Azure Container Apps

Hi!

At Ignite November 2021, Microsoft released Azure Container Apps as a public preview. Azure Container Apps manages the details of Kubernetes and container orchestrations for you. Containers in Azure Container Apps can use any runtime, programming language, or development stack of your choice.

Azure Container Apps: Containers

Azure Container Apps supports:

  • Any Linux-based container image
  • Containers from any public or private container registry

Azure Container Apps enables you to run microservices and containerized applications on a serverless platform. Common uses of Azure Container Apps include:

  • Deploying API endpoints
  • Hosting background processing applications
  • Handling event-driven processing
  • Running microservices

Applications built on Azure Container Apps can dynamically scale based on the following characteristics:

  • HTTP traffic
  • Event-driven processing
  • CPU or memory load
  • Any KEDA-supported scaler

With Azure Container Apps, you can:

  • Run multiple container revisions and manage the container app’s application lifecycle.
  • Autoscale your apps based on any KEDA-supported scale trigger. Most applications can scale to zero1.
  • Enable HTTPS ingress without having to manage other Azure infrastructure.
  • Split traffic across multiple versions of an application for Blue/Green deployments and A/B testing scenarios.
  • Use internal ingress and service discovery for secure internal-only endpoints with built-in DNS-based service discovery.
  • Build microservices with Dapr and access its rich set of APIs.
  • Run containers from any registry, public or private, including Docker Hub and Azure Container Registry (ACR).
  • Use the Azure CLI extension or ARM templates to manage your applications.
  • Securely manage secrets directly in your application.
  • View application logs using Azure Log Analytics.

Deploy an Azure Container Apps:

# - Install the Azure Container Apps extensions to the CLI
az extension add \
  --source https://workerappscliextension.blob.core.windows.net/azure-cli-extension/containerapp-0.2.0-py2.py3-none-any.whl 

# - Register the Microsoft.Web namespace
az provider register --namespace Microsoft.Web

# - Setup environment variables
RESOURCE_GROUP="my-containerapps"
LOCATION="canadacentral"
LOG_ANALYTICS_WORKSPACE="containerapps-logs"
CONTAINERAPPS_ENVIRONMENT="containerapps-env"

# - Create a resource group
az group create \
  --name $RESOURCE_GROUP \
  --location "$LOCATION"

# - Create a new Log Analytics workspace
az monitor log-analytics workspace create \
  --resource-group $RESOURCE_GROUP \
  --workspace-name $LOG_ANALYTICS_WORKSPACE

# - Retrieve the Log Analytics Client ID and client secret
LOG_ANALYTICS_WORKSPACE_CLIENT_ID=`az monitor log-analytics workspace show --query customerId -g $RESOURCE_GROUP -n $LOG_ANALYTICS_WORKSPACE --out tsv`
LOG_ANALYTICS_WORKSPACE_CLIENT_SECRET=`az monitor log-analytics workspace get-shared-keys --query primarySharedKey -g $RESOURCE_GROUP -n $LOG_ANALYTICS_WORKSPACE --out tsv`

# - Create the Azure Container Apps environment
az containerapp env create \
  --name $CONTAINERAPPS_ENVIRONMENT \
  --resource-group $RESOURCE_GROUP \
  --logs-workspace-id $LOG_ANALYTICS_WORKSPACE_CLIENT_ID \
  --logs-workspace-key $LOG_ANALYTICS_WORKSPACE_CLIENT_SECRET \
  --location "$LOCATION"

# - Create a container app
az containerapp create \
  --name my-container-app \
  --resource-group $RESOURCE_GROUP \
  --environment $CONTAINERAPPS_ENVIRONMENT \
  --image mcr.microsoft.com/azuredocs/containerapps-helloworld:latest \
  --target-port 80 \
  --ingress 'external' \
  --query configuration.ingress.fqdn

Maxime.

AKS | Open Service Mesh add-on for AKS

Hi!

During Microsoft Ignite 2021, Microsoft released in general availability the open service mesh add-on for AKS.

Open Service Mesh (OSM) runs an Envoy-based control plane on Kubernetes, can be configured with SMI APIs, and works by injecting an Envoy proxy as a sidecar container next to each instance of your application. The Envoy proxy contains and executes rules around access control policies, implements routing configuration, and captures metrics. The control plane continually configures proxies to ensure policies and routing rules are up to date and ensures proxies are healthy.

OSM provides the following set of capabilities and features to provide a cloud native service mesh for your Azure Kubernetes Service (AKS) clusters:

  • OSM has been integrated into the AKS service to provide a fully supported and managed service mesh experience with the convenience of the AKS feature add-on
  • Secure service to service communication by enabling mTLS
  • Easily onboard applications onto the mesh by enabling automatic sidecar injection of Envoy proxy
  • Easily and transparent configurations for traffic shifting on deployments
  • Ability to define and execute fine grained access control policies for services
  • Observability and insights into application metrics for debugging and monitoring services
  • Integration with external certificate management services/solutions with a pluggable interface

OSM can assist your AKS deployments with the following scenarios:

  • Provide encrypted communications between service endpoints deployed in the cluster
  • Traffic authorization of both HTTP/HTTPS and TCP traffic in the mesh
  • Configuration of weighted traffic controls between two or more services for A/B or canary deployments
  • Collection and viewing of KPIs from application traffic
Deploy an AKS cluster with OSM add-on
az aks create -n <my-osm-aks-cluster-name> -g <my-osm-aks-cluster-rg> --node-osdisk-type Ephemeral --node-osdisk-size 30 --network-plugin azure --enable-managed-identity -a open-service-mesh

Enable OSM AKS add-on for an existing AKS cluster
az aks enable-addons --addons open-service-mesh -g <my-osm-aks-cluster-rg> -n <my-osm-aks-cluster-name>

Validate the AKS OSM add-on installation
az aks list -g <my-osm-aks-cluster-rg> -o json | jq -r '.[].addonProfiles.openServiceMesh.enabled'

Check OSM add-on version
kubectl get deployment -n kube-system osm-controller -o=jsonpath='{$.spec.template.spec.containers[:1].image}'

AKS OSM add-on configuration
kubectl get meshconfig osm-mesh-config -n kube-system -o yaml

Disable OSM AKS add-on for an existing AKS cluster
az aks disable-addons -n <AKS-cluster-name> -g <AKS-resource-group-name> -a open-service-mesh

Maxime.

Azure Security Center and Azure Defender become Microsoft Defender for Cloud

Hi!

During Microsoft Ignite 2021, Microsoft announced a new rebranding of Azure Security Center and Azure Defender unified as Microsoft Defender for Cloud.

Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and workload protection solution that finds weak spots across your cloud configuration, helps strengthen the overall security posture of your environment, and protects workloads across multi-cloud and hybrid environments.

Maxime.