Kubernetes On Azure

The document provides an overview of Kubernetes on Azure, highlighting its advantages, use cases, and integration with DevOps practices. It emphasizes the benefits of containerization, including improved resource utilization, scalability, and security, while detailing the features of Azure Kubernetes Service (AKS) for managing Kubernetes environments. Additionally, it discusses the growing adoption of Kubernetes across industries and the importance of community support and tools in enhancing application development and management.

Kubernetes on Azure

Content
• Introduction
• Kubernetes on Azure overview
• Top scenarios
• Customer stories
• Resources
What is a container?

Virtual machines: virtualize the hardware; VMs are the units of scaling.
Containers: virtualize the operating system; applications are the units of scaling.

Diagram: a VM stack (App1, App2, binaries & libraries and a guest OS per VM, on a hypervisor, host OS and hardware) next to a container stack (App1 with its binaries & libraries directly on the host OS and hardware).

Traditional virtualized environment
• From dev to production agility across development and operations teams
• Low utilization of resources
• Containerization of applications and their dependencies for portability

Diagram: virtual machines, each holding containers and an app, on a hypervisor, host OS and hardware.
Advantages of a containerized environment
• Containers are lighter weight and faster to scale dynamically
• Migrate containers and their dependencies to underutilized VMs for improved density and isolation
• Decommission unused resources for efficiency gains and cost savings

Diagram: virtual machines running containers on Docker Engine, on a hypervisor, host OS and hardware.
Secure DevOps
• Deliver code faster with Kubernetes and CI/CD
• Accelerate the feedback loop with constant monitoring
• Balance speed and security with continuous security and deep traceability

Diagram: Source code → Build Pipelines (Continuous Integration) → Release Pipelines (Continuous Delivery) → Kubernetes cluster (Deployment strategies) → Monitor & logging → Iterate.
Diagram: Inner loop (Azure Dev Spaces; AKS dev cluster where the team tests and debugs sample code, iterating together in one isolated environment) → Source code control → Azure Pipelines CI/CD (Scan, SCA, SAST) → Container Registry (container image v1, v2), Helm chart, Terraform → AKS production cluster with Azure Policy (Accept / Deny) and runtime policy; Release pipeline (Release N, 3, 2, 1); Azure Monitor (app telemetry, container health, real-time log analytics).

Capabilities
1. Developers rapidly iterate, test, and debug different parts of an application together in the same Kubernetes cluster
2. Code is merged into a GitHub repository, after which automated builds and tests are run by Azure Pipelines
3. Container image is pushed to Azure Container Registry
4. Kubernetes clusters are provisioned using tools like Terraform; Helm charts, installed by Terraform, define the desired state of app resources and configurations
5. Operators enforce policies to govern deployments to the AKS cluster
6. Release pipeline automatically executes pre-defined deployment strategy with each code change
7. Policy enforcement and auditing is added to CI/CD pipeline using Azure Policy
8. App telemetry, container health monitoring, and real-time log analytics are obtained using Azure Monitor
9. Insights used to address issues and fed into next sprint plans
Introduction

By 2022, >75% of global organizations will be running containerized applications in production.¹

¹ Gartner.
What’s behind the growth?
Kubernetes: the leading orchestrator shaping the future of app development and management

The perceived benefits of Kubernetes: portability 42%, scalability 45%, agility 50%

Source: Cloud Native Computing Foundation


What’s behind the growth?
Kubernetes: the leading orchestrator shaping the future of app development and management

It’s widely used: Kubernetes is in production for global companies across industries¹ (Capital One, eBay, SAP, New York Times, Pokémon Go, Spotify)
It’s vendor-neutral: a variety of cloud providers offer robust Kubernetes support² (Azure, AWS, VMware, Red Hat)
It’s community-supported: there’s a huge community of active contributors supporting Kubernetes³ (24,000 contributors and 1.1 million contributions since 2016)

¹ Kubernetes.io. “Kubernetes User Case Studies.” ² CNCF. “Kubernetes Is First…” ³ CNCF. Keynote address.
Kubernetes: the industry-leading orchestrator
• Portable: public, private, hybrid, multi-cloud
• Extensible: modular, pluggable, hookable, composable
• Self-healing: auto-placement, auto-restart, auto-replication, auto-scaling
Kubernetes and DevOps: better together

Kubernetes on its own is not enough
Save time from infrastructure management and roll out updates faster without compromising security

Unlock the agility for containerized applications using:
• Infrastructure automation that simplifies provisioning, patching, and upgrading
• Tools for containerized app development and CI/CD workflows
• Services that support security, governance, and identity and access management

Diagram: Development layer (IDE container support, source code repository, registry supporting Kubernetes, Helm, CI/CD, microservice debugging) on top of a Platform layer (governance, security, identity, infrastructure automation, monitoring, virtual machines, networking, storage, data).
Containers in Azure
• App Service: deploy web apps or APIs using containers in a PaaS environment
• Service Fabric: modernize .NET applications to microservices using Windows Server containers
• Kubernetes Service: scale and orchestrate Linux containers using Kubernetes
• Container Instance: elastically burst from your Azure Kubernetes Service (AKS) cluster
• Container Apps: fully managed serverless container service
• Ecosystem: bring your partner solutions that run great on Azure

Registries: Azure Container Registry, Docker Hub. Choice of developer tools and clients.
AKS and OpenShift

AKS (build your own platform): different use-case; build your own platform; flexibility; platform life cycle management; SLO (and now SLA); fast development pace; Kubernetes capabilities; 3rd party tools
OpenShift (commercial distributed Kubernetes): different use-case; commercial distributed Kubernetes; focus on app; secure by default; fully supported (integrated); SLA; long term support; built-in tools
Kubernetes on Azure overview

Azure Kubernetes Service (AKS)
Ship faster, operate easily, and scale confidently with managed Kubernetes on Azure
• Manage Kubernetes with ease
• Accelerate containerized development
• Build on an enterprise-grade, secure foundation
• Run anything, anywhere
Azure Kubernetes momentum
Trusted by thousands of customers
30x: Azure Kubernetes Service usage grew 30x since it was made generally available in June 2018 (dated November 2018)
How Kubernetes works
1. Kubernetes users communicate with the API server and apply desired state
2. Master nodes actively enforce desired state on worker nodes
3. Worker nodes support communication between containers
4. Worker nodes support communication from the Internet

Diagram: Kubernetes control / master node (API server, controller-manager, scheduler, etcd holding replication, namespace, serviceaccounts, etc.) driving worker nodes (virtual), each running kubelet, kube-proxy, Docker and production containers, with the Internet reaching the worker nodes.
Manage Kubernetes with ease
Infrastructure automation

Azure managed control plane
• Automated provisioning, upgrades, patches
• High reliability, availability
• Easy, secure cluster scaling
• Self-healing
• API server monitoring
• At no charge

Diagram: the user’s app/workload definition goes to the Kubernetes API endpoint on the self-managed master node(s) (API server, etcd store, scheduler, controller manager, cloud controller), which schedule pods over a private tunnel onto customer VMs running Docker and pods.
From infrastructure to innovation

Managed Kubernetes empowers you to achieve more: focus on your containers and code, not the plumbing of them.

Responsibilities, DIY with Kubernetes vs. managed Kubernetes on Azure (legend: Customer / Microsoft):
• Containerization
• Application iteration, debugging
• CI/CD
• Cluster hosting
• Cluster upgrade (but triggered by customer)
• Patching (but reboot configured by customer)
• Scaling
• Monitoring and logging (but enabled by customer)
Azure Kubernetes Service
Simplify the deployment, management, and operations of Kubernetes
• Deploy, manage, and monitor Kubernetes with ease
• Accelerate containerized app development
• Roll out new features seamlessly (CI/CD)
• Secure your environment with layers of isolation
• Scale on the fly
Manage Kubernetes with ease
Highly available, reliable service with serverless scaling

Diagram: Azure Monitor watching an AKS production cluster of microservice pods; a virtual node bursts pods into Azure Container Instances (ACI): serverless Kubernetes, no infrastructure to manage, starts in seconds.

Availability, reliability, auto scaling
Accelerate containerized development
Kubernetes and DevOps: better together

Develop
• Native containers and Kubernetes support in IDE
• Remote debugging and iteration for multi-containers
• Effective code merge
• Automatic containerization

Deliver
• CI/CD pipeline with automated tasks in a few clicks
• Pre-configured canary deployment strategy
• In-depth build and delivery process review and integration testing
• Private registry with Helm support

Operate
• Out-of-box control plane telemetry, log aggregation, and container health
• Declarative resource management
• Auto scaling

Diagram: inner loop (Azure Dev Spaces, AKS dev cluster: test, debug) → source code control → Azure Pipelines → container image in Container Registry, Helm chart, Terraform → AKS production cluster (scale) → Azure Monitor.
Secure your Kubernetes environment with layers of isolation
• Control access through AAD and RBAC
• Safeguard keys and secrets with Key Vault
• Secure network communications with VNET and policy
• Compliant Kubernetes service with certifications for SOC, HIPAA, and PCI
Scale applications on the fly
• Built-in auto scaling
• Global data center to boost performance and reach
• Elastically burst from AKS cluster using ACI
• Geo-replicated container registry for low latency image serving
Microsoft drives community-led innovations for Kubernetes
• 68% of Kubernetes users* prefer Helm as their package manager
• Visual Studio Code Kubernetes Extensions has 11K monthly active users
• Microsoft is also the maintainer of the Cloud Native Application Bundles (CNAB) spec and Virtual Kubelet

* August, 2018 bi-annual CNCF survey
Work how you want with open source tools and APIs
Take advantage of services and tools in the Kubernetes ecosystem; leverage 100+ turn-key Azure services.

Diagram (areas: Development, DevOps, Monitoring, Networking, Storage, Security): Virtual kubelet, CNAB, VS Code, Azure DevOps, Azure ARM, Azure Monitor, Azure VNET, Azure Storage, Container Registry, Entra ID, Azure Policy, Key Vault.
Azure makes Kubernetes easy
Deploy and manage Kubernetes with ease

Create a cluster
  The old way: provision network and VMs; install dozens of system components including etcd; create and install certificates; register agent nodes with control plane
  With Azure: az aks create

Upgrade a cluster
  The old way: upgrade your master nodes; cordon/drain and upgrade worker nodes individually
  With Azure: az aks upgrade

Scale a cluster
  The old way: provision new VMs; install system components; register nodes with API server
  With Azure: az aks scale
Azure makes Kubernetes easy
Accelerate containerized application development

Build a containerized app and deploy to Kubernetes
  The old way: build the app; write a Dockerfile; build the container image; push the container to a registry; write Kubernetes manifests/Helm chart; deploy to Kubernetes
  With Azure: draft init to configure your environment; draft create to auto-create Dockerfile/Helm chart; draft up to deploy to Kubernetes

Inner loop development
  The old way: set up a local dev environment using Minikube; determine the transitive closure of your dependencies; identify behavior of dependencies for key test cases; stub out dependent services with expected behavior; make local changes, check in, and hope things work; validate with application logs
  With Azure: use Dev Spaces; do breakpoint debugging in your IDE

Expose web apps to the internet with a DNS entry
  The old way: deploy an ingress controller; create a load-balanced IP for it; add an ingress resource to your deployment; acquire a custom domain; create a DNS A-record for your service
  With Azure: turn HTTP application routing on in your cluster; add an ingress resource to your deployment
Azure makes Kubernetes easy
Roll out new features seamlessly (CI/CD)

Set up a CI/CD pipeline and deploy to Kubernetes
  The old way: create Git repo; create a build pipeline; create a container registry; create a Kubernetes cluster; configure build pipeline to push to container registry; configure build pipeline to deploy to Kubernetes; define and set up deployment strategy
  With Azure: create a project on Azure DevOps with Kubernetes/AKS as a target

Make container images available for deployment worldwide
  The old way: create a container registry in every region; configure build pipeline with multiple endpoints; push your image to a single endpoint; loop through all regions and push following build
  With Azure: create an Azure Container Registry with geo-replication

Track health with consolidated cluster and application logs
  The old way: choose a logging solution; deploy log stack in your cluster or provision a service; configure and deploy a logging agent onto all nodes
  With Azure: checkbox “container monitoring” in the Azure portal
Build on a secure, enterprise-grade platform
• Control access through Entra ID and RBAC
• Secure network communications with VNET and network policy
• Put guardrails in your development process with Azure Policy
Identity
Use familiar tools like Entra ID for fine-grained identity and access control to Kubernetes resources from cluster to containers

Diagram: on-premises Active Directory identities synced to Entra ID; AKS with RBAC inside an Azure VNet, where nodes run pods and Entra ID (EID) pod identity lets pods reach Azure Storage, SQL Database, Cosmos DB and Azure Key Vault.
Networking
Secure your Kubernetes workloads with virtual network and policy-driven communication paths between resources

Diagram: Kubernetes cluster inside an Azure VNET; App Gateway and external DNS in front of an internal load balancer and ingress controller; control plane; worker nodes (kubelet, pods, containers) grouped by namespace.
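As an added illustration (not code from the deck or from AKS), the Python below models the ingress semantics that make those communication paths policy-driven: a pod that no NetworkPolicy selects accepts traffic from anywhere, and once any policy selects it, only the listed sources get through. The namespaces, pods and policies are constructed sample data shaped like real manifests; ports and ipBlock peers are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)

def selector_matches(selector, labels):
    """matchLabels semantics: every listed key must carry that value;
    an empty selector ({}) matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def isolates_ingress(policy, pod):
    """True when this policy selects `pod` and governs its ingress traffic.
    policyTypes defaults to ["Ingress"] when omitted, as in the real API."""
    spec = policy["spec"]
    return (policy["metadata"]["namespace"] == pod.namespace
            and "Ingress" in spec.get("policyTypes", ["Ingress"])
            and selector_matches(spec["podSelector"], pod.labels))

def peer_allows(peer, src, policy_namespace, namespaces):
    """One entry of ingress[].from[].  A bare podSelector is scoped to the
    policy's own namespace; namespaceSelector + podSelector are ANDed.
    ipBlock peers (CIDRs) are not modelled here."""
    if "namespaceSelector" in peer:
        ns_labels = namespaces.get(src.namespace, {})
        if not selector_matches(peer["namespaceSelector"], ns_labels):
            return False
        if "podSelector" in peer:
            return selector_matches(peer["podSelector"], src.labels)
        return True
    if "podSelector" in peer:
        return (src.namespace == policy_namespace
                and selector_matches(peer["podSelector"], src.labels))
    return False

def ingress_allowed(src, dst, policies, namespaces):
    """Decide whether traffic from `src` may reach `dst` (ports ignored)."""
    selecting = [p for p in policies if isolates_ingress(p, dst)]
    if not selecting:
        return True                  # default allow: nothing isolates dst
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            froms = rule.get("from")
            if not froms:            # a rule without `from` admits any source
                return True
            ns = policy["metadata"]["namespace"]
            if any(peer_allows(peer, src, ns, namespaces) for peer in froms):
                return True
    return False                     # selected, but no rule matched: drop

def policy(name, namespace, pod_selector, ingress=None):
    """Build a NetworkPolicy-shaped dict with just the fields read above."""
    spec = {"podSelector": pod_selector, "policyTypes": ["Ingress"]}
    if ingress is not None:
        spec["ingress"] = ingress
    return {"metadata": {"name": name, "namespace": namespace}, "spec": spec}

# Constructed sample, modelled on the deck's ingress controller -> pods picture.
NAMESPACES = {
    "ingress": {"kubernetes.io/metadata.name": "ingress"},
    "shop": {"kubernetes.io/metadata.name": "shop"},
    "tools": {"kubernetes.io/metadata.name": "tools"},   # no policies at all
}
INGRESS_CTRL = Pod("ingress-nginx-0", "ingress", {"app": "ingress-nginx"})
WEB = Pod("web-0", "shop", {"app": "web"})
DB = Pod("db-0", "shop", {"app": "db"})
SCANNER = Pod("scanner-0", "tools", {"app": "scanner"})

POLICIES = [
    # isolate every pod in "shop": selects all, allows nothing by itself
    policy("default-deny-ingress", "shop", {}),
    # only the ingress controller (namespace AND pod label) may reach web
    policy("allow-ingress-to-web", "shop", {"matchLabels": {"app": "web"}}, [{
        "from": [{
            "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "ingress"}},
            "podSelector": {"matchLabels": {"app": "ingress-nginx"}},
        }]}]),
    # only web pods in the same namespace may reach the database
    policy("allow-web-to-db", "shop", {"matchLabels": {"app": "db"}}, [{
        "from": [{"podSelector": {"matchLabels": {"app": "web"}}}]}]),
]

def evaluate_sample():
    """Allowed/denied decision for each communication path in the sample."""
    paths = {
        "ingress->web": (INGRESS_CTRL, WEB),
        "ingress->db": (INGRESS_CTRL, DB),
        "web->db": (WEB, DB),
        "db->web": (DB, WEB),
        "scanner->db": (SCANNER, DB),
        "db->scanner": (DB, SCANNER),   # unprotected namespace stays wide open
    }
    return {k: ingress_allowed(s, d, POLICIES, NAMESPACES) for k, (s, d) in paths.items()}

if __name__ == "__main__":
    for path, ok in evaluate_sample().items():
        print(f"{path:14} {'ALLOW' if ok else 'DENY'}")
```

The "db->scanner" row is the point to check in a real cluster: a namespace with no policy at all is reachable from any pod, so a default-deny policy belongs in every namespace, not only the ones holding the sensitive workloads.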
Governance
Dynamically enforce guardrails defined in Azure Policy across multiple clusters—nodes, pods, and even container images can be tracked and validated at the time of deployment or as part of CI/CD workflows

Diagram: a cloud architect assigns a policy in Azure Policy across clusters (Cluster-1, Cluster-2, Cluster-3) and receives compliance reports for the entire environment, with pod-level granularity; developers deploying to AKS get real-time enforcement of policy and feedback.
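The Accept/Deny decision from the diagram, as an added illustration in Python (not Azure Policy's own definitions, which Azure Policy for AKS enforces through the Open Policy Agent Gatekeeper admission controller): a pod manifest is checked against a few guardrails of the kind offered as built-ins, such as allowed image registries and no privileged containers, before it is admitted. The registry name contoso.azurecr.io, the guardrail set and the two sample manifests are constructed placeholders.

```python
# Placeholder registry name; substitute your own Azure Container Registry.
ALLOWED_REGISTRIES = {"contoso.azurecr.io"}

def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest).
    Docker's rule: the first path component is a registry only if it contains
    '.' or ':' or is 'localhost'; otherwise the image lives on docker.io."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):        # a ':' after the last '/' starts the tag
        path, tag = path[:colon], path[colon + 1:]
    return registry, path, tag, digest

def check_pod(pod):
    """Return the guardrail violations found in one Pod manifest (a dict)."""
    violations = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    for host_flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_flag):
            violations.append(f"{name}: {host_flag} is not allowed")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        who = f"{name}/{c.get('name', '<unnamed>')}"
        registry, _, tag, digest = parse_image(c.get("image", ""))
        if registry not in ALLOWED_REGISTRIES:
            violations.append(f"{who}: registry {registry!r} is not on the allow-list")
        if digest is None and tag in (None, "latest"):
            violations.append(f"{who}: image must be pinned to a tag or digest")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"{who}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{who}: allowPrivilegeEscalation must be false")
    return violations

def admit(pod):
    """The Accept/Deny verdict a CI gate or admission webhook would return."""
    violations = check_pod(pod)
    return ("Accept" if not violations else "Deny", violations)

# Constructed sample manifests (only the fields the checks read).
COMPLIANT_POD = {
    "metadata": {"name": "web"},
    "spec": {"containers": [{
        "name": "web",
        "image": "contoso.azurecr.io/shop/web:1.4.2",
        "securityContext": {"allowPrivilegeEscalation": False},
    }]},
}
RISKY_POD = {
    "metadata": {"name": "debug"},
    "spec": {"hostNetwork": True, "containers": [{
        "name": "shell",
        "image": "nginx",                         # docker.io, floating :latest
        "securityContext": {"privileged": True},  # escalation left at default
    }]},
}

def evaluate_sample():
    """Verdicts for both sample manifests, keyed by pod name."""
    return {"web": admit(COMPLIANT_POD), "debug": admit(RISKY_POD)}

if __name__ == "__main__":
    for pod_name, (verdict, problems) in evaluate_sample().items():
        print(f"{pod_name}: {verdict}")
        for problem in problems:
            print("  -", problem)
```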

Run anything, anywhere
Your choice of…
• Container: Windows, Linux
• Region: 20+ regions worldwide
• Environment: public cloud, IoT Edge, Azure Government, Azure Stack
Azure Kubernetes Service (AKS) support for Windows Server Containers
Now you can get the best of managed Kubernetes for all your workloads whether they’re in Windows, Linux, or both
• Lift and shift Windows applications to run on AKS
• Seamlessly manage Windows and Linux applications through a single unified API
• Mix Windows and Linux applications in the same Kubernetes cluster—with consistent monitoring experience and deployment pipelines
Kubernetes is built and maintained by the community
Kubernetes collects wisdom, code, and efforts from hundreds of corporate contributors and thousands of individual contributors: 150,000 commits, 30,000 contributors, #1 GitHub project.

Microsoft is part of this vibrant community and leads in the associated committees to help shape the future of Kubernetes and its ecosystem: CNCF platinum member, CNCF technical oversight committee, CNCF governing board, Kubernetes steering committee, Linux Foundation board member.

AKS is certified Kubernetes conformant, ensuring portability and interoperability of your container workloads
Microsoft contributions to the community
• Packaging & distribution: Containerd, CNAB, Helm, Duffle
• Scalability & control: Virtual Kubelet, Open Policy Agent, KEDA, Service Mesh Interface
• Kubernetes developer tooling: Draft, VS Code Kubernetes Extensions, Brigade
Microsoft contributions to the community
• Top code contributor to Windows support in Kubernetes
• 55,000 monthly downloads of Helm
• 68% of Kubernetes users prefer Helm
• 1 of 3 top corporate contributors
• 3x growth of employee contributors within three years
• Created the Illustrated Children’s Guide to Kubernetes, now part of CNCF
Top scenarios
Lift and shift to containers · Microservices · Secure DevOps · Machine learning · IoT · Data streaming

App modernization without code changes
• Speed application deployments by using container technology
• Defend against infrastructure failures with container orchestration
• Increase agility with continuous integration and continuous delivery

Diagram: existing application → Container Registry → CI/CD → Kubernetes cluster running the modernized applications, backed by a managed database.
App modernization without code changes

Capabilities
1. Use Azure Container Registry to store container images and Helm charts for your modernized applications, replicated globally for low latency image serving
2. Integrate AKS with Azure Pipelines or other Kubernetes ecosystem tooling to enable continuous integration/continuous delivery (CI/CD)
3. Enhance security with Azure Active Directory and RBAC to control access to AKS resources

Diagram: existing application → Container Registry (1) → Azure Pipelines CI/CD (2) → AKS in a virtual network with Active Directory (3) and Azure Database for MySQL.
Microservices: for faster app development

Monolithic: large, all-inclusive app. Microservices: small, independent services.
• Independent deployments
• Improved scale and resource utilization per service
• Smaller, focused teams
Microservices for faster app development

Capabilities
1. Use Azure Dev Spaces to iteratively develop, test, and debug microservices targeted for AKS clusters.
2. Azure Pipelines has native integration with Helm and helps simplify continuous integration/continuous delivery (CI/CD).
3. Virtual node—a Virtual Kubelet implementation—allows fast scaling of services for unpredictable traffic.
4. Azure Monitor provides a single pane of glass for monitoring over app telemetry, cluster-to-container level health analytics.

Diagram: inner loop (Dev Spaces, AKS dev cluster: test, debug) → source code control → CI/CD pipelines (auto-build) → Container Registry → AKS production cluster (pods) bursting to container instances through the virtual node → Azure Monitor.

https://github.com/Microsoft/SmartHotel360-AKS-DevSpaces-Demo
Data scientist in a box
• Quick deployment and high availability
• Low latency data processing
• Consistent environment across test, control and production

Diagram: the data scientist supplies the algorithm and training data; the model is trained on GPU-enabled VMs in AKS; the trained AI model is served in production and the developer queries it from the app.

https://github.com/Azure/kubeflow-labs
Data scientist in a box

Capabilities
1. Package ML model into a container and publish to Azure Container Registry
2. Azure Blob Storage hosts training data sets and trained model
3. Use Kubeflow to deploy training job to AKS; distributed training job to AKS includes parameter servers and worker nodes
4. Serve production model using Kubeflow, promoting a consistent environment across test, control and production
5. AKS supports GPU-enabled VMs
6. Developer can build features querying the model running in AKS cluster

Diagram: data scientist → Azure Container Registry (1) and Azure Blob Storage (2) → Kubeflow on AKS (3: parameter server and worker nodes on GPU-enabled VMs) → model served in production (4, 5) → app developer queries the model for AI features in the app (6).

https://github.com/Azure/kubeflow-labs
Scalable Internet of Things solutions
• Portable code, runs anywhere
• Elastic scalability and manageability
• Quick deployment and high availability

Diagram: IoT Edge devices → IoT Hub → IoT Edge Connector in AKS → SQL Database, Cosmos DB, Azure Database for MySQL.
Scalable Internet of Things solutions

Capabilities
1. Azure IoT Edge encrypts data and sends it to Azure, which then decrypts the data and sends it to storage
2. Virtual node, an implementation of Virtual Kubelet, serves as the translator between cloud and Edge
3. IoT Edge Provider in virtual node redirects containers to IoT Edge and extends the AKS cluster to target millions of edge devices
4. Consistent update, management, and monitoring as one unit in AKS using a single pod definition

Diagram: Azure IoT Edge (compress, encrypt, send to cloud) → Azure (decrypt, decompress, send to storage) (1); Kubernetes cluster with nodes running Docker containers plus a virtual node (2) whose IoT Edge Provider (3) targets IoT Edge containers (4).
Data streaming
• Real-time data gathered and streamed to AKS
• Collected data analyzed and insights generated almost instantly
• Data stored and available for deeper analysis by data scientists

Diagram: IoT sensor → API Management → AKS → Azure Cosmos DB, Storage, Apache Kafka, HDInsight (analysis), Azure Database for PostgreSQL, Azure Cache for Redis.
Data streaming

Capabilities
1. Sensor data is generated and streamed to Azure API Management
2. AKS cluster runs microservices that are deployed as containers behind a service mesh; containers are built using a DevOps process and stored in Azure Container Registry
3. Ingest service stores data in an Azure Cosmos DB
4. Asynchronously, the analysis service receives the data and streams it to Apache Kafka and Azure HDInsight
5. Data scientists can analyze the big data for use in machine learning models using Splunk
6. Data is processed by the processing service, which stores the result in Azure Database for PostgreSQL and caches the data in an Azure Cache for Redis
7. A web app running in Azure App Service is used to visualize the results

Diagram: IoT sensor → API Management (1) → AKS (2: ingest, analysis and processing services behind a Service Mesh Interface; CI/CD from GitHub and Azure Pipelines into ACR) → Azure Cosmos DB (3); cold path: Apache Kafka, HDInsight, Splunk (4, 5); hot path: Azure Database for PostgreSQL, Azure Cache for Redis (6) → App Service (7).
Customer stories

Xerox Docushare Flex—Before
Typical 3-tier architecture using VMs
• Each customer instance assigned to dedicated Java and Postgres VMs
• Set of backing services for authentication, file sharing, common data sources

Problem: Due to overhead and management burden of VMs, adding a new customer takes 24 hours, slowing down customer onboarding through sales and partner network

Diagram: Internet → virtual machines per customer (A, B, C), each with Java and Postgres → backing services (LDAP, SFTP, PRIZM).
Xerox Docushare Flex—After
Typical 3-tier architecture using VMs
• Convert Postgres database to a shared backing service
• Run Java application in containers with no code modification
• Switch to NGINX-based web-tier with LetsEncrypt for free SSL/TLS
• New Helm chart created to automate customer onboarding to AKS

Outcome: Run the Java application in containers on AKS, decreasing provisioning time from 24 hours to 10 minutes, accelerating sales and customer onboarding with no code changes required

Diagram: Internet → NGINX on AKS → Java containers per customer (A, B, C), images from Azure Container Registry → backing services (LDAP, SFTP, PRIZM, Postgres).
Xerox moves to containers in Azure for faster demo environment releases

“Thanks to Azure Kubernetes Service, we can now spin up new demo environments in 10 minutes instead of 24 hours. Moving Docushare Flex from virtual machines to containers in Azure allows us to provision environments faster, empowering our sales and partner network.”
— Robert Bingham, Director of DocuShare Cloud Operations, Xerox

Benefits:
• Onboard prospective customers faster through automation
• Enable self-service demo environments for large partners
• Reduce administrative overhead for small Ops team
• No code modification required
Maersk uses AKS for a customer service process to elevate NSAT, an industry-wide challenge

Needs: Get near-real-time data to provide better customer service; collect data for future Machine Learning driven features
Challenges: Compute & memory intensive features; data integration difficulties; limited organisational experience in Cloud & Kubernetes
Requirements: Spend less time on container software management; automation and continuous delivery; full visibility to application, container and infrastructure; fine grained security and access control
Architectural approach
1. Azure Pipelines for automation and CI/CD pipelines; adding Terraform for further automation
2. Key Vault to secure secrets and for persistent configuration store
3. Azure Monitor for containers to provide better logging, troubleshooting, with no direct container access
4. RBAC control for fine grained Kubernetes resources access control

Diagram: Azure Pipeline (1) deploying to AKS w/ RBAC (4) behind App Gateway and Firewall; Key Vault (2); Azure Monitor (3); Data Factory and Data Management Gateway reaching an on-premises database over ExpressRoute; SQL Database, Cosmos DB, Event Hub, Document DB, Service Bus, Batch processing, App Insights; internal queuing, performance and simulation workloads.
Results
• Reduced environment provisioning time from 1+ weeks to 2.5 hours
• AKS and CaaS can potentially save 33% on run cost
• 100% automated production deployments
• Less time spent on managing secrets with AKS and Key Vault
• Increased developer autonomy with ARM and Terraform
Power grid operator uses containerized software to promote smart utility initiatives

“We are building our own new applications using microservices, and AKS is our choice for orchestrating their workloads.”
— Ståle Heitmann, Chief Technology Officer, Hafslund Nett

Challenge: Legacy systems for reading meter data needed greater capacity to process large volumes of IoT data—but implementing the necessary system enhancements was difficult and expensive
Solution: Hafslund chose to develop its own software for processing meter data. The company used Microsoft Azure as its cloud platform, AKS to manage software containers, and Azure Monitor for containers to optimize container performance.
Outcome: Hafslund now has a standard way to create, monitor, scale, and manage applications, which means it can respond to customer needs faster.
Cloud computing supports value-based care development for medical technology provider

“Using Azure Kubernetes Service puts us into a position to not only deploy our business logic in Docker containers, including the orchestration, but also … to easily manage the exposure and control and meter the access.”
— Thomas Gossler, Lead Architect, Digital Ecosystem Platform, Siemens Healthineers

Challenge: Siemens Healthineers wanted to develop more of its solutions in the cloud—on-premises systems were proving complicated for data aggregation and analytics—but strict compliance requirements were making that transition tricky.
Solution: The company selected Microsoft Azure for its cloud development platform thanks in large part to the number of regulatory certifications Azure has earned worldwide. With that decision, the company now deploys its distributed applications in Docker containers, orchestrates those containers using Kubernetes, and monitors and manages the environment with AKS.
Outcome: AKS enables developers to quickly and easily work with their applications with minimal operations and maintenance overhead, leading to shorter release cycles and helping the company achieve its desired continuous delivery approach.
Ambit Energy uses cloud to electrify pace of innovation and expansion

“Azure support for Docker, Kubernetes, Puppet, Terraform, Cassandra, and other open source tools has become very important to us and has really accelerated our move into Azure.”
— Robert Rudduck, Director of Architecture and DevOps, Ambit Energy

Challenge: To meet aggressive growth goals, Ambit Energy needed to automate infrastructure provisioning to match their pace of new software creation.

Solution: To stand up infrastructure quickly, Ambit used Microsoft Azure services such as Azure Container Service, together with infrastructure as code and open source technologies, to completely automate infrastructure provisioning.

Outcome: By implementing Azure, Ambit can move dramatically faster to enhance its services and enter new markets. Infrastructure redundancy is flexible and worry-free. And costs are 22 percent lower, which helps Ambit compete in the crowded electricity market.

Altair Engineering uses cloud to democratize HPC access

“Customers are limited as to what they can do on workstations, but with Azure we can give them a scalable, cost-effective back-end HPC infrastructure.”
— Sam Mahalingam, Chief Technical Officer, Cloud Computing and High-Performance Computing Strategy, Altair Engineering

Challenge: Altair needed a specialized HPC architecture containing high-performance graphics processing units to deliver their latest topology optimization and analysis application to customers.

Solution: Altair used Kubernetes in Azure Container Service to handle back-end functions and increase the density of services running across compute nodes.

Outcome: With Azure, Altair provides customers with a scalable, cost-effective back-end HPC infrastructure, eliminating the need for expensive engineering workstations.

Varian uses cloud and container software technology to streamline IT and focus on

“With AKS, developers get a safe place to innovate and to experiment with new technologies and ideas… It’s the best of open service combined with the best of Azure innovation.”
— Shivakumar Gopalakrishnan, Senior Manager, Varian Medical Systems

Challenge: Varian needed to provide broader cancer care and enable faster innovation for the benefit of cancer patients.

Solution: Varian chose Microsoft Azure as its cloud platform and Azure Kubernetes Service to scale application deployments to thousands of customers, utilizing containers to modernize existing apps and create new ones.

Outcome: With AKS, Varian’s developers can deliver features to customers quickly and get their feedback without the overhead of provisioning a group of virtual machines.

Falkonry uses cloud and machine learning to create a “data scientist in a box”

“We’re very happy with the speed of deployment we can offer our customers with Azure. If we had to fly people out to configure and set up hardware and software, we would lose several weeks in the process.”
— Sanket Amberkar, Senior VP of Marketing, Falkonry

Challenge: Falkonry needed a solution to scale the deployment of its machine learning application to reach customers in the oil and gas industries.

Solution: Falkonry used Azure Kubernetes Service to automate the deployment of Kubernetes clusters to deliver their application globally.

Outcome: With Azure Kubernetes Service, Falkonry is able to deploy their solutions in days, compared to the months it takes for companies using a more traditional platform approach.

OpenAI uses cloud to drive flexibility and scalability for deep learning experiments

“Because Kubernetes provides a consistent API, we can move our research experiments very easily between clusters… [We] have a number of teams that run their experiments both in Azure and in our own data centers, just depending on which cluster has free capacity, and that's hugely valuable.”
— Christopher Berner, Head of Infrastructure, OpenAI

Challenge: OpenAI needed infrastructure for deep learning that would allow experiments to run either in the cloud or in its own data center, and to easily scale.

Solution: OpenAI migrated its Kubernetes clusters to Azure, running key experiments in fields including robotics and gaming both in Azure and in its own data centers.

Outcome: Researchers now spend far less time launching experiments and scaling them out to hundreds of GPUs. OpenAI has also benefited from greater portability and lower costs given the ability to use its own data centers when appropriate.

Kubernetes and OpenShift

AKS and OpenShift serve different use cases:

AKS (build your own platform)      | OpenShift (commercial distributed Kubernetes)
-----------------------------------|----------------------------------------------
Flexibility                        | Focus on the app
Platform life cycle management     | Secure by default
SLO                                | Fully supported (integrated)
Fast development pace              | SLA
Kubernetes capabilities            | Long-term support
3rd-party tools                    | Built-in tools
Compete

How to compete?

Feature                    | AWS EKS     | GCP GKE       | Breadth of service
Never do a feature compare | We stronger | Getting there | Azure as the core strategic application platform

Sources: 1 CNCF. 2 Microsoft.
Resources

Best support for your enterprise need

Learning path: aka.ms/LearnKubernetes
What is Kubernetes: aka.ms/k8sLearning
Hear from experts: aka.ms/AKS/videos
Case studies: aka.ms/aks/casestudy
See what’s new: aka.ms/k8s/roadmap
Try for free: aka.ms/aks/trial

Feedback on the roadmap? Tell us at https://aka.ms/aks/feedback


Product deep dive
Horizontal Pod Autoscaler

The horizontal pod autoscaler (HPA) uses the Metrics Server in a Kubernetes cluster to monitor the resource demand of pods. If a service needs more resources, the number of pods is automatically increased to meet the demand.

1. HPA obtains resource metrics and compares them to the user-specified threshold
2. HPA evaluates whether the user-specified threshold is met or not
3. HPA increases/decreases the replicas based on the specified threshold
4. The Deployment controller adjusts the deployment based on the increase/decrease in replicas

Diagram: on each node, cAdvisor (inside the Kubelet) collects metrics from all containers on the node; the Metrics Server collects metrics from all nodes; the HPA grabs metrics from the Metrics Server and sets replicas on the Deployment, whose ReplicaSet adds or removes Pods.
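As an added example (not code from the deck), the Deployment and HPA below express steps 1 to 4 as a manifest. The workload name orders-api and the image are hypothetical. Two practical points the slide does not show: the HPA can only compute utilisation if the Pod template declares CPU requests, and maxReplicas is the cap on how far a traffic spike, including a flood of attacker requests, can scale your bill.

```yaml
# Added example (not from the deck). Names such as "orders-api" are hypothetical.
# The HPA computes utilisation as a percentage of the *requested* CPU, so the
# Deployment must declare resource requests or the HPA reports <unknown>.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders-api
spec:
  replicas: 2
  selector:
    matchLabels:
      app: orders-api
  template:
    metadata:
      labels:
        app: orders-api
    spec:
      containers:
        - name: api
          image: contoso.azurecr.io/orders-api:1.4.0   # hypothetical image
          ports:
            - containerPort: 8080
          resources:
            requests:
              cpu: 250m
              memory: 256Mi
            limits:
              cpu: "1"
              memory: 512Mi
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: orders-api
spec:
  scaleTargetRef:                 # step 3/4: the HPA writes replicas on this Deployment
    apiVersion: apps/v1
    kind: Deployment
    name: orders-api
  minReplicas: 2
  maxReplicas: 20                 # hard ceiling: bounds cost and blast radius
  metrics:
    - type: Resource              # step 1: CPU from the Metrics Server
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70  # step 2: threshold, percent of requested CPU averaged over Pods
  behavior:
    scaleUp:
      policies:
        - type: Pods
          value: 4                # add at most 4 Pods per minute
          periodSeconds: 60
    scaleDown:
      stabilizationWindowSeconds: 300   # wait 5 minutes of low demand before removing Pods
      policies:
        - type: Percent
          value: 50               # remove at most half the Pods per minute
          periodSeconds: 60
```

Apply with kubectl apply -f and watch the decision loop with kubectl get hpa orders-api --watch; kubectl top pods confirms that the Metrics Server (deployed by default on AKS) is serving data. The scaleDown stabilisation window prevents flapping when load oscillates around the 70 % threshold.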
Cluster Autoscaler

The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically increases the number of nodes.

1. Pods are in the pending state because no node has the resources to schedule them
2. The cluster autoscaler determines that additional nodes are needed
3. Azure grants a new node to the AKS cluster (the node pool is scaled out)
4. The pending pods are scheduled on the new node

The autoscaler also scales the node pool back in after nodes have been under-utilised for a period, so the node count follows the pod demand that the HPA creates.
Azure Pipelines for AKS

Deep traceability

1. As part of CI, developers check in their code to a central repository; Azure Pipelines automatically builds application binaries, runs unit tests, and pushes the container image into a registry
2. Developers then deploy the application to a testing environment and run integration tests as part of the CD workflow
3. Developers can review which pod is running which container image, what source code is built into an image, and what tests were run against each image at any point in time
4. For production deployment, Azure Pipelines automatically executes the pre-defined deployment strategy and progressively rolls out the application to an AKS cluster
5. Enable app telemetry, container health monitoring, and real-time log analytics; the insights are used to address issues and feed into next sprint plans

Diagram: source code → Azure Pipelines build (continuous integration) → container image → Azure Pipelines release (continuous delivery, deploy strategies) → AKS cluster → Azure Monitor → iterate.
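An added example, not the deck's own pipeline, showing steps 1 and 4 in a single azure-pipelines.yml: unit tests gate the build, the image is pushed to ACR under an immutable build-ID tag, and a canary deployment rolls it out to AKS. It assumes a Docker registry service connection named acr-connection, a Kubernetes service connection named aks-connection, an Azure DevOps environment named production with a Kubernetes resource for the orders namespace, and a repository with a Dockerfile plus manifests/deployment.yaml and manifests/service.yaml; all of these names are hypothetical.

```yaml
# Added example (not from the deck). Service connections, environment and
# repository layout are assumptions described in the lead-in.
trigger:
  branches:
    include:
      - main

variables:
  containerRegistry: contoso.azurecr.io
  imageRepository: orders-api        # hypothetical image name
  tag: $(Build.BuildId)              # immutable per build: image -> build -> commit (step 3)

stages:
  - stage: Build
    jobs:
      - job: BuildAndPush
        pool:
          vmImage: ubuntu-latest
        steps:
          - script: make test        # hypothetical unit-test target; a failure stops the stage
            displayName: Run unit tests
          - task: Docker@2
            displayName: Build and push image to ACR
            inputs:
              command: buildAndPush
              containerRegistry: acr-connection
              repository: $(imageRepository)
              dockerfile: Dockerfile
              tags: |
                $(tag)
          - publish: manifests       # hand the manifests to the Deploy stage as an artifact
            artifact: manifests

  - stage: Deploy
    dependsOn: Build
    jobs:
      - deployment: DeployCanary
        pool:
          vmImage: ubuntu-latest
        environment: production.orders      # environment "production", namespace resource "orders"
        strategy:
          runOnce:
            deploy:
              steps:
                - download: current
                  artifact: manifests
                - task: KubernetesManifest@1
                  displayName: Deploy canary (20 percent of replicas)
                  inputs:
                    action: deploy
                    kubernetesServiceConnection: aks-connection
                    namespace: orders
                    strategy: canary
                    percentage: 20
                    manifests: |
                      $(Pipeline.Workspace)/manifests/deployment.yaml
                      $(Pipeline.Workspace)/manifests/service.yaml
                    containers: |
                      $(containerRegistry)/$(imageRepository):$(tag)
```

A canary deploy leaves the baseline and canary Pods side by side; a later KubernetesManifest step with action: promote (after integration tests pass) or action: reject completes or rolls back the rollout. Because every image carries $(Build.BuildId), kubectl describe pod shows exactly which build, and therefore which commit and test run, is live, which is the traceability described in step 3.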
Azure Container Registry geo-replication

Push an image to a single registry and ACR takes care of geographical replication, including local notifications.

1. A US-based developer commits code to build a container image
2. The image is pushed to the nearest Azure Container Registry (ACR) region based on DNS (the single name contoso.azurecr.io resolves to East US 2 for this developer)
3. The geographical webhook in East US 2 triggers CD deployment to the AKS cluster in East US
4. ACR geo-replicates the image (contoso.azurecr.io/app:v1) to the configured regions, here West Europe
5. The geographical webhook in West Europe triggers deployment to the AKS cluster in West Europe
6. Both AKS clusters pull from contoso.azurecr.io, each from its nearest replica
Serverless Kubernetes using AKS virtual nodes

• Elastically provision compute capacity in seconds
• No infrastructure to manage
• Built on open-sourced Virtual Kubelet technology, donated to the Cloud Native Computing Foundation (CNCF)

Diagram: the Kubernetes control plane schedules Pods onto regular Nodes and onto a Virtual node.
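As an added example (not from the deck), a Deployment whose Pods are scheduled onto the AKS virtual node. The nodeSelector labels and tolerations are the ones the virtual node carries; the workload name and image are hypothetical.

```yaml
# Added example (not the deck's code). Assumes the AKS virtual nodes add-on is
# enabled; "burst-worker" and its image are hypothetical.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: burst-worker
spec:
  replicas: 1
  selector:
    matchLabels:
      app: burst-worker
  template:
    metadata:
      labels:
        app: burst-worker
    spec:
      containers:
        - name: worker
          image: contoso.azurecr.io/burst-worker:2.0.1   # hypothetical image
          resources:
            requests:                # ACI bills and sizes the container group from these
              cpu: "1"
              memory: 1Gi
      nodeSelector:                  # labels set on the virtual node
        kubernetes.io/role: agent
        beta.kubernetes.io/os: linux
        type: virtual-kubelet
      tolerations:                   # the virtual node is tainted so nothing lands there by accident
        - key: virtual-kubelet.io/provider
          operator: Exists
        - key: azure.com/aci
          effect: NoSchedule
```

Pods placed on the virtual node run in Azure Container Instances, so DaemonSets, privileged containers and host networking are not available there; for burst-only use, replace the nodeSelector with a preferredDuringSchedulingIgnoredDuringExecution node affinity so that regular nodes are used first and the virtual node only absorbs overflow.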
Kubernetes-based event-driven auto-scaling (KEDA)

• Open-source component jointly built by Microsoft and Red Hat
• Event-driven container creation & scaling: allows containers to “scale to zero” until an event comes in, which then creates the container and processes the event, resulting in more efficient utilization and reduced costs
• Native trigger support: containers can consume events directly from the event source, instead of routing events through HTTP
• Can be used in any Kubernetes service: this includes the cloud (e.g., AKS, EKS, GKE) or on-premises with OpenShift; any Kubernetes workload that requires scaling by events instead of traditional CPU or memory scaling can leverage this component

Diagram: an external trigger source feeds the KEDA scaler; the KEDA controller and metrics adapter run inside the cluster (here an AKS cluster) and drive the scaling.
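An added example (not code from the deck or the KEDA project) of the scale-to-zero behaviour described above: a queue consumer that has no replicas while the queue is empty and grows with queue depth. It assumes KEDA is installed in the cluster, a Deployment named order-processor, an Azure Service Bus queue named orders, and a Secret servicebus-auth whose key connection holds a connection string; all names are hypothetical.

```yaml
# Added example (not the deck's code). KEDA, the Deployment, queue and Secret are
# assumptions described in the lead-in.
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: servicebus-auth
  namespace: orders
spec:
  secretTargetRef:
    - parameter: connection      # trigger parameter being supplied
      name: servicebus-auth      # Secret name; use a listen-only SAS rule scoped to the queue
      key: connection            # key inside the Secret
---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: order-processor
  namespace: orders
spec:
  scaleTargetRef:
    name: order-processor        # Deployment to scale
  minReplicaCount: 0             # scale to zero while the queue is empty
  maxReplicaCount: 30            # ceiling against a queue flood
  pollingInterval: 15            # seconds between queue-length checks
  cooldownPeriod: 120            # seconds of emptiness before returning to zero
  triggers:
    - type: azure-servicebus     # native trigger: no HTTP hop, KEDA reads the queue length
      metadata:
        queueName: orders
        messageCount: "5"        # target messages per replica
      authenticationRef:
        name: servicebus-auth
```

KEDA creates and owns an HPA for the target (kubectl get hpa shows keda-hpa-order-processor), so do not attach a second HPA to the same Deployment. The connection string is only needed by the scaler; prefer a TriggerAuthentication with spec.podIdentity.provider set to azure-workload so that no send-capable credential sits in a Secret.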
Service Mesh Interface (SMI)

SMI defines a set of APIs that can be implemented by individual mesh providers. Service meshes and tools can either integrate directly with SMI, or an adapter can consume SMI and drive native mesh APIs.

• Standard interface for service mesh on Kubernetes
• Basic feature set to address the most common scenarios
• Extensible to support new features as they become widely available

Diagram: apps, tooling and the ecosystem sit on top of the Service Mesh Interface (routing, telemetry, policy, and more), which runs on Kubernetes.
Security overview

1. Image and container level security
   • AAD-authenticated container registry access
   • ACR image scanning and content trust for image validation
2. Node and cluster level security
   • Automatic security patching nightly
   • Nodes deployed in a private virtual network subnet without public addresses
   • Network policy to secure communication paths between namespaces (and nodes)
   • Pod Security Policies
3. Pod level security
   • Pod authentication using AAD Pod Identity
   • K8s RBAC and AAD for pod-level control
   • Pod Security Context
4. Workload level security
   • Azure Role-based Access Control (RBAC) & security policy groups
   • Secure access to resources & services (e.g. Azure Key Vault) via Pod Identity
   • Storage encryption
   • App Gateway with WAF to protect

Diagram: a developer pushes images to Azure Container Registry; AKS (with RBAC) runs in an Azure VNet, reached by internal users through an internal load balancer and by external users through an external load balancer / App Gateway, with ingress controllers, External DNS, and nodes and pods in the subnet; Azure Active Directory authenticates the Kubernetes admin; AAD Pod Identity lets pods reach Azure Key Vault, Azure Storage, SQL Database and Cosmos DB, all on encrypted storage.
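An added example (not from the deck) of two controls from items 2 and 3: a namespace that denies all inbound traffic by default and admits only the ingress controller, and a Pod Security Context that drops privileges. The namespace orders, the label app: orders-api, the ingress namespace label name: ingress and the image are hypothetical; network policy only takes effect if the AKS cluster was created with a network policy engine (Azure or Calico).

```yaml
# Added example (not the deck's code). Names and labels are hypothetical.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: orders
spec:
  podSelector: {}                # every Pod in the namespace
  policyTypes:
    - Ingress                    # no ingress rules listed => all inbound traffic denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress-controller
  namespace: orders
spec:
  podSelector:
    matchLabels:
      app: orders-api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress      # only Pods in the ingress controller's namespace
      ports:
        - protocol: TCP
          port: 8080             # and only the application port
---
apiVersion: v1
kind: Pod
metadata:
  name: orders-api
  namespace: orders
  labels:
    app: orders-api
spec:
  automountServiceAccountToken: false   # the app never calls the API server
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: api
      image: contoso.azurecr.io/orders-api:1.4.0   # hypothetical image
      ports:
        - containerPort: 8080
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tmp
          mountPath: /tmp        # the only writable path
  volumes:
    - name: tmp
      emptyDir: {}
```

Two caveats on the slide's list: Pod Security Policies were removed in Kubernetes 1.25, and the equivalent guard rail today is Pod Security Admission, enabled by labelling the namespace pod-security.kubernetes.io/enforce=restricted, which the Pod above satisfies. "Automatic security patching nightly" installs OS updates on the nodes, but a patch that needs a reboot only takes effect once the node is restarted (kured or a node image upgrade).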
Pod identity

1. A Kubernetes operator defines an identity map for K8s service accounts
2. The Node Managed Identity (NMI) watches for the mapping and syncs it to the Managed Service Identity (MSI)
3. A developer creates a pod with a service account, and the pod uses the standard Azure SDK to fetch a token bound to the MSI
4. The pod uses the access token to consume other Azure services (here Azure SQL Server); the services validate the token

Diagram: Kubernetes controller, Azure Identity Binding, Pod, NMI + EMSI, Azure Active Directory issuing the token, Azure MSI, Azure SQL Server.
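An added example (not the deck's code) of the binding model in steps 1 to 3 using the AAD Pod Identity custom resources. It assumes the aad-pod-identity components (MIC and NMI) are installed and that a user-assigned managed identity exists; the subscription, resource group, client ID and all names are placeholders, not real identifiers.

```yaml
# Added example (not from the deck). Placeholders in angle brackets must be replaced.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: orders-identity
  namespace: orders
spec:
  type: 0                        # 0 = user-assigned managed identity
  resourceID: /subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/orders-identity
  clientID: <client-id-of-the-managed-identity>
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding      # step 1: the identity map
metadata:
  name: orders-identity-binding
  namespace: orders
spec:
  azureIdentity: orders-identity
  selector: orders-identity      # Pods whose aadpodidbinding label equals this get the identity
---
apiVersion: v1
kind: Pod                        # step 3: a Pod that matches the binding
metadata:
  name: orders-api
  namespace: orders
  labels:
    aadpodidbinding: orders-identity
spec:
  containers:
    - name: api
      image: contoso.azurecr.io/orders-api:1.4.0   # hypothetical; authenticates with the Azure SDK's DefaultAzureCredential
      env:
        - name: AZURE_SQL_SERVER
          value: orders-sql.database.windows.net    # hypothetical server name
```

NMI intercepts the Pod's requests to the instance metadata endpoint (169.254.169.254) and returns a token only when the Pod's label matches a binding, so an unlabelled Pod in the same namespace gets nothing. Grant the managed identity the narrowest role on the target (for Azure SQL, a contained database user mapped to the identity). AAD Pod Identity has since been retired in favour of Microsoft Entra Workload ID, which federates Kubernetes service account tokens instead of intercepting IMDS; the manifests above show the model the slide describes.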
Secure network communications with VNet and CNI

1. Uses an Azure subnet for both your containers and cluster VMs
2. Allows for connectivity to existing Azure services in the same VNet
3. Use ExpressRoute to connect to on-premises infrastructure
4. Use VNet peering to connect to other VNets
5. Connect the AKS cluster securely and privately to other Azure resources using VNet service endpoints

Diagram: Azure VNet A contains the AKS subnet (AKS cluster) and a backend services subnet (SQL Server); ExpressRoute links to the on-premises enterprise system; a service endpoint reaches the Azure SQL PaaS DB; VNet peering reaches other peered VNets.

AKS VNet integration works seamlessly with your existing network.
Identity and access management through Entra ID and RBAC

1. A developer authenticates to the Entra ID token issuance endpoint and requests an access token
2. The Entra ID token issuance endpoint issues the access token
3. The access token is used to authenticate to the secured resource (the AKS cluster)
4. Data from the secured resource is returned to the web application

Azure delivers a streamlined identity and access management solution with Entra ID and Azure Kubernetes Service (AKS).
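An added example (not from the deck) of what "RBAC" means once the token from step 3 reaches the cluster: on an Entra-integrated AKS cluster the API server sees the caller's Entra group object IDs, and Kubernetes RBAC binds those IDs to roles. The group IDs below are placeholders, and the namespace and role names are hypothetical.

```yaml
# Added example (not the deck's code). Group object IDs are placeholders; Kubernetes
# matches Entra groups by object ID, never by display name.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: orders-developer
  namespace: orders
rules:
  - apiGroups: ["", "apps"]
    resources: ["pods", "pods/log", "deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["patch", "update"]     # can roll out a new image; cannot read Secrets
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: orders-developers
  namespace: orders
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: 11111111-2222-3333-4444-555555555555   # placeholder: Entra group object ID
roleRef:
  kind: Role
  name: orders-developer
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide read-only access for the security team, still without Secret access.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: security-readers
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: 66666666-7777-8888-9999-000000000000   # placeholder: Entra group object ID
roleRef:
  kind: ClusterRole
  name: view                       # built-in role; deliberately excludes Secrets
  apiGroup: rbac.authorization.k8s.io
```

Verify a binding without logging in as the user: kubectl auth can-i list secrets -n orders --as=someone --as-group=11111111-2222-3333-4444-555555555555 should answer no. To make Entra the only door, create or update the cluster with --disable-local-accounts so that the --admin kubeconfig from az aks get-credentials cannot bypass these bindings.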
Azure Policy for clusters

1. A cloud architect assigns a deployment policy across cluster(s)
2. A developer uses the standard Kubernetes API to deploy to the cluster
3. Real-time deployment enforcement (acceptance/denial) is provided to the developer based on the policy
4. The cloud architect obtains a compliance report for the entire environment and can drill down to the individual pod level

Diagram: Azure Policy is assigned to Cluster-1, Cluster-2 and Cluster-3 (AKS); compliance reports flow back to the architect.
Azure Pipelines build audit & enforcement using Azure Policy

1. A cloud architect assigns a policy across clusters; the policy can be set to block non-compliance (deny) or generate non-compliance warnings (audit)
2. A developer makes a code change that kicks off an Azure Pipelines build
3. Azure Pipelines evaluates the request for policy compliance
4. If the policy is set to deny, Azure Pipelines rejects the build attempt if any non-compliance is identified
5. If the policy is set to audit, a non-compliance event is logged and the build is allowed to proceed

Diagram: Azure Pipelines compliance check → deny policy? Yes: fail the build; No: pass → deploy to Cluster-1, Cluster-2, Cluster-3.
Azure Application Gateway Ingress Controller (AGIC)

1. Fully managed Ingress Controller
2. The Ingress Controller is supported exclusively by the Standard_v2 and WAF_v2 SKUs, which also bring you autoscaling benefits. Application Gateway can react to an increase or decrease in traffic load and scale accordingly, without consuming any resources from your AKS cluster.
3. Native Application Gateway L7 load balancer:
   - URL routing
   - Cookie-based affinity
   - TLS (SSL) termination
   - End-to-end TLS
   - Support for public, private, and hybrid web sites
   - Integrated web application firewall
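An added example (not from the deck) of an Ingress served by AGIC that exercises the L7 features listed in item 3: TLS termination at the gateway, HTTP-to-HTTPS redirect, cookie affinity and end-to-end TLS to the backend. It assumes the AGIC add-on is enabled, a TLS Secret orders-tls exists in the namespace, and the Service orders-api listens on 8443 with its own certificate; the host name and all names are hypothetical.

```yaml
# Added example (not the deck's code). Secret, Service, host and names are assumptions.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orders-api
  namespace: orders
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/ssl-redirect: "true"           # 80 -> 443 at the gateway
    appgw.ingress.kubernetes.io/backend-protocol: "https"       # re-encrypt to the Pod (end-to-end TLS)
    appgw.ingress.kubernetes.io/cookie-based-affinity: "true"   # sticky sessions
    appgw.ingress.kubernetes.io/health-probe-path: "/healthz"
spec:
  tls:
    - hosts:
        - orders.contoso.com
      secretName: orders-tls          # gateway-side certificate (TLS termination)
  rules:
    - host: orders.contoso.com
      http:
        paths:
          - path: /api                # URL routing
            pathType: Prefix
            backend:
              service:
                name: orders-api
                port:
                  number: 8443
```

If the backend certificate is issued by a private CA, upload that root to the gateway and reference it with appgw.ingress.kubernetes.io/appgw-trusted-root-certificate, otherwise the health probe fails and AGIC marks the backend unhealthy. The web application firewall comes with the WAF_v2 SKU; a per-path WAF policy can be attached with appgw.ingress.kubernetes.io/waf-policy-for-path.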
Azure Monitor for containers

• Visualization: visualize overall health and performance from clusters to containers with drill-downs and filters
• Insights: provide insights with a multi-cluster health roll-up view
• Monitor & analyze: monitor and analyze Kubernetes and container deployment performance, events, health, and logs
• Response: native alerting with integration to issue management and ITSM tools
• Observability: observe live container logs and container deployment status

Diagram: Azure Monitor for containers collects from the Azure Kubernetes Service control plane, Azure Pipelines and ACI (new).
Azure Monitor for containers

1. Get detailed insights about your workloads with Azure Monitor
2. See graphical insights about clusters
3. Filter for details about nodes, controllers, and containers
4. Pull events and logs for detailed activity analysis
Thank you.

© Copyright Microsoft Corporation. All rights reserved.
