Welcome to this lesson on configuring and securing Azure Container Registry (ACR) and Azure Kubernetes Service (AKS). In this lesson, you will learn how to effectively set up and secure your container registry and Kubernetes cluster, enabling you to deploy and manage containerized applications with confidence. By following the step-by-step tasks outlined in this lesson, you will gain practical knowledge and hands-on experience in configuring ACR and AKS to meet your organization's requirements.
The objective of this lesson is to provide you with the necessary skills and knowledge to configure and secure Azure Container Registry and Azure Kubernetes Service. By the end of this lesson, you will be able to:
- Create an Azure Container Registry (ACR) to store and manage container images.
- Build container images and push them to ACR for deployment.
- Create an Azure Kubernetes Service (AKS) cluster to orchestrate and manage containerized applications.
- Grant necessary permissions to AKS cluster for accessing ACR and its virtual network.
- Deploy external and internal services to AKS and verify their accessibility.
By achieving these objectives, you will have a solid foundation in configuring and securing ACR and AKS, enabling you to effectively leverage these services to deploy and manage your containerized applications in a secure and scalable manner.
Configuring and Securing ACR and AKS
Estimated Timing: 45 minutes
In this lesson, you will learn how to configure and secure Azure Container Registry (ACR) and Azure Kubernetes Service (AKS). Follow the step-by-step tasks below:
Sign in to the Azure portal using an account with Owner or Contributor role in the Azure subscription and Global Administrator role in the Azure AD tenant.
Open the Cloud Shell and ensure Bash is selected.
Create a new resource group for the lab:
az group create --name AZ500LAB09 --location southcentralus
Verify the resource group creation:
az group list --query "[?name=='AZ500LAB09']" -o table
Create a new Azure Container Registry (ACR) instance:
az acr create --resource-group AZ500LAB09 --name az500$RANDOM$RANDOM --sku Basic
Confirm the ACR creation:
az acr list --resource-group AZ500LAB09
Create a Dockerfile for an Nginx-based image:
echo FROM nginx > Dockerfile
Build the image and push it to ACR: Set the ACR name:
ACRNAME=$(az acr list --resource-group AZ500LAB09 --query '[].{Name:name}' --output tsv)
Build and push the image:
Note: The trailing period at the end of the command line is required. It designates the current directory as the location of Dockerfile.
az acr build --resource-group AZ500LAB09 --image sample/nginx:v1 --registry $ACRNAME --file Dockerfile .
Verify the image in ACR:
Navigate to the ACR instance in the Azure portal, go to Repositories, and check the sample/nginx:v1 image.
v1 image
Create an AKS cluster:
-
Search for Kubernetes services in the Azure portal.
-
Click + Create and select + Create a Kubernetes cluster.
-
Configure the cluster settings and deploy it.
Setting | Value |
---|---|
Subscription | the name of the Azure subscription you are using in this lab |
Resource group | AZ500LAB09 |
Kubernetes cluster name | MyKubernetesCluster |
Region | (US) South Central US |
Availability zones | None |
Scale method | Manual |
Node count | 1 |
Grant AKS cluster permissions to access ACR:
az aks update -n MyKubernetesCluster -g AZ500LAB09 --attach-acr $ACRNAME
Grant AKS cluster Contributor role to its virtual network:
Define variables:
RG_AKS=AZ500LAB09, AKS_VNET_NAME=AZ500LAB09-vnet, AKS_CLUSTER_NAME=MyKubernetesCluster
Grant Contributor role:
AKS_VNET_ID=$(az network vnet show --name $AKS_VNET_NAME --resource-group $RG_AKS --query id -o tsv) and az role assignment create --assignee $AKS_MANAGED_ID --role "Contributor" --scope $AKS_VNET_ID
Upload the manifest files for the external service. In the Bash session within the Cloud Shell pane, run the following to identify the name of the Azure Container Registry instance:
echo $ACRNAME
Note: Record the Azure Container Registry instance name. You will need it later in this task.
In the Bash session within the Cloud Shell pane, run the following to open the nginxexternal.yaml file, so you can edit its content.
code ./nginxexternal.yaml
Note: This is the external yaml file.
In the editor pane, scroll down to line 24 and replace the placeholder with the ACR name.
In the editor pane, in the upper right corner, click the ellipses icon, click Save and then click Close editor.
Replace the ACR name in the nginxexternal.yaml file. Apply the changes to the cluster:
kubectl apply -f nginxexternal.yaml
In the Bash session within the Cloud Shell pane, review the output of the command you run in the previous task to verify that the deployment and the corresponding service have been created.
deployment.apps/nginxexternal created
service/nginxexternal created
Retrieve information about the nginxexternal service:
kubectl get service nginxexternal
Access the external service using the External-IP in a web browser.
Edit the nginxinternal.yaml file to replace the ACR name. In the Bash session within the Cloud Shell pane, run the following to open the nginxintenal.yaml file, so you can edit its content.
code ./nginxinternal.yaml
Apply the changes to the cluster:
kubectl apply -f nginxinternal.yaml
Retrieve information about the nginxinternal service:
kubectl get service nginx internal
Step 1: List the pods in the default namespace on the AKS cluster
Open the Bash session within the Cloud Shell pane.
Run the following command to list the pods in the default namespace on the AKS cluster:
kubectl get pods
Locate the first entry in the NAME column of the pod listing and make note of its name. This pod will be used in the subsequent steps.
Step 2: Connect interactively to the first pod
In the same Bash session within the Cloud Shell pane, run the following command, replacing <pod_name> with the name of the pod you copied in the previous step:
kubectl exec -it <pod_name> -- /bin/bash
This command will connect you interactively to the selected pod, enabling you to run commands within its environment.
Step 3: Verify the availability of the internal service
In the Bash session within the Cloud Shell pane (connected to the pod), run the following command, replacing <internal_IP> with the IP address you recorded in the previous task:
curl http://<internal_IP>
This command will verify that the nginx web site is accessible via the private IP address of the internal service.
Step 4: Close the Cloud Shell pane
Close the Cloud Shell pane to conclude this task.
Note: You have successfully verified access to an internal AKS-hosted service within your AKS cluster. By following the steps in this lesson, you gained hands-on experience in listing pods, connecting to a specific pod, and verifying the availability of an internal service using the recorded IP address.
Clean up resources: As a best practice, it is essential to remove any unused Azure resources to avoid unexpected costs. In this lab, you created resource groups specifically for this exercise. To clean up these resources:
Open the Azure portal and click the first icon in the top right to access the Cloud Shell.
Select PowerShell from the drop-down menu in the upper-left corner of the Cloud Shell pane and confirm when prompted.
Run the following command in the PowerShell session within the Cloud Shell pane to remove the resource groups created in this lab:
Remove-AzResourceGroup -Name "AZ500LAB09" -Force -AsJob
Close the Cloud Shell pane to complete the cleanup process.
By removing the unnecessary resources, you ensure a clean and cost-effective environment for future deployments.
In this lab exercise, I configured and secured an Azure Container Registry (ACR) and an Azure Kubernetes Service (AKS) in the South Central (US) region. I completed tasks such as creating a resource group, creating an ACR instance, building a Docker image and pushing it to the ACR, creating an AKS cluster, granting AKS cluster permissions to access the ACR and manage its virtual network, deploying external and internal services to AKS, and verifying the accessibility of both services. We also cleaned up the resources afterward. Overall, the exercise involved creating and configuring ACR and AKS, deploying container images, managing permissions, and verifying service accessibility. It has been quite experience working with these technologies.