6/21/2023

Interior architect az

The AKS cluster uses a user-defined managed identity to create additional resources, like load balancers and managed disks in Azure.

The Terraform modules allow you to optionally deploy an AKS cluster that has these features:
- Container Storage Interface (CSI) drivers for Azure disks and Azure Files.
- AKS-managed Azure Active Directory integration.
- Azure RBAC for Kubernetes Authorization.
- Managed identity in place of a service principal.
- Dynamic allocation of IPs and enhanced subnet support.

The AKS cluster is composed of the following pools:
- A system node pool that hosts only critical system pods and services.
- A user node pool that hosts user workloads and artifacts.

A VM is deployed in the virtual network that's hosting the AKS cluster. When you deploy AKS as a private cluster, system administrators can use this VM to manage the cluster via the Kubernetes command-line tool. The boot diagnostics logs of the VM are stored in an Azure Storage account.

An Azure Bastion host provides improved-security SSH connectivity to the jump-box VM over SSL.

Azure Container Registry is used to build, store, and manage container images and artifacts (like Helm charts).

The architecture includes an Azure Firewall that's used to control the inbound and outbound traffic via DNAT rules, network rules, and application rules. It also helps protect workloads by using threat intelligence-based filtering. The Azure Firewall and Bastion are deployed to a hub virtual network that's peered with the virtual network that hosts the private AKS cluster. A route table and user-defined routes are used to route the outbound traffic from the private AKS cluster to the Azure Firewall.

We highly recommend that you use the Premium SKU of Azure Firewall because it provides advanced threat protection.

A Key Vault is used as a secret store by workloads that run on AKS to retrieve keys, certificates, and secrets via the Azure AD workload identity, Secrets Store CSI Driver, or Dapr. Azure Private Link enables AKS workloads to access Azure PaaS services, like Azure Key Vault, over a private endpoint in the virtual network.

The topology includes private endpoints and private DNS zones for these services:
- The API server of the Kubernetes cluster.

There's a virtual network link between the hub-and-spoke virtual networks that host the AKS cluster and the private DNS zones described earlier. A Log Analytics workspace is used to collect the diagnostics logs and metrics from Azure services.

Components

Azure Firewall is a cloud-native, intelligent network firewall security service that provides threat protection for cloud workloads that run in Azure.
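The following Terraform configuration is an added illustration of how the cluster features described above fit together; it is not the project's own Terraform modules and not code from the original page. It assumes the azurerm provider in the 3.x series and that the hub network, Azure Firewall and spoke subnets already exist. The resource group, subnet IDs, firewall private IP and Azure AD group ID are placeholders. It shows a private cluster with a user-assigned identity, AKS-managed Azure AD integration with Azure RBAC, a system pool restricted to critical add-ons beside a user pool, pod-subnet IP allocation, the Azure Disk and Azure Files CSI drivers, the Key Vault Secrets Store CSI driver, and egress forced to the hub firewall through a user-defined route.

```hcl
# Added example, not the project's modules. Assumes azurerm provider ~> 3.x.
# Every value in `locals` is a placeholder to be replaced with your own.
locals {
  location            = "westeurope"
  resource_group_name = "rg-aks-private"
  node_subnet_id      = "/subscriptions/<sub-id>/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-spoke/subnets/snet-nodes"
  pod_subnet_id       = "/subscriptions/<sub-id>/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-spoke/subnets/snet-pods"
  firewall_private_ip = "10.0.1.4"                               # private IP of the hub Azure Firewall
  admin_group_ids     = ["00000000-0000-0000-0000-000000000000"] # Azure AD group granted cluster admin
}

# User-assigned identity used by the cluster instead of a service principal.
resource "azurerm_user_assigned_identity" "aks" {
  name                = "id-aks"
  location            = local.location
  resource_group_name = local.resource_group_name
}

# Route table whose default route sends all node egress to the hub firewall.
resource "azurerm_route_table" "aks" {
  name                = "rt-aks-egress"
  location            = local.location
  resource_group_name = local.resource_group_name

  route {
    name                   = "default-to-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = local.firewall_private_ip
  }
}

resource "azurerm_subnet_route_table_association" "nodes" {
  subnet_id      = local.node_subnet_id
  route_table_id = azurerm_route_table.aks.id
}

# userDefinedRouting egress requires the cluster identity to manage the route
# table; the assignment is scoped to that single resource, nothing wider.
resource "azurerm_role_assignment" "aks_route_table" {
  scope                = azurerm_route_table.aks.id
  role_definition_name = "Network Contributor"
  principal_id         = azurerm_user_assigned_identity.aks.principal_id
}

resource "azurerm_kubernetes_cluster" "private" {
  name                      = "aks-private"
  location                  = local.location
  resource_group_name       = local.resource_group_name
  dns_prefix                = "aks-private"
  private_cluster_enabled   = true # API server reachable only through its private endpoint
  oidc_issuer_enabled       = true # both needed for Azure AD workload identity
  workload_identity_enabled = true

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.aks.id]
  }

  # System pool hosts only critical add-ons; user workloads are kept off it.
  default_node_pool {
    name                         = "system"
    vm_size                      = "Standard_D4s_v3"
    node_count                   = 3
    vnet_subnet_id               = local.node_subnet_id
    pod_subnet_id                = local.pod_subnet_id # dynamic IP allocation from a pod subnet
    only_critical_addons_enabled = true
  }

  # AKS-managed Azure AD integration with Azure RBAC for Kubernetes authorization.
  azure_active_directory_role_based_access_control {
    managed                = true
    azure_rbac_enabled     = true
    admin_group_object_ids = local.admin_group_ids
  }

  network_profile {
    network_plugin = "azure"
    outbound_type  = "userDefinedRouting" # no public egress; follow the route table
  }

  storage_profile { # CSI drivers for Azure Disks and Azure Files
    disk_driver_enabled = true
    file_driver_enabled = true
  }

  key_vault_secrets_provider { # Secrets Store CSI Driver backed by Key Vault
    secret_rotation_enabled = true
  }

  depends_on = [azurerm_role_assignment.aks_route_table]
}

# User pool for application workloads, in the same node and pod subnets.
resource "azurerm_kubernetes_cluster_node_pool" "user" {
  name                  = "user"
  kubernetes_cluster_id = azurerm_kubernetes_cluster.private.id
  mode                  = "User"
  vm_size               = "Standard_D4s_v3"
  node_count            = 3
  vnet_subnet_id        = local.node_subnet_id
  pod_subnet_id         = local.pod_subnet_id
}
```

The `depends_on` on the cluster matters: with `outbound_type = "userDefinedRouting"`, cluster creation fails if the default route to the firewall is not in place and the identity cannot read the route table, so the role assignment and route table are created first. Because the cluster is private and its nodes have no public egress path, the firewall's application and network rules must allow the cluster's required outbound endpoints before `terraform apply`, and the jump-box VM (or a self-hosted agent) reached through Bastion is where `kubectl` runs.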