Moving to the cloud is a strong trend, whether that means public cloud, private cloud, or Kubernetes/OpenShift-based containers. A new paradigm [1, 2] of cloud-native applications is also emerging. To take advantage of the cloud computing model, you need to know what is available to you. This article discusses Azure features that help with cloud-native development.
The major cloud providers (AWS, Azure, Google Cloud) now publish a well-architected framework (WAF) for architecting applications, which gives architects a common language. We categorize the features below by well-architected framework pillar.
Reliability
Chaos engineering
Chaos engineering is the discipline of experimenting on a software system in production in order to build confidence in the system’s capability to withstand turbulent and unexpected conditions. This matters because an application on the cloud should expect transient failures. Treat your application instances as cattle rather than pets: any one of them can be lost and replaced without harm.
Consideration
Use Azure Chaos Studio to perform failure mode analysis.
Security
Data protection at rest and transit
With zero trust, you should protect your data with the greatest care, trusting no one (especially not your administrators).
Consideration
Protect sensitive data with Azure Key Vault. Encrypt resources “at rest” and “in transit”.
Data protection in use
Confidential Computing protects data in use by performing computation in a hardware-based Trusted Execution Environment. These secure and isolated environments prevent unauthorized access or modification of applications and data while in use, thereby increasing the security assurances for organizations that manage sensitive and regulated data.
Consideration
Use Azure confidential computing to protect your sensitive data from other applications, administrators, and the cloud provider with hardware-backed trusted execution environments for containers.
Network
It is important to protect your attack surface from every angle. In Azure, this usually means protecting the virtual network.
Protect all public endpoints with Azure Front Door, Application Gateway, Azure Firewall, Azure DDoS Protection.
Private access
If you can avoid sending traffic over the Internet, the exposure risk is lower.
Access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network.
Azure Kubernetes cluster identity access management
Use Azure AD integration to bring on-premises identities into AKS clusters, providing a single source for account management and security. Use Azure RBAC to give users (or identities) granular access to AKS resources.
Credential protection
Generally, you should avoid using passwords or keys for your services to access resources. Use some form of service identity instead.
For workloads on Kubernetes, use pod-managed identity to authenticate pods themselves with other services.
Azure Kubernetes cluster compliance enforcement
Use Azure Policy to enforce organizational standards and to assess compliance at-scale.
Cost optimization
Stop and Start Azure Kubernetes service
Use the stop and start feature to optimize development/test AKS clusters.
Spot node pool for Azure Kubernetes service
Consider spot VMs for nodes in an AKS cluster to take advantage of unutilized capacity in Azure at significant cost savings.
Azure Cosmos DB serverless
Use Azure Cosmos DB serverless for scenarios where you expect intermittent and unpredictable traffic with long idle times.
Azure SQL Database serverless
Use Azure SQL Database serverless for single databases with intermittent, unpredictable usage patterns that can afford some delay in compute warm-up after idle periods.
Azure DevTest Labs and Azure Lab Services
In Lab Services, you can give each student a limited number of hours for using the VMs. A DevTest Labs lab owner can set a lab schedule to specify when lab VMs are accessible to users. The schedule can automatically shut down and start up VMs at specified times.
Appendix
Kubernetes identity management via Azure RBAC and Azure AD
Confidential computing
Azure policy