Azure AKS Deployment Guide
Step-by-step guide to deploy a production-ready Azure Kubernetes Service (AKS) cluster
Deploying an Azure AKS Cluster
Azure Kubernetes Service (AKS) is a managed Kubernetes offering that simplifies deploying, managing, and scaling containerized applications on Microsoft Azure. AKS handles much of the complexity and operational overhead of running Kubernetes by offloading that responsibility to Azure.
This guide walks you through the process of setting up a production-ready AKS cluster using best practices.
Prerequisites
Before you begin, ensure you have the following:
- An Azure account with an active subscription
- Azure CLI installed
- kubectl installed
- (Optional) Helm for deploying applications
Setting Up Your Environment
1. Install the Azure CLI
Follow the official installation guide for your operating system.
2. Log in to Azure
az login
A browser window will open for you to authenticate with your Azure account.
3. Set Your Subscription
If you have multiple subscriptions, select the one you want to use:
# List subscriptions
az account list --output table
# Set subscription by name or ID
az account set --subscription "Your Subscription Name"
4. Create a Resource Group
az group create --name myAKSResourceGroup --location eastus
Creating an AKS Cluster
Option 1: Using Azure CLI (Recommended)
az aks create \
--resource-group myAKSResourceGroup \
--name myAKSCluster \
--node-count 3 \
--enable-addons monitoring \
--generate-ssh-keys \
--kubernetes-version 1.27.3 \
--node-vm-size Standard_DS2_v2 \
--network-plugin azure \
--zones 1 2 3 \
--enable-cluster-autoscaler \
--min-count 1 \
--max-count 5
This command creates a production-ready AKS cluster with:
- 3 nodes initially (autoscaling between 1-5 nodes)
- Azure Monitor for Containers enabled
- Spread across 3 availability zones for high availability
- Azure CNI networking plugin
Option 2: Using the Azure Portal
If you prefer a visual interface:
- Go to the Azure Portal
- Search for "Kubernetes services" and select it
- Click "Create" > "Create a Kubernetes cluster"
- Fill in the basic settings:
- Subscription and Resource Group
- Cluster name: myAKSCluster
- Region: East US (or your preferred region)
- Kubernetes version: 1.27.3 (or latest available)
- Availability zones: Enable for high availability
- Configure node pools:
- Node size: Standard_DS2_v2
- Scale method: Autoscale
- Node count range: 1-5
- Enable virtual nodes: Optional
- Configure Authentication, Networking, Integrations as needed
- Review and create
Configuring kubectl to Connect to Your AKS Cluster
Once your cluster is created, configure kubectl:
az aks get-credentials --resource-group myAKSResourceGroup --name myAKSCluster
Verify your connection:
kubectl get nodes
Setting Up Core Add-ons
1. Azure Container Registry Integration
Create an Azure Container Registry (ACR) to store your container images:
# Create ACR
az acr create --resource-group myAKSResourceGroup --name myAcrRegistry --sku Standard
# Grant AKS access to ACR
az aks update --name myAKSCluster --resource-group myAKSResourceGroup --attach-acr myAcrRegistry
2. Configure Azure Application Gateway Ingress Controller (AGIC)
Application Gateway provides advanced load balancing with WAF capabilities.
# Enable the AGIC add-on with a new Application Gateway
az aks enable-addons \
--resource-group myAKSResourceGroup \
--name myAKSCluster \
--addons ingress-appgw \
--appgw-name myApplicationGateway \
--appgw-subnet-cidr "10.2.0.0/16"
Create an ingress resource for AGIC:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
annotations:
kubernetes.io/ingress.class: azure/application-gateway
spec:
rules:
- host: example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: example-service
port:
number: 80
3. Azure Storage Classes
AKS provides several storage classes by default. Use the managed-premium class for production workloads:
kubectl get storageclass
Create a PVC using Azure managed disks:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: azure-managed-disk
spec:
accessModes:
- ReadWriteOnce
storageClassName: managed-premium
resources:
requests:
storage: 10Gi
For file storage (ReadWriteMany), use Azure Files:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: azure-file-share
spec:
accessModes:
- ReadWriteMany
storageClassName: azurefile
resources:
requests:
storage: 100Gi
Setting Up Monitoring and Logging
Azure Monitor for Containers
Azure Monitor is enabled by default if you used the --enable-addons monitoring flag during cluster creation. If not, you can enable it:
az aks enable-addons --addons monitoring --name myAKSCluster --resource-group myAKSResourceGroup
Access monitoring:
- Go to the AKS cluster in the Azure Portal
- Select "Insights" or "Logs" in the menu
- View performance metrics, container logs, and health status
Setting Up Azure Log Analytics
For more advanced logging:
# Create Log Analytics workspace
az monitor log-analytics workspace create \
--resource-group myAKSResourceGroup \
--workspace-name myAKSLogAnalytics
# Get the workspace ID
workspaceId=$(az monitor log-analytics workspace show \
--resource-group myAKSResourceGroup \
--workspace-name myAKSLogAnalytics \
--query id \
--output tsv)
# Configure AKS to use this workspace
az aks update \
--resource-group myAKSResourceGroup \
--name myAKSCluster \
--enable-addons monitoring \
--workspace-resource-id $workspaceId
Implementing Security Best Practices
Enable Azure AD Integration
Secure your cluster with Azure Active Directory authentication:
# First create an Azure AD group
az ad group create --display-name myAKSAdminGroup --mail-nickname myAKSAdminGroup
# Get the group objectId
groupObjectId=$(az ad group show --group myAKSAdminGroup --query id --output tsv)
# Enable AD integration when creating the cluster
az aks create \
--resource-group myAKSResourceGroup \
--name myAKSCluster \
--enable-aad \
--aad-admin-group-object-ids $groupObjectId \
--other-parameters as-needed
Enable Azure Policy for AKS
Azure Policy helps enforce organizational standards and compliance:
az aks enable-addons --addons azure-policy --name myAKSCluster --resource-group myAKSResourceGroup
Configure Network Security
Enable network policies to control pod-to-pod traffic:
# For new clusters
az aks create \
--resource-group myAKSResourceGroup \
--name myAKSCluster \
--network-policy azure \
--other-parameters as-needed
# For existing clusters
az aks update \
--resource-group myAKSResourceGroup \
--name myAKSCluster \
--network-policy azure
Create a simple network policy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: backend-policy
spec:
podSelector:
matchLabels:
app: backend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 8080
Enable Pod Security Policies
Use Security Context for your pods:
apiVersion: v1
kind: Pod
metadata:
name: secure-pod
spec:
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
containers:
- name: secure-container
image: nginx
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
Setting Up CI/CD with Azure DevOps
- Create an Azure DevOps project
- Add your source code repository
- Create a build pipeline (azure-pipelines.yml):
trigger:
- main
pool:
vmImage: 'ubuntu-latest'
variables:
acrName: 'myAcrRegistry'
imageName: 'myapp'
imageTag: '$(Build.BuildId)'
stages:
- stage: Build
jobs:
- job: BuildAndPush
steps:
- task: Docker@2
inputs:
containerRegistry: 'myAzureRegistry'
repository: '$(imageName)'
command: 'buildAndPush'
Dockerfile: 'Dockerfile'
tags: |
$(imageTag)
latest
- stage: Deploy
jobs:
- deployment: DeployToAKS
environment: 'production'
strategy:
runOnce:
deploy:
steps:
- task: KubernetesManifest@0
inputs:
action: 'deploy'
kubernetesServiceConnection: 'myAKSConnection'
namespace: 'default'
manifests: '$(Pipeline.Workspace)/k8s/**/*.yaml'
containers: '$(acrName).azurecr.io/$(imageName):$(imageTag)'
Scaling and Upgrading Your AKS Cluster
Manual Scaling
# Scale the node pool
az aks nodepool scale \
--resource-group myAKSResourceGroup \
--cluster-name myAKSCluster \
--name nodepool1 \
--node-count 5
Cluster Autoscaler (Already Enabled)
If you enabled the cluster autoscaler during creation, it will automatically scale based on pod scheduling demands.
Upgrading Your Cluster
Check available upgrades:
az aks get-upgrades --resource-group myAKSResourceGroup --name myAKSCluster
Upgrade the cluster:
az aks upgrade \
--resource-group myAKSResourceGroup \
--name myAKSCluster \
--kubernetes-version 1.28.0
Cleaning Up
When you're done with your cluster:
# Delete the AKS cluster
az aks delete --resource-group myAKSResourceGroup --name myAKSCluster --yes --no-wait
# Optionally delete the resource group entirely
az group delete --name myAKSResourceGroup --yes
Troubleshooting
Common Issues
- Insufficient quota: Request quota increases from Azure support
- Network connectivity issues: Check NSG rules and routing tables
- Authentication failures: Verify Azure AD configuration and permissions
Getting Logs and Diagnostics
# Check cluster events
kubectl get events --sort-by='.lastTimestamp'
# Verify node status
kubectl describe node <node-name>
# View container logs
kubectl logs <pod-name>
# Run AKS diagnostics
az aks kollect --resource-group myAKSResourceGroup --name myAKSCluster
Additional Resources
This guide provides a foundation for deploying a production-ready AKS cluster. For specific use cases or additional configuration, refer to the official Azure documentation.
KubeSchool just got started, and we're gradually adding more content.
We'd love to get requests for specific topics you'd like to see, or just general feedback.