Requesting clarification on Baseline architecture for an AKS cluster

anil kumar 1,641 Reputation points
2022-07-17T04:14:34.72+00:00

Hello,

Could you please clarify this diagram? I am new to K8s, so bear with me if I am asking something silly.

  1. Has an internal load balancer (ILB) been created for distributing the incoming traffic from a service to one of its pods?
  2. Do we need multiple ILBs in case there are multiple services in AKS configured for load balancing in AKS?
  3. If the network topology selected for AKS is CNI, does AKS still need an ILB?
  4. Would the charges be the same if you use only Application Gateway WAF or all of AG WAF, AGIC and AG?
  5. Is Traefik not an Ingress which can route internet traffic to various services in AKS using its ingress controller?
  6. Why is the WAF feature of AG needed? Does Traefik lack any security feature provided by AG WAF?
  7. It seems Traefik is the ingress, but how does it work together with Application Gateway, as both are layer 7 load balancers?
  8. Why do we need the Azure Bastion service when we don't interact directly with the Virtual Machine Scale Set (VMSS) used by AKS for hosting worker nodes and we are already using Azure Firewall, WAF and Traefik for security hardening?

[Diagram image]

Appreciate your insightful response, thank you !!

Diagram is taken from:
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks


Accepted answer
  1. shiva patpi 13,131 Reputation points Microsoft Employee
    2022-07-18T22:09:49.42+00:00

    Has internal load balancer (ILB) been created for distributing the incoming traffic from a service to one of its pods? -
    YES

    //////////////////////////////////
    Do we need multiple ILBs in case there are multiple services in AKS configured for load balancing in AKS? -
    No. One ILB is enough for multiple services. Once you create an Internal LB, a corresponding LB with the name kubernetes-internal gets created. If you want to deploy another ILB it uses the same kubernetes-internal, but the LB rules get updated with the new service.

    Example to create an Internal LB:

    apiVersion: v1
    kind: Service
    metadata:
      name: internal-app
      annotations:
        # tells the AKS cloud provider to place this Service on the internal LB (kubernetes-internal)
        service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    spec:
      type: LoadBalancer
      ports:
      - port: 80
      selector:
        app: internal-app

    ////////////////////////////////////////////

    If the network topology selected for AKS is CNI, does AKS still need an ILB?

    ILB is independent of AKS Network topology (i.e. Azure CNI vs Kubenet)

    ///////////////////////////////

    Would the charges be the same if you use only Application Gateway WAF or all of AG WAF, AGIC and AG?

    Charges are different for each one of the services; please take a look at the document https://azure.microsoft.com/en-us/pricing/details/application-gateway/
    and play around by selecting multiple options in the drop down.

    FYI - When you enable the AGIC add-on, it will create an APPGW which incurs some charges.
    //////////////////////////////////

    Is Traefik not an Ingress which can route internet traffic to various services in AKS using its ingress controller?

    Definitely you can make use of Traefik ingress controller which internally creates a service of type LoadBalancer;
    You also have an option to create an Internal LB service with the Traefik ingress controller.

    There are multiple ingress controllers like Nginx, AGIC and Traefik; depending upon your requirements you can make use of them. It all depends on the features:
    https://stackshare.io/stackups/nginx-vs-traefik

    You can take a look at the detailed documentation w.r.t AGIC: https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/

    /////////////////////////////////////////

    Why is the WAF feature of AG needed? Does Traefik lack any security feature provided by AG WAF?

    Well, AGIC WAF provides much more security! Mainly WAF2.
    AGIC can be customized up to maximum extent: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview

    /////////////////////////////////

    It seems Traefik is the ingress, but how does it work together with Application Gateway, as both are layer 7 load balancers?

    Inner details of how APPGW works and its corresponding WAF:
    https://learn.microsoft.com/en-us/azure/application-gateway/how-application-gateway-works

    ////////////////////////

    Why do we need the Azure Bastion service when we don't interact directly with the Virtual Machine Scale Set (VMSS) used by AKS for hosting worker nodes and we are already using Azure Firewall, WAF and Traefik for security hardening?

    Bastion is mainly used to RDP to the VMSS nodes securely
    https://learn.microsoft.com/en-us/azure/bastion/bastion-connect-vm-scale-set

    //////////////////////////////////

    Let us know if you have additional follow-up questions! Happy to help out.

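As an added example (not code from the answer above or from Microsoft's documentation), here is a small Python audit over `kubectl get svc -A -o json` style output that shows the point made in the answer: every Service with the internal annotation lands as another rule on the single kubernetes-internal load balancer, while any LoadBalancer Service without the annotation creates or joins the public Azure LB, which the baseline architecture (internet traffic only via Application Gateway) does not want. It assumes the public LB is named kubernetes (the answer only names kubernetes-internal) and runs on a constructed sample rather than real cluster output.

```python
import json

# Annotation from the answer above; LB resource names are an assumption about
# the AKS cloud provider ("kubernetes-internal" internal, "kubernetes" public).
INTERNAL_ANNOTATION = "service.beta.kubernetes.io/azure-load-balancer-internal"
INTERNAL_LB_NAME = "kubernetes-internal"
PUBLIC_LB_NAME = "kubernetes"


def service_lb(svc):
    """Return (azure_lb_name, [ports]) for a Service, or None if it creates no Azure LB."""
    if svc["spec"].get("type") != "LoadBalancer":
        return None  # ClusterIP/NodePort Services never touch the Azure LB
    annotations = svc["metadata"].get("annotations") or {}
    internal = annotations.get(INTERNAL_ANNOTATION, "").lower() == "true"
    ports = [p["port"] for p in svc["spec"].get("ports", [])]
    return (INTERNAL_LB_NAME if internal else PUBLIC_LB_NAME, ports)


def audit_services(service_list):
    """Group LoadBalancer Services by the Azure LB they share; flag public ones.

    Returns {"lbs": {lb_name: [(namespace/name, port), ...]}, "public": [namespace/name, ...]}.
    """
    lbs, public = {}, []
    for svc in service_list["items"]:
        result = service_lb(svc)
        if result is None:
            continue
        lb_name, ports = result
        key = f'{svc["metadata"]["namespace"]}/{svc["metadata"]["name"]}'
        # one LB rule per exposed port, all on the same shared LB resource
        lbs.setdefault(lb_name, []).extend((key, port) for port in ports)
        if lb_name == PUBLIC_LB_NAME:
            public.append(key)
    return {"lbs": lbs, "public": public}


def _svc(ns, name, svc_type, ports, internal=None):
    """Build a minimal Service object shaped like kubectl's JSON output (constructed)."""
    ann = {} if internal is None else {INTERNAL_ANNOTATION: internal}
    return {"metadata": {"namespace": ns, "name": name, "annotations": ann},
            "spec": {"type": svc_type, "ports": [{"port": p} for p in ports]}}


# Constructed sample, not captured from a real cluster.
SAMPLE = {"items": [
    _svc("default", "internal-app", "LoadBalancer", [80], "true"),
    _svc("a0008", "traefik", "LoadBalancer", [80, 443], "true"),
    _svc("default", "backend", "ClusterIP", [8080]),
    _svc("dev", "debug-ui", "LoadBalancer", [8080]),  # no annotation: public LB
]}

if __name__ == "__main__":
    print(json.dumps(audit_services(SAMPLE), indent=2))
```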

2 additional answers

  1. LAILA.TAIK 121 Reputation points
    2022-07-17T14:28:13.117+00:00

    Hello
    I hope this link will help you.

    https://aztoso.com/aks/baseline-part-1/

    I hope you could accept my answer.
    Thanks in advance


  2. Alok Kumar 0 Reputation points
    2023-05-27T01:34:27.8866667+00:00

    I am planning to use two different kinds of Ingress controller: 1. Gloo from solo.io and 2. another NGINX ingress controller. We can run these controllers on NodePort. For Layer 7 routing and WAF we will have Application Gateway.

    Question is, do we still need Internal Load balancer? Can we directly configure the application gateway to use the VMSS (of the node pool) to point to all the Node ports?
