Posts

Showing posts with the label #MyAzureLabs

AKS-managed Azure AD: How to integrate your AKS cluster with Azure AD

AKS is evolving at a dizzying pace and there have been quite a number of changes since I wrote about AKS namespace isolation and AAD integration. The major update is in terms of creating an Azure AD integrated AKS cluster. You no longer need to create and manage the server and client application; it is handled by the AKS resource provider. There are a few limitations with this approach, though, to be aware of before you get started:
- You cannot disable the AKS-managed Azure AD integration once it is enabled
- The process is supported only for RBAC-enabled clusters
- The Azure AD tenant, once integrated, cannot be switched to a different one
Let's start with creating an Azure AD group. You can also use an existing one if you want to. Note that creating an Azure AD group would need Global administrator rights. I am executing these steps from Azure Cloud Shell, where all the required tools like Azure CLI and kubectl are preinstalled. 1. Create the Azure AD group for your cluster admin...

Kubernetes best practices in Azure: AKS namespace isolation and AAD integration

Once you have decided to run your workloads in the AKS service in Azure, there are certain best practices to be followed during design and implementation. In this blog we will discuss two of these recommended practices and the practical aspects of their implementation: Azure AD integration and namespace isolation. While AAD helps to authenticate users to your AKS cluster using the existing users and groups in your Azure AD, namespace isolation provides logical isolation of the resources used by them. It is useful in multi-tenant scenarios where the same cluster is being used by different teams/departments to run their workloads. It is also useful for running, say, dev, test and QA environments for an organization in the same cluster. Combining AAD integration with namespaces allows users to log in to their namespace using their Azure AD credentials. AAD integration with AKS: The following Microsoft document will get you started with AAD integration of an AKS cluster: https://docs.micr...

Azure ARM Infrastructure as code deployment using VSTS - Part 1

Infrastructure as code, at a high level, is how you can configure and manage your infrastructure the same way that you would manage your application code. It leverages the concepts of continuous integration and deployment to update or provision your environment based on the changes made to the code. In Azure you can leverage ARM templates, which are essentially JSON files, to implement this concept. In this blog series we will explore the concepts of Infrastructure as code deployment for Azure environments using ARM templates. The continuous integration and deployment pipeline leverages VSTS for build and deployment, and the source code repository will be Git. The code in this case is the ARM template JSON file and the related parameter files. The following blog gives a nice explanation on how to get started with VSTS and integrate it with the Git repository: https://blog.kloud.com.au/2017/06/24/azure-build-pipeline-using-arm-te...

Security in the cloud - Disk encryption in Azure

Security in the cloud is a priority for every organization planning to adopt public cloud for mission-critical applications. In Azure, these security concerns are addressed at different layers, starting from the platform layer up to the VM OS layer. This picture shows an overview of the different layers of security in Azure. Any traffic directed to your applications hosted in Azure will first hit the platform's native DDoS protection mechanism. If a DoS attack is happening and a specific IP is targeted, the DDoS protection mechanism will blackhole the traffic and the endpoint will be brought down. Thereby the surrounding resources will be protected. If you have resiliency built in, you can bring up another endpoint and ensure that your service is available. At the next layer you have endpoints, i.e. traffic will be received only at the designated endpoints in the case of the classic model, or as defined in NSGs in the case of the ARM model. The VMs can be placed in dif...

#MyAzureLabs: DRaaS using Azure: Test your DR strategy

This is Part 2 of my blog post on DRaaS using Azure. You can view the first part of the blog here. In the first part, we discussed how to protect your on-prem physical servers using Azure Site Recovery services. Having a DR strategy and enabling protection is not always enough. You should ensure that your DR strategy will work as expected when a disaster strikes. In the case of usual DR solutions, it is not always possible to test the DR strategy without downtime. However, Azure Site Recovery provides you with an option to test your DR strategy and keep it well oiled and battle ready!! Test failover to the rescue. Let's see how we can do a test failover of on-prem physical servers to Azure. Select the vault where your replicated data resides. Select the settings, and choose the replicated items. Select the option "Test failover". Select the settings of the test failover. The failover direction will be automatically selected, i.e. from on-prem to Azure. You can select the reco...

#MyAzureLabs: Azure Point-to-Site VPN configuration for existing Vnet

Azure Point-to-Site enables VPN connectivity from client machines to an Azure Vnet. This is especially useful for mobile users, who could be travelling and not connected to your office network. There is very good documentation available on how to configure Point-to-Site VPN for a new Vnet, both for the classic and the new portal. It can be found here: https://azure.microsoft.com/en-in/documentation/articles/vpn-gateway-point-to-site-create/ What if you already have a Vnet in Azure with resources connected to it? In this blog, I will elaborate on how to enable Point-to-Site VPN for an existing Vnet. It is documented based on testing done in the new portal. The Vnet already existed, and a VPN gateway was created from the new portal using the graphical interface and connected to the Vnet. For the remaining steps, PowerShell was used. 1. Create the VPN gateway. Go to new portal -> Virtual network gateway and create new. You will have to select the Vnet for which ...

Azure VM migration using PowerShell

Microsoft recommends the use of ARM for all new deployments in Azure. All new developments/features/services will be available in ARM going forward. But there are a lot of services that are yet to be migrated to ARM. What if one of the services that you want to use is not currently available in ARM and you have already set up the rest of your environment in ARM? In such a scenario, you can always set up a site-to-site VPN between the classic V1 VNET and the ARM VNET. This process is also well documented: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-arm-asm-s2s-howto/ That being the case, what if you want to test the interoperability of services and want to move a few already set up VMs in ARM to classic? I know that it is not a very common scenario. Also, it is not a recommended approach for production deployments; ARM is definitely the way to go. However, for enabling that test run you might very badly...

Azure automation: Using Graphical runbooks

Azure Automation can be an Azure administrator's best friend and can ease up your day-to-day administration work. There are three options available in Azure Automation: graphical runbooks, PowerShell Workflow and PowerShell-based runbooks. If you want to play around with Azure Automation and want to quickly automate some daily mundane tasks, graphical runbooks are the easiest to start with. You can find many templates in the runbooks gallery in Azure that can easily get the job done for you. Let's start with the basics. One of the common tasks that needs to be done is to start or stop VMs at a scheduled time, say for e.g. your Dev/Test machines that should be shut down after office hours. The runbooks for this are readily available in the gallery. In this blog post we will focus on a graphical runbook available in the gallery that can be used to start or stop VMs at a scheduled time. ...