
AKS Fabrikam Drone Delivery :heart: AKS Secure Baseline


Azure Kubernetes Service (AKS) Fabrikam Drone Delivery

This reference implementation shows a set of best practices for building and running a microservices architecture on Microsoft Azure. This content is built on top of the AKS Secure Baseline, which is the recommended starting (baseline) infrastructure architecture for an AKS cluster.

To quickly understand how the AKS Fabrikam Drone Delivery expands the AKS Secure Baseline, please refer to the following table:

Topic (original table columns: AKS Secure Baseline, AKS Fabrikam Drone Delivery)
- Egress restriction using Azure Firewall
- Ingress Controller
- Azure Active Directory Pod Identity
- Resource Limits
- Other Infrastructure aspects
- Zero Trust Network Policies
- Horizontal Pod Autoscaling
- Cluster Autoscaling
- Readiness/Liveness Probes
- Helm charts
- Distributed Monitoring

AKS Fabrikam Drone Delivery is not just workload focused; it also incorporates the infrastructure journey by expanding the AKS Secure Baseline. Much as organizations do when building their own solutions on the AKS Secure Baseline, this reference implementation deliberately modifies or swaps small pieces, such as using a different kind of ingress controller or deploying a different workload on top of the cluster. If you or your team are on day 0, or are looking for infrastructure-related aspects only, the recommendation is to start with the AKS Secure Baseline. If you want more comprehensive guidance for deploying a more interesting workload, this is the proper guidance to follow.

Azure Architecture Center guidance

This project has a companion set of articles that describe challenges, design patterns, and best practices for a secure AKS cluster. You can find these articles on the Azure Architecture Center:

Architecture

This architecture integrates with many Azure services to demonstrate a workload with distributed tracing, messaging, and storage. It also implements recommended native Kubernetes features such as autoscaling, probes, and network policies, and follows other standards such as Helm charts. As an expansion of the AKS Secure Baseline, this architecture should also be considered your starting point for pre-production and production stages.

An important distinction of this architecture is that it implements the Azure Application Gateway Ingress Controller instead of using Traefik as in the baseline.
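The manifests below are an added, constructed example (not from the Fabrikam Drone Delivery repository) of what that distinction looks like in practice: an Ingress that targets the Application Gateway Ingress Controller (AGIC) rather than Traefik, alongside a workload that carries the guardrails listed in the table above (resource limits, readiness/liveness probes, and a default-deny network policy that admits only Application Gateway traffic). The namespace, service name, image reference and Application Gateway subnet CIDR are placeholders, not values from the reference implementation.

```yaml
# Constructed example, not the project's own manifests.
# The kubernetes.io/ingress.class annotation with the value
# azure/application-gateway is what hands this Ingress to AGIC.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: delivery-ingress          # hypothetical name
  namespace: backend-dev          # hypothetical namespace
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
    - http:
        paths:
          - path: /api/deliveries
            pathType: Prefix
            backend:
              service:
                name: delivery
                port:
                  number: 80
---
apiVersion: v1
kind: Service
metadata:
  name: delivery
  namespace: backend-dev
spec:
  selector:
    app: delivery
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: delivery
  namespace: backend-dev
spec:
  replicas: 2
  selector:
    matchLabels:
      app: delivery
  template:
    metadata:
      labels:
        app: delivery
    spec:
      containers:
        - name: delivery
          image: REGISTRY_PLACEHOLDER/delivery:TAG_PLACEHOLDER
          ports:
            - containerPort: 8080
          # Resource limits: the scheduler can place the pod sensibly and a
          # runaway container cannot starve its neighbours on the node.
          resources:
            requests: { cpu: 100m, memory: 128Mi }
            limits:   { cpu: 500m, memory: 256Mi }
          # Probes: traffic only reaches a pod that reports ready, and a
          # wedged process is restarted instead of failing silently.
          readinessProbe:
            httpGet: { path: /healthz, port: 8080 }
            periodSeconds: 5
          livenessProbe:
            httpGet: { path: /healthz, port: 8080 }
            initialDelaySeconds: 15
            periodSeconds: 20
---
# Zero-trust network policy: deny all inbound traffic in the namespace by
# default, then allow only Application Gateway to reach the delivery pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: backend-dev
spec:
  podSelector: {}
  policyTypes: [Ingress]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-appgw-to-delivery
  namespace: backend-dev
spec:
  podSelector:
    matchLabels:
      app: delivery
  policyTypes: [Ingress]
  ingress:
    - from:
        # Application Gateway lives in its own subnet; with Azure CNI it
        # connects straight to pod IPs. The CIDR is a placeholder.
        - ipBlock:
            cidr: 10.240.5.0/24
      ports:
        - port: 8080
          protocol: TCP
```

The allow rule is keyed on the Application Gateway subnet rather than on a pod selector because, with Azure CNI, the gateway reaches backend pods directly by IP from outside the cluster. The default-deny policy is what makes the allow rule meaningful: without it, the absence of a matching policy would leave the pods reachable from any source in the cluster.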

Throughout the reference implementation, you will see references to the Fabrikam Drone Delivery Shipping App. Fabrikam, Inc. (a fictional company) is starting a drone delivery service and has made the architectural decision to implement its solution on top of the AKS Secure Baseline, since it covers all the infrastructure aspects the company is required to operate. The company manages a fleet of drone aircraft. Businesses register with the service, and users can request a drone to pick up goods for delivery. When a customer schedules a pickup, a backend system assigns a drone and notifies the user with an estimated delivery time. While the delivery is in progress, the customer can track the drone's location with a continuously updated ETA.

Core architecture components

Azure platform

In-cluster OSS components

Network diagram depicting a hub-spoke network with two peered VNets, each with three subnets and main Azure resources.

Deploy the reference implementation

Here are the required sections to follow for deploying the AKS Fabrikam Drone Delivery reference implementation.

Next Steps

This reference implementation intentionally does not cover all scenarios. If you are looking for other topics that are not addressed here, please visit AKS Secure Baseline for the complete list of covered scenarios around AKS.

Contributions

Please see our contributor guide.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

With ❤️ from Microsoft Patterns & Practices, Azure Architecture Center.