This reference implementation shows a set of best practices for building and running a microservices architecture on Microsoft Azure. This content is built on top of the AKS Secure Baseline, which is the recommended starting (baseline) infrastructure architecture for an AKS cluster.
To quickly understand how the AKS Fabrikam Drone Delivery expands the AKS Secure Baseline, please refer to the following table:
AKS Secure Baseline | AKS Fabrikam Drone Delivery | |
---|---|---|
Egress restriction using Azure Firewall | ✅ | ✅ |
Ingress Controller | ✅ | ✅ |
Microsoft Entra Workload ID | ✅ | ✅ |
Resource Limits | ✅ | ✅ |
Other Infrastructure aspects | ✅ | ✅ |
Zero Trust Network Policies | ❌ | ✅ |
Horizontal Pod Autoscaling | ❌ | ✅ |
Cluster Autoscaling | ❌ | ✅ |
Readiness/Liveness Probes | ❌ | ✅ |
Helm charts | ❌ | ✅ |
Distributed Monitoring | ❌ | ✅ |
AKS Fabrikam Drone Delivery is not just workload focused, but also incorporates the infrastructure journey by expanding the AKS Secure Baseline. Similar to what organizations might get into while trying to implement their solutions based on the AKS Secure Baseline, this reference implementation carefully modifies or interchanges small pieces like using a different kind of ingress controller or deploying a different workload on top of the cluster. If you or your team are on day 0 or looking for infrastructure-related aspects only, the recommendation is to start with the AKS Secure Baseline. If you want more comprehensive guidance for deploying a more interesting workload, this is the proper guidance to follow.
This project has a companion set of articles that describe challenges, design patterns, and best practices for a secure AKS cluster. You can find these articles on the Azure Architecture Center:
- Designing, building, and operating microservices on Azure with Kubernetes
- Microservices architecture on Azure Kubernetes Service (AKS)
- Azure Kubernetes Service (AKS) Baseline Cluster
This architecture integrates with many Azure services to demonstrate workload with distributed tracing, messaging, and storage. This architecture also implements recommended native Kubernetes features such as auto-scaling capabilities, probes, network policies, and other standards like Helm charts and more. As a result of expanding the AKS Secure Baseline, this architecture should also be considered your starting point for pre-production and production stages.
An important distinction of this architecture is that it implements the Azure Application Gateway Ingress Controller instead of using Traefik as in the baseline.
Throughout the reference implementation, you will see reference to Fabrikam Drone Delivery Shipping App. Fabrikam, Inc. (a fictional company) is starting a drone delivery service and has made the architectural decision of implementing its solution on top of the AKS Secure Baseline since it covers all the infrastructure aspects they are requested to operate. The company manages a fleet of drone aircraft. Businesses register with the service, and users can request a drone to pick up goods for delivery. When a customer schedules a pickup, a backend system assigns a drone and notifies the user with an estimated delivery time. While the delivery is in progress, the customer can track the drone's location with a continuously updated ETA.
- AKS v1.28
- System and User node pool separation
- AKS-managed Microsoft Entra ID
- Managed Identities
- Azure CNI
- Azure Monitor for containers
- Azure Virtual Networks (hub-spoke)
- Azure Application Gateway (WAF)
- AKS-managed Internal Load Balancers
- Azure Firewall
- Azure Service Bus
- Azure CosmosDb
- Azure MongoDb
- Azure Redis Cache
- Flux GitOps Operator
- Azure Application Gateway Ingress Controller
- Microsoft Entra Workload ID
- Azure KeyVault Secret Store CSI Provider
- Kured
Here are the required sections to follow for deploying the AKS Fabrikam Drone Delivery reference implementation.
- Install and meet the prerequisites
- Procure client-facing and AKS Ingress Controller TLS certificates
- Plan your Microsoft Entra integration
- Build the hub-spoke network
- Deploy the AKS cluster and supporting services
- Place the cluster under GitOps management
- Workload prerequisites to address
- Configure AKS Ingress Controller with Azure Key Vault integration
- Deploy the workload
- Perform end-to-end deployment validation
- Cleanup all resources
This reference implementation intentionally does not cover all scenarios. If you are looking for other topics that are not addressed here, please visit AKS Secure Baseline for the complete list of covered scenarios around AKS.
Please see our contributor guide.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
With ❤️ from Microsoft Patterns & Practices, Azure Architecture Center.