min.io Azure Gateway
Overview and deployed resources
This template deploys an AKS cluster running min.io configured as an Azure storage gateway. It provisions a private S3 API inside a VNET so that solutions which depend on S3 object storage can be deployed.
The deployment provides the following:
- Storage account with Private Endpoint
- Private DNS zone to enable Private Link
- AKS cluster with cluster autoscaler enabled
- Installation of min.io Helm chart
- Internal Standard Load Balancer exposing the min.io S3 endpoint
This is an overview of the solution
The following resources are deployed as part of the solution:
Storage
- min.io Storage Account: Storage account backing the S3 endpoint presented by min.io
- Deployment Script Storage Account: Storage account used as file share for deployment script resource, including inputs and logs
Network
- Virtual Network: Virtual Network within which all resources are provisioned
- Private Endpoint: Private Endpoint to enable private access to min.io Storage Account
- Private Endpoint Network Interface: Network Interface bound to Private Endpoint
- Private DNS Zone: Private DNS zone to support private connectivity to Storage Account
Compute
- AKS Cluster: Managed Kubernetes cluster as runtime environment for min.io containers
- Azure Container Instance: Container Instance used as Deployment Script runtime for installation of min.io
Identity
- Managed Identity: Managed Identity bound to Deployment Script resource
- Role Assignment: Provides roles required for execution of Deployment Script
Prerequisites
An Azure subscription with available compute quota to deploy the AKS cluster
Deployment steps
You can click the "deploy to Azure" button at the beginning of this document or follow the instructions for command line deployment using the scripts in the root of this repo.
Usage
The deployment contains an output which provides the private IP address of the S3 endpoint. This API requires the storage account name and key for authentication.
Connect
As connectivity to the min.io service is fully private within the VNET, you must follow these steps to access the min.io web UI from your client device:
- Use the Azure CLI to obtain the storage account key
- Use the Azure CLI to authenticate with the AKS cluster
- Execute kubectl get pods and capture one of the pod names, such as minio-55c5f4ccd5-7t9t7
- Execute kubectl port-forward [pod name] 9000 to establish a tunnel to the pod
- Browse to http://localhost:9000 to access the web UI
- Use the storage account name and key to authenticate with the web UI
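The steps above as one script, added here as an example and not part of the template's own scripts. The resource group, storage account and cluster names are placeholder arguments supplied by the caller, and matching pods on the `minio-` name prefix is an assumption taken from the example pod name above.

```bash
#!/usr/bin/env bash
# Added example: scripted version of the Connect steps.
# Usage (placeholder values): ./connect-minio.sh <resource-group> <storage-account> <aks-cluster>

# Read `kubectl get pods --no-headers` output on stdin and print the first
# min.io pod that is Running with every container ready (READY column n/n).
# Assumption: min.io pod names start with "minio-", as in the example above.
pick_minio_pod() {
  awk '$1 ~ /^minio-/ && $3 == "Running" {
         split($2, r, "/")
         if (r[1] == r[2] && r[2] > 0) { print $1; found = 1; exit }
       }
       END { exit !found }'
}

connect_minio() {
  local rg=$1 account=$2 cluster=$3 key pod

  # Step 1: fetch the storage account key. It grants full access to the
  # account, so run this interactively rather than where output is logged.
  key=$(az storage account keys list --resource-group "$rg" \
        --account-name "$account" --query '[0].value' --output tsv) || return 1

  # Step 2: merge the AKS cluster credentials into the local kubeconfig.
  az aks get-credentials --resource-group "$rg" --name "$cluster" || return 1

  # Step 3: pick a pod that is actually ready instead of copying any name.
  pod=$(kubectl get pods --no-headers | pick_minio_pod) || {
    echo "no ready min.io pod found" >&2
    return 1
  }

  # Step 6 inputs: the web UI login uses the account name and key.
  printf 'Storage account name: %s\nStorage account key:  %s\n' "$account" "$key"

  # Steps 4-5: tunnel local port 9000 to the pod; blocks until interrupted.
  echo "Forwarding http://localhost:9000 -> $pod (Ctrl+C to stop)"
  kubectl port-forward "$pod" 9000
}

# Run the procedure only when all three arguments are given, so the file
# can also be sourced for its functions.
if [ "$#" -eq 3 ]; then
  connect_minio "$@"
fi
```
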
Tags: splunk, min.io, minio, smartstore, s3, Microsoft.Network/virtualNetworks, Microsoft.Storage/storageAccounts, blobServices/containers, Microsoft.Network/privateDnsZones, virtualNetworkLinks, Microsoft.Network/privateEndpoints, Microsoft.Network/privateEndpoints/privateDnsZoneGroups, Microsoft.ManagedIdentity/userAssignedIdentities, Microsoft.Authorization/roleAssignments, Microsoft.Resources/deploymentScripts, UserAssigned, Microsoft.ContainerService/managedClusters, SystemAssigned, VirtualMachineScaleSets