DevOps Classroom notes 23/Aug/2025

Azure Kubernetes Service

  • AKS is offered in 3 pricing tiers (plans)
    • Free
    • Standard
    • Premium Tier
  • Refer Here for official docs on pricing tiers
  • Networking: AKS has the following networking choices
    • Azure CNI
    • Cilium data plane
  • Identity Model:
    • Managed Identities
    • Microsoft Entra Workload ID
  • Ingress on AKS:
    • Nginx
    • Application Gateway
  • Storage:
    • CSI Drivers:
      • Azure Disk
      • Azure Files
      • Azure Blob
  • Monitoring
  • Scaling
  • Security & Governance
  • Upgrades and maintenance
  • Backup/DR
  • Azure Service Mesh

Let's create a production-grade k8s cluster in AKS

  • Refer below for the script
# variables
RG=rg-aks-demo
LOC=eastus
AKS=aks-demo
VNET=vnet-aks
SUBNET=aks-subnet

# create resource group
az group create -n $RG -l $LOC

# Virtual network with a subnet for AKS
az network vnet create \
    -g $RG \
    -n $VNET \
    --address-prefixes 10.0.0.0/8 \
    --subnet-name $SUBNET \
    --subnet-prefix 10.1.0.0/16

# resource id of the subnet; AKS needs it so the nodes (and, with Azure CNI, the pods) land in our VNet
SUBNET_ID=$(az network vnet subnet show -g $RG --vnet-name $VNET -n $SUBNET --query id -o tsv)

# AKS cluster on the Standard tier with Azure CNI and Azure network policy enforcement
az aks create \
    --resource-group $RG \
    --name $AKS \
    --tier standard \
    --generate-ssh-keys \
    --node-count 2 \
    --node-vm-size Standard_D2as_v4 \
    --vnet-subnet-id $SUBNET_ID \
    --network-plugin azure \
    --network-policy azure

# merge the cluster credentials into the local kubeconfig
az aks get-credentials -g $RG -n $AKS

Network Policy

  • A network policy controls which pods can talk to which pods
  • When we don't write a network policy, k8s allows all communication.
  • Network Policy requires CNI support (this is why the cluster above was created with --network-policy azure)
  • We can write ingress (incoming) and egress (outgoing) rules
  • Consider the following
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: nginx
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: web-svc
spec:
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 80


  • Any pod can communicate with this pod
  • Now let's write a default ingress + egress rule to deny all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
    - Egress
  ingress: []
  egress: []
  • Allow access to port 80 from pods in the same namespace that carry a specific label
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-from-access-web
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              access: web
      ports:
        - port: 80
          protocol: TCP
  • Now in the same way we can write rules for
    • IP range
    • namespace
    • DNS
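As an added example (not part of the original notes), here are the three rule kinds above written as NetworkPolicy selectors for the same `app: web` pods. Assumptions: the `monitoring` namespace and its `app: prometheus` pods, the `kubernetes.io/metadata.name` namespace label (set automatically by Kubernetes on every namespace), the `k8s-app: kube-dns` label on the cluster DNS pods, and the 10.1.0.0/16 range taken from the subnet in the script above. The DNS rule is plain Kubernetes egress to the DNS pods on port 53; rules on DNS names themselves are a Cilium extension and are not shown.

```yaml
---
# Egress for web pods: only cluster DNS and one IP range; everything else stays denied by default-deny-all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-egress-dns-and-iprange
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Egress
  egress:
    # DNS: namespaceSelector AND podSelector in ONE list item = DNS pods in kube-system only
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns        # assumed label of the cluster DNS pods
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # IP range: the AKS subnet from the script, with one address carved out (assumed value)
    - to:
        - ipBlock:
            cidr: 10.1.0.0/16
            except:
              - 10.1.0.4/32
      ports:
        - port: 443
          protocol: TCP
---
# Ingress for web pods: only prometheus pods from the monitoring namespace may reach port 80
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-from-monitoring
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring   # assumed namespace
          podSelector:
            matchLabels:
              app: prometheus                           # assumed label
      ports:
        - port: 80
          protocol: TCP
```

Two things worth checking when writing these: a `namespaceSelector` and a `podSelector` inside the same `from`/`to` list item are ANDed (pods with that label in that namespace), while separate list items are ORed, so indenting `podSelector` one level wrong silently widens the rule to every pod in the namespace. Allow policies are additive on top of `default-deny-all`; without the DNS egress rule the web pods cannot resolve any name, which is the usual first symptom after applying a deny-all egress policy.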

Azure Specific annotations

Load Balancer

| Annotation Key | Purpose | Example |
|---|---|---|
| service.beta.kubernetes.io/azure-load-balancer-ipv4 | Assign a specific IPv4 address to the LoadBalancer frontend. Preferred over the `loadBalancerIP` YAML field. (Microsoft Learn) | `service.beta.kubernetes.io/azure-load-balancer-ipv4: "10.240.0.25"` |
| service.beta.kubernetes.io/azure-load-balancer-ipv6 | Assign a specific IPv6 address to the LoadBalancer frontend. (Microsoft Learn) | `service.beta.kubernetes.io/azure-load-balancer-ipv6: "2001:db8::1"` |
| service.beta.kubernetes.io/azure-load-balancer-internal | Create an internal (private) LoadBalancer within the VNet. (Microsoft Learn, Medium) | `service.beta.kubernetes.io/azure-load-balancer-internal: "true"` |
| service.beta.kubernetes.io/azure-pip-name | Use a named Public IP resource for the LoadBalancer; helps avoid throttling and speeds up provisioning. (Microsoft Learn) | `service.beta.kubernetes.io/azure-pip-name: "myStaticPublicIP"` |
| service.beta.kubernetes.io/azure-load-balancer-resource-group | Specify the resource group where the Public IP resides (helps when managing resources in different groups). (Microsoft Learn) | `service.beta.kubernetes.io/azure-load-balancer-resource-group: "myNetworkResourceGroup"` |
| service.beta.kubernetes.io/azure-load-balancer-disable-tcp-reset (deprecated) | Disable or enable TCP RESET packets when the idle timeout expires, which can help applications detect session termination. Marked deprecated. (Kubernetes) | `service.beta.kubernetes.io/azure-load-balancer-disable-tcp-reset: "false"` |
| service.beta.kubernetes.io/azure-dns-label-name | Set a DNS label for the LoadBalancer, enabling access via `<label>.<region>.cloudapp.azure.com`. (Microsoft Learn) | `service.beta.kubernetes.io/azure-dns-label-name: "test"` |

Nginx ingress

| Annotation Key | Purpose | Example |
|---|---|---|
| nginx.ingress.kubernetes.io/proxy-body-size | Set the maximum client request body size before a 413 error is returned | `nginx.ingress.kubernetes.io/proxy-body-size: 4m` (Microsoft Learn) |
| nginx.ingress.kubernetes.io/proxy-read-timeout | Increase the timeout for reading the response from the backend | `nginx.ingress.kubernetes.io/proxy-read-timeout: "120"` (Microsoft Learn) |
| nginx.ingress.kubernetes.io/backend-protocol | Route traffic to the backend using HTTPS or gRPC instead of HTTP | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` (Microsoft Learn) |
| nginx.ingress.kubernetes.io/enable-cors | Enable Cross-Origin Resource Sharing | `nginx.ingress.kubernetes.io/enable-cors: "true"` (Microsoft Learn) |
| nginx.ingress.kubernetes.io/ssl-redirect | Disable the automatic HTTP-to-HTTPS redirect (if TLS is enabled) | `nginx.ingress.kubernetes.io/ssl-redirect: "false"` (Microsoft Learn) |
| nginx.ingress.kubernetes.io/rewrite-target | Rewrite request paths for backend routing | `nginx.ingress.kubernetes.io/rewrite-target: /$2` (with `use-regex: "true"`) (Microsoft Learn) |
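As an added example (not from the original notes), the Load Balancer and Nginx ingress annotations from the two tables above placed where they actually go: on a Service of type LoadBalancer and on an Ingress object. Assumptions: the service name `web-internal`, the frontend address 10.1.0.25 inside the AKS subnet from the script, the host `web.example.com`, the TLS secret `web-tls`, and the ingress class name `nginx`; the backend `web-svc` is the Service defined earlier on this page.

```yaml
---
# Internal LoadBalancer: the frontend gets a private address from the VNet, so nothing is exposed publicly
apiVersion: v1
kind: Service
metadata:
  name: web-internal
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    # pin the private frontend to a fixed address in the AKS subnet (assumed value)
    service.beta.kubernetes.io/azure-load-balancer-ipv4: "10.1.0.25"
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 80
---
# Nginx ingress: regex path with rewrite, body-size and read-timeout limits, TLS on the listener
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    nginx.ingress.kubernetes.io/use-regex: "true"
    # $2 is the second capture group of the path below: /api/v1/items is forwarded as /v1/items
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/proxy-body-size: 4m
    nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
spec:
  ingressClassName: nginx          # assumed class name of the installed controller
  tls:
    - hosts:
        - web.example.com          # assumed host
      secretName: web-tls          # assumed secret holding the certificate and key
  rules:
    - host: web.example.com
      http:
        paths:
          - path: /api(/|$)(.*)
            pathType: ImplementationSpecific
            backend:
              service:
                name: web-svc
                port:
                  number: 80
```

Because `tls` is set and `ssl-redirect` is left at its default, plain HTTP requests are redirected to HTTPS; the table's `ssl-redirect: "false"` example would switch that off and is only appropriate when TLS is terminated elsewhere. The `(/|$)` in the path makes `/api` match both with and without a trailing segment while keeping `/apiv2` from matching.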

Azure Application Gateway

| Annotation Key | Purpose | Example |
|---|---|---|
| kubernetes.io/ingress.class: azure/application-gateway | Enables AGIC to manage the Ingress resource | — (Microsoft Learn) |
| appgw.ingress.kubernetes.io/backend-path-prefix | Override backend request path prefix | /test/ (Microsoft Learn, GitHub) |
| appgw.ingress.kubernetes.io/backend-hostname | Set specific hostname for backend requests | — (Microsoft Learn) |
| appgw.ingress.kubernetes.io/health-probe-hostname | Customize hostname used for health probes | Defaults to 127.0.0.1 (Microsoft Learn) |
| appgw.ingress.kubernetes.io/health-probe-port | Set port used for health probes | Default 80 (Microsoft Learn) |
| appgw.ingress.kubernetes.io/health-probe-path | Set path used for health probes | Default / (Microsoft Learn) |
| appgw.ingress.kubernetes.io/health-probe-status-codes | Health probe acceptable response codes | Default 200-399 (Microsoft Learn) |
| appgw.ingress.kubernetes.io/health-probe-interval | Interval (in seconds) between health probes | Default 30 (Microsoft Learn) |
| appgw.ingress.kubernetes.io/health-probe-timeout | Timeout (in seconds) for health probes | Default 30 (Microsoft Learn) |
| appgw.ingress.kubernetes.io/health-probe-unhealthy-threshold | Consecutive probe failures before marking backend unhealthy | Default 3 (Microsoft Learn) |
| appgw.ingress.kubernetes.io/ssl-redirect | Enable automatic redirect to HTTPS | false (Microsoft Learn) |
| appgw.ingress.kubernetes.io/connection-draining | Enable connection draining (graceful shutdown) | false (Microsoft Learn) |
| appgw.ingress.kubernetes.io/connection-draining-timeout | Connection draining timeout (in seconds) | Default 30 (Microsoft Learn) |
| appgw.ingress.kubernetes.io/use-private-ip | Use private IP for inbound connections | false (Microsoft Learn) |
| appgw.ingress.kubernetes.io/override-frontend-port | Override frontend port used by Application Gateway | false (Microsoft Learn) |
| appgw.ingress.kubernetes.io/cookie-based-affinity | Enable session affinity using cookies | false (Microsoft Learn) |
| appgw.ingress.kubernetes.io/request-timeout | Set request timeout (in seconds) for HTTP settings | Default 30 (Microsoft Learn) |
| appgw.ingress.kubernetes.io/backend-protocol | Protocol used for backend: http or https | http (Microsoft Learn) |
| appgw.ingress.kubernetes.io/hostname-extension | Add additional hostnames for HTTP listener | — (Azure) |
| appgw.ingress.kubernetes.io/appgw-ssl-certificate | Use a pre-installed certificate on Application Gateway for TLS termination | — (Azure Docs) |
| appgw.ingress.kubernetes.io/waf-policy-for-path | Apply a specific WAF policy to a path | — (Microsoft Learn) |
| appgw.ingress.kubernetes.io/rewrite-rule-set | Apply a named rewrite rule set | — (Microsoft Learn) |
| appgw.ingress.kubernetes.io/rule-priority | Set priority for a specific listener/rule | — (Microsoft Learn) |


By continuous learner

devops & cloud enthusiastic learner
