
Azure DevOps Lab

MICROSOFT AZURE

Module 9 HW

Legal Notice:
This document contains privileged and/or confidential information and may not be
disclosed, distributed or reproduced without the prior written permission of EPAM®.

CONFIDENTIAL | Effective Date: 25-Jan-19


CONTENTS
1. AGENDA ........ 3
2. TASK ........ 3
3. TASK DETAILS ........ 3
4. TASK RESULT ........ 4
5. USEFUL LINKS ........ 5



1. AGENDA
Azure Kubernetes Service (AKS) offers a managed Kubernetes cluster on Azure. For more
information, see Azure Kubernetes Service.
AKS clusters are deployed on a virtual network. This network can be managed (created by AKS) or
custom (pre-configured by the user beforehand). In either case, the cluster has outbound
dependencies on services outside of that virtual network (the service has no inbound
dependencies). For management and operational purposes, nodes in an AKS cluster need to reach
certain ports and fully qualified domain names (FQDNs) that describe these outbound dependencies.
This is required for various functions including, but not limited to, nodes communicating with the
Kubernetes API server, downloading and installing core Kubernetes cluster components and node
security updates, and pulling base system container images from Microsoft Container Registry
(MCR). These outbound dependencies are almost entirely defined by FQDNs, which don't have static
addresses behind them. Because Network Security Groups filter on IP address, port and protocol
rather than on names, they can't be used to lock down outbound traffic from an AKS cluster. For
this reason, by default, AKS clusters have unrestricted outbound (egress) Internet access. This
level of network access allows nodes and the services you run to reach external resources as
needed.
However, in a production environment, communications with a Kubernetes cluster should be
restricted to limit data exfiltration and the reach of a compromised workload. All incoming and
outgoing network traffic must be monitored and controlled based on a set of security rules. To do
this you'll have to restrict egress traffic, but a limited number of ports and addresses must
remain reachable so that cluster maintenance tasks keep working and the outbound dependencies
mentioned above are satisfied. Azure Firewall can enforce this because it filters by FQDN
(application rules, including the AzureKubernetesService FQDN tag) as well as by IP, port and
protocol (network rules), and a user-defined route sends all node egress through it.
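The egress lock-down described above, as an added Terraform example. This is not code from the lab or from Microsoft's documentation; the resource labels (`rg`, `fw`, `aks`), the naming `suffix`, the variables `project`, `environment`, `location`, `location_short` and `aks_subnet_cidr`, and the pre-existing resource group, subnets and firewall public IP it references are all assumptions. It uses a `locals` map with a `dynamic "rule"` block for the three non-HTTP dependencies, the `AzureKubernetesService` FQDN tag for everything that has no static address, a `0.0.0.0/0` route to the firewall, and `outbound_type = "userDefinedRouting"` so AKS does not build its own egress path around the firewall.

```hcl
# Added example, not the lab's own code. Assumed to exist elsewhere in the config:
# azurerm_resource_group.rg, azurerm_subnet.fw (must be named "AzureFirewallSubnet",
# /26 or larger), azurerm_subnet.aks, azurerm_public_ip.fw (Static, Standard SKU)
# and variables project, environment, location, location_short, aks_subnet_cidr.
locals {
  suffix = "${var.project}-${var.environment}-${var.location_short}"
  # Non-HTTP dependencies FQDN filtering cannot cover, one network rule per entry:
  # 123/UDP is NTP, 1194/UDP and 9000/TCP are the node-to-API-server tunnel.
  aks_network_rules = {
    ntp    = { ports = ["123"],  protocols = ["UDP"], dests = ["*"] }
    apiudp = { ports = ["1194"], protocols = ["UDP"], dests = ["AzureCloud.${var.location}"] }
    apitcp = { ports = ["9000"], protocols = ["TCP"], dests = ["AzureCloud.${var.location}"] }
  }
}

resource "azurerm_firewall" "fw" {
  name                = "afw-${local.suffix}"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku_name            = "AZFW_VNet"
  sku_tier            = "Standard"
  ip_configuration {
    name                 = "fw-ipconfig"
    subnet_id            = azurerm_subnet.fw.id
    public_ip_address_id = azurerm_public_ip.fw.id
  }
}

resource "azurerm_firewall_network_rule_collection" "aks" {
  name                = "aks-required-network"
  azure_firewall_name = azurerm_firewall.fw.name
  resource_group_name = azurerm_resource_group.rg.name
  priority            = 100
  action              = "Allow"
  dynamic "rule" {
    for_each = local.aks_network_rules
    content {
      name                  = rule.key
      source_addresses      = [var.aks_subnet_cidr]
      destination_ports     = rule.value.ports
      destination_addresses = rule.value.dests
      protocols             = rule.value.protocols
    }
  }
}

# The AzureKubernetesService FQDN tag is the Microsoft-maintained list of names
# (API server, MCR, ...) that have no static IPs behind them.
resource "azurerm_firewall_application_rule_collection" "aks" {
  name                = "aks-required-fqdn"
  azure_firewall_name = azurerm_firewall.fw.name
  resource_group_name = azurerm_resource_group.rg.name
  priority            = 100
  action              = "Allow"
  rule {
    name             = "aks-fqdn-tag"
    source_addresses = [var.aks_subnet_cidr]
    fqdn_tags        = ["AzureKubernetesService"]
  }
}

# Default route for the node subnet: all egress is handed to the firewall's private IP.
resource "azurerm_route_table" "aks" {
  name                = "rt-aks-${local.suffix}"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  route {
    name                   = "default-via-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration[0].private_ip_address
  }
}

resource "azurerm_subnet_route_table_association" "aks" {
  subnet_id      = azurerm_subnet.aks.id
  route_table_id = azurerm_route_table.aks.id
}

# outbound_type = "userDefinedRouting" stops AKS from provisioning its own public
# outbound path (load balancer / NAT), which would otherwise bypass the route above.
resource "azurerm_kubernetes_cluster" "aks" {
  name                = "aks-${local.suffix}"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "aks-${local.suffix}"
  default_node_pool {
    name           = "system"
    node_count     = 1
    vm_size        = "Standard_DS2_v2"
    vnet_subnet_id = azurerm_subnet.aks.id
  }
  identity { type = "SystemAssigned" }
  network_profile {
    network_plugin = "azure"
    outbound_type  = "userDefinedRouting"
    service_cidr   = "10.200.0.0/16"
    dns_service_ip = "10.200.0.10"
  }
  # Route must be attached before the cluster exists, or nodes cannot reach the API.
  depends_on = [azurerm_subnet_route_table_association.aks]
}
```

Two checks a practitioner will want before `terraform apply`: the cluster identity needs the Network Contributor role on the route table (and the node subnet) or AKS refuses to create a user-defined-routing cluster, which in practice means a user-assigned identity created ahead of the cluster rather than the `SystemAssigned` one shown here; and the firewall's default action is deny, so anything a workload needs beyond the rules above (a package mirror, an external API) must be added as an explicit application rule. To confirm egress really is pinned, run a pod and `curl` a destination that has no rule; the connection should be dropped and the Azure Firewall logs should show the deny.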

2. TASK

• Create an Azure Kubernetes cluster with a simple application running inside it.
• Create an Azure Firewall and route all inbound and outbound Kubernetes traffic through it.
• The final infrastructure should follow the best practices from modules 5-8.
• The infrastructure must be deployable to different environments.
• Use a Terraform lifecycle block when adding a public address (delete the old one and add a new one).
• (Additional) Run all AKS system Internet traffic through a separate NSG and load balancer solution.
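For the public-address lifecycle item and the requirement that inbound traffic also passes through the firewall, an added Terraform example (again not the lab's own code). It assumes `azurerm_resource_group.rg`, `azurerm_firewall.fw` and a `local.suffix` naming local are defined elsewhere in the configuration, and that the application is published inside the cluster as a Service of type `LoadBalancer` carrying the `service.beta.kubernetes.io/azure-load-balancer-internal: "true"` annotation, whose private frontend IP is handed in through the hypothetical variable `app_internal_lb_ip`.

```hcl
# Added example, not the lab's own code. Assumes azurerm_resource_group.rg,
# azurerm_firewall.fw and local.suffix exist elsewhere in the configuration.
variable "app_internal_lb_ip" {
  type        = string
  description = "Private frontend IP of the app's internal load balancer (assumed input)"
}

resource "azurerm_public_ip" "fw" {
  name                = "pip-afw-${local.suffix}"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  allocation_method   = "Static"   # Azure Firewall requires a Static, Standard SKU IP
  sku                 = "Standard"
  # Azure Firewall cannot run without a public IP. If a change forces replacement,
  # create the new address first, repoint the firewall, then delete the old one,
  # instead of leaving the cluster with no egress while the old IP is gone.
  lifecycle {
    create_before_destroy = true
  }
}

# Inbound path: client -> firewall public IP:80 -> internal LB -> pods.
# The app must sit behind an *internal* load balancer: with outbound_type =
# userDefinedRouting, replies from a public LB would leave through the firewall
# from a different source IP (asymmetric routing) and the TCP session breaks.
resource "azurerm_firewall_nat_rule_collection" "app" {
  name                = "app-inbound"
  azure_firewall_name = azurerm_firewall.fw.name
  resource_group_name = azurerm_resource_group.rg.name
  priority            = 100
  action              = "Dnat"
  rule {
    name                  = "http-to-app"
    source_addresses      = ["*"]
    protocols             = ["TCP"]
    destination_addresses = [azurerm_public_ip.fw.ip_address]
    destination_ports     = ["80"]
    translated_address    = var.app_internal_lb_ip
    translated_port       = 80
  }
}

output "app_public_endpoint" {
  description = "URL at which the application is reachable from the Internet"
  value       = "http://${azurerm_public_ip.fw.ip_address}"
}
```

One caveat on `create_before_destroy`: Azure will not let two public IPs with the same name coexist in one resource group, so a replacement only succeeds if the name changes with it (for example a version suffix driven by a variable); with an unchanged name the create step fails and the old address is kept, which is the safe outcome but not the intended one. A DNAT rule also opens the firewall's public IP to every source; tightening `source_addresses` to the expected client ranges is the first hardening step once the app is shown to be reachable.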

3. TASK DETAILS

• Minimum Terraform version is 1.5.0.
• All resource names should follow a common naming pattern aligned with the Azure abbreviation
examples.
• No resource names are hardcoded, so the Terraform configuration is reusable.
• The Terraform configuration has usable outputs that are used to access resources, such as the
storage account name, vault name, CDN endpoint, etc.
• All Kubernetes traffic should run through the Firewall.
• The Firewall should have at least three custom inbound and outbound rules.
• The application deployed to Kubernetes shall be accessible from the Internet.



4. TASK RESULT
• Terraform configuration for an initial deployment.
• Firewall controlling inbound and outbound Kubernetes traffic.
• AKS exposing an application to the Internet.
• The solution should be based on a module structure.
• The task must use dynamic blocks, locals, variables and outputs.
• A .zip archive with your source code, named <name-surname>-<module number>, uploaded to the
learn portal.

Example architecture of the deployment:



5. USEFUL LINKS
https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview
https://docs.microsoft.com/en-us/azure/aks/intro-kubernetes
https://kubernetes.io/docs/tasks/run-application/run-stateless-application-deployment/
https://learn.microsoft.com/en-us/azure/aks/limit-egress-traffic
Terraform import command
Terraform import block
Terraform templatefile function
