Cloud Native development considerations on Microsoft Azure
Moving to the cloud is a hot trend, whether that means public cloud, private cloud, or Kubernetes/OpenShift-based containers. A new paradigm [1, 2] of cloud-native applications is also emerging. To take advantage of the cloud computing model, you need to know what is available for you to use. This article walks through Azure features that help with cloud-native development.
Major cloud providers now use a well-architected framework to guide application architecture, e.g. the AWS, Azure and Google Cloud WAFs. It is good for architects to speak the same language, so we will categorize features according to the well-architected framework pillars.
Chaos engineering is the discipline of experimenting on a software system in production in order to build confidence in the system's capability to withstand turbulent and unexpected conditions. The point is that an application on the cloud should expect transient failures. Therefore, your application should be treated as cattle rather than as a pet.
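Expecting transient failures in practice means telling them apart from permanent ones and backing off instead of hammering the dependency. This is an added example, not code from the original article: a retry helper with capped exponential backoff and full jitter, exercised against a constructed flaky dependency (the `TransientError`/`PermanentError` classes, `FlakyService` and `denied` are assumptions made for the demo).

```python
import random
import time
from dataclasses import dataclass

class TransientError(Exception):
    """Failure expected to clear on its own: throttling, timeouts, an evicted node."""

class PermanentError(Exception):
    """Failure that retrying cannot fix: malformed request, authorization denied."""

def call_with_retry(op, *, attempts=5, base=0.1, cap=2.0, sleep=time.sleep, rng=random.random):
    """Run op(), retrying TransientError with capped exponential backoff and full jitter.
    PermanentError is re-raised at once (retrying a 403 only adds load and noise); after
    `attempts` transient failures the last error propagates so the caller can fail over."""
    for attempt in range(1, attempts + 1):
        try:
            return op()
        except PermanentError:
            raise
        except TransientError:
            if attempt == attempts:
                raise
            # full jitter: a random fraction of the capped exponential delay
            sleep(min(cap, base * 2 ** (attempt - 1)) * rng())

@dataclass
class FlakyService:
    """Constructed stand-in for a dependency that fails transiently `fail_first` times."""
    fail_first: int
    calls: int = 0
    def fetch(self):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise TransientError("503 Service Unavailable")
        return {"status": "ok", "calls": self.calls}

def denied():
    """Constructed dependency that always answers 403: not worth retrying."""
    raise PermanentError("403 Forbidden")

def outcome(op, **kwargs):
    """Return ('ok', result) or (error class name, None) instead of raising."""
    try:
        return "ok", call_with_retry(op, **kwargs)
    except (TransientError, PermanentError) as err:
        return type(err).__name__, None

def demo(fail_first=3):
    """Calls needed to succeed against a service that fails `fail_first` times (no real sleeping)."""
    return call_with_retry(FlakyService(fail_first).fetch, sleep=lambda _: None)["calls"]
```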
Data protection at rest and transit
With zero trust, you protect your data with the greatest care, trusting no one (especially your administrator).
Protect sensitive data with Azure Key Vault, and encrypt resources at rest and in transit.
Data protection in use
Confidential Computing protects data in use by performing computation in a hardware-based Trusted Execution Environment. These secure and isolated environments prevent unauthorized access or modification of applications and data while in use, thereby increasing the security assurances for organizations that manage sensitive and regulated data.
Use Azure confidential computing to protect your sensitive data from other applications, administrators, and the cloud provider with hardware-backed trusted execution environments for containers.
It is important to protect your attack surface from every angle. In Azure, this usually means protecting the virtual network.
If you can avoid sending traffic over the Internet, the exposure risk is lower.
Access Azure PaaS services (for example, Azure Storage and SQL Database) and Azure-hosted customer-owned/partner services over a private endpoint in your virtual network.
Azure Kubernetes cluster identity access management
Use Azure AD integration to bring on-premises identities into AKS clusters, providing a single source for account management and security. Use Azure RBAC to give users (or identities) granular access to AKS resources.
Generally, you should avoid using passwords or keys for services to access resources; use some form of service identity instead.
For workloads on Kubernetes, use pod-managed identity so that the pods themselves authenticate to other services.
Azure Kubernetes cluster compliance enforcement
Use Azure Policy to enforce organizational standards and to assess compliance at scale.
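Azure Policy for Kubernetes evaluates objects at admission against assigned definitions, each with an audit or deny effect. The following is an added example, not Azure's or Gatekeeper's own code: a Python stand-in for that decision over constructed pod manifests, with three guardrails in the spirit of the built-in AKS definitions (the rule names and the `myregistry.azurecr.io` registry prefix are assumptions), plus the aggregated per-rule view used to assess compliance at scale.

```python
"""Added stand-in for the Azure Policy admission decision; the real engine evaluates Rego."""

# Assumption: the organisation's own container registry prefix
APPROVED_REGISTRIES = ("myregistry.azurecr.io/",)

def _privileged(spec):
    return any(c.get("securityContext", {}).get("privileged", False) for c in spec.get("containers", []))

def _host_network(spec):
    return bool(spec.get("hostNetwork", False))

def _unapproved_image(spec):
    return any(not c.get("image", "").startswith(APPROVED_REGISTRIES) for c in spec.get("containers", []))

# (rule, effect, predicate): "deny" rejects the object at admission, "audit" only records a finding
RULES = [
    ("no-privileged-containers", "deny", _privileged),
    ("no-host-network", "deny", _host_network),
    ("images-from-approved-registry", "audit", _unapproved_image),
]

def evaluate(pod):
    """Return (admitted, audit_findings, deny_findings) for one pod manifest (a dict)."""
    spec = pod.get("spec", {})
    audits, denies = [], []
    for rule, effect, matches in RULES:
        if matches(spec):
            (denies if effect == "deny" else audits).append(rule)
    return not denies, audits, denies

def compliance_report(pods):
    """Per-rule count of non-compliant pods: the aggregated view for assessing compliance at scale."""
    counts = {rule: 0 for rule, _, _ in RULES}
    for pod in pods:
        _, audits, denies = evaluate(pod)
        for rule in audits + denies:
            counts[rule] += 1
    return counts

# Constructed manifests for the demo
GOOD_POD = {"metadata": {"name": "api"}, "spec": {"containers": [
    {"name": "api", "image": "myregistry.azurecr.io/api:1.4"}]}}
AUDIT_POD = {"metadata": {"name": "web"}, "spec": {"containers": [
    {"name": "web", "image": "docker.io/library/nginx:1.25"}]}}
BAD_POD = {"metadata": {"name": "debug"}, "spec": {"hostNetwork": True, "containers": [
    {"name": "sh", "image": "docker.io/library/busybox:1.36",
     "securityContext": {"privileged": True}}]}}
```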
Stop and Start Azure Kubernetes service
Use the stop and start feature to optimize development/test AKS clusters.
Spot node pool for Azure Kubernetes service
Consider spot VMs for node pools in an AKS cluster to take advantage of unutilized capacity in Azure at significant cost savings.
Azure Cosmos DB serverless
Use Azure Cosmos DB serverless for scenarios where you expect intermittent and unpredictable traffic with long idle times.
Azure SQL Database serverless
Use Azure SQL Database serverless for single databases with intermittent, unpredictable usage patterns that can tolerate some delay in compute warm-up after idle periods.
Azure DevTest Labs and Azure Lab Services
In Lab Services, you can give each student a limited number of hours of VM use. A DevTest Labs lab owner can set a lab schedule to specify when lab VMs are accessible to users; the schedule can automatically shut down and start up VMs at specified times.
Azure's Well-Architected Framework | Pillar 5: Security - US Partner Community Blog - Microsoft
Kubernetes identity management via Azure RBAC and Azure AD
Use Azure AD and Kubernetes RBAC for clusters - Azure Kubernetes Service
Manage Azure RBAC in Kubernetes From Azure - Azure Kubernetes Service
Concepts - Access and identity in Azure Kubernetes Services (AKS) - Azure Kubernetes Service
Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview) - Azure…
Best practices for managing identity - Azure Kubernetes Service
Confidential computing nodes on Azure Kubernetes Service (AKS)
Confidential computing nodes (DCSv2) on Azure Kubernetes Service (AKS) is generally available |…
Use Azure Policy to secure your cluster - Azure Kubernetes Service
Learn Azure Policy for Kubernetes - Azure Policy
Built-in policy definitions for Azure Kubernetes Service - Azure Kubernetes Service