BoxBoat Blog


Multi-Regional Azure Kubernetes Service (AKS) at the Enterprise

by Facundo Gauna | Wednesday, Sep 16, 2020 | Azure Kubernetes Service Azure Landing Zones


Many enterprise organizations invest heavily in creating secure, scalable, and well-governed Landing Zones on Azure. In fact, Azure Landing Zones are often crucial to enabling a hybrid cloud setup between on-premises resources and Azure. They facilitate security, centralized management, and visibility across workloads in the enterprise.

What are Azure Landing Zones?

From the Microsoft documentation:

Azure landing zones are the output of a multi-subscription Azure environment that accounts for scale, security, governance, networking, and identity. Azure landing zones enable application migrations and green-field development at an enterprise scale in Azure. These zones consider all platform resources that are required to support the customer's application portfolio and don't differentiate between infrastructure as a service or platform as a service.

The Problem

Unlike other Azure services such as Cosmos DB, an Azure Kubernetes Service (AKS) cluster cannot span multiple regions. Instead, web traffic has to be routed to the applications in the regional clusters using global services such as Azure Front Door or Traffic Manager. There is even more complexity when designing AKS clusters that need connectivity to on-premises resources and vice versa.

This makes it very challenging to design secure, scalable, and well-governed AKS clusters on these Azure Landing Zones. It takes time, buy-in, and planning to design clusters at this scale. There can also be a significant lead time for application teams to leverage these AKS clusters.

In many cases, application teams across the enterprise end up deploying their own AKS clusters for their application instead of waiting for a well-designed shared solution. This is called physical isolation, and it is not recommended. Besides increasing the attack surface and the complexity of managing many different AKS clusters within an organization, it also limits one of the main benefits of Kubernetes: automated bin packing.

AKS at the Enterprise

In non-trivial scenarios, it is likely that an enterprise-grade, multi-regional AKS design will require:

  • Strong Azure foundations including proper Azure subscription design, deployment automation, and centralized identity, permissions, policies, and other governance aspects.
  • Integration with on-premises systems through one or more ExpressRoute circuits.
  • Integration with third-party firewall appliances from vendors such as Palo Alto Networks or Barracuda Networks.
  • Sufficient planning to enable several teams across multiple business units to use the same AKS clusters and leverage logical isolation.
  • GitOps deployment methodologies to synchronize configuration between regional clusters.
  • Additional planning to enable teams to use the same Azure Container Registry that is geo-replicated to several Azure regions closest to the AKS clusters.
  • A well-designed hub/spoke architecture to enable Central IT teams to centrally monitor, govern, and secure workloads across various business units and teams.
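The logical isolation mentioned above is what lets several teams share one AKS cluster instead of each standing up its own. The manifests below are an added example, not configuration from the BoxBoat post or from any BoxBoat project; they show the minimal per-team bundle a platform team would apply to every regional cluster through GitOps: a namespace, a least-privilege RoleBinding for the team's Azure AD group, a ResourceQuota so bin packing stays fair on shared nodes, and NetworkPolicies that default to deny. The team name `team-payments`, the Azure AD group object ID, and the `ingress-nginx` namespace are assumptions; the policies also assume the cluster was created with a network policy engine (Azure network policy or Calico).

```yaml
# Added example (not from the BoxBoat post): logical isolation for one
# application team on a shared, Azure AD-integrated AKS cluster.
# Placeholders: team "team-payments", Azure AD group object ID, ingress namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: team-payments
  labels:
    team: payments
    managed-by: gitops        # same manifest is synced to every regional cluster
---
# Least privilege: the team's Azure AD group gets the built-in "edit"
# ClusterRole, but only inside its own namespace (no cluster-scoped rights).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-payments-edit
  namespace: team-payments
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "00000000-0000-0000-0000-000000000000"   # placeholder: Azure AD group object ID
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
---
# Bin-packing guardrail: cap what the team can request on the shared node pool.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-payments-quota
  namespace: team-payments
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
    pods: "50"
---
# Network isolation, step 1: deny all ingress and egress in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: team-payments
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Network isolation, step 2: allow only the ingress controller and pods in the
# same namespace to reach the team's pods, and allow egress for DNS to
# CoreDNS in kube-system. Any other traffic the team needs must be added explicitly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-same-namespace-and-dns
  namespace: team-payments
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - podSelector: {}                       # pods in team-payments itself
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # assumption: ingress controller namespace
  egress:
    - to:
        - podSelector: {}                       # pods in team-payments itself
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Applying this bundle from the same Git repository to each regional cluster keeps the isolation boundary identical in every region, which is the property the GitOps and "same clusters for many teams" requirements above are after. A quick check after sync is `kubectl auth can-i create deployments -n team-payments --as-group=<group-id> --as=anyone` returning `yes`, while the same request against another namespace or at cluster scope returns `no`.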

Further Reading

If you want to learn more about Azure Landing Zones, AKS, or other Azure services, feel free to contact us.