AKS Production Baseline - amitbhilagude/userfullinks GitHub Wiki

  1. AKS Private Cluster
    1. Private clusters do not expose the Kubernetes API server publicly, which provides a higher level of security.
    2. This requires additional work when deploying applications, e.g. a DevOps agent may have to be set up on a VM inside the same vnet so it can reach the API server.
    3. The alternative is to create a public cluster but restrict API server access with firewall rules, e.g. allowing only the DevOps agent IP addresses.
  2. Hub and Spoke Network Topology
    1. In this topology the hub vnet hosts Azure Firewall, Azure Bastion and the VPN Gateway for on-prem connectivity.
    2. All other vnets are peered with the hub; these are called spokes.
    3. One spoke holds the AKS cluster setup, which includes
      1. One subnet with the Application Gateway, which is publicly accessible.
      2. One subnet with an internal load balancer (ILB) to which the Application Gateway routes traffic.
      3. One subnet with the AKS cluster itself.
    4. End-to-end traffic flow
      1. Inbound traffic is routed through the Application Gateway (with WAF) -> ILB -> cluster.
      2. Outbound traffic is routed to the Azure Firewall.
  3. Plan IP addresses
    1. Azure CNI networking (instead of the default kubenet) assigns pod IP addresses directly from the subnet.
    2. This also gives the flexibility to assign subnet IP addresses to the private endpoints for Key Vault and ACR.
    3. When patching or maintenance activity takes place, AKS internally creates a temporary cluster that draws IP addresses from the cluster subnet, so make sure enough IP addresses are reserved in the vnet.
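An added sizing helper for the IP planning notes above (my own example, not code from the wiki): with Azure CNI every node takes one IP for itself plus one per pod slot, temporary nodes added during upgrades need the same, and private endpoints placed in the subnet each take an IP. The node counts, pod limits and surge count in the example are constructed inputs; the five reserved addresses per subnet are Azure's standard reservation.

```python
import math

# Azure reserves the first four and the last address of every subnet.
AZURE_RESERVED_PER_SUBNET = 5


def cni_ip_demand(nodes, max_pods_per_node, max_surge=1, private_endpoints=0, ilb_frontends=0):
    """Number of subnet IPs an Azure CNI cluster needs.

    Surge nodes created during patching/upgrades consume IPs exactly like
    regular nodes, so they are counted up front instead of discovered during
    a failed upgrade.
    """
    if nodes < 1 or max_pods_per_node < 1 or max_surge < 0:
        raise ValueError("nodes and max_pods_per_node must be >= 1, max_surge >= 0")
    total_nodes = nodes + max_surge
    node_and_pod_ips = total_nodes * (1 + max_pods_per_node)
    return (node_and_pod_ips + private_endpoints + ilb_frontends
            + AZURE_RESERVED_PER_SUBNET)


def min_prefix_length(ip_count):
    """Smallest CIDR prefix length whose subnet holds ip_count addresses.

    Azure does not allow subnets smaller than /29, so the result is capped there.
    """
    if ip_count < 1:
        raise ValueError("ip_count must be >= 1")
    prefix = 32 - math.ceil(math.log2(ip_count))
    return min(prefix, 29)


def plan_cluster_subnet(nodes, max_pods_per_node, max_surge=1,
                        private_endpoints=0, ilb_frontends=0):
    """Return the IP demand and the smallest subnet that satisfies it."""
    need = cni_ip_demand(nodes, max_pods_per_node, max_surge,
                         private_endpoints, ilb_frontends)
    prefix = min_prefix_length(need)
    return {"ips_needed": need, "prefix": prefix, "subnet_size": 2 ** (32 - prefix)}


if __name__ == "__main__":
    # Constructed scenario: 50 nodes, 30 pods per node, one surge node,
    # Key Vault + ACR private endpoints and one ILB frontend in the subnet.
    print(plan_cluster_subnet(50, 30, max_surge=1, private_endpoints=2, ilb_frontends=1))
    # A small 3-node cluster: the single surge node is what pushes it past a /25.
    print(plan_cluster_subnet(3, 30))
```

Run it before carving the spoke subnet; the second case shows that even a three node cluster with 30 pods per node no longer fits a /25 once the upgrade surge node is counted.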