software Engineer at MayaData.
Service Fabric is the foundational technology powering core Azure infrastructure and large-scale Microsoft services such as Azure Cosmos DB, Azure SQL Database, Dynamics 365, and Cortana. Come to this session for a developer's tour and deep dive into the latest and greatest Service Fabric capabilities, including containers, low-latency data processing, .NET Core 2.0 and VS 2017 integration. We are also going to immerse you in our future roadmap, which makes building containerized microservice applications much easier.
Kubernetes can be complex to manage at enterprise scale! Cloud provider services like Amazon EKS solve the challenge of bringing up a Kubernetes control plane. However, production Kubernetes requires multi-layer security, access controls, load balancing, monitoring, logging, governance, secrets management, policy management, and several other considerations. In this fast-paced talk, we will cover how enterprises can address each of these areas and discuss best practices to fast-track deployments.
Making sense of containers, docker and Kubernetes on Azure (by Nills Franssens)
A presentation for the Belgian Azure User Group (AZUG) on June 26 2018.
Topics:
- Containers
- Docker
- Kubernetes
Sources: https://github.com/NillsF/Azug-Container-Session/
This presentation was made as part of Container Conference 2018 : www.containerconf.in
"Typically enterprise applications are deployed as processes on Virtual Machines or as Containers. For example, applications can be deployed on Amazon EC2 instances or as Docker containers in on-premise Kubernetes cluster. Both the strategies have their own pros and cons. While VMs are portable and secure, they are also bulky and time consuming to bring up. Containers on the other hand are lightweight, portable and can be launched very quickly, but their security concerns remain.
Even though traditional containers (such as Docker) isolate the application process namespace from other containers, they share the host OS kernel. Considering the number of un-trusted applications that are run as containers, the entire host OS can be compromised. Even though the community has come up with a variety of tools for scanning vulnerabilities (such as Clair) and modules for enhancing the security (such as AppArmor & SELinux), the onus is on the administrator to use these tools and make the environment secure. In this presentation we explore Virtualized Containers, an evolving container technology which inherently provides security by design without compromising on speed and flexibility."
CloudBurst Malmö: Best practices of securing web applications running on Azur... (by Karl Ots)
The multitude of security controls and guidelines for both Kubernetes and Azure can be overwhelming. Based on real-life experiences from securing web applications running on Azure Kubernetes Service, Karl has compiled a list of best practices that bring these worlds together.
In this session, you will learn how to build, operate and develop secure web applications on top of Azure Kubernetes Service. After this session, you will know which security controls are available, how effective they are and what will be the cost of implementing them.
Stateless and Stateful Services in Kubernetes - Mohit Saxena - Citrix - CC18 (by CodeOps Technologies LLP)
This presentation was made by Mohit Saxena as part of the Container Conference 2018.
"Stateless and Stateful services in Kubernetes
Kubernetes (K8s) cluster infrastructure is getting more and more traction industry-wide. Different kinds of workloads are getting shifted from traditional three-tier to microservice architecture. Every application comes with its own need for infrastructure components, be it scaling of the application or load balancing (LB) these applications. K8s is also trying to cater to the different requirements of these workloads; one such example is headless services, which are basically used for stateful service sets. The role of LB is most important when it comes to scaling of services and service discovery, be it ingress or E-W. For stateful services exposed using ClusterIP/NodePort to ingress, default round-robin load balancing will not work. We need intelligent service discovery and LB modules when working with a set of apps consisting of both stateful and stateless services."
Conference URL: www.containerconf.in
“Microservices” have become a trendy development strategy. Hosting and running such services used to be pretty painful... but here comes Service Fabric! Let’s take a closer look at this platform, its different development models and all the features it offers, and not only for microservices!
Consolidating Infrastructure with Azure Kubernetes Service (by Eng Teong Cheah)
In this session, see how Tailwind Traders took a containerized application and deployed it to Azure Kubernetes Service (AKS). You’ll walk away with a deep understanding of major Kubernetes concepts and how to put it all to use with industry standard tooling.
Cloud-native .NET Microservices with Kubernetes (by QAware GmbH)
BASTA! 2017, Mainz: Talk by Mario-Leander Reimer (@LeanderReimer, chief technologist at QAware).
Cloud giants such as Google, Twitter and Netflix have made the core building blocks of their infrastructure available as open source. The result of many years of cloud experience is now freely accessible, and anyone can develop their own cloud-native applications: applications that run reliably in the cloud and scale almost arbitrarily. The individual building blocks are growing together into a larger whole, the cloud-native stack. In this session we briefly introduce the most important concepts and the current key technologies. We then implement a simple microservice with .NET Core and Steeltoe OSS and, step by step, get it running on a Kubernetes cluster together with selected building blocks for service discovery and configuration.
https://basta.net/microservices-services/cloud-native-net-microservices-mit-kubernetes/
Attendees will learn how to leverage the identity and authorisation, network security and secrets management features of the wider AWS platform for their containers, including Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Container Service for Kubernetes (Amazon EKS). We also discuss best practices for the security of your container images such as scanning them for known vulnerabilities.
Bitbucket Pipelines - Powered by Kubernetes (by Nathan Burrell)
This talk covers how Pipelines uses Kubernetes to power its builder infrastructure and shares some tips on running Kubernetes at scale in a secure way.
This presentation was given to the Sydney Kubernetes meetup on the 3rd of August 2017.
Monitoring Containers at Scale - September Webinar Series (by Amazon Web Services)
Containers come and go rapidly, which is great for scalable or fast-evolving infrastructure. However, the short life of containers makes them more challenging to monitor, leaving many with questions such as: How many containers can you run on a given Amazon EC2 instance type? Which metric should you look at to measure contention? How do you manage fleets of containers at scale? In this session, we'll present the challenges and benefits of running containers at scale, how to use quantitative performance patterns to monitor your infrastructure at this magnitude and complexity, and we'll discuss proven strategies for monitoring your containerized infrastructure on AWS and ECS.
Learning Objectives:
- Set up the infrastructure to monitor your containers running on AWS
- Understand the metrics available and what they mean
- Define a strategy to monitor your containers
In this presentation you will learn about:
• CloudFormation 101
– The building block of Infrastructure as Code
• CodePipeline and CodeCommit 101
– Tools for our IaC pipeline
• Review of an example IaC Pipeline
– Automated validation
– Least privilege enforcement
– Manual review/approval
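The "automated validation" and "least privilege enforcement" stages of the IaC pipeline above are where a template should be rejected before a human ever looks at it. The block below is an added example of such a gate, written for this page and not taken from the session: it walks the IAM policy documents embedded in a CloudFormation template (JSON form; YAML templates need a YAML parser first) and reports Allow statements that use `Action: "*"`, service-wide wildcards such as `s3:*`, `NotAction`/`NotResource`, or `Resource: "*"` with write-capable actions. The sample template, the resource names and the `gate()`/`audit_template()` function names are all constructed for the example.

```python
"""Least-privilege gate for an infrastructure-as-code pipeline (added example).

Scans the IAM policy documents inside a CloudFormation template (JSON form)
and returns the statements that violate least privilege, so the pipeline can
fail the automated-validation stage before anything reaches manual review.
"""
import json
from typing import Iterator

# Actions whose verb starts with one of these prefixes only read state.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")

# Constructed sample template (not from the talk): BuildRole carries an
# over-broad inline policy, ReadArtifacts is scoped to one bucket.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "BuildRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Action": "sts:AssumeRole",
                     "Principal": {"Service": "codebuild.amazonaws.com"}}]},
                "Policies": [{
                    "PolicyName": "build-permissions",
                    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                        {"Effect": "Allow", "Action": "*", "Resource": "*"},
                        {"Effect": "Allow", "Action": "s3:*",
                         "Resource": "arn:aws:s3:::build-artifacts/*"}]}}]}},
        "ReadArtifacts": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::build-artifacts",
                              "arn:aws:s3:::build-artifacts/*"]}]}}},
    },
})


def _as_list(value) -> list:
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iter_policy_documents(template: dict) -> Iterator[tuple]:
    """Yield (logical id, policy name, PolicyDocument) for every IAM resource
    type in the template that embeds a policy document."""
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        rtype = res.get("Type", "")
        if rtype in ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"):
            for pol in props.get("Policies", []):
                yield logical_id, pol.get("PolicyName", "<inline>"), pol.get("PolicyDocument", {})
        elif rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            name = props.get("PolicyName") or props.get("ManagedPolicyName") or logical_id
            yield logical_id, name, props.get("PolicyDocument", {})


def _is_read_only(action: str) -> bool:
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.startswith(READ_ONLY_PREFIXES)


def check_statement(stmt: dict) -> list:
    """Return the least-privilege violations found in one IAM statement."""
    issues = []
    if stmt.get("Effect") != "Allow":
        return issues  # Deny statements only narrow access
    if "NotAction" in stmt or "NotResource" in stmt:
        issues.append("NotAction/NotResource allows everything not listed; enumerate explicitly")
    # Intrinsic functions (e.g. {"Fn::Sub": ...}) are dicts; only literal strings are checked.
    actions = [a for a in _as_list(stmt.get("Action")) if isinstance(a, str)]
    resources = _as_list(stmt.get("Resource"))
    for action in actions:
        if action == "*":
            issues.append("Action '*' grants every API call")
        elif action.endswith(":*"):
            issues.append(f"service-wide wildcard {action!r}")
        elif action.lower() == "iam:passrole" and "*" in resources:
            issues.append("iam:PassRole on Resource '*' lets the principal hand any role to a service")
    if "*" in resources and any(not _is_read_only(a) for a in actions):
        issues.append("Resource '*' combined with write-capable actions; scope to ARNs")
    return issues


def audit_template(template_text: str) -> list:
    """Run check_statement over every policy in a JSON CloudFormation template."""
    template = json.loads(template_text)
    findings = []
    for logical_id, policy, doc in iter_policy_documents(template):
        for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
            for issue in check_statement(stmt):
                findings.append({"resource": logical_id, "policy": policy,
                                 "statement": idx, "issue": issue})
    return findings


def gate(template_text: str) -> bool:
    """Pipeline decision: True only when no finding blocks promotion to review."""
    return not audit_template(template_text)


if __name__ == "__main__":
    for f in audit_template(SAMPLE_TEMPLATE):
        print(f"{f['resource']}/{f['policy']} statement {f['statement']}: {f['issue']}")
    print("gate:", "PASS" if gate(SAMPLE_TEMPLATE) else "FAIL")
```

Run as a CodeBuild step before the manual-approval action and fail the build on a non-empty finding list. The read-only allowlist is deliberately narrow: `Resource: "*"` on `Describe*`/`List*` calls is tolerated because those APIs are not resource-scoped, while anything that can write or pass a role must name its ARNs.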
Microservices CI/CD automation inside Azure using Azure DevOps and AKS Radu Vun... (by Radu Vunvulea)
Microservices CI/CD automation inside Microsoft Azure: This session represents the journey that we need to follow when we start to implement a microservice solution using Azure Kubernetes Service (AKS). Besides the microservices themselves, there are a lot of other things that we need to be aware of if we want to have an automated system where we focus only on the functionality and nothing more. Join this session if you want to discover the world of Azure DevOps and how you can configure a CI/CD environment in 30 minutes.
Azure: Docker Container orchestration, PaaS (Service Fabric) and High avail... (by Alexey Bokov)
Deep dive into Azure cloud technologies, including common considerations about technology choices and then going deep into some of them. First we start with Azure Container Service and Docker container orchestration using Mesos or Swarm. The next part is about PaaS v2, which is called Azure Service Fabric: a crash course and deep dive into some parts of SF. After that we go through high availability and disaster recovery in Azure:
- Azure DNS - cloud API for DNS record hosting
- Traffic Manager - load balancing and fault tolerance at the DNS level
- Azure Load Balancer - load balancing at the transport level
- Application Gateway - load balancing at the application level
The last part of the deck is about IaaS-based services and some updates for the storage service:
- Azure Batch for computational tasks
- VM Scale Sets
- Storage - managed disks and cool storage
Building a Kubernetes App with Amazon EKS (by DevOps.com)
Interested in learning how to set up a Kubernetes cluster and use automation to test and deploy an app?
During this presentation, Laura Frank will take a deep dive into CI/CD best practices with Kubernetes and Amazon EKS. You will be introduced to Amazon EKS, Amazon's Kubernetes service, and CloudBees CodeShip, a flexible continuous integration (CI)/continuous delivery (CD) tool that runs your builds in the cloud. Designed with developers in mind, EKS and CodeShip used together reduce the complexity of running an app with Kubernetes.
Attend this webinar to learn:
- An overview of Amazon EKS
- How to set up your own CI/CD pipeline
- How to leverage CI/CD best practices with Kubernetes
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS (by Weaveworks)
Alfonso described how Weave open source projects (Weave Net and Weave Scope) can help with networking, visualization, and control for ECS. Specifically, Weave acts as a key communicator for networking containers with its multi-host overlay and additional features (including automatic DNS service discovery and multicast).
Similar to Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech Forum
DevSecOps Done Right - Strategies and Tools (by Davide Benvegnù)
Had a session at the "Empowering Digital Trust: Data Security and Beyond" event organized by Thales Data Security. The event was free and open to the public.
Security issues, dependency vulnerabilities, misconfigurations... All of those can make or break your Open Source projects. Also, you want to make sure you adhere to the best practices, especially when you use more complex tools like Kubernetes.
Let's see how we can use the tools that GitHub and Datree provide (most are Open Source too!) to secure your project and make sure that no misconfiguration ever reaches the deployment targets!
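Both the Container Conference abstract on virtualized containers (containers share the host kernel, and AppArmor/SELinux/seccomp only help if the administrator actually applies them) and the DevSecOps session above come down to the same operational question: does a manifest that weakens kernel isolation or pulls an unpinned image get stopped before it reaches the cluster? The block below is an added example of such a gate, written for this page; it is not Datree's, GitHub's or any speaker's code. It takes manifests in dict form (what `kubectl get -o json` returns, or what `yaml.safe_load` gives for a YAML file), finds the pod template of each workload, and flags host namespaces, hostPath mounts, `privileged`, missing `runAsNonRoot`, privilege escalation, retained capabilities, no seccomp profile, a writable root filesystem and floating image tags. The two sample Deployments, the `tailwind/web` image reference and its all-zero digest are constructed for the example.

```python
"""Kubernetes manifest misconfiguration gate (added example).

Checks the pod template of each workload for the settings that decide how
much of the shared host kernel a container can reach, plus unpinned images,
and returns findings per object so a CI job can block the deployment.
"""

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}

# Constructed sample manifests (not from the slides). WEAK is the kind of
# "it works on my cluster" Deployment that must never reach production.
WEAK = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostPID": True,
        "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{"name": "web", "image": "tailwind/web:latest",
                        "securityContext": {"privileged": True}}],
    }}},
}

# HARDENED is the same workload with the restricted settings applied
# (the image digest is a placeholder, not a real one).
HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web-hardened"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "web",
                        "image": "tailwind/web@sha256:" + "0" * 64,
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}}}],
    }}},
}


def pod_spec_of(obj: dict):
    """Return the PodSpec of a Pod or of a workload's pod template, else None."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("spec", {})
    if kind in WORKLOAD_KINDS:
        return obj.get("spec", {}).get("template", {}).get("spec", {})
    if kind == "CronJob":
        return (obj.get("spec", {}).get("jobTemplate", {}).get("spec", {})
                .get("template", {}).get("spec", {}))
    return None


def _image_is_pinned(image: str) -> bool:
    ref = image.rsplit("/", 1)[-1]          # drop registry/namespace part
    return "@" in ref or (":" in ref and not ref.endswith(":latest"))


def check_pod(spec: dict) -> list:
    """Return human-readable findings for one PodSpec."""
    findings = []
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"{flag}=true shares a host namespace with the node")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol.get('name')!r} mounts hostPath {vol['hostPath'].get('path')!r}")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true grants all capabilities and host device access")
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
            findings.append(f"{name}: allowPrivilegeEscalation is not false (setuid/file caps still work)")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot not set; process may run as uid 0")
        if "ALL" not in [d.upper() for d in sc.get("capabilities", {}).get("drop", [])]:
            findings.append(f"{name}: capabilities.drop does not include ALL")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccompProfile; every syscall reaches the shared kernel")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: readOnlyRootFilesystem not set")
        if not _image_is_pinned(c.get("image", "")):
            findings.append(f"{name}: image {c.get('image')!r} uses a floating tag; pin a tag or digest")
    return findings


def audit_manifests(objs: list) -> dict:
    """Map 'Kind/name' to its findings; objects without a pod template are skipped."""
    report = {}
    for obj in objs:
        if obj.get("kind") == "List":           # kubectl get -o json wraps items
            report.update(audit_manifests(obj.get("items", [])))
            continue
        spec = pod_spec_of(obj)
        if spec is None:
            continue
        report[f"{obj.get('kind')}/{obj.get('metadata', {}).get('name')}"] = check_pod(spec)
    return report


def gate(objs: list) -> bool:
    """True when nothing in the manifests triggers a finding."""
    return not any(audit_manifests(objs).values())


if __name__ == "__main__":
    for key, issues in audit_manifests([WEAK, HARDENED]).items():
        print(key, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

The checks mirror the Pod Security Standards "restricted" profile, which is the level the cluster admission controller can enforce cluster-wide; running the same checks in CI just moves the failure to the pull request instead of the deploy. The seccomp rule is the one to watch: without a profile, a container process can still issue any syscall against the kernel it shares with every other pod on the node.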
Microsoft Skills Bootcamp - The power of GitHub and Azure (by Davide Benvegnù)
In this session, part of the Microsoft Skills Bootcamp, I go through Digital Transformation in the DevOps era, and how to use Azure DevOps and GitHub together to achieve that.
All Around Azure: DevOps with GitHub - Managing the Flow of Work (by Davide Benvegnù)
Let's see how to use GitHub and Azure DevOps together to manage the flow of work.
DevOps is all about continuously delivering value. Before we can even begin thinking about CI/CD, we need to make sure we do the right work. Sprint after sprint, iteration after iteration, we need to plan our work and manage our workflows.
This includes planning and tracking all units of work for the project. With frequent small iterations, there is no time to waste. Careful planning needs to happen to ensure the correct work gets done for each iteration. With the compressed time frame for each iteration, team members must work and coordinate their activities. Thus cross (functional) team visibility of work becomes vital for that coordination and allocation of resources. Visibility also ensures problems or bottlenecks get surfaced and addressed quickly.
CI/CD for .NET 5? Easy with Azure Pipelines and GitHub Actions (by Davide Benvegnù)
.NET 5 has just gone GA but it is already supported by both GitHub and Azure DevOps. In this session we will see how to do CI/CD for our .NET 5 and ASP.NET Core 5 applications using Azure Pipelines and GitHub Actions.
GitHub Actions: your free CI engine (and much more) (by Davide Benvegnù)
SLIDES FROM THE HONG KONG OPENSOURCE CONFERENCE 2020
--------------
GitHub Actions is now the second most popular Build Platform on GitHub.
But it is also much more than a CI system: it is a very powerful automation engine.
Let's take a look at how we can do CI with Actions, and how we can automate operations on our GitHub projects.
Life of a Remote Developer - Productivity tips (MSBuild 2020) (by Davide Benvegnù)
[These are the slides from my session at Microsoft Build 2020]
Working remotely is not easy, even if you are a developer.
Let's take a look at some techniques and tools to improve our productivity when working remotely (and they work just as well if you're working in the office!)
Architect your app modernization journey with containers on Microsoft Azure (by Davide Benvegnù)
Modernizing your application with containers has never been easier! Discover how Azure helps by providing all the services you need.
This slide deck was created for the Microsoft Azure Developer Camp in HK.
Secure your applications with Azure AD and Key Vault (by Davide Benvegnù)
Developers like the productivity of the Azure platform, and now with Azure Key Vault and AAD we can easily secure secrets like DocumentDB, Media Services or Azure Batch keys in Azure Key Vault and apply granular policies to define who can access the secrets.
In this session we will see how to adopt a secure approach to managing application secrets by using Azure Key Vault, Azure Active Directory and certificate-based service principals.
Microservices have become a trendy development strategy. Hosting and running such services used to be pretty painful... but here comes Service Fabric! Let's take a closer look at this platform, its different development models and all the features it offers. And not only for microservices!
Develop a Serverless Integration Platform for the Enterprise (by Davide Benvegnù)
Integrating different systems is usually important, but in the enterprise it is critical. And managing the integration platform is often even more critical.
But what if we can design an integration architecture and pattern which can be applied to most systems, which doesn't require much management and which can scale on the fly?
In this session we will see how we can achieve that using the serverless offering we have on Azure: Functions, Logic Apps and Service Bus.
SharePoint Disaster Recovery in Microsoft Azure (by Davide Benvegnù)
When disaster strikes your SharePoint environment, your top priority is to get the system running again quickly. Disaster recovery with SharePoint is quicker and easier with Microsoft Azure.
This covers everything from the ground up to complement a customer's SharePoint farm with its DR on Azure.
Microsoft TechSummit - Deploy your Solution to IaaS and PaaS with VSTS and Az... (by Davide Benvegnù)
Azure offers exciting possibilities for hosting your application, whether you choose the IaaS or the PaaS offering. Using Visual Studio Team Services, we can deploy to any of them and leverage their features easily. Let's see how.
VS2017PI - What's new in Visual Studio Team Services (by Davide Benvegnù)
Let's look together at all the main new features of Visual Studio Team Services presented at Connect() or introduced in the last month.
News for developers, for DevOps and in general.
Even if very few people know it, Microsoft has a long history in open source software.
Let's take a look at the current situation as well as all the major steps taken during the last 15 years.
Continuous Integration: a real win-win for developers (by Davide Benvegnù)
The dream of every developer is to have their applications always up to date without a lot of effort. In this session we will talk about Continuous Integration and Continuous Delivery concepts, and we will see how it is possible to achieve this goal using the tools that Visual Studio Team Services provides.
Azure AD: Enterprise-Grade Identity Provider For Your Applications (by Davide Benvegnù)
Azure Active Directory is a comprehensive identity and access management cloud solution that provides a robust set of capabilities to manage users and groups; it handles billions of authentications each day from more than 200 million active users.
Azure Active Directory offers developers an effective way to integrate identity management into their applications: let's take a look at how to do it.
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus... (by Globus)
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?XfilesPro
Worried about document security while sharing them in Salesforce? Fret no more! Here are the top-notch security standards XfilesPro upholds to ensure strong security for your Salesforce documents while sharing with internal or external people.
To learn more, read the blog: https://www.xfilespro.com/how-does-xfilespro-make-document-sharing-secure-and-seamless-in-salesforce/
Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...Hivelance Technology
Cryptocurrency trading bots are computer programs designed to automate buying, selling, and managing cryptocurrency transactions. These bots utilize advanced algorithms and machine learning techniques to analyze market data, identify trading opportunities, and execute trades on behalf of their users. By automating the decision-making process, crypto trading bots can react to market changes faster than human traders
Hivelance, a leading provider of cryptocurrency trading bot development services, stands out as the premier choice for crypto traders and developers. Hivelance boasts a team of seasoned cryptocurrency experts and software engineers who deeply understand the crypto market and the latest trends in automated trading, Hivelance leverages the latest technologies and tools in the industry, including advanced AI and machine learning algorithms, to create highly efficient and adaptable crypto trading bots
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Anthony Dahanne
Les Buildpacks existent depuis plus de 10 ans ! D’abord, ils étaient utilisés pour détecter et construire une application avant de la déployer sur certains PaaS. Ensuite, nous avons pu créer des images Docker (OCI) avec leur dernière génération, les Cloud Native Buildpacks (CNCF en incubation). Sont-ils une bonne alternative au Dockerfile ? Que sont les buildpacks Paketo ? Quelles communautés les soutiennent et comment ?
Venez le découvrir lors de cette session ignite
Large Language Models and the End of ProgrammingMatt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
Developing Distributed High-performance Computing Capabilities of an Open Sci...Globus
COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Globus
The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTier1 app
Even though at surface level ‘java.lang.OutOfMemoryError’ appears as one single error; underlyingly there are 9 types of OutOfMemoryError. Each type of OutOfMemoryError has different causes, diagnosis approaches and solutions. This session equips you with the knowledge, tools, and techniques needed to troubleshoot and conquer OutOfMemoryError in all its forms, ensuring smoother, more efficient Java applications.
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...informapgpstrackings
Keep tabs on your field staff effortlessly with Informap Technology Centre LLC. Real-time tracking, task assignment, and smart features for efficient management. Request a live demo today!
For more details, visit us : https://informapuae.com/field-staff-tracking/
Why React Native as a Strategic Advantage for Startup Innovation.pdfayushiqss
Do you know that React Native is being increasingly adopted by startups as well as big companies in the mobile app development industry? Big names like Facebook, Instagram, and Pinterest have already integrated this robust open-source framework.
In fact, according to a report by Statista, the number of React Native developers has been steadily increasing over the years, reaching an estimated 1.9 million by the end of 2024. This means that the demand for this framework in the job market has been growing making it a valuable skill.
But what makes React Native so popular for mobile application development? It offers excellent cross-platform capabilities among other benefits. This way, with React Native, developers can write code once and run it on both iOS and Android devices thus saving time and resources leading to shorter development cycles hence faster time-to-market for your app.
Let’s take the example of a startup, which wanted to release their app on both iOS and Android at once. Through the use of React Native they managed to create an app and bring it into the market within a very short period. This helped them gain an advantage over their competitors because they had access to a large user base who were able to generate revenue quickly for them.
How to Position Your Globus Data Portal for Success Ten Good PracticesGlobus
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
Advanced Flow Concepts Every Developer Should KnowPeter Caitens
Tim Combridge from Sensible Giraffe and Salesforce Ben presents some important tips that all developers should know when dealing with Flows in Salesforce.
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
2. Davide Benvegnu
DevOps Architect
Azure DevOps Customer Advisory Team
• Microsoft Certified Professional
• Microsoft Certified Azure Solution Architect Expert
• Microsoft MVP in VSALM - 3 years
• Microsoft Event Speaker – Gold (2018 and 2019)
• MMA fighter
3. Agenda
App Intro: Tailwind Traders
AKS architecture: Introduction to Kubernetes and components
Scale: Scale your applications in and out
Network & Security: Pod identity and Calico network policies
Handling Failures: Cluster and Application Error Management
14. Create vnet
az network vnet create \
  --resource-group myResGroup \
  --name myVnet \
  --address-prefixes 10.0.0.0/8 \
  --subnet-name myVnetSub \
  --subnet-prefix 10.240.0.0/16
az commands
This also creates the subnet (myVnetSub) for our cluster nodes
15. Create a subnet
az network vnet subnet create \
  --resource-group myResGroup \
  --vnet-name myVnet \
  --name VNSubnet \
  --address-prefix 10.241.0.0/16
az commands
Create a second subnet for the virtual node (ACI) connection
16. Create a service principal
az ad sp create-for-rbac \
  --name mySPk8s \
  --role Contributor
az commands
The service principal allows the cluster to create other cloud resources. Without --scopes the Contributor role lands on the whole subscription; scope it to the resource group so the cluster only gets the rights it needs.
17. Create a base AKS Cluster
az aks create \
  --resource-group myResGroup \
  --name myAKSCluster \
  --node-count 3 \
  --generate-ssh-keys
az commands
Basic cluster with the default networking stack
18. Create an AKS Cluster
az aks create \
  --resource-group myResGroup \
  --name myAKSCluster \
  --node-count 3 \
  --service-principal <appId> \
  --client-secret <password> \
  --generate-ssh-keys \
  --network-plugin azure \
  --dns-service-ip $KUBE_DNS_IP \
  --docker-bridge-address 172.17.0.1/16 \
  --vnet-subnet-id <subnet resource id> \
  --load-balancer-sku standard \
  --enable-vmss \
  --node-zones 1 2 3 \
  --network-policy calico
az commands
All the flags needed for Azure CNI, availability zones and Calico network policy. Note that --vnet-subnet-id takes the resource ID of the node subnet (myVnetSub), not the vnet ID, and $KUBE_DNS_IP must be an address inside the service CIDR.
19. Add virtual node
az aks enable-addons \
  --resource-group myResGroup \
  --name myAKSCluster \
  --addons virtual-node \
  --subnet-name VNSubnet
az commands
Add the virtual node addon, bound to the subnet created on slide 15
20. Get the cluster connection
az aks get-credentials \
  --resource-group myResGroup \
  --name myAKSCluster \
  --admin
kubectl get pods
kubectl apply -f myfile.yaml
...
az commands
Retrieves the configuration and keys for connecting to the AKS cluster. --admin fetches the local cluster-admin credentials, which bypass Azure AD authentication and Kubernetes RBAC; use it for bootstrapping only and give day-to-day users the non-admin kubeconfig (same command without --admin).
21. Future proof your cluster by enabling Virtual Node, CNI and availability zones
23. Feature Request From Management
Management has asked us for a new service. The service must:
• Generate customer recommendations off previous orders
• Have its own deployable artifact
• Have a documented API to interface with existing services
28. Virtual Node Supports
Linux containers
Windows containers
GPU
Tip: behind the scenes, virtual node uses Helm to deploy the binary needed to connect to ACI
29. Tell Your Pods to Use Virtual Node
Example.yaml (fragment that goes under the pod spec of your deployment):
  nodeSelector:
    beta.kubernetes.io/os: linux
    kubernetes.io/role: agent
    type: virtual-kubelet
  tolerations:
  - key: virtual-kubelet.io/provider
    operator: Equal
    value: azure
    effect: NoSchedule
When using virtual node you need to select the virtual node in the node selector and tolerate its NoSchedule taint; without both, the scheduler keeps the pod on the VM nodes.
43. Availability Zones
Resiliency to data centre failures
Nodes are split across 3 zones (separate datacenters) in a region
Gives us fault domains to plan our deployments around.
45. Handling Application Failure
Use deployments with the replica count set to the number of zones you are using
Use an ingress controller that is highly available
Understand your disk mounts in pods (a zonal managed disk can only be attached to nodes in its own zone, so a pod bound to it cannot fail over to another zone)
47. In review…
AKS architecture: Kubernetes is complex, with AKS it’s easy
Scale: Scalability is a first-class citizen
Network & Security: Pod identity and Calico network policies FTW
Handling Failures: Manage failures with AZs and proper settings
In this slide we are showing the traditional Azure resources that make up Tailwind Traders:
* Postgres
* SQL
* Multiple VMs
* ACI (Azure Container Instances)
* Blob storage
Kubernetes is complex, and running Kubernetes yourself is not an easy task without that skillset in your business.
In this slide we are showing the high level architecture of Kubernetes and all the moving parts. We want to call out the control plane (master nodes) and the worker nodes, but we also want the audience to understand the flow from the API server to the kubelet on each worker node.
The main points we want to make on this slide, leading in from the last one:
The Kubernetes control plane is managed by Azure, so the customer does not need to worry about it (reduced complexity, so your business can concentrate on the application rather than cluster administration).
The end user is responsible for the Kubernetes worker nodes, which are VMs in your subscription. This means operational tasks like OS patching and rebooting nodes after patches.
In this slide we want to tie together the architecture of Kubernetes with the Tailwind Traders application.
We want to articulate how traffic flows from the cluster edge (the ingress) down to the pod, tying in the two slides before that link the control plane (master nodes) and the worker nodes.
For more information around Kubernetes ingress: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/
This is the first slide in which we introduce Calico network policies (https://azure.microsoft.com/en-au/blog/integrating-azure-cni-and-calico-a-technical-deep-dive/), which act as a software firewall between pods and set security boundaries inside the cluster.
In this slide we need to show the audience how virtual node connects ACI to Kubernetes.
Virtual node installs Virtual Kubelet, a Go binary that runs as a pod in the cluster (not on the managed control plane, which customers cannot modify). It translates between the Kubernetes API and the ACI API, so Kubernetes sees ACI as just another worker node in the cluster.
Also, for more reading on how the horizontal pod autoscaler works: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
ACI creates a container runtime on demand with the security of hypervisor (VM-level) isolation between container groups.
We also create a subnet on our vnet to talk to ACI, so virtual node communications stay private inside the virtual network.
In this slide we want to show the audience that when we set up availability zones in AKS the worker nodes are spread across the zones of one Azure region (not across regions) to make the cluster more highly available.
Service traffic is spread across the zones by a zone-redundant Standard load balancer; for more reading see https://docs.microsoft.com/bs-latn-ba/azure/aks/availability-zones
This slide will give the audience context for the failure section
From this slide on we are going to walk through how we create an AKS cluster with the four added features we covered in the previous architecture slides: Azure CNI, Calico network policy, virtual node and availability zones.
The first step is to create an Azure resource group.
We define the region with the -l flag
and the name with -n.
In this slide we are adding a vnet (myVnet) to our resource group.
We are also creating a subnet inside it, myVnetSub, for our cluster nodes to use.
In this slide we are creating a second subnet that will be used for communication between Kubernetes and the ACI API in the region of the cluster.
We are tying it to the resource group we created earlier and to our vnet, myVnet.
In this slide we are creating a service principal for the cluster to use to create other resources on Azure it might need.
Examples would be a public IP for ingress, or scheduling pods on ACI for virtual node.
Give it the least privilege it needs: pass --scopes with the resource group so the Contributor role is not granted on the whole subscription, and keep the returned password in a secret store rather than in a script or shell history.
In this slide we are showing how to create your first AKS cluster.
This is meant to be an introduction to creating the cluster; by not adding any flags you get the default networking stack and will not be able to add any of the features we need for management's ask.
This leads into the next slide, where we add flags to make our cluster fit the functionality management has requested.
Remember: once a cluster is created you can't add network policy or availability zones.
In this slide we contrast the previous slide, which was just about getting a cluster up and running in 5 minutes. Here we are looking at a production use case with business needs.
In this command we create the cluster like on the last slide:
* Add the cluster to our resource group
* Give the cluster a name
* Add 3 worker nodes; this will put one node in each availability zone
* Add the service principal and client secret so the cluster can provision other cloud resources
* Generate a set of SSH keys to access the worker nodes
* Specify the network plugin, Azure CNI. This gives pods IP addresses from the vnet subnet and, at the time of this talk, was a prerequisite for network policies.
* Specify the DNS address the cluster will use for internal service discovery. It must fall inside the service CIDR (--service-cidr), and that range must not overlap with any range in the vnet.
* The docker bridge address is the IP range used by the docker0 bridge on each node; Docker needs it to start, and it must not overlap with the vnet or the service CIDR.
* Add the resource ID of the node subnet we created in the earlier steps (--vnet-subnet-id takes the subnet ID, not the vnet ID)
* Select the Standard load balancer SKU. This is a prerequisite for availability zones: the Standard SKU is zone-redundant and spreads service traffic across nodes in all zones.
* Enable virtual machine scale sets (https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview); these are also needed for availability zones
* Specify the availability zones the worker nodes will go in. This ties into the node count, placing one node in each zone
* Lastly, add the network policy plugin (Calico)
Now that we have our cluster created we are going to add the virtual node addon, which allows us to burst our workloads to ACI (https://docs.microsoft.com/en-gb/azure/container-instances/).
This installs a service on our cluster that talks to both Kubernetes and ACI and represents ACI as a node to Kubernetes.
* First we enable the addon
* We tie the addon to the resource group that contains our cluster
* We tie it to the cluster we just created by the cluster's name
* The addon flag is virtual-node, as that is the addon we want to use
* We use the subnet we created earlier to communicate with ACI over an internal connection
In this slide we are emulating a feature request coming in from management. Management want us to add a new consumer that takes customer data and collates all their orders, to see if we can serve them better when they hit the site.
We are going to add a new message queue with RabbitMQ and then have our new service take the data from the queue and do its work.
Cluster autoscaler
The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically increases the number of nodes.
1) CA watches for pods in a Pending state
2) If it finds any, it starts a scale-out of the cluster by adding additional nodes
3) CA watches for underutilized nodes
4) If it finds one, and evicting its pods does not violate other rules (such as pod disruption budgets), the node is drained and removed
Horizontal pod autoscaler
The horizontal pod autoscaler (HPA) uses the Metrics Server in a Kubernetes cluster to monitor the resource demand of pods. If a service needs more resources, the number of pods is automatically increased to meet the demand.
1) HPA obtains resource metrics and compares them to the user-specified threshold
2) HPA evaluates whether the threshold is met or not
3) HPA increases/decreases the replicas based on the threshold
4) The Deployment controller adjusts the deployment based on the increase/decrease in replicas
For Tailwind Traders we are going to use HPA with virtual node, as we want speed of processing: the cluster autoscaler has to provision new VMs, which takes minutes, while ACI starts containers in seconds. Also, using virtual node we pay per second for the usage on ACI, so we only pay when we use it.
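As an added example (not a manifest from the deck or from the Tailwind Traders repository), here is what the HPA-plus-virtual-node combination described above looks like as Kubernetes manifests: a Deployment for the consumer that carries the node selector and toleration from slide 29, and an HPA that scales it on CPU. The deployment name, image, CPU request and 50% threshold are assumptions. It goes one step beyond the slide by including the resources.requests block, because the HPA computes utilization as a percentage of the request and does nothing for pods that have none.

```yaml
# Added example: Deployment pinned to the AKS virtual node plus an HPA.
# Names, image and thresholds are assumed for illustration.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: consumer
spec:
  replicas: 1
  selector:
    matchLabels:
      app: consumer
  template:
    metadata:
      labels:
        app: consumer
    spec:
      containers:
      - name: consumer
        image: tailwindtraders/consumer:1.0   # assumed image name
        resources:
          requests:            # the HPA target below is a percentage of this
            cpu: 500m          # request; without it the HPA reports <unknown>
            memory: 256Mi
          limits:
            cpu: "1"
            memory: 512Mi
      nodeSelector:            # select the virtual node (slide 29)
        kubernetes.io/role: agent
        beta.kubernetes.io/os: linux
        type: virtual-kubelet
      tolerations:             # and tolerate its NoSchedule taint
      - key: virtual-kubelet.io/provider
        operator: Equal
        value: azure
        effect: NoSchedule
---
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: consumer
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: consumer
  minReplicas: 1
  maxReplicas: 20
  targetCPUUtilizationPercentage: 50   # scale out when average CPU > 50% of the request
```

Apply with `kubectl apply -f consumer.yaml` and watch `kubectl get hpa consumer -w`; the TARGETS column shows the observed percentage against the 50% target, and a burst of messages on the queue should raise REPLICAS well before the cluster autoscaler could have added a VM.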
In the diagram we list the pod primitives Virtual Kubelet exposes to Kubernetes via the ACI API.
This allows the user to define their pods and execute the workloads on ACI with Kubernetes orchestrating. For more information on Virtual Kubelet: https://docs.microsoft.com/en-us/azure/aks/virtual-kubelet
For more information on pods and PodSpecs: https://kubernetes.io/docs/concepts/workloads/pods/pod/
More reading
Here is an explanation of a kubelet
The kubelet is the primary “node agent” that runs on each node. The kubelet works in terms of a PodSpec. A PodSpec is a YAML or JSON object that describes a pod. The kubelet takes a set of PodSpecs that are provided through various mechanisms (primarily through the apiserver) and ensures that the containers described in those PodSpecs are running and healthy. The kubelet doesn’t manage containers which were not created by Kubernetes.
Other than a PodSpec from the apiserver, there are three other ways a container manifest can be provided to the kubelet.
Virtual Kubelet is an open-source Kubernetes kubelet implementation that masquerades as a kubelet.
This allows Kubernetes nodes to be backed by Virtual Kubelet providers such as serverless cloud container platforms.
In this slide we look at the different types of pods that are supported.
So virtual nodes support most types of workloads.
To make sure workloads are scheduled on virtual node we have to specify a node selector (and a toleration for the virtual node's taint) in our deployments.
Node selectors are used to define the node a workload will run on. By default no workload will be scheduled on virtual node without the above code added to your YAML at deployment time, because the virtual node is tainted NoSchedule.
Here is a full example https://github.com/scotty-c/kubecon-china/blob/master/demo/manifests/consumer/consumer.yaml#L26
This slide introduces the full suite of security features that Azure offers. This is a 30,000 foot overview that leads into the networking and pod identity topics we will go deeper into.
Image and container level security
* AAD authenticated Container registry access
* ACR image scanning and content trust for image validation
Node and cluster level security
* Automatic security patching nightly
* Nodes deployed in a private virtual network subnet without public addresses
* Network policy to secure communication paths between namespaces (and nodes)
* Pod Security Policies
* K8s RBAC and AAD for authentication
Pod level security
* Pod level control using AAD Pod Identity
* Pod Security Context
Workload level security
* Azure Role-based Access Control (RBAC) & security policy groups
* Secure access to resources & services (e.g. Azure Key Vault) via Pod Identity
* Storage Encryption
* App Gateway with WAF to protect against threats and intrusions
When pods need access to other Azure services, such as Cosmos DB, Key Vault, or Blob Storage, the pod needs access credentials. These access credentials could be defined with the container image or injected as a Kubernetes secret, but need to be manually created and assigned. Often, the credentials are reused across pods, and aren't regularly rotated.
Managed identities for Azure resources (currently implemented as an associated AKS open source project, aad-pod-identity) let you automatically request access to services through Azure AD. You don't manually define credentials for pods; instead they request an access token in real time, and can use it to access only their assigned services. In AKS, two components are deployed by the cluster operator to allow pods to use managed identities: the Node Management Identity (NMI) server and the Managed Identity Controller (MIC).
These are the two components that broker between AAD (Azure Active Directory) and Kubernetes to obtain a token for an MSI (Managed Service Identity, today simply called a managed identity).
The steps to walk through pod identity are as follows:
1) The cluster operator first creates a service account that can be used to map identities when pods request access to services
2) The NMI server and MIC are deployed to relay any pod requests for access tokens to Azure AD
3) A developer deploys a pod with a managed identity that requests an access token through the NMI server
4) The token is returned to the pod and used to access an Azure SQL Server instance
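The mapping in steps 1 to 3 is done with two aad-pod-identity custom resources and one pod label. The manifests below are an added example, not taken from the deck or the aad-pod-identity project; the identity name, resource group, client ID, image and Key Vault URL are placeholders you would replace with your own.

```yaml
# Added example: bind a user-assigned managed identity to pods with aad-pod-identity.
# All names and IDs are placeholders.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: recommendations-identity
spec:
  type: 0                      # 0 = user-assigned managed identity, 1 = service principal
  resourceID: /subscriptions/<subscription-id>/resourcegroups/myResGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/recommendations-identity
  clientID: <client-id-of-the-managed-identity>
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: recommendations-identity-binding
spec:
  azureIdentity: recommendations-identity
  selector: recommendations    # pods whose aadpodidbinding label equals this get the identity
---
apiVersion: v1
kind: Pod
metadata:
  name: recommendations
  labels:
    aadpodidbinding: recommendations   # must match the binding's selector
spec:
  containers:
  - name: app
    image: tailwindtraders/recommendations:1.0   # assumed image
    env:
    - name: KEYVAULT_URL
      value: https://tailwind-kv.vault.azure.net  # assumed vault; no secret is shipped here
```

Inside the pod the application asks the usual instance metadata endpoint for a token (`http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net`, with the header `Metadata: true`); the NMI server intercepts that request with an iptables rule on the node and only answers for pods that have a matching binding, so an unlabelled pod on the same node gets nothing. Two things must be in place on the Azure side for this to work: the identity needs an access policy or role on the target service (the vault here), and the cluster's service principal needs the Managed Identity Operator role on the identity so the MIC can assign it to the node.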
All pods in an AKS cluster can send and receive traffic without limitations, by default. To improve security, you can define rules that control the flow of traffic. Back-end applications are often only exposed to required front-end services, for example. Or, database components are only accessible to the application tiers that connect to them.
Network Policy is a Kubernetes specification that defines access policies for communication between pods. Using network policies, you define rules for sending and receiving traffic and apply them to a collection of pods that match one or more label selectors. Policies are additive rather than ordered: once a pod is selected by any policy, it only accepts the traffic some policy explicitly allows.
By default the network in Kubernetes is flat; without a policy engine all pods can speak to one another.
In this slide we introduce the two options that we offer for network policy: Azure network policy and Calico.
This slide leads into the next two slides, where we will dive into the implementation details further.
The main point to call out between the two is that Calico sets up kernel routes while Azure network policy filters on the bridge. This detail will be important for highly regulated customers that go through audits.
Both implementations use Linux iptables to enforce the specified policies. Policies are translated into sets of allowed and disallowed IP pairs. These pairs are then programmed as iptables filter rules.
In this slide we are going to visualize the packet flow and how all the components hang together (Azure network policy).
We have two logical sets of pods in this diagram, one labelled "test" and the other "prod"; both policy engines work on labels to define the pod grouping.
Then we can see both groups of pods talk directly to the bridge; this is where the policy engine plugs in and enforces iptables rules preventing test from talking to prod.
You can then see the bridge connects to the VM NIC, which is protected by the network security group on the Azure physical network.
In this slide we are going to visualize the packet flow and how all the components hang together (Calico).
We have two logical sets of pods in this diagram, one labelled "test" and the other "prod"; both policy engines work on labels to define the pod grouping. This is the same as the last slide.
Then we can see both groups of pods use the network layer in the kernel to apply iptables and layer 3 routing, so packets are filtered in the kernel before they ever reach the bridge. Calico plugs into the kernel to apply the policies there.
You can then see the bridge connects to the VM NIC, which is protected by the network security group on the Azure physical network.
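The test/prod separation in the two diagrams is expressed to either engine with the same Kubernetes NetworkPolicy objects. The pair below is an added example, not from the deck: the namespace name, the app and env labels and the port are assumptions. The first policy selects every pod in the namespace and allows nothing, which turns the flat network into deny-by-default; the second opens exactly one path, prod front end to prod back end.

```yaml
# Added example: deny-by-default, then allow only prod frontend -> prod backend.
# Namespace, labels and port are assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: tailwind
spec:
  podSelector: {}              # every pod in the namespace is now "selected",
  policyTypes:                 # so ingress is denied unless another policy allows it
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-prod-frontend-to-backend
  namespace: tailwind
spec:
  podSelector:
    matchLabels:
      app: backend
      env: prod
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:             # same namespace; pods labelled env=test do not match
        matchLabels:
          app: frontend
          env: prod
    ports:
    - protocol: TCP
      port: 8080
```

Because there is no "deny" verb in the spec, the isolation comes from the empty default-deny policy plus the narrow allow; a pod labelled env=test gets no rule that covers it, so `kubectl run -n tailwind probe --labels env=test --image=busybox --rm -it -- wget -qO- --timeout=2 http://backend:8080` should time out, while the same command with env=prod and app=frontend should return the page. These policies only restrict ingress; if you add Egress to policyTypes, remember to allow UDP/TCP 53 to kube-dns or service discovery breaks.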
Availability Zones is a high-availability offering that protects your applications and data from datacenter failures. Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there’s a minimum of three separate zones in all enabled regions.
Here are the main features that using availability zones gives us.
At the time of this talk, AKS clusters can be created using availability zones in the following regions:
East US 2
North Europe
Southeast Asia
West Europe
West US 2
Other limitations that need to be called out:
You can only enable availability zones when the cluster is created.
Availability zone settings can't be updated after the cluster is created. You also can't update an existing, non-availability zone cluster to use availability zones.
You can't disable availability zones for an AKS cluster once it has been created.
The node size (VM SKU) selected must be available across all availability zones.
Clusters with availability zones enabled require use of Azure Standard Load Balancers for distribution across zones.
You must use Kubernetes version 1.13.5 or greater in order to deploy Standard Load Balancers.
The code example on this slide shows a deployment with 3 replicas (highlighted in red). This is to show how we handle failures if a pod, a node or a whole zone dies: with one replica per zone, losing a zone still leaves two running.
After this slide we will cut to the terminal and show the availability zones the cluster has with: kubectl describe nodes | grep -e "Name:" -e "failure-domain.beta.kubernetes.io/zone"
We will then turn a node off and check that the application is still available.
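Three replicas on their own only give the scheduler a best-effort spread across zones. The manifest below, an added example that is not the deployment shown on the slide, goes one step further than the slide by making the one-pod-per-zone placement a hard scheduling rule and by adding a readiness probe and a pod disruption budget, which is what actually keeps the demo's "turn a node off" test green. The app name, image and health path are assumptions.

```yaml
# Added example: one replica per availability zone, enforced with pod anti-affinity
# on the zone label the demo greps for. Names, image and probe path are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
spec:
  replicas: 3                  # equal to the number of zones (slide 45)
  selector:
    matchLabels:
      app: frontend
  template:
    metadata:
      labels:
        app: frontend
    spec:
      affinity:
        podAntiAffinity:
          # hard rule: two frontend pods may never share a zone, so a zone
          # outage costs exactly one replica. With "required", a 4th replica
          # on a 3-zone cluster stays Pending; switch to preferred... if you
          # ever run more replicas than zones.
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app: frontend
            topologyKey: failure-domain.beta.kubernetes.io/zone
      containers:
      - name: frontend
        image: tailwindtraders/frontend:1.0   # assumed image
        ports:
        - containerPort: 80
        readinessProbe:        # the Service only routes to pods that pass this,
          httpGet:             # so a replica rescheduled after a node loss is
            path: /healthz     # not sent traffic before it can serve
            port: 80
          periodSeconds: 5
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: frontend-pdb
spec:
  minAvailable: 2              # planned drains (patching, scale-in) keep 2 of 3 up
  selector:
    matchLabels:
      app: frontend
```

After `kubectl apply`, `kubectl get pods -l app=frontend -o wide` should list three pods on three different nodes; cross-check the node names against the zone output of the describe/grep command above to confirm each pod landed in a different zone before pulling a node.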