From c171f784e60df236ce9d3cc03262cc2399f75477 Mon Sep 17 00:00:00 2001
From: "OpenPublishing.Build"
Date: Mon, 9 Sep 2024 05:08:09 +0000
Subject: [PATCH 1/2] status
---
...anomaly-detection-conveyor-belt-content.md | 21 +++---
.../ai/risk-stratification-surgery-content.md | 28 ++++----
...earning-in-regulated-industries-content.md | 32 +++++-----
.../student-attrition-prediction-content.md | 4 +-
.../aks-agic/aks-agic-content.md | 64 +++++++++----------
.../aks-front-door/aks-front-door-content.md | 40 ++++++------
6 files changed, 93 insertions(+), 96 deletions(-)
diff --git a/docs/example-scenario/ai/real-time-anomaly-detection-conveyor-belt-content.md b/docs/example-scenario/ai/real-time-anomaly-detection-conveyor-belt-content.md
index 107b20b4184..dccf692a0fc 100644
--- a/docs/example-scenario/ai/real-time-anomaly-detection-conveyor-belt-content.md
+++ b/docs/example-scenario/ai/real-time-anomaly-detection-conveyor-belt-content.md
@@ -1,8 +1,8 @@
The manufacturing industry is undergoing revolutionary changes as an increasing number of firms adopt smart factory floors enabled by AI and machine learning. This article provides an overview of an architecture to enable real-time anomaly detection for conveyor belts.
-
+
## Architecture
-:::image type="content" source="media/real-time-anomaly-detection.png" alt-text="Architecture diagram that shows a solution for real-time anomaly detection." lightbox="media/real-time-anomaly-detection.png" border="false":::
+:::image type="content" source="media/real-time-anomaly-detection.png" alt-text="Architecture diagram that shows a solution for real-time anomaly detection." lightbox="media/real-time-anomaly-detection.png" border="false":::
*Download a [Visio file](https://arch-center.azureedge.net/realtime-anomaly-detection.vsdx) of this architecture.*
@@ -11,7 +11,7 @@ The manufacturing industry is undergoing revolutionary changes as an increasing
1. Data source
A sophisticated data-collection sensor is a crucial Internet of Things (IoT) component. Sensors collect analog data from the physical world and translate it into digital data assets. Sensors can measure just about any aspect of the physical world. The calibration of sensors allows them to be tailored to application-specific functions. In this dataset, sensors are calibrated to accurately measure temperature and vibrations.
-
+
On most factory floors, conveyor belts run on schedules. Anomaly detection of temperature and vibrations is needed when the conveyor belt is running. Time Series API is used to capture and relay conveyor belt status.
1. Ingest
@@ -19,17 +19,17 @@ The manufacturing industry is undergoing revolutionary changes as an increasing
We recommend [Azure IoT Hub](/azure/iot-fundamentals/iot-introduction) for streaming data from IoT sensors and connecting IoT devices. For ingesting data from Time Series API and data orchestration, we recommend [Azure Data Factory](/azure/data-factory/introduction).
1. Store
-
+
Data collected from IoT sensors (temperature and vibrations) and Time Series API (conveyor belt status) are all time series. Time series data is a collection of observations obtained through repeated measurements over time. This data is collected as flat files. Each flat file is tagged with an IoT sensor ID and the date and time of collection and stored in [Azure Data Lake](https://azure.microsoft.com/solutions/data-lake).
1. AI / machine learning - data preparation and training
*Data preparation* is the process of gathering, combining, structuring, and organizing data so it can be used to build machine learning models, business intelligence (BI), and analytics and data visualization applications.
-
+
[Azure Databricks](/azure/databricks/scenarios/what-is-azure-databricks) is used to prepare the data before the data is used to build models. Azure Databricks provides an interactive workspace that enables collaboration between data engineers, data scientists, and machine learning engineers. In analytics workflow, Azure Databricks is used to read data from [Azure Data Lake](https://azure.microsoft.com/solutions/data-lake) to perform data wrangling and data exploration.
*Model training* is the process of using a machine learning algorithm to learn patterns based on data and pick a suitable model for making predictions.
-
+
[Azure Machine learning](https://azure.microsoft.com/services/machine-learning) is used to train the model. Azure Machine Learning is a cloud service that accelerates and manages the machine learning project lifecycle. The lifecycle includes training, deploying models, and managing machine learning operations (MLOps).
1. AI / machine learning - inference
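Review bot: the unchanged context line `[Azure Machine learning](https://azure.microsoft.com/services/machine-learning) is used to train the model.` still has a lowercase `learning`, while the very next sentence writes `Azure Machine Learning` and this same patch capitalizes the product name in risk-stratification-surgery-content.md. This hunk already touches the surrounding whitespace, so fix the link text here as well rather than leaving the inconsistency for another pass.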
@@ -38,7 +38,7 @@ The manufacturing industry is undergoing revolutionary changes as an increasing
The model registry is built into [Azure Machine Learning](https://azure.microsoft.com/services/machine-learning). It's used to store and version models in Azure. The model registry makes it easy to organize and keep track of trained models.
- After a machine learning model is trained, the model needs to be deployed so that newly available data can be fed through it for inferencing. The recommended deployment target is an [Azure managed endpoint](/azure/machine-learning/concept-endpoints).
+ After a machine learning model is trained, the model needs to be deployed so that newly available data can be fed through it for inferencing. The recommended deployment target is an [Azure managed endpoint](/azure/machine-learning/concept-endpoints).
1. Analytical workload
@@ -87,13 +87,12 @@ The data necessary to predictively maintain motors attached to conveyor belts ar
**Temperature:** Sensors attached to conveyor belts and the factory floor can record the temperature of the motor and baseline the ambient temperature. Temperature is seasonally affected because of sunlight exposure, air conditioning settings, and numerous other factors. You need to address the seasonal aspect of temperature. There are many ways to do so. One method, if we take motor temperature as an example, is to subtract the baseline ambient temperature of the factory floor from the motor temperature:
-*(Adjusted Temperature = Motor Temperature - Ambient Temperature)*
+*(Adjusted Temperature = Motor Temperature - Ambient Temperature)*
This sample graph shows temperatures recorded from motors and the ambient baseline temperature:
:::image type="content" source="media/motor-ambient-baseline-temperatures.png" alt-text="Graph that shows temperatures recorded from motors and the ambient baseline temperature." lightbox="media/motor-ambient-baseline-temperatures.png" border="false":::
-
The following sample graph shows how the temperature from a conveyor belt motor is adjusted for seasonality by using the ambient temperature of the factory floor. It also shows anomalies, in red, that are detected by a model that uses the architecture suggested in this article.
:::image type="content" source="media/temperatures-adjusted-anomalies.png" alt-text="Graph that shows how temperatures are adjusted for seasonality. It also shows anomalies." lightbox="media/temperatures-adjusted-anomalies.png" border="false":::
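Review bot: this hunk deletes the blank line between the `:::image ... :::` directive for motor-ambient-baseline-temperatures.png and the paragraph beginning `The following sample graph shows ...`, while every other hunk in the patch only trims trailing whitespace (the header going from 13 to 12 lines confirms a real line removal). Confirm the rendered page still separates the image from that paragraph; if the removal was not intended, restore the empty line so this hunk matches the whitespace-only intent of the rest of the patch.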
@@ -118,7 +117,7 @@ You can apply this solution to the following scenarios:
## Considerations
These considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that you can use to improve the quality of a workload. For more information, see the [Microsoft Azure Well-Architected Framework](/azure/well-architected/).
-
+
The technologies in this architecture were chosen for scalability and availability, with the aim of managing and controlling costs.
Azure Industrial IoT can help you accelerate your path to modernize your connected factory. Also, Azure Digital Twins can help you to model the connected physical environments in a manufacturing setup. For more information, see these resources:
@@ -182,7 +181,7 @@ Principal authors:
Other contributors:
-- [Mick Alberts](https://www.linkedin.com/in/mick-alberts-a24a1414) | Technical Writer
+- [Mick Alberts](https://www.linkedin.com/in/mick-alberts-a24a1414) | Technical Writer
- [Charitha Basani](https://www.linkedin.com/in/charitha-basani-54196031) | Senior Cloud Solution Architect, US National CSA Team
*To see non-public LinkedIn profiles, sign in to LinkedIn.*
diff --git a/docs/example-scenario/ai/risk-stratification-surgery-content.md b/docs/example-scenario/ai/risk-stratification-surgery-content.md
index 7651023f1f8..0817ebad4fa 100644
--- a/docs/example-scenario/ai/risk-stratification-surgery-content.md
+++ b/docs/example-scenario/ai/risk-stratification-surgery-content.md
@@ -11,7 +11,7 @@ AI and machine learning play a pivotal role when it comes to surgical interventi
1. Data source
Patient-centric data is sourced from [Fast Healthcare Interoperability Resources (FHIR®)](https://www.hl7.org/fhir/index.html), real-time Electronic Health Records (EHR), on-premises, and third-party data sources.
-
+
> [!IMPORTANT]
> When you use patient-centric data, you need to be sure that personally identifiable data is carefully handled and is excluded from the training and test dataset.
@@ -20,32 +20,32 @@ AI and machine learning play a pivotal role when it comes to surgical interventi
- Patient demographic information
- Information about existing comorbidities and their severity
- Information about the patient's current medication plan
- - Patient pre-operative blood test information
- - Other critical health-related information
+ - Patient pre-operative blood test information
+ - Other critical health-related information
1. Data preparation
*Data preparation* is the process of gathering, combining, structuring, and organizing data so that you can use it to build machine learning models, business intelligence (BI), and analytics and data visualization applications.
- - [Azure Data Factory](/azure/data-factory/introduction) transforms, orchestrates, and loads data that's ready for further processing.
- - [Azure API for FHIR](/azure/healthcare-apis/azure-api-for-fhir/overview) enables the rapid exchange of data.
- - [Azure Synapse Analytics](/azure/synapse-analytics/index) processes data and triggers Azure Machine Learning experiments.
+ - [Azure Data Factory](/azure/data-factory/introduction) transforms, orchestrates, and loads data that's ready for further processing.
+ - [Azure API for FHIR](/azure/healthcare-apis/azure-api-for-fhir/overview) enables the rapid exchange of data.
+ - [Azure Synapse Analytics](/azure/synapse-analytics/index) processes data and triggers Azure Machine Learning experiments.
- [Azure Data Lake](https://azure.microsoft.com/solutions/data-lake) stores tabular data that describes patient-centric information in flat files.
1. AI / machine learning - training
*Model training* is the process of using a machine learning algorithm to learn patterns based on data and picking a model that's capable of predicting the surgery risk of previously unseen patients.
-
- [Azure Machine Learning](/azure/machine-learning/overview-what-is-azure-machine-learning) trains the model. Azure Machine Learning is a cloud service that accelerates and manages the machine learning project lifecycle. The lifecycle includes training models, deploying models, and managing Machine Learning Operations (MLOps).
-
+
+ [Azure Machine Learning](/azure/machine-learning/overview-what-is-azure-machine-learning) trains the model. Azure Machine Learning is a cloud service that accelerates and manages the machine learning project lifecycle. The lifecycle includes training models, deploying models, and managing Machine Learning Operations (MLOps).
+
For this use case, you need to use models that can be explained. With the help of the interactive interpretability dashboard in [Responsible AI Toolbox](https://responsibleaitoolbox.ai), stakeholders can clearly understand the factors that play a key role in determining a particular risk for all patients. Responsible AI Toolbox also provides interpretation at the patient level. This interpretation helps clinicians to customize treatments for specific treatments.
- Responsible AI Toolbox provides an interactive dashboard for detecting bias towards protected classes like gender and race in models. Because the training data is based on patients who have undergone the surgery, stakeholders need to understand any inherent biases in the data that the model has picked up. When the chosen model is biased towards protected classes, you can use Responsible AI Toolbox for model mitigation.
+ Responsible AI Toolbox provides an interactive dashboard for detecting bias toward protected classes like gender and race in models. Because the training data is based on patients who have undergone the surgery, stakeholders need to understand any inherent biases in the data that the model has picked up. When the chosen model is biased toward protected classes, you can use Responsible AI Toolbox for model mitigation.
1. AI / machine learning - inference
*Machine learning inference* is the process of feeding previously unseen data points into a machine learning model to calculate an output, like a numerical score. In this case, it's used to determine risks to patients.
-
+
The model registry is built into Azure Machine Learning. It's used to store and version models in the Azure cloud. The model registry makes it easy to organize and keep track of trained models.
A trained machine learning model needs to be deployed so that new data can be fed through it for inferencing. The recommended deployment target is an [Azure managed endpoint](/azure/machine-learning/concept-endpoints).
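Review bot: the unchanged context line `This interpretation helps clinicians to customize treatments for specific treatments.` repeats `treatments` and reads as a typo; the preceding sentence talks about `interpretation at the patient level`, so `for specific patients` is the likely intent. It sits directly above the `towards` to `toward` fix in this hunk, so correct it here.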
@@ -85,11 +85,11 @@ Advancements in data collection technologies and developments in data standards
Risk stratification can use either a binary or a multiclass classification model. In the case of binary classification, outcomes are a surgery resulting in either a successful or a risky outcome. In the multiclass classification approach, there's an opportunity to further refine outcomes as successful, moderate, or severe/death. For either approach, you need patient-centric data, including demographic information, comorbidities, current medication plan, blood test reports, and anything else that can shed light on a patient's overall health.
-Developing a transparent system that provides the ability to explain potential surgical outcomes to a patient must be the primary goal of models like this one. Transparency and interpretability help clinicians to have meaningful conversations with patients and lets them establish a treatment plan before surgery takes place.
+Developing a transparent system that provides the ability to explain potential surgical outcomes to a patient must be the primary goal of models like this one. Transparency and interpretability help clinicians to have meaningful conversations with patients and lets them establish a treatment plan before surgery takes place.
It's also important to acknowledge that patients come from diverse backgrounds. You need to create a model that's free from bias toward protected classes like gender and race. An unbiased model provides unbiased medical support for patients, irrespective of their backgrounds, to maximize their chances of a positive surgical outcome. The architecture in this article uses interpretability and bias-detection tools from the Responsible AI Toolbox.
-One of the largest healthcare organizations in the world, National Health Services in the United Kingdom, uses the Azure machine learning platform and the Responsible AI Toolbox for risk stratification models for orthopedic surgery. For more information, see [Two NHS surgeons are using Azure AI to spot patients facing increased risks during surgery](https://news.microsoft.com/en-gb/features/two-nhs-surgeons-are-using-azure-ai-to-spot-patients-facing-increased-risks-during-surgery).
+One of the largest healthcare organizations in the world, National Health Services in the United Kingdom, uses the Azure Machine Learning platform and the Responsible AI Toolbox for risk stratification models for orthopedic surgery. For more information, see [Two NHS surgeons are using Azure AI to spot patients facing increased risks during surgery](https://news.microsoft.com/en-gb/features/two-nhs-surgeons-are-using-azure-ai-to-spot-patients-facing-increased-risks-during-surgery).
Or watch this short video:
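Review bot: the change to `Azure Machine Learning platform` is the right capitalization, but the same line still names the organization `National Health Services in the United Kingdom`. The organization is the National Health Service (singular), which is what the `NHS` in the linked article title on that line abbreviates; fix the name while the line is being touched.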
@@ -151,7 +151,7 @@ Operational excellence covers the operations processes that deploy an applicatio
Follow MLOps guidelines to standardize and manage an end-to-end machine learning lifecycle that's scalable across multiple workspaces. Before going into production, ensure that the implemented solution supports ongoing inference with retraining cycles and automated redeployments of models. Here are some resources to consider:
-- [MLOps v2](/azure/machine-learning/concept-model-management-and-deployment?view=azureml-api-2)
+- [MLOps v2](/azure/machine-learning/concept-model-management-and-deployment?view=azureml-api-2)
- [Azure MLOps (v2) solution accelerator](https://github.com/Azure/mlops-v2)
Responsible AI as a part of Azure Machine Learning is based on the six pillars of AI development and use: fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability. For an overview and implementation details, see [What is responsible AI?](/azure/machine-learning/concept-responsible-ml).
diff --git a/docs/example-scenario/ai/scale-ai-and-machine-learning-in-regulated-industries-content.md b/docs/example-scenario/ai/scale-ai-and-machine-learning-in-regulated-industries-content.md
index 5e49d261367..2f52a8af1f3 100644
--- a/docs/example-scenario/ai/scale-ai-and-machine-learning-in-regulated-industries-content.md
+++ b/docs/example-scenario/ai/scale-ai-and-machine-learning-in-regulated-industries-content.md
@@ -16,10 +16,10 @@ The architecture consists of the workflow described in the following sections. E
#### Data management
-2. **Data management zone** – The data management zone is responsible for data governance across the platform and enforces guardrails to provide more flexibility downstream in the data landing zones. It has its own subscription and hosts centralized services such as data cataloging, monitoring, audits, and so on. This environment is highly controlled and subject to stringent audits. All data classification types are stored in the central data catalog (Azure Purview). Depending on metadata, different policies and access patterns are enforced. There's only one data management zone subscription for the whole tenant. The data management zone is peered (through VNET peering) with all other data landing zones. Private endpoints are used whenever possible to ensure that the deployed services aren't accessible via public internet.
+2. **Data management zone** – The data management zone is responsible for data governance across the platform and enforces guardrails to provide more flexibility downstream in the data landing zones. It has its own subscription and hosts centralized services such as data cataloging, monitoring, audits, and so on. This environment is highly controlled and subject to stringent audits. All data classification types are stored in the central data catalog (Azure Microsoft Purview). Depending on metadata, different policies and access patterns are enforced. There's only one data management zone subscription for the whole tenant. The data management zone is peered (through virtual network peering) with all other data landing zones. Private endpoints are used whenever possible to ensure that the deployed services aren't accessible via public internet.
1. **Networking resource group** – Azure Virtual Networks, network security groups, and all other networking-related resources needed for the data management zone are provisioned within the networking resource group.
-1. **Deployment resource group** – A deployment resource group hosts private Azure DevOps CI/CD agents (virtual machines) needed for the data management zone and a Key Vault for storing any deployment-related secrets.
-1. **Data governance resource group** – Azure Purview is used as a data governance and data catalog solution and is used to enforce the necessary guardrails for datasets to follow data requirements and data regulations that are imposed by law or other entities. Purview is hosted centrally within this resource group, along with a Key Vault instance for storing secrets.
+1. **Deployment resource group** – A deployment resource group hosts private Azure DevOps CI/CD agents (virtual machines) needed for the data management zone and a key vault for storing any deployment-related secrets.
+1. **Data governance resource group** – Azure Microsoft Purview is used as a data governance and data catalog solution and is used to enforce the necessary guardrails for datasets to follow data requirements and data regulations that are imposed by law or other entities. Microsoft Purview is hosted centrally within this resource group, along with a Key Vault instance for storing secrets.
1. **Centralized assets** – Centralized assets hosts important and valuable assets that are central to the platform, such as:
- Azure Container Registries that host base images used in Azure Machine Learning-based data products (images that are previously scanned and vulnerability-free)
- AI/Machine Learning models that are published and made available to consumers on the platform (so they can be deployed to one or more data landing zones if needed).
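Review bot: `Azure Microsoft Purview` on the data management zone line and on the data governance resource group line looks like a find-and-replace of `Azure Purview` that prepended the new name instead of replacing the old one; the product is `Microsoft Purview`, with no `Azure` prefix, so `(Azure Microsoft Purview)` should read `(Microsoft Purview)` and `Azure Microsoft Purview is used as a data governance ...` should read `Microsoft Purview is used as ...`. Secondary style point in the same hunk: the deployment resource group line is changed to lowercase `a key vault`, but the governance line keeps `a Key Vault instance`; pick one form and apply it to both.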
@@ -29,26 +29,26 @@ The architecture consists of the workflow described in the following sections. E
#### Data landing zones
-10. **Data landing zone 001** – A data landing zone is a subscription that represents a unit of scale within the data platform. Data landing zones are deployed based on the core data landing zone architecture (blueprint), including all key capabilities to host an analytics and AI platform. There can be one or many data landing zones within the environment. Azure Policy is applied to keep access and configurations of various Azure services secure. The data landing zone is peered (through VNET peering) with all other data landing zones and the data management zone. Private endpoints are used whenever possible to ensure that the deployed services aren't accessible via public internet.
+10. **Data landing zone 001** – A data landing zone is a subscription that represents a unit of scale within the data platform. Data landing zones are deployed based on the core data landing zone architecture (blueprint), including all key capabilities to host an analytics and AI platform. There can be one or many data landing zones within the environment. Azure Policy is applied to keep access and configurations of various Azure services secure. The data landing zone is peered (through virtual network peering) with all other data landing zones and the data management zone. Private endpoints are used whenever possible to ensure that the deployed services aren't accessible via public internet.
1. **Networking resource group** – Azure Virtual Networks, network security groups, and all other networking-related resources needed for the data landing zone are provisioned within this resource group.
-1. **Deployment resource group** – A deployment resource group hosts private Azure DevOps CI/CD agents (virtual machines) needed for the data landing zone and a Key Vault for storing any deployment-related secrets.
+1. **Deployment resource group** – A deployment resource group hosts private Azure DevOps CI/CD agents (virtual machines) needed for the data landing zone and a key vault for storing any deployment-related secrets.
1. **Data storage resource group** – A data storage resource group contains the main data storage accounts for this data landing zone, deployed as Azure Data Lake Storage Gen2, with hierarchical namespace. They're spread across three main areas:
- **Raw** – Data is ingested from the data source in its original state
- **Curated and Enriched** – Data is cleansed, validated, and aggregated
- **Workspace** – Specific data products can store their datasets or the outputs of the Machine Learning models, and so on
The arrows in the diagrams show the expected data flow, from raw data to curated and enriched (trusted) data, and over to workspace for exploration, analytics, and providing extra value out of the data product.
-1. **Data integration resource group** – The data integration resource group hosts an Azure Data Factory that shares connectivity with the on-premises self-hosted integration runtime (SHIR). Its main purpose is to establish connectivity. Other Data Factory instances reuse it so that connectivity is maintained only in one place. Its other purpose is to host the self-hosted integration runtime for the Azure Purview service so that it can access the data sources on this data landing zone, for scanning purposes.
-1. **Metadata management resource group** – The metadata management resource group hosts metadata for Azure Databricks (the Hive meta store) and Azure Data Factory ingestion and processing pipelines. It also hosts a Key Vault to store secrets for accessing this data. Azure SQL Database is used to host the metadata.
+1. **Data integration resource group** – The data integration resource group hosts an Azure data factory that shares connectivity with the on-premises self-hosted integration runtime (SHIR). Its main purpose is to establish connectivity. Other Data Factory instances reuse it so that connectivity is maintained only in one place. Its other purpose is to host the self-hosted integration runtime for the Azure Microsoft Purview service so that it can access the data sources on this data landing zone, for scanning purposes.
+1. **Metadata management resource group** – The metadata management resource group hosts metadata for Azure Databricks (the Hive meta store) and Azure Data Factory ingestion and processing pipelines. It also hosts a key vault to store secrets for accessing this data. Azure SQL Database is used to host the metadata.
1. **Data ingestion resource group** – The data ingestion resource group hosts an Azure Data Factory instance where all data ingestion pipelines specific for a data domain are deployed. Azure Databricks is used as a processing engine to load and transform the data and store it in the data lake accounts.
1. **Analytics resource group** – The analytics resource group includes two shared services for further data analytics and exploration: Azure Synapse and Azure Databricks. Both of these services provide extensive compute and scale for massive data exploration and analytics purposes.
1. **Data product resource group** – The data product resource group is a blueprint for a data product, with a resource group containing basic Azure resources that a data product might need. The deployment should be configurable through an Azure DevOps pipeline based on the specific needs of the business. The core Azure services deployed here are as follows:
- Azure Machine Learning workspace as the basis for any enterprise machine learning project with related services such as Key Vault (for storing secrets)
- Application Insights (for model monitoring)
- - Azure storage (for storing datasets)
- - An Azure Container Registry for storing model images during development
+ - Azure Storage (for storing datasets)
+ - An Azure container registry for storing model images during development
- Cognitive Services is deployed as a bundle to provide API access to multiple AI-backed services, and Azure Machine Learning compute instance and compute clusters are used for development, model building, and testing purposes. Azure Data Factory is used to orchestrate batch scoring of models, if needed. Azure App Service and Azure Cosmos DB provide an extra layer for deployment of the data product, where a custom application or API can be hosted with its own internal data store.
+ Azure AI services is deployed as a bundle to provide API access to multiple AI-backed services, and Azure Machine Learning compute instance and compute clusters are used for development, model building, and testing purposes. Azure Data Factory is used to orchestrate batch scoring of models, if needed. Azure App Service and Azure Cosmos DB provide an extra layer for deployment of the data product, where a custom application or API can be hosted with its own internal data store.
Regulated industries usually have strict data access restrictions, and usually allow production data to be hosted only within the production environment. Because of this reason, the development lifecycle of data products is occurring only in the production data landing zone, and a separate environment, or resource group, is provisioned for development, testing, and deployment purposes.
1. **Additional data products** – These resource groups host other data products, since one data landing zone can host one or many data products.
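Review bot: same naming problem as in the data management zone hunk: `the Azure Microsoft Purview service` on the data integration resource group line should be `the Microsoft Purview service`. Minor: the same hunk changes one line to `an Azure data factory` while the unchanged data ingestion line three lines later still says `an Azure Data Factory instance`; align the two so the same kind of resource is not capitalized two ways in adjacent items. The `Cognitive Services` to `Azure AI services` rename is correct.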
@@ -80,11 +80,11 @@ In distributed organizations, business groups operate independently and with hig
## Scenario details
-Scaling AI and machine learning initiatives in regulated environments poses significant challenges to organizations, no matter their digital maturity and size. In this article, we discuss key architectural decisions to consider when adopting Azure's data engineering and machine learning services in regulated industries. These decisions are based on what was learned from a recent implementation in a Fortune 500 global life sciences and healthcare company.
+Scaling AI and machine learning initiatives in regulated environments poses significant challenges to organizations, no matter their digital maturity and size. In this article, we discuss key architectural decisions to consider when adopting the Azure data engineering and machine learning services in regulated industries. These decisions are based on what was learned from a recent implementation in a Fortune 500 global life sciences and healthcare company.
The architecture presented in this article follows the enterprise-scale analytics and AI reference architecture design and was one of its first implementations.
-If you set up data science projects and develop machine learning models in life sciences and healthcare environments, then in almost all cases, you need access to high business impact (HBI) data sources. For example, these sources can be clinical trial protocol information without patient data, molecule's chemical formulae, or manufacturing process secrets.
+If you set up data science projects and develop machine learning models in life sciences and healthcare environments, then in almost all cases, you need access to high business impact (HBI) data sources. For example, these sources can be clinical trial protocol information without patient data, molecule's chemical formulas, or manufacturing process secrets.
In regulated industries, IT systems are classified based on the classification of the data sources those systems access. AI and machine learning environments running on Azure are classified as HBI, and are required to comply with an extensive set of ISRM policies and controls.
@@ -92,7 +92,7 @@ In regulated industries, IT systems are classified based on the classification o
This architecture is based on the following principles:
-- Enterprise-scale is an architectural approach and a reference implementation aligned with the Azure roadmap and part of the Microsoft Cloud Adoption Framework (CAF). It enables effective construction and operationalization of landing zones on Azure, at scale. The name *landing zone* is used as a boundary in which new or migrated applications land in Azure. In this scenario, it also refers to parts of the data platform that are used to host the data and the AI and Machine Learning models.
+- Enterprise-scale is an architectural approach and a reference implementation aligned with the Azure roadmap and part of the Microsoft Cloud Adoption Framework. It enables effective construction and operationalization of landing zones on Azure, at scale. The name *landing zone* is used as a boundary in which new or migrated applications land in Azure. In this scenario, it also refers to parts of the data platform that are used to host the data and the AI and Machine Learning models.
- Traditional monolithic data platform architectures have an inherent limitation that slows the delivery of features and values. The architecture described here lets organizations scale their data estate and address the challenges of a centralized monolithic data lake by using a decentralized approach with separation of ownership (data mesh). The approach lets organizations scale to thousands of ingest pipelines and data products, while keeping the data platform secure and maintainable by decoupling the core data platform and data management services (deployed in a separate landing zone called data management zone) from data domains and data products (deployed to one or more data landing zones).
- Subscriptions are used as units of management and scale aligned with business needs and priorities. Scaling is achieved by providing new subscriptions (data landing zones) to business units based on criteria such as different business stakeholders, different business goals and requirements, and data residency requirements (where data needs to be hosted in a specific geo-region).
- Azure Policy is used to provide guardrails and ensure continued compliance within the company's IT landscape.
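Review bot: Dropping the "(CAF)" expansion in the first bullet is only safe if "CAF" is not used as a standalone abbreviation later in the article; please confirm before merging. The same `+` line also capitalizes "AI and Machine Learning models" while the unchanged text in this file writes "AI and machine learning"; lowercase it for consistency.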
@@ -130,7 +130,7 @@ AI and data science development activities should be carried out in production e
#### Encryption
-IT systems accessing, storing, and processing sensitive business data are required to implement specific requirements on encryption keys management, like FIPS 140-2 level 2 or level 3 policies, with customer-managed keys (CMKs) integration. Protected data must always be encrypted at rest and in transit, using TLS 1.2 or higher protocols.
+IT systems accessing, storing, and processing sensitive business data are required to implement specific requirements on encryption keys management, like FIPS 140-2 Level 2 or level 3 policies, with customer-managed keys (CMKs) integration. Protected data must always be encrypted at rest and in transit, using TLS 1.2 or higher protocols.
During architecture design, a careful analysis of the support and integration of Azure services to an organization's CMK infrastructure is required. Any exceptions to data encryption must be documented. Support for hardware security module (HSM) vendors is always being expanded, and additional information can be found at [Azure Key Vault Managed Hardware Security Module](/azure/storage/common/customer-managed-keys-overview).
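Review bot: The `+` line capitalizes only one of the two FIPS levels ("FIPS 140-2 Level 2 or level 3"); use the same form for both. In the unchanged context, the link text "Azure Key Vault Managed Hardware Security Module" points to /azure/storage/common/customer-managed-keys-overview, which is the Storage customer-managed keys page rather than a Managed HSM page; either retarget the link or relabel it.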
@@ -156,7 +156,7 @@ Role-based access control uses security groups in Microsoft Entra ID.
#### Multifactor authentication
-Multifactor authentication must be in place and implemented for access to all environments running on Azure and classified as high business impact. Multifactor authentication can be enforced using Microsoft Entra multifactor authentication services. Application endpoints – including Azure DevOps, Azure Management Portal, Azure Machine Learning, Azure Databricks, and Azure Kubernetes Services – should be configured in multifactor authentication access control policies.
+Multifactor authentication must be in place and implemented for access to all environments running on Azure and classified as high business impact. Multifactor authentication can be enforced using Microsoft Entra multifactor authentication services. Application endpoints – including Azure DevOps, Azure Management Portal, Azure Machine Learning, Azure Databricks, and Azure Kubernetes Service – should be configured in multifactor authentication access control policies.
Multifactor authentication must be enforced to all users, including Azure service managers, data engineers, and data scientists.
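Review bot: In the `+` line, "Azure Management Portal" is not the product name; the portal is referred to as the Azure portal, so fix that while touching the sentence (the "Azure Kubernetes Service" correction itself is fine). The unchanged context line "Multifactor authentication must be enforced to all users" should read "enforced for all users".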
@@ -202,7 +202,7 @@ To scale AI and machine learning in regulated environments, and drive rapid adop
**Acceleration of AI development** – To accelerate AI and machine learning solution development, the following KPIs are suggested:
-- Number of different business units consuming Azure's AI and machine learning services
+- Number of different business units consuming the Azure AI and machine learning services
- Number of users onboarded, per category – for example, data engineers, data scientists, citizen data scientists, and business users
- Number of experiments ran
- Time between onboarding of users and active usage
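Review bot: The unchanged context bullet "Number of experiments ran" is ungrammatical; "Number of experiments run" is the correct form, and since this hunk already edits the KPI list it is the place to fix it. The `+` change from "Azure's AI and machine learning services" to "the Azure AI and machine learning services" reads fine.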
diff --git a/docs/example-scenario/ai/student-attrition-prediction-content.md b/docs/example-scenario/ai/student-attrition-prediction-content.md
index 519273cd7ec..0c9727412b0 100644
--- a/docs/example-scenario/ai/student-attrition-prediction-content.md
+++ b/docs/example-scenario/ai/student-attrition-prediction-content.md
@@ -61,7 +61,7 @@ The information that's critical for the student attrition model consists of fact
| Entry type | Early admission | Whether the student was admitted in advance of the usual notification date. |
| Entry type | First time in college | Whether the student is enrolled in college for the first time. |
| Entry type | Other | Other admission types, indicated as a numerical value. |
-| Entry type | Re-entry | A numerical value that represents re-entry admission. |
+| Entry type | Reentry | A numerical value that represents reentry admission. |
| Entry type | Transfer | A numerical value that represents transfer admission. |
| Academic standing | Academic probation | The period in which the student must improve academic standing, expressed as a normalized value in proportion to the enrollment period. |
| Academic standing | Academic suspension | Whether the student has been suspended, expressed as a normalized value in proportion to the enrollment period. |
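Review bot: The "Reentry" spelling in the `+` row must match the rest of the article and the feature name the data dictionary uses; if "Re-entry" appears elsewhere in this file or in the model's column names, changing only this table row introduces an inconsistency, so check the other occurrences.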
@@ -84,7 +84,7 @@ The information that's critical for the student attrition model consists of fact
- [Azure Data Lake](https://azure.microsoft.com/solutions/data-lake) offers limitless storage for data in different shapes and formats. Besides enterprise-grade security and monitoring support, Azure Data Lake integrates easily with Azure analytics tools. Built on top of [Azure Blob Storage](https://azure.microsoft.com/services/storage/blobs), Azure Data Lake can manage large amounts of unstructured data, such as archives and data lakes. The service is a good fit for high-performance computing, machine learning, and cloud-native workloads. This solution provides a local data store for the machine learning data and a premium data cache for training the machine learning model.
-- [SQL Database](https://azure.microsoft.com/products/azure-sql/database) is a fully managed database engine for modern cloud applications. This database service offers built-in intelligent optimization, global scalability and availability, advanced security options, and dynamic scalability with no downtime. SQL Database can automatically process relational data and non-relational structures such as graphs and JSON, spatial, and XML data. For this service's availability guarantee, see [service-level agreement (SLA) for Azure SQL Database](https://azure.microsoft.com/support/legal/sla/azure-sql-database/v1_8).
+- [SQL Database](https://azure.microsoft.com/products/azure-sql/database) is a fully managed database engine for modern cloud applications. This database service offers built-in intelligent optimization, global scalability and availability, advanced security options, and dynamic scalability with no downtime. SQL Database can automatically process relational data and non-relational structures such as graphs and JSON, spatial, and XML data. For this service's availability guarantee, see [Service-level agreement (SLA) for Azure SQL Database](https://azure.microsoft.com/support/legal/sla/azure-sql-database/v1_8).
- [Data Factory](https://azure.microsoft.com/services/data-factory) is an orchestration and cloud extract, transform, load (ETL) tool. Besides offering over 90 built-in connectors across various data sources, Data Factory provides copy and transformation functionality in a no-code environment. You can use its diagram view to monitor and manage data integration processes.
diff --git a/docs/example-scenario/aks-agic/aks-agic-content.md b/docs/example-scenario/aks-agic/aks-agic-content.md
index d60118dc3bf..2498dadecb7 100644
--- a/docs/example-scenario/aks-agic/aks-agic-content.md
+++ b/docs/example-scenario/aks-agic/aks-agic-content.md
@@ -1,4 +1,4 @@
-In this solution, [Azure Web Application Firewall (WAF)](/azure/web-application-firewall/ag/ag-overview) provides centralized protection for web applications deployed on a multi-tenant Azure Kubernetes Service (AKS) cluster from common exploits and vulnerabilities. Web applications running on [Azure Kubernetes Service (AKS) cluster](/azure/aks/intro-kubernetes) and exposed via the [Application Gateway Ingress Controller (AGIC)](/azure/application-gateway/ingress-controller-overview) can be protected from malicious attacks, such as SQL injection and cross-site scripting, by using a [WAF Policy](/azure/web-application-firewall/ag/create-waf-policy-ag) on Azure Application Gateway. WAF Policy on Azure Application Gateway comes pre-configured with Open Worldwide Application Security Project (OWASP) core rule sets and can be changed to other supported OWASP Core Rule Set (CRS) versions.
+In this solution, [Azure Web Application Firewall (WAF)](/azure/web-application-firewall/ag/ag-overview) provides centralized protection for web applications deployed on a multi-tenant Azure Kubernetes Service (AKS) cluster from common exploits and vulnerabilities. Web applications running on [Azure Kubernetes Service (AKS) cluster](/azure/aks/intro-kubernetes) and exposed via the [Application Gateway Ingress Controller (AGIC)](/azure/application-gateway/ingress-controller-overview) can be protected from malicious attacks, such as SQL injection and cross-site scripting, by using a [WAF Policy](/azure/web-application-firewall/ag/create-waf-policy-ag) on Azure Application Gateway. WAF Azure Policy on Azure Application Gateway comes pre-configured with Open Worldwide Application Security Project (OWASP) core rule sets and can be changed to other supported OWASP Core Rule Set (CRS) versions.
## Architecture
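Review bot: The `+` line changes "WAF Policy on Azure Application Gateway" to "WAF Azure Policy on Azure Application Gateway", which conflates two different things: a Web Application Firewall policy (the rule-set resource attached to Application Gateway, linked earlier in the same sentence as "WAF Policy") and Azure Policy (the governance service). Revert to "WAF policy" (or "Web Application Firewall policy"); the OWASP CRS rule sets belong to the WAF policy, not to Azure Policy.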
@@ -34,27 +34,27 @@ The AKS cluster is composed of the following:
A virtual machine (VM) is deployed in the same virtual network that is hosting the AKS cluster. When you deploy Azure Kubernetes Service as a private cluster, this VM can be used by system administrators to manage the cluster via the [Kubernetes command-line tool](https://kubernetes.io/docs/tasks/tools/). The boot diagnostics logs of the virtual machine are stored in an Azure Storage account.
-An Azure Bastion host provides secure and seamless SSH connectivity to the jump-box VM, directly in the Azure portal over SSL. Azure Container Registry (ACR) is used to build, store, and manage container images and artifacts (such as Helm charts).
+An Azure Bastion host provides secure and seamless SSH connectivity to the jump-box VM, directly in the Azure portal over SSL. Azure Container Registry is used to build, store, and manage container images and artifacts (such as Helm charts).
-The architecture includes an Application Gateway that is used by the ingress controller. The Application Gateway is deployed to a dedicated subnet and exposed to the public internet via a public IP address that is shared by all the tenant workloads. A Web Access Firewall (WAF) Policy is associated to the Application Gateway at the root level and at the HTTP listener level, to protect tenant workloads from malicious attacks. The policy is configured in Prevention mode and uses [OWASP 3.1](https://owasp.org/www-project-application-security-verification-standard) to block intrusions and attacks that are detected by rules. The attacker receives a "403 unauthorized access" exception, and the connection is closed. Prevention mode records these attacks in the WAF logs.
+The architecture includes an application gateway that is used by the ingress controller. The application gateway is deployed to a dedicated subnet and exposed to the public internet via a public IP address that is shared by all the tenant workloads. A Web Access Firewall (WAF) Azure Policy is associated to the application gateway at the root level and at the HTTP listener level, to protect tenant workloads from malicious attacks. The policy is configured in Prevention mode and uses [OWASP 3.1](https://owasp.org/www-project-application-security-verification-standard) to block intrusions and attacks that are detected by rules. The attacker receives a "403 unauthorized access" exception, and the connection is closed. Prevention mode records these attacks in the WAF logs.
-A Key Vault is used as a secret store by workloads that run on Azure Kubernetes Service (AKS) to retrieve keys, certificates, and secrets via a client library, [Secrets Store CSI Driver](/azure/aks/csi-secrets-store-driver), or [Dapr](https://docs.dapr.io/developing-applications/building-blocks/secrets/secrets-overview). [Azure Private Link](/azure/private-link/private-link-overview) enables AKS workloads to access Azure platform as a service (PaaS) Services, such as Key Vault, over a private endpoint in the virtual network.
+A key vault is used as a secret store by workloads that run on Azure Kubernetes Service (AKS) to retrieve keys, certificates, and secrets via a client library, [Secrets Store CSI Driver](/azure/aks/csi-secrets-store-driver), or [Dapr](https://docs.dapr.io/developing-applications/building-blocks/secrets/secrets-overview). [Azure Private Link](/azure/private-link/private-link-overview) enables AKS workloads to access Azure platform as a service (PaaS) Services, such as Key Vault, over a private endpoint in the virtual network.
The sample topology includes the following private endpoints:
- A private endpoint to the Blob Storage account
-- A private endpoint to Azure Container Registry (ACR)
+- A private endpoint to Azure Container Registry
- A private endpoint to Key Vault
- If you opt for a private AKS cluster, a private endpoint to the API server of the Kubernetes cluster
The architecture also includes the following Private DNS Zones for the name resolution of the fully qualified domain name (FQDN) of a PaaS service to the private IP address of the associated private endpoint:
- A Private DNS Zone for the name resolution of the private endpoint to the Azure Blob Storage account
-- A Private DNS Zone for the name resolution of the private endpoint to Azure Container Registry (ACR)
+- A Private DNS Zone for the name resolution of the private endpoint to Azure Container Registry
- A Private DNS Zone for the name resolution of the private endpoint to Azure Key Vault
- If you deploy the cluster as private, a Private DNS Zone for the name resolution of the private endpoint to the Kubernetes Server API
-A Virtual Network Link exists between the virtual network hosting the AKS cluster and the above Private DNS Zones. A Log Analytics workspace is used to collect the diagnostics logs and metrics from the following sources:
+A virtual network Link exists between the virtual network hosting the AKS cluster and the above Private DNS Zones. A Log Analytics workspace is used to collect the diagnostics logs and metrics from the following sources:
- Azure Kubernetes Service cluster
- Jump-box virtual machine
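Review bot: The `+` paragraph starting "The architecture includes an application gateway" now reads "A Web Access Firewall (WAF) Azure Policy is associated to the application gateway", which has two problems: WAF stands for Web Application Firewall, not Web Access Firewall (the `-` line had the same mislabel, so this is an existing error worth fixing here), and a WAF policy is not an Azure Policy. Suggest "A Web Application Firewall (WAF) policy is associated with the application gateway". In the same paragraph, "403 unauthorized access" is imprecise: HTTP 403 is Forbidden (401 is Unauthorized), and the "OWASP 3.1" link targets the OWASP ASVS project page whereas the WAF rule set is the OWASP Core Rule Set. Finally, "A virtual network Link" in the `+` line mixes cases; use either "A virtual network link" or the proper name "Virtual Network Link".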
@@ -70,7 +70,7 @@ A Virtual Network Link exists between the virtual network hosting the AKS cluste
- [Azure Key Vault](/azure/key-vault/general/overview/) securely stores and controls access to secrets like API keys, passwords, certificates, and cryptographic keys. Azure Key Vault also lets you easily provision, manage, and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates, for use with Azure and your internal connected resources.
-- [Azure Application Gateway](/azure/application-gateway/overview) Azure Application Gateway is a web traffic load balancer that enables you to manage the inbound traffic to multiple downstream web applications and REST APIs. Traditional load balancers operate at the transport layer (Open Systems Interconnection (OSI) layer 4 - TCP and UDP), and they route traffic based on source IP address and port, to a destination IP address and port. The Application Gateway instead is an application layer (OSI layer 7) load balancer. (*OSI* stands for Open Systems Interconnection, *TCP* stands for Transmission Control Protocol, and *UDP* stands for User Datagram Protocol.)
+- [Azure Application Gateway](/azure/application-gateway/overview) Azure Application Gateway is a web traffic load balancer that enables you to manage the inbound traffic to multiple downstream web applications and REST APIs. Traditional load balancers operate at the transport layer (Open Systems Interconnection (OSI) layer 4 - TCP and UDP), and they route traffic based on source IP address and port, to a destination IP address and port. The application gateway instead is an application layer (OSI layer 7) load balancer. (*OSI* stands for Open Systems Interconnection, *TCP* stands for Transmission Control Protocol, and *UDP* stands for User Datagram Protocol.)
- [Web Application Firewall](/azure/application-gateway/waf-overview) or WAF is a service that provides centralized protection of web applications from common exploits and vulnerabilities. WAF is based on rules from the [OWASP (Open Worldwide Application Security Project) core rule sets](https://owasp.org/www-project-modsecurity-core-rule-set). Azure WAF allows you to create custom rules that are evaluated for each request that passes through a policy. These rules hold a higher priority than the rest of the rules in the managed rule sets. The custom rules contain a rule name, rule priority, and an array of matching conditions. If these conditions are met, an action is taken (to allow or block).
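Review bot: The `+` bullet still repeats the product name immediately after the link, "[Azure Application Gateway](...) Azure Application Gateway is a web traffic load balancer"; drop the second occurrence or put "is" directly after the link. The same bullet expands OSI inline ("Open Systems Interconnection (OSI) layer 4") and then again in the closing parenthetical sentence; one expansion is enough.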
@@ -78,11 +78,11 @@ A Virtual Network Link exists between the virtual network hosting the AKS cluste
- [Azure Virtual Machines](https://azure.microsoft.com/services/virtual-machines) provides on-demand, scalable computing resources that give you the flexibility of virtualization, without having to buy and maintain the physical hardware.
-- [Azure Virtual Network](/azure/virtual-network/virtual-networks-overview) is the fundamental building block for Azure private networks. With Virtual Network, Azure resources (like VMs) can securely communicate with each other, the internet, and on-premises networks. An Azure Virtual Network is similar to a traditional network that's on premises, but it includes Azure infrastructure benefits, such as scalability, availability, and isolation.
+- [Azure Virtual Network](/azure/virtual-network/virtual-networks-overview) is the fundamental building block for Azure private networks. With Virtual Network, Azure resources (like VMs) can securely communicate with each other, the internet, and on-premises networks. An Azure virtual network is similar to a traditional network that's on-premises, but it includes Azure infrastructure benefits, such as scalability, availability, and isolation.
-- [Virtual Network Interfaces](/azure/virtual-network/virtual-network-network-interface) let Azure virtual machines communicate with the internet, Azure, and on-premises resources. You can add several network interface cards to one Azure VM, so that child VMs can have their own dedicated network interface devices and IP addresses.
+- [Virtual Network Interfaces](/azure/virtual-network/virtual-network-network-interface) let Azure Virtual Machines communicate with the internet, Azure, and on-premises resources. You can add several network interface cards to one Azure VM, so that child VMs can have their own dedicated network interface devices and IP addresses.
-- [Azure Managed Disks](/azure/virtual-machines/windows/managed-disks-overview) provides block-level storage volumes that Azure manages on Azure VMs. The available types of disks are Ultra disks, Premium solid-state drives (SSDs), Standard SSDs, and Standard hard disk drives (HDDs).
+- [Azure Managed Disks](/azure/virtual-machines/windows/managed-disks-overview) provides block-level storage volumes that Azure manages on Azure VMs. The available types of disks are Ultra Disk Storage, Premium solid-state drives (SSDs), Standard SSDs, and Standard hard disk drives (HDDs).
- [Azure Blob Storage](/azure/storage/blobs/storage-blobs-introduction) is Microsoft's object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that doesn't adhere to a particular data model or definition, such as text or binary data.
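Review bot: The `+` line "let Azure Virtual Machines communicate with the internet" capitalizes the service name where the sentence means VM instances (the rest of the bullet says "one Azure VM" and "child VMs"); keep "Azure virtual machines" lowercase here. In the Managed Disks bullet, "Ultra Disk Storage" is a product name while the other three items are generic disk types; use one convention for the list.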
@@ -90,7 +90,7 @@ A Virtual Network Link exists between the virtual network hosting the AKS cluste
### Alternatives
-In this architecture, the [Application Gateway Ingress Controller (AGIC)](https://azure.github.io/application-gateway-kubernetes-ingress) was installed using the [AGIC add-on for Azure Kubernetes Service (AKS)](/azure/application-gateway/tutorial-ingress-controller-add-on-new). You can also [install the Application Gateway Ingress Controller via a Helm chart](/azure/application-gateway/ingress-controller-install-existing#install-ingress-controller-as-a-helm-chart). For a new setup, by using one line in Azure CLI, you can deploy a new Application Gateway and a new AKS cluster (with AGIC enabled as an add-on). The add-on is also a fully managed service, which provides added benefits, such as automatic updates and increased support. Both ways of deploying AGIC (Helm and the AKS add-on) are fully supported by Microsoft. Additionally, the add-on allows for better integration with AKS, as a first class add-on.
+In this architecture, the [Application Gateway Ingress Controller (AGIC)](https://azure.github.io/application-gateway-kubernetes-ingress) was installed using the [AGIC add-on for Azure Kubernetes Service (AKS)](/azure/application-gateway/tutorial-ingress-controller-add-on-new). You can also [install the Application Gateway Ingress Controller via a Helm chart](/azure/application-gateway/ingress-controller-install-existing#install-ingress-controller-as-a-helm-chart). For a new setup, by using one line in the Azure CLI, you can deploy a new application gateway and a new AKS cluster (with AGIC enabled as an add-on). The add-on is also a fully managed service, which provides added benefits, such as automatic updates and increased support. Both ways of deploying AGIC (Helm and the AKS add-on) are fully supported by Microsoft. Additionally, the add-on allows for better integration with AKS, as a first class add-on.
The Application Gateway Ingress Controller (AGIC) add-on is still deployed as a pod in your AKS cluster. However, there are a few differences between the Helm deployment version and the add-on version of AGIC. The following list includes the differences between the two versions:
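Review bot: "first class add-on" at the end of the `+` paragraph is a compound modifier and should be hyphenated: "first-class add-on".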
@@ -99,11 +99,11 @@ The Application Gateway Ingress Controller (AGIC) add-on is still deployed as a
- `usePrivateIp` will be set to be `false` by default; this can be overwritten by the `use-private-ip` annotation
- `shared` is not supported by the add-on
-- AGIC deployed via Helm supports `ProhibitedTargets`, which means AGIC can configure the Application Gateway specifically for AKS clusters, without affecting other existing backends.
+- AGIC deployed via Helm supports `ProhibitedTargets`, which means AGIC can configure the application gateway specifically for AKS clusters, without affecting other existing backends.
- Since the AGIC add-on is a managed service, it is automatically updated to the latest version of the AGIC add-on, unlike AGIC deployed through Helm (where you must manually update AGIC).
-- You can only deploy one AGIC add-on per AKS cluster, and each AGIC add-on currently can only target one Application Gateway instance. For deployments that require more than one AGIC per cluster, or multiple AGICs targeting one Application Gateway, you can continue to use AGIC deployed via Helm.
+- You can only deploy one AGIC add-on per AKS cluster, and each AGIC add-on currently can only target one Application Gateway instance. For deployments that require more than one AGIC per cluster, or multiple AGICs targeting one application gateway, you can continue to use AGIC deployed via Helm.
-A single instance of the Azure Application Gateway Kubernetes Ingress Controller (AGIC) can ingest events from multiple Kubernetes namespaces. Should the AKS administrator decide to use the Application Gateway as an ingress, all namespaces will use the same instance of Application Gateway. A single installation of Ingress Controller will monitor accessible namespaces and will configure the Application Gateway that it is associated with. For more information, see [Enable multiple Namespace support in an AKS cluster with Application Gateway Ingress Controller](/azure/application-gateway/ingress-controller-multiple-namespace-support).
+A single instance of the Azure Application Gateway Kubernetes Ingress Controller (AGIC) can ingest events from multiple Kubernetes namespaces. Should the AKS administrator decide to use the application gateway as an ingress, all namespaces will use the same instance of Application Gateway. A single installation of Ingress Controller will monitor accessible namespaces and will configure the application gateway that it is associated with. For more information, see [Enable multiple Namespace support in an AKS cluster with Application Gateway Ingress Controller](/azure/application-gateway/ingress-controller-multiple-namespace-support).
To enable multi-namespace support, do the following:
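Review bot: The `+` lines in this hunk are internally inconsistent about the service name: the namespace paragraph lowercases "use the application gateway as an ingress" but keeps "the same instance of Application Gateway" in the same sentence, and the bullet above lowercases "one application gateway" while keeping "one Application Gateway instance". Lowercase is fine when referring to a deployed instance, but apply it to all three occurrences.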
@@ -118,15 +118,15 @@ To enable multi-namespace support, do the following:
Once deployed with the ability to observe multiple namespaces, AGIC will do the following:
- List ingress resources from all the accessible namespaces
-- Filter to ingress resources that are annotated with kubernetes.io/ingress.class: azure/application-gateway
+- Filter to ingress resources that are annotated with kubernetes.io/ingress.class: Azure/application-gateway
- Compose combined [Application Gateway config](https://github.com/Azure/azure-sdk-for-go/blob/37f3f4162dfce955ef5225ead57216cf8c1b2c70/services/network/mgmt/2016-06-01/network/models.go#L1710-L1744)
-- Apply the config to the associated Application Gateway via [ARM](/azure/azure-resource-manager/management/overview)
+- Apply the config to the associated application gateway via [ARM](/azure/azure-resource-manager/management/overview)
## Scenario details
A multitenant Kubernetes cluster is shared by multiple users and workloads that are commonly referred to as "tenants". This definition includes Kubernetes clusters that are shared by different teams or divisions within an organization. It also includes clusters that are shared by per-customer instances of a software-as-a-service (SaaS) application. Cluster multitenancy is an alternative to managing many single-tenant dedicated clusters. The operators of a multitenant Kubernetes cluster must isolate tenants from each other. This isolation minimizes the damage that a compromised or malicious tenant can do to the cluster and to other tenants. When several users or teams share the same cluster with a fixed number of nodes, there is a concern that one team could use more than its fair share of resources. [Resource Quotas](https://kubernetes.io/docs/concepts/policy/resource-quotas) is a tool for administrators to address this concern.
-When you plan to build a multitenant Azure Kubernetes Service (AKS) cluster, you should consider the layers of resource isolation that are provided by Kubernetes: cluster, namespace, node, pod, and container. You should also consider the security implications of sharing different types of resources among multiple tenants. For example, scheduling pods from different tenants on the same node could reduce the number of machines needed in the cluster. On the other hand, you might need to prevent certain workloads from being colocated. For example, you might not allow untrusted code from outside of your organization to run on the same node as containers that process sensitive information. [Azure Policy](/azure/aks/policy-reference) can be used to limit the deployment to AKS from only trusted registries.
+When you plan to build a multitenant Azure Kubernetes Service (AKS) cluster, you should consider the layers of resource isolation that are provided by Kubernetes: cluster, namespace, node, pod, and container. You should also consider the security implications of sharing different types of resources among multiple tenants. For example, scheduling pods from different tenants on the same node could reduce the number of machines needed in the cluster. On the other hand, you might need to prevent certain workloads from being colocated. For example, you might not allow untrusted code from outside of your organization to run on the same node as containers that process sensitive information. [Azure Policy](/azure/aks/policy-reference) can be used to limit the deployment to AKS from only trusted registries.
Although Kubernetes cannot guarantee perfectly secure isolation between tenants, it does offer features that may be sufficient for specific use cases. As a best practice, you should separate each tenant and its Kubernetes resources into their own namespaces. You can then use [Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac) and [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to enforce tenant isolation. (*RBAC* stands for role-based access control.) For example, the following picture shows the typical SaaS Provider Model that hosts multiple instances of the same application on the same cluster, one for each tenant. Each application lives in a separate namespace. When tenants need a higher level of physical isolation and guaranteed performance, their workloads can be deployed to a dedicated set of nodes, dedicated pool, or even a dedicated cluster.
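Review bot: The `+` line changes the annotation value to "kubernetes.io/ingress.class: Azure/application-gateway", which breaks the example: the value AGIC matches is the literal, case-sensitive string `azure/application-gateway`, so capitalizing "Azure" documents an annotation the controller will not recognize. Revert the value and wrap the annotation in backticks (`kubernetes.io/ingress.class: azure/application-gateway`) so future style passes do not treat it as prose.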
@@ -134,9 +134,9 @@ Although Kubernetes cannot guarantee perfectly secure isolation between tenants,
*Download a [Visio file](https://arch-center.azureedge.net/aks-agic.vsdx) of this architecture.*
-The [Application Gateway Ingress Controller (AGIC)](/azure/application-gateway/ingress-controller-overview) is a Kubernetes application, which makes it possible for [Azure Kubernetes Service (AKS)](/azure/aks/intro-kubernetes) customers to use an [Azure Application Gateway](/azure/application-gateway/overview) to expose their containerized applications to the Internet. AGIC monitors the Kubernetes cluster that it is hosted on and continuously updates an Application Gateway, so that the selected services are exposed to the Internet. The Ingress Controller runs in its own pod on the customer's AKS instance. AGIC monitors a subset of Kubernetes Resources for changes. The state of the AKS cluster is translated to Application Gateway-specific configuration and applied to the [Azure Resource Manager](/azure/azure-resource-manager/management/overview). This architecture sample shows proven practices to deploy a public or private [Azure Kubernetes Service (AKS) cluster](/azure/aks/intro-kubernetes), with an [Azure Application Gateway](/azure/application-gateway/overview) and an [Application Gateway Ingress Controller](/azure/application-gateway/ingress-controller-overview) add-on.
+The [Application Gateway Ingress Controller (AGIC)](/azure/application-gateway/ingress-controller-overview) is a Kubernetes application, which makes it possible for [Azure Kubernetes Service (AKS)](/azure/aks/intro-kubernetes) customers to use an [Azure Application Gateway](/azure/application-gateway/overview) to expose their containerized applications to the Internet. AGIC monitors the Kubernetes cluster that it is hosted on and continuously updates an application gateway, so that the selected services are exposed to the Internet. The Ingress Controller runs in its own pod on the customer's AKS instance. AGIC monitors a subset of Kubernetes Resources for changes. The state of the AKS cluster is translated to Application Gateway-specific configuration and applied to the [Azure Resource Manager](/azure/azure-resource-manager/management/overview). This architecture sample shows proven practices to deploy a public or private [Azure Kubernetes Service (AKS) cluster](/azure/aks/intro-kubernetes), with an [Azure Application Gateway](/azure/application-gateway/overview) and an [Application Gateway Ingress Controller](/azure/application-gateway/ingress-controller-overview) add-on.
-A single instance of the [Azure Application Gateway Kubernetes Ingress Controller (AGIC)](/azure/application-gateway/ingress-controller-multiple-namespace-support) can ingest events from and observe multiple namespaces. Should the AKS administrator decide to use Application Gateway as an ingress, all namespaces will use the same instance of Application Gateway. A single installation of Ingress Controller will monitor accessible namespaces and will configure the Application Gateway that it is associated with.
+A single instance of the [Azure Application Gateway Kubernetes Ingress Controller (AGIC)](/azure/application-gateway/ingress-controller-multiple-namespace-support) can ingest events from and observe multiple namespaces. Should the AKS administrator decide to use Application Gateway as an ingress, all namespaces will use the same instance of Application Gateway. A single installation of Ingress Controller will monitor accessible namespaces and will configure the application gateway that it is associated with.
### Potential use cases
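Review bot: The lowercasing to "application gateway" is applied to only one of the four occurrences in the first added line; the same sentence still has "to use an Azure Application Gateway to expose" before it and "Application Gateway-specific configuration" after it, and the second added line pairs "the same instance of Application Gateway" with "configure the application gateway". Pick one rule (capitalized for the service name, lowercase for a deployed instance) and apply it across both paragraphs. While here, "Kubernetes Resources" should be "Kubernetes resources".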
@@ -151,7 +151,7 @@ Although some of the following considerations are not fully pertaining to multit
- Design AKS clusters for multitenancy. Kubernetes provides features that let you logically isolate teams and workloads in the same cluster. The goal should be to provide the least number of privileges, scoped to the resources that each team needs. A [Namespace](/azure/aks/concepts-clusters-workloads#namespaces) in Kubernetes creates a logical isolation boundary.
- Use logical isolation to separate teams and projects. Try to minimize the number of physical AKS clusters that you deploy to isolate teams or applications. The logical separation of clusters usually provides a higher pod density than physically isolated clusters.
- Use dedicated node pools, or dedicated AKS clusters, whenever you need to implement a strict physical isolation. For example, you can dedicate a pool of worker nodes or an entire cluster, to a team or a tenant in a multitenant environment.
- - You can use a combination of [taints and tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to control the deployment of pods to a specific node pool. Please note that a node in AKS can be tainted only at the time of node pool creation. Alternately, [labels and nodePool selectors](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) can be used to control the deployment of workload to specific node pools.
+ - You can use a combination of [taints and tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to control the deployment of pods to a specific node pool. Please note that a node in AKS can be tainted only at the time of node pool creation. Alternately, [labels and nodePool selectors](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) can be used to control the deployment of workload to specific node pools.
### Security considerations
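Review bot: The added taints-and-tolerations line is identical in visible text to the removed one, so this is a whitespace-only change (trailing space or indentation); confirm it keeps the nested bullet indented under "Use dedicated node pools", since a lost leading space would promote it to a top-level bullet. Since the line is being touched anyway, "Alternately" should read "Alternatively" and "Please note that a node in AKS..." can simply be "A node in AKS...".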
@@ -173,7 +173,7 @@ Although the security considerations are not fully pertaining to multitenancy in
- Deploy AKS clusters with Microsoft Entra integration. For more information, see [AKS-managed Microsoft Entra integration](/azure/aks/managed-aad). Using Microsoft Entra ID centralizes the identity management component. Any change in user account or group status is automatically updated in access to the AKS cluster. Use [Roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) or [ClusterRoles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) and [Bindings](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) to scope users or groups to the least number of permissions needed.
- Use Kubernetes RBAC to define the permissions that users or groups have to resources in the cluster. Create roles and bindings that assign the least number of permissions required. [Integrate Kubernetes RBAC with Microsoft Entra ID](/azure/aks/azure-ad-rbac) so any change in user status or group membership is automatically updated and access to cluster resources is current.
- Use Azure RBAC to define the minimum required permissions that users or groups have to AKS resources in one or more subscriptions. For more information, see [Kubernetes RBAC](/azure/aks/operator-best-practices-identity#use-kubernetes-role-based-access-control-kubernetes-rbac) and [Use Azure RBAC for Kubernetes authorization (AuthZ)](/azure/aks/manage-azure-rbac).
-- Consider using [Microsoft Entra Workload ID](/azure/aks/workload-identity-overview) to assign a managed identity for an Azure resource to individual microservices, which they can then use to access managed resources (such as Azure Key Vault, SQL Database, Service Bus, and Cosmos DB). All without the need to store and retrieve use connection strings or credentials from Kubernetes secrets.
+- Consider using [Microsoft Entra Workload ID](/azure/aks/workload-identity-overview) to assign a managed identity for an Azure resource to individual microservices, which they can then use to access managed resources (such as Azure Key Vault, SQL Database, Service Bus, and Azure Cosmos DB). All without the need to store and retrieve use connection strings or credentials from Kubernetes secrets.
- Consider using the [Secret Store CSI Driver for Azure Key Vault](/azure/key-vault/general/key-vault-integrate-kubernetes) to access secrets, such as credentials and connections strings from Key Vault, rather than from Kubernetes secrets.
- Consider using the [Dapr Secrets Stores](https://docs.dapr.io/developing-applications/building-blocks/secrets/secrets-overview/) building block, with the [Azure Key Vault store with Managed Identities on Kubernetes](https://docs.dapr.io/developing-applications/integrations/azure/azure-authentication/authenticating-azure/), to retrieve secrets (such as credentials and connection strings) from Key Vault.
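Review bot: The added Workload ID line still carries the garbled phrase "store and retrieve use connection strings" and the fragment "All without the need to ...". Since this line is already being edited for the Azure Cosmos DB name, fold the fragment into the preceding sentence: "... Service Bus, and Azure Cosmos DB) without the need to store and retrieve connection strings or credentials from Kubernetes secrets."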
@@ -185,7 +185,7 @@ Although the security considerations are not fully pertaining to multitenancy in
- Use the [AppArmor](https://kubernetes.io/docs/tutorials/clusters/apparmor) Linux kernel security module to limit the actions that containers can do.
- Regularly upgrade your AKS clusters to the latest Kubernetes version to take advantage of new features and bug fixes.
- AKS automatically downloads and installs security fixes on each Linux node, but it doesn't automatically reboot the node if necessary. Use [kured](https://github.com/kubereboot/kured) to watch for pending reboots, cordon and drain nodes, and finally, apply your updates. For Windows Server nodes, regularly run an AKS upgrade operation to safely cordon and drain pods and to deploy any updated nodes.
-- Consider using HTTPS and gRPC secure transport protocols for all intra-pod communications and to use a more advanced authentication (AuthN) mechanism that does not require you to send the plain credentials on every request, like Open Authorization (OAuth) or JWT. Secure intra-service communication can be achieved by leveraging a service mesh, like [Istio](https://istio.io/), [Linkerd](https://linkerd.io), or [Consul](https://www.consul.io) or by using [Dapr](https://docs.dapr.io/developing-applications/building-blocks/service-invocation/service-invocation-overview).
+- Consider using HTTPS and gRPC secure transport protocols for all intra-pod communications and to use a more advanced authentication (AuthN) mechanism that does not require you to send the plain credentials on every request, like Open Authorization (OAuth) or JWT. Secure intra-service communication can be achieved by using a service mesh, like [Istio](https://istio.io/), [Linkerd](https://linkerd.io), or [Consul](https://www.consul.io) or by using [Dapr](https://docs.dapr.io/developing-applications/building-blocks/service-invocation/service-invocation-overview).
#### Azure Container Registry
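Review bot: "intra-pod communications" in the added line is almost certainly meant to be pod-to-pod (inter-service) traffic: the rest of the sentence talks about service meshes and "Secure intra-service communication", whereas intra-pod traffic is localhost between containers of the same pod and is not what a mesh secures. Suggest "for all inter-pod communications". The parallelism also needs fixing: "Consider using HTTPS and gRPC ... and to use a more advanced authentication" should be "... and using a more advanced authentication".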
@@ -196,7 +196,7 @@ Although the security considerations are not fully pertaining to multitenancy in
Although the performance considerations are not fully pertaining to multitenancy in Azure Kubernetes Service (AKS), we believe they are essential requirements when deploying this solution:
-- For low latency workloads, consider deploying a dedicated node pool in a proximity placement group. When deploying your application in Azure, spreading Virtual Machine (VM) instances across regions or availability zones creates network latency, which may impact the overall performance of your application. A proximity placement group is a logical grouping that's used to make sure Azure compute resources are physically located close to each other. Some use cases (such as gaming, engineering simulations, and high-frequency trading (HFT)) require low latency and tasks that complete quickly. For high-performance computing (HPC) scenarios such as these, consider using [proximity placement groups (PPGs)](/azure/virtual-machines/co-location#proximity-placement-groups) for your cluster's node pools.
+- For low latency workloads, consider deploying a dedicated node pool in a proximity placement group. When deploying your application in Azure, spreading Virtual Machine (VM) instances across regions or availability zones creates network latency, which may affect the overall performance of your application. A proximity placement group is a logical grouping that's used to make sure Azure compute resources are physically located close to each other. Some use cases (such as gaming, engineering simulations, and high-frequency trading (HFT)) require low latency and tasks that complete quickly. For high-performance computing (HPC) scenarios such as these, consider using [proximity placement groups (PPGs)](/azure/virtual-machines/co-location#proximity-placement-groups) for your cluster's node pools.
- Always use smaller container images, as it helps you to create faster builds. Smaller images are also less vulnerable to attack vectors, because of a reduced attack surface.
- Use Kubernetes autoscaling to dynamically scale out the number of worker nodes of an AKS cluster when the traffic increases. With [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale) and a cluster autoscaler, node and pod volumes get adjusted dynamically in real-time, to match the traffic condition and to avoid downtimes that are caused by capacity issues. For more information, see [Use the cluster autoscaler in Azure Kubernetes Service (AKS)](/azure/aks/cluster-autoscaler).
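Review bot: Subject agreement in the unchanged context line "Always use smaller container images, as it helps you to create faster builds": "it" has no singular referent. Suggest "Always use smaller container images, which helps you create faster builds."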
@@ -217,11 +217,11 @@ Although the availability and reliability considerations are not fully pertainin
#### Container registry
-- We suggest storing container images in Azure Container Registry, and then geo-replicate the registry to each AKS region using [Azure Container Registry geo-replication](/azure/container-registry/container-registry-geo-replication). Geo-replication is a feature of Premium SKU ACR registries.
+- We suggest storing container images in Azure Container Registry, and then geo-replicate the registry to each AKS region using [Azure Container Registry geo-replication](/azure/container-registry/container-registry-geo-replication). Geo-replication is a feature of Premium SKU Container Registry registries.
- Scan your container images for vulnerabilities, and only deploy images that have passed validation. Regularly update the base images and application runtime, and then redeploy your workloads in the AKS cluster.
- Limit the image registries that pods and deployments can use. Only allow trusted registries, where you validate and control the images that are available.
-- As you use base images for application images, use automation to build new images, when the base image is updated. Because those base images typically include security fixes, update any downstream application container images. We recommend that you scan the container images for vulnerabilities as part of CI/CD pipeline before you publish the images to container registry. [Azure Defender for Containers](/azure/defender-for-cloud/defender-for-containers-cicd) can be integrated to CI/CD workflows.
-- Leverage [ACR Tasks](/azure/container-registry/container-registry-tasks-overview) in Azure Container Registry to automate OS and framework patching for your Docker containers. ACR Tasks supports automated build execution, when a container's base image is updated, such as when you patch the OS or application framework in one of your base images.
+- As you use base images for application images, use automation to build new images, when the base image is updated. Because those base images typically include security fixes, update any downstream application container images. We recommend that you scan the container images for vulnerabilities as part of CI/CD pipeline before you publish the images to Container Registry. [Azure Defender for Containers](/azure/defender-for-cloud/defender-for-containers-cicd) can be integrated to CI/CD workflows.
+- Use [ACR Tasks](/azure/container-registry/container-registry-tasks-overview) in Azure Container Registry to automate OS and framework patching for your Docker containers. ACR Tasks supports automated build execution, when a container's base image is updated, such as when you patch the OS or application framework in one of your base images.
#### Intra-region resiliency
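Review bot: "Premium SKU Container Registry registries" in the first added line reads doubly; expanding the ACR abbreviation here produced "Container Registry registries". Suggest "Geo-replication is a feature of the Premium service tier of Azure Container Registry." The later "publish the images to Container Registry" has the same problem and reads better as "to the container registry". The link text "Azure Defender for Containers" in the same line is the pre-rename product name; the current name is Microsoft Defender for Containers.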
@@ -239,7 +239,7 @@ Although the availability and reliability considerations are not fully pertainin
- Store your container images in [Azure Container Registry](/azure/container-registry/container-registry-intro), and geo-replicate the registry to each AKS region. For more information, see [Geo-replication in Azure Container Registry](/azure/container-registry/container-registry-geo-replication).
- Where possible, don't store service state inside the container. Instead, use an Azure platform as a service (PaaS) that supports multi-region replication.
- If you use Azure Storage, prepare and test how to migrate your storage from the primary region to the backup region.
-- Consider deploying the cluster configuration using [GitOps](/azure/architecture/example-scenario/gitops-aks/gitops-blueprint-aks). Using GitOps provides uniformity between primary and DR clusters and a quick way to rebuild new cluster in case of cluster loss.
+- Consider deploying the cluster configuration using [GitOps](/azure/architecture/example-scenario/gitops-aks/gitops-blueprint-aks). Using GitOps provides uniformity between primary and DR clusters and a quick way to rebuild new cluster in case of cluster loss.
- Consider backup/restore of the cluster configuration using tools such as [Azure Kubernetes Service backup](/azure/backup/azure-kubernetes-service-backup-overview) or [Velero](https://github.com/vmware-tanzu/velero).
### Storage considerations
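Review bot: The GitOps bullet is a whitespace-only change (the added line is textually identical to the removed one); while it is being touched, "a quick way to rebuild new cluster in case of cluster loss" is missing an article: "a quick way to rebuild a new cluster if the cluster is lost".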
@@ -251,7 +251,6 @@ Although the storage considerations are not fully pertaining to multitenancy in
- Each node size supports a maximum number of disks. Different node sizes also provide different amounts of local storage and network bandwidth. Plan for your application demands to deploy the appropriate size of nodes.
- To reduce management overhead and let you scale, don't statically create and assign persistent volumes. Use dynamic provisioning. In your storage classes, define the appropriate reclaim policy to minimize unneeded storage costs, once pods are deleted.
-
### Scheduler considerations
Although some of the scheduler considerations are not fully pertaining to multitenancy in Azure Kubernetes Service (AKS), we believe they are essential requirements when deploying this solution:
@@ -280,9 +279,9 @@ Although the service mesh considerations are not fully pertaining to multitenanc
- As an alternative, you can use the traffic-management capabilities that are provided by a service mesh implementation. For more information, see:
- [Istio traffic management](https://istio.io/latest/docs/concepts/traffic-management/)
-
+
- Use Azure Container Registry or another container registry (like Docker Hub), to store the private Docker images that are deployed to the cluster. AKS can authenticate with Azure Container Registry, by using its Microsoft Entra identity.
-- If there is a need to change settings on Application Gateway, make the change using the exposed configuration on the ingress controller or other Kubernetes objects, such as using supported annotations. After an Application Gateway is linked to Application Gateway Ingress Controller (AGIC), nearly all configuration of that gateway will be synced and controlled by the ingress controller. If you are trying to directly configure Application Gateway imperatively or through infrastructure as code, those changes will eventually be overwritten by the ingress controller.
+- If there is a need to change settings on Application Gateway, make the change using the exposed configuration on the ingress controller or other Kubernetes objects, such as using supported annotations. After an application gateway is linked to Application Gateway Ingress Controller (AGIC), nearly all configuration of that gateway will be synced and controlled by the ingress controller. If you are trying to directly configure Application Gateway imperatively or through infrastructure as code, those changes will eventually be overwritten by the ingress controller.
### Monitoring considerations
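Review bot: The casing in the added Application Gateway bullet is still inconsistent: "change settings on Application Gateway", "After an application gateway is linked" and "configure Application Gateway imperatively" all refer to the same gateway instance within one bullet, so only the middle one was lowercased. The -/+ pair on the blank line above it is a whitespace-only change and can be dropped from the commit.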
@@ -304,13 +303,12 @@ After you assess these aspects, go to the [Azure pricing calculator](https://azu
## Deploy this scenario
-The source code for this scenario is available [on GitHub](https://github.com/Azure-Samples/aks-agic). You can also find a demo application, as shown in the following figure, in [this GitHub repository](https://github.com/Azure-Samples/aks-multi-tenant-agic).
+The source code for this scenario is available [on GitHub](https://github.com/Azure-Samples/aks-agic). You can also find a demo application, as shown in the following figure, in [This GitHub repository](https://github.com/Azure-Samples/aks-multi-tenant-agic).
:::image type="content" border="false" source="./media/aks-agic-sample.png" alt-text="The diagram shows the deployment of this AGIC with AKS architecture." lightbox="./media/aks-agic-sample.png":::
*Download a [Visio file](https://arch-center.azureedge.net/aks-agic.vsdx) of this architecture.*
-
### Prerequisites
For online deployments, you must have an existing Azure account. If you need one, create a [free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
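Review bot: Capitalizing "This" mid-sentence in "in [This GitHub repository](...)" is a regression introduced by this hunk; revert to "in [this GitHub repository](...)".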
diff --git a/docs/example-scenario/aks-front-door/aks-front-door-content.md b/docs/example-scenario/aks-front-door/aks-front-door-content.md
index c9359a620ac..850f423bc3e 100644
--- a/docs/example-scenario/aks-front-door/aks-front-door-content.md
+++ b/docs/example-scenario/aks-front-door/aks-front-door-content.md
@@ -4,7 +4,7 @@ This article describes how to securely expose and protect a workload that runs i
:::image type="content" border="false" source="./media/aks-front-door.svg" alt-text="Diagram that shows an architecture that securely exposes and protects a workload that runs in AKS." lightbox="./media/aks-front-door.svg":::
-*The Grafana logo is a trademark of its respective company. No endorsement is implied by the use of this mark.*
+*The Grafana logo is a trademark of its respective company. No endorsement is implied by the use of this mark.*
*Download a [Visio file](https://arch-center.azureedge.net/aks-front-door.vsdx) of this architecture.*
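Review bot: The Grafana trademark line is a whitespace-only change (the two lines are textually identical), presumably trailing whitespace removal; confirm that is intended, since the commit message ("status") gives no hint.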
@@ -24,15 +24,15 @@ The following steps describe the deployment process. This workflow corresponds t
1. A platform engineer specifies the necessary information in the *main.bicepparams* Bicep parameters file and deploys the Bicep modules to create the Azure resources. The necessary information includes:
- A prefix for the Azure resources.
-
- - The name and resource group of the existing Azure key vault that holds the TLS certificate for the workload hostname and the Azure Front Door custom domain.
+
+ - The name and resource group of the existing Azure Key Vault that holds the TLS certificate for the workload hostname and the Azure Front Door custom domain.
- The name of the certificate in the key vault.
- The name and resource group of the DNS zone that's used to resolve the Azure Front Door custom domain.
1. The [deployment script](/azure/azure-resource-manager/bicep/deployment-script-bicep) uses Helm and YAML manifests to create the [NGINX ingress controller](https://docs.nginx.com/nginx-ingress-controller/intro/overview/) and a sample [httpbin](https://httpbin.org/) web application. The script defines a `SecretProviderClass` that retrieves the TLS certificate from the specified Azure key vault by using the user-defined managed identity of the [Azure Key Vault provider for Secrets Store CSI Driver](/azure/aks/csi-secrets-store-driver). The script also creates a Kubernetes secret. The deployment and ingress objects are configured to use the certificate that's stored in the Kubernetes secret.
-1. An Azure Front Door [secret resource](/azure/templates/microsoft.cdn/profiles/secrets) is used to manage and store the TLS certificate that's in the Azure key vault. This certificate is used by the [custom domain](/azure/templates/microsoft.cdn/profiles/customdomains) that's associated with the Azure Front Door endpoint.
+1. An Azure front door [secret resource](/azure/templates/microsoft.cdn/profiles/secrets) is used to manage and store the TLS certificate that's in the Azure key vault. This certificate is used by the [custom domain](/azure/templates/microsoft.cdn/profiles/customdomains) that's associated with the Azure Front Door endpoint.
> [!NOTE]
-> At the end of the deployment, you need to approve the private endpoint connection before traffic can pass to the origin privately. For more information, see [Secure your origin with Private Link in Azure Front Door Premium](/azure/frontdoor/private-link). To approve private endpoint connections, use the Azure portal, Azure CLI, or Azure PowerShell. For more information, see [Manage a private endpoint connection](/azure/private-link/manage-private-endpoint).
+> At the end of the deployment, you need to approve the private endpoint connection before traffic can pass to the origin privately. For more information, see [Secure your origin with Private Link in Azure Front Door Premium](/azure/frontdoor/private-link). To approve private endpoint connections, use the Azure portal, the Azure CLI, or Azure PowerShell. For more information, see [Manage a private endpoint connection](/azure/private-link/manage-private-endpoint).
#### Runtime workflow
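Review bot: "An Azure front door [secret resource]" mixes the capitalized product prefix with a lowercase noun while the same sentence ends with "the Azure Front Door endpoint"; use either "Azure Front Door secret resource" or "front door secret resource". The change "Azure key vault" to "Azure Key Vault" in the parameter bullet also goes against the unchanged lines of this hunk, which keep "the specified Azure key vault" and "the TLS certificate that's in the Azure key vault": the original lowercase (a specific key vault instance) was consistent, so revert or change all three together.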
@@ -40,7 +40,7 @@ The following steps describe the message flow for a request that an external cli
1. The client application uses its custom domain to send a request to the web application. The DNS zone that's associated with the custom domain uses a [CNAME record](https://en.wikipedia.org/wiki/CNAME_record) to redirect the DNS query for the custom domain to the original hostname of the Azure Front Door endpoint.
-1. Azure Front Door traffic routing occurs in several stages. Initially, the request is sent to one of the [Azure Front Door points of presence](/azure/frontdoor/edge-locations-by-region). Then Azure Front Door uses the configuration to determine the appropriate destination for the traffic. Various factors can influence the routing process, such as the Azure Front Door caching, web application firewall (WAF), routing rules, rules engine, and caching configuration. For more information, see [Routing architecture overview](/azure/frontdoor/front-door-routing-architecture).
+1. Azure Front Door traffic routing occurs in several stages. Initially, the request is sent to one of the [Azure Front Door points of presence](/azure/frontdoor/edge-locations-by-region). Then Azure Front Door uses the configuration to determine the appropriate destination for the traffic. Various factors can influence the routing process, such as the Azure front door caching, web application firewall (WAF), routing rules, rules engine, and caching configuration. For more information, see [Routing architecture overview](/azure/frontdoor/front-door-routing-architecture).
1. Azure Front Door forwards the incoming request to the [Azure private endpoint](/azure/private-link/private-endpoint-overview) that's connected to the [Private Link service](/azure/private-link/private-link-service-overview) that exposes the AKS-hosted workload.
1. The request is sent to the Private Link service.
1. The request is forwarded to the *kubernetes-internal* AKS internal load balancer.
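Review bot: Same casing problem in the routing step: "the Azure front door caching" sits in a sentence that otherwise writes "Azure Front Door" three times. In addition, the list of routing factors names caching twice ("the Azure front door caching, web application firewall (WAF), routing rules, rules engine, and caching configuration"); drop the first mention so it reads "such as the web application firewall (WAF), routing rules, rules engine, and caching configuration".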
@@ -58,18 +58,18 @@ The architecture consists of the following components:
- A *user node pool* that hosts user workloads and artifacts in a dedicated subnet.
- The deployment requires [role-based access control (RBAC) role assignments](/azure/role-based-access-control/role-assignments), including:
- - A *Grafana Admin* role assignment on Azure Managed Grafana for the Microsoft Entra ID user whose `objectID` is defined in the `userId` parameter. The *Grafana Admin* role provides full control of the instance, including managing role assignments, viewing, editing, and configuring data sources. For more information, see [How to share access to Azure Managed Grafana](/azure/managed-grafana/how-to-share-grafana-workspace).
+ - A *Grafana Admin* role assignment on Azure Managed Grafana for the Microsoft Entra user whose `objectID` is defined in the `userId` parameter. The *Grafana Admin* role provides full control of the instance, including managing role assignments, viewing, editing, and configuring data sources. For more information, see [How to share access to Azure Managed Grafana](/azure/managed-grafana/how-to-share-grafana-workspace).
- A *Key Vault Administrator* role assignment on the existing Key Vault resource that contains the TLS certificate for the user-defined managed identity that the [Key Vault provider for Secrets Store CSI Driver](/azure/aks/csi-secrets-store-driver) uses. This assignment provides access to the CSI driver so that it can read the certificate from the source key vault.
- [Azure Front Door Premium](/azure/frontdoor/front-door-overview) is a Layer-7 global load balancer and modern cloud content delivery network. It provides fast, reliable, and secure access between your users' and your applications' static and dynamic web content across the globe. You can use Azure Front Door to deliver your content by using Microsoft's global edge network. The network has hundreds of [global and local points of presence](/azure/frontdoor/edge-locations-by-region) distributed around the world. So you can use points of presence that are close to your enterprise and consumer customers.
In this solution, Azure Front Door is used to expose an AKS-hosted sample web application via a [Private Link service](/azure/private-link/private-link-service-overview) and the [NGINX ingress controller](https://docs.nginx.com/nginx-ingress-controller/intro/overview/). Azure Front Door is configured to expose a custom domain for the Azure Front Door endpoint. The custom domain is configured to use the Azure Front Door secret that contains a TLS certificate that's read from [Key Vault](/azure/key-vault/general/overview).
-- [Azure Web Application Firewall](/azure/web-application-firewall/afds/afds-overview) protects the AKS-hosted applications that are exposed via [Azure Front Door](/azure/frontdoor/front-door-overview) from common web-based attacks, such as [The Open Web Application Security Project (OWASP)](https://owasp.org) vulnerabilities, SQL injections, and cross-site scripting. This cloud-native, pay-as-you-use technology doesn't require licensing. Azure Web Application Firewall provides protection for your web applications and defends your web services against common exploits and vulnerabilities.
+- [Azure Web Application Firewall](/azure/web-application-firewall/afds/afds-overview) protects the AKS-hosted applications that are exposed via [Azure Front Door](/azure/frontdoor/front-door-overview) from common web-based attacks, such as The [Open Web Application Security Project (OWASP)](https://owasp.org) vulnerabilities, SQL injections, and cross-site scripting. This cloud-native, pay-as-you-use technology doesn't require licensing. Azure Web Application Firewall provides protection for your web applications and defends your web services against common exploits and vulnerabilities.
- An [Azure DNS zone](/azure/dns/dns-overview) is used for the name resolution of the Azure Front Door custom domain. You can use Azure DNS to host your DNS domain and manage your DNS records.
- The [CNAME](/azure/templates/microsoft.network/dnszones/cname) record is used to create an alias or pointer from one domain name to another. You can configure a [CNAME record](https://en.wikipedia.org/wiki/CNAME_record) to redirect DNS queries for the custom domain to the original hostname of the Azure Front Door endpoint.
-
+
- The [Text (TXT)](/azure/templates/microsoft.network/dnszones/txt) record contains the validation token for the custom domain. You can use a TXT record within a DNS zone to store arbitrary text information that's associated with a domain.
-- A [Private Link service](/azure/private-link/private-link-service-overview) is configured to reference the *kubernetes-internal* internal load balancer of the AKS cluster. When you enable Private Link to your origin in Azure Front Door Premium, Front Door creates a private endpoint from an Azure Front Door-managed regional private network. You receive an Azure Front Door private endpoint request at the origin for your approval. For more information, see [Secure your origin with Private Link in Azure Front Door Premium](/azure/frontdoor/private-link).
+- A [Private Link service](/azure/private-link/private-link-service-overview) is configured to reference the *kubernetes-internal* internal load balancer of the AKS cluster. When you enable Private Link to your origin in Azure Front Door Premium, Azure Front Door creates a private endpoint from an Azure Front Door-managed regional private network. You receive an Azure Front Door private endpoint request at the origin for your approval. For more information, see [Secure your origin with Private Link in Azure Front Door Premium](/azure/frontdoor/private-link).
- [Azure Virtual Network](/azure/virtual-network/virtual-networks-overview) is used to create a single virtual network with six subnets:
- *SystemSubnet* is used for the agent nodes of the system node pool.
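Review bot: Moving "The" out of the link text leaves a capitalized "The" mid-sentence ("such as The [Open Web Application Security Project (OWASP)](...) vulnerabilities"). OWASP is an organization rather than a vulnerability class, so the more precise wording is "such as the vulnerability categories in the [OWASP](https://owasp.org) Top 10, SQL injection, and cross-site scripting". The -/+ pair on the blank line between the CNAME and TXT bullets is whitespace-only noise.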
@@ -95,7 +95,7 @@ The architecture consists of the following components:
- [Azure network security groups](/azure/virtual-network/network-security-groups-overview) are used to filter inbound and outbound traffic for the subnets that host VMs and Azure Bastion hosts.
- An [Azure Monitor workspace](/azure/azure-monitor/essentials/azure-monitor-workspace-overview) is a unique environment for data that [Monitor](/azure/azure-monitor/essentials/data-platform-metrics) collects. Each workspace has its own data repository, configuration, and permissions. Azure Monitor Logs workspaces contain logs and metrics data from multiple Azure resources, whereas Monitor workspaces contain metrics related to [Prometheus](/azure/azure-monitor/essentials/prometheus-metrics-overview) only.
- You can use managed service for Prometheus to collect and analyze metrics at scale by using a Prometheus-compatible monitoring solution that's based on [Prometheus](https://prometheus.io/). You can use the [Prometheus query language (PromQL)](https://prometheus.io/docs/prometheus/latest/querying/basics/) to analyze and alert on the performance of monitored infrastructure and workloads without having to operate the underlying infrastructure.
+ You can use managed service for Prometheus to collect and analyze metrics at scale by using a Prometheus-compatible monitoring solution that's based on [Prometheus](https://prometheus.io/). You can use the [Prometheus query language (PromQL)](https://prometheus.io/docs/prometheus/latest/querying/basics/) to analyze and alert on the performance of monitored infrastructure and workloads without having to operate the underlying infrastructure.
- An [Azure Managed Grafana](/azure/managed-grafana/overview) instance is used to visualize the [Prometheus metrics](/azure/azure-monitor/containers/prometheus-metrics-enable) that the Bicep module-deployed [AKS](/azure/aks/intro-kubernetes) cluster generates. You can connect your [Monitor workspace](/azure/azure-monitor/essentials/azure-monitor-workspace-overview) to [Azure Managed Grafana](/azure/managed-grafana/overview), and use a set of built-in and custom Grafana dashboards to visualize Prometheus metrics. Grafana Enterprise supports Azure Managed Grafana, which provides extensible data visualizations. You can quickly and easily deploy Grafana dashboards that have built-in high availability. You can also use Azure security measures to control access to the dashboards.
- An [Azure Monitor Logs](/azure/azure-monitor/logs/log-analytics-workspace-overview) workspace is used to collect the diagnostic logs and metrics from Azure resources, including:
- AKS clusters
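Review bot: the changed line in this hunk ("You can use managed service for Prometheus to collect and analyze metrics at scale...") is textually identical to the line it replaces, so this is a whitespace-only change; confirm it is intentional (for example, re-indenting the paragraph so it nests under the Azure Monitor workspace bullet) or drop it to keep the patch free of noise. If the line is touched anyway, consider using the full product name "Azure Monitor managed service for Prometheus" on first mention, since "managed service for Prometheus" on its own is hard to parse.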
@@ -110,13 +110,13 @@ The architecture consists of the following components:
### Alternatives
-To automatically create a managed Private Link service to the AKS cluster load balancer, you can use the [Private Link service](/azure/private-link/private-link-service-overview) feature. To provide private connectivity, you must create private endpoint connections to your service. You can use annotations to expose a Kubernetes service via a Private Link service. The architecture in this article manually creates a Private Link service to reference the cluster Azure load balancer.
+To automatically create a managed Private Link service to the AKS cluster load balancer, you can use the [Private Link service](/azure/private-link/private-link-service-overview) feature. To provide private connectivity, you must create private endpoint connections to your service. You can use annotations to expose a Kubernetes service via a Private Link service. The architecture in this article manually creates a Private Link service to reference the cluster Azure Load Balancer.
## Scenario details
-This scenario uses [Azure Front Door Premium](/azure/frontdoor/front-door-overview), [end-to-end TLS encryption](/azure/frontdoor/end-to-end-tls), [Azure Web Application Firewall](/azure/web-application-firewall/afds/afds-overview), and a [Private Link service](/azure/private-link/private-link-service-overview) to securely expose and protect a workload that runs in [AKS]( /azure/aks/intro-kubernetes).
+This scenario uses [Azure Front Door Premium](/azure/frontdoor/front-door-overview), [end-to-end TLS encryption](/azure/frontdoor/end-to-end-tls), [Azure Web Application Firewall](/azure/web-application-firewall/afds/afds-overview), and a [Private Link service](/azure/private-link/private-link-service-overview) to securely expose and protect a workload that runs in [AKS](/azure/aks/intro-kubernetes).
-This architecture uses the Azure Front Door TLS and Secure Sockets Layer (SSL) offload capability to terminate the TLS connection and decrypt the incoming traffic at the front door. The traffic is re-encrypted before it's forwarded to the origin, which is a web application that's hosted in an AKS cluster. HTTPS is configured as the forwarding protocol on Azure Front Door when Azure Front Door connects to the AKS-hosted workload that's configured as an origin. This practice enforces end-to-end TLS encryption for the entire request process, from the client to the origin. For more information, see [Secure your origin with Private Link in Azure Front Door Premium](/azure/frontdoor/private-link).
+This architecture uses the Azure Front Door TLS and Secure Sockets Layer (SSL) offload capability to terminate the TLS connection and decrypt the incoming traffic at the front door. The traffic is reencrypted before it's forwarded to the origin, which is a web application that's hosted in an AKS cluster. HTTPS is configured as the forwarding protocol on Azure Front Door when Azure Front Door connects to the AKS-hosted workload that's configured as an origin. This practice enforces end-to-end TLS encryption for the entire request process, from the client to the origin. For more information, see [Secure your origin with Private Link in Azure Front Door Premium](/azure/frontdoor/private-link).
The [NGINX ingress controller](https://docs.nginx.com/nginx-ingress-controller/intro/overview/) exposes the AKS-hosted web application. The NGINX ingress controller is configured to use a private IP address as a front-end IP configuration of the `kubernetes-internal` internal load balancer. The NGINX ingress controller uses HTTPS as the transport protocol to expose the web application. For more information, see [Create an ingress controller by using an internal IP address](/azure/aks/ingress-basic#create-an-ingress-controller-using-an-internal-ip-address).
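Review bot: the spelling change "re-encrypted" to "reencrypted" in the Scenario details paragraph should be checked against the style guide; the unhyphenated form reads oddly because of the double vowel, and the rest of the file keeps the security terminology precise. On that same line, "TLS and Secure Sockets Layer (SSL) offload capability" suggests SSL is still negotiated; since the paragraph is about enforcing end-to-end TLS encryption, consider "TLS termination (often called SSL offload)" so the text does not imply a deprecated protocol is in use. The `[AKS]( /azure/aks/intro-kubernetes)` to `[AKS](/azure/aks/intro-kubernetes)` fix is good, since the stray space breaks the link in some Markdown renderers.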
@@ -151,7 +151,7 @@ These recommendations are essential for single-tenant AKS solutions and aren't s
- Enable [zone redundancy in Container Registry](/azure/container-registry/zone-redundancy) for intra-region resiliency and high availability.
- Use [topology spread constraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints) to control how you spread pods across your AKS cluster among failure domains like regions, availability zones, and nodes.
- Use the Standard or Premium tier for your production AKS clusters. These tiers include the [uptime service-level agreement (SLA) feature](/azure/aks/uptime-sla), which guarantees 99.95% availability of the Kubernetes API server endpoint for clusters that use [availability zones](/azure/aks/availability-zones) and 99.9% availability for clusters that don't use availability zones. For more information, see [Free, Standard, and Premium pricing tiers for AKS cluster management](/azure/aks/free-standard-pricing-tiers).
-- Enable [zone redundancy](/azure/availability-zones/az-overview#availability-zones) if you use Container Registry to store container images and Oracle cloud infrastructure (OCI) artifacts. Container Registry supports optional zone redundancy and [geo-replication](/azure/container-registry/container-registry-geo-replication). Zone redundancy provides resiliency and high availability to a registry or replication resource (replica) in a specific region. Geo-replication replicates registry data across one or more Azure regions to provide availability and reduce latency for regional operations.
+- Enable [zone redundancy](/azure/availability-zones/az-overview#availability-zones) if you use Container Registry to store container images and Oracle Cloud Infrastructure (OCI) artifacts. Container Registry supports optional zone redundancy and [geo-replication](/azure/container-registry/container-registry-geo-replication). Zone redundancy provides resiliency and high availability to a registry or replication resource (replica) in a specific region. Geo-replication replicates registry data across one or more Azure regions to provide availability and reduce latency for regional operations.
#### Disaster recovery and business continuity
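Review bot: the OCI expansion in the changed zone redundancy bullet is wrong in both the old and new line. In the context of Container Registry storing "container images and ... (OCI) artifacts", OCI is the Open Container Initiative, not Oracle Cloud Infrastructure; capitalizing "Oracle Cloud Infrastructure" makes the error look deliberate. Suggested text: "store container images and Open Container Initiative (OCI) artifacts".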
@@ -160,7 +160,7 @@ These recommendations are essential for single-tenant AKS solutions and aren't s
- Script, document, and periodically test regional failover processes in a quality assurance (QA) environment.
- Test failback procedures to validate that they work as expected.
- Store your container images in [Container Registry](/azure/container-registry/container-registry-intro). Geo-replicate the registry to each region where you deploy your AKS solution.
-- Don't store service state in a container if possible. Instead, store service state in an Azure platform as a service (PaaS) storage solution that supports multiregion replication. This approach improves resiliency and simplifies disaster recovery because you can preserve each service's critical data across regions.
+- Don't store service state in a container if possible. Instead, store service state in an Azure platform as a service (PaaS) storage solution that supports multiregion replication. This approach improves resiliency and simplifies disaster recovery because you can preserve each service's critical data across regions.
- Prepare and test processes to migrate your storage from the primary region to the backup region if you use Storage.
### Security
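Review bot: the changed line in this hunk ("Don't store service state in a container if possible...") is identical to the line it replaces, so this is another whitespace-only change; confirm it is intentional or drop it. In the unchanged context line below it, "if you use Storage" should read "if you use Azure Storage" so the product is named in full.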
@@ -178,7 +178,7 @@ Security provides assurances against deliberate attacks and the abuse of your va
- Use a [WAF policy](/azure/application-gateway/waf-overview) to help protect public-facing AKS-hosted workloads from attacks when you use [Application Gateway](/azure/application-gateway/overview) in front of the AKS cluster.
- Use [Kubernetes network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to control which components can communicate with one another, which segregates and helps secure intraservice communications. By default, all pods in a Kubernetes cluster can send and receive traffic without limitations. To improve security, you can use Azure network policies or Calico network policies to define rules that control the traffic flow between various microservices. Use Azure network policies to enforce network-level access control. Use Calico network policies to implement fine-grained network segmentation and security policies in your AKS cluster. For more information, see [Secure traffic between pods by using network policies in AKS](/azure/aks/use-network-policies).
- Don't expose remote connectivity to your AKS nodes. Create an Azure Bastion host, or jumpbox, in a management virtual network. Use the Azure Bastion host to route traffic to your AKS cluster.
-- Consider using a [private AKS cluster](/azure/aks/private-clusters) in your production environment. Or, at a minimum, use [authorized IP address ranges](/azure/aks/api-server-authorized-ip-ranges) in AKS to secure access to the API server. When you use authorized IP address ranges on a public cluster, allow all the egress IP addresses in the Azure Firewall network rule collection. In-cluster operations consume the Kubernetes API server.
+- Consider using a [private AKS cluster](/azure/aks/private-clusters) in your production environment. Or, at a minimum, use [authorized IP address ranges](/azure/aks/api-server-authorized-ip-ranges) in AKS to secure access to the API server. When you use authorized IP address ranges on a public cluster, allow all the egress IP addresses in the Azure firewall network rule collection. In-cluster operations consume the Kubernetes API server.
### Cost optimization
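Review bot: the change from "Azure Firewall network rule collection" to "Azure firewall network rule collection" is a regression: Azure Firewall is the product name, and "network rule collection" is an Azure Firewall construct, so the capital F should stay. The sentence that follows, "In-cluster operations consume the Kubernetes API server", also leaves the reader without the reason for the rule; consider stating it, for example: "Node-to-API-server traffic egresses through Azure Firewall, so if its public IP addresses are not in the authorized ranges, in-cluster operations that call the API server fail."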
@@ -191,7 +191,7 @@ Cost optimization is about looking at ways to reduce unnecessary expenses and im
- Implement the [vertical pod autoscaler](/azure/aks/vertical-pod-autoscaler) to analyze and set CPU and memory resources that pods require. This approach optimizes resource allocation.
- Choose the appropriate [VM size](/azure/virtual-machines/sizes) for node pools based on workload requirements.
- Create multiple [node pools](/azure/aks/use-multiple-node-pools) with different VM sizes for specific workloads. Use node labels, node selectors, and affinity rules to optimize resource allocation.
-- [Stop node pools](/azure/aks/start-stop-nodepools) or [scale down AKS clusters](/azure/aks/start-stop-cluster) when you don't use them.
+- [Stop node pools](/azure/aks/start-stop-nodepools) or [scale down AKS clusters](/azure/aks/start-stop-cluster) when you don't use them.
- Take advantage of cost management tools, such as [Azure Advisor](/azure/advisor/advisor-overview), [Azure reservations](/azure/cost-management-billing/reservations/save-compute-costs-reservations), and [Azure savings plans](/azure/cost-management-billing/savings-plan/savings-plan-compute-overview), to monitor and optimize costs.
- Consider using [spot node pools](/azure/aks/spot-node-pool) to benefit from unused capacity in Azure and reduce cost.
- Use tools like [Kubecost](https://www.kubecost.com/) to monitor and govern AKS costs.
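Review bot: the changed line in this hunk ("[Stop node pools] ... when you don't use them.") is identical to the line it replaces, so this is a whitespace-only change; confirm it is intentional or drop it from the patch.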
@@ -204,10 +204,10 @@ Operational excellence covers the operations processes that deploy an applicatio
#### DevOps
-- Use a [Helm](https://helm.sh) chart in a continuous integration and continuous delivery (CI/CD) pipeline to deploy your workloads to AKS.
+- Use a [Helm](https://helm.sh) chart in a continuous integration and continuous delivery (CI/CD) pipeline to deploy your workloads to AKS.
- Use A/B testing and canary deployments in your application lifecycle management to properly test an application before you make it available to users.
-- Use [Container Registry](/azure/container-registry/container-registry-intro) or a non-Microsoft container registry, such as [Harbor](https://goharbor.io/) or [Docker Hub](https://hub.docker.com/), to store private container images that are deployed to the cluster.
+- Use [Container Registry](/azure/container-registry/container-registry-intro) or a non-Microsoft Container Registry, such as [Harbor](https://goharbor.io/) or [Docker Hub](https://hub.docker.com/), to store private container images that are deployed to the cluster.
- Test ingress and egress on your workloads in a separate preproduction environment that mirrors the network topology and firewall rules of your production environment.
#### Monitoring
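Review bot: the capitalization change "non-Microsoft container registry" to "non-Microsoft Container Registry" is incorrect and is reverted by PATCH 2/2 of this same series; "container registry" is the generic term here (Harbor and Docker Hub are the examples), while the capitalized form is the Azure product name. Drop this change from PATCH 1/2 so the series does not introduce and then revert it. The Helm chart line in the same hunk is identical before and after, so that is a whitespace-only change as well.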
From 2dfc5587000379b8547d1763447926ff5993f803 Mon Sep 17 00:00:00 2001
From: Chad Kittel
Date: Mon, 9 Sep 2024 08:14:29 -0500
Subject: [PATCH 2/2] Revert changes
---
...nd-machine-learning-in-regulated-industries-content.md | 4 ++--
docs/example-scenario/aks-agic/aks-agic-content.md | 8 ++++----
.../aks-front-door/aks-front-door-content.md | 4 ++--
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/docs/example-scenario/ai/scale-ai-and-machine-learning-in-regulated-industries-content.md b/docs/example-scenario/ai/scale-ai-and-machine-learning-in-regulated-industries-content.md
index 2f52a8af1f3..5fabf19afd0 100644
--- a/docs/example-scenario/ai/scale-ai-and-machine-learning-in-regulated-industries-content.md
+++ b/docs/example-scenario/ai/scale-ai-and-machine-learning-in-regulated-industries-content.md
@@ -16,10 +16,10 @@ The architecture consists of the workflow described in the following sections. E
#### Data management
-2. **Data management zone** – The data management zone is responsible for data governance across the platform and enforces guardrails to provide more flexibility downstream in the data landing zones. It has its own subscription and hosts centralized services such as data cataloging, monitoring, audits, and so on. This environment is highly controlled and subject to stringent audits. All data classification types are stored in the central data catalog (Azure Microsoft Purview). Depending on metadata, different policies and access patterns are enforced. There's only one data management zone subscription for the whole tenant. The data management zone is peered (through virtual network peering) with all other data landing zones. Private endpoints are used whenever possible to ensure that the deployed services aren't accessible via public internet.
+2. **Data management zone** – The data management zone is responsible for data governance across the platform and enforces guardrails to provide more flexibility downstream in the data landing zones. It has its own subscription and hosts centralized services such as data cataloging, monitoring, audits, and so on. This environment is highly controlled and subject to stringent audits. All data classification types are stored in the central data catalog (Microsoft Purview). Depending on metadata, different policies and access patterns are enforced. There's only one data management zone subscription for the whole tenant. The data management zone is peered (through virtual network peering) with all other data landing zones. Private endpoints are used whenever possible to ensure that the deployed services aren't accessible via public internet.
1. **Networking resource group** – Azure Virtual Networks, network security groups, and all other networking-related resources needed for the data management zone are provisioned within the networking resource group.
1. **Deployment resource group** – A deployment resource group hosts private Azure DevOps CI/CD agents (virtual machines) needed for the data management zone and a key vault for storing any deployment-related secrets.
-1. **Data governance resource group** – Azure Microsoft Purview is used as a data governance and data catalog solution and is used to enforce the necessary guardrails for datasets to follow data requirements and data regulations that are imposed by law or other entities. Microsoft Purview is hosted centrally within this resource group, along with a Key Vault instance for storing secrets.
+1. **Data governance resource group** – Microsoft Purview is used as a data governance and data catalog solution and is used to enforce the necessary guardrails for datasets to follow data requirements and data regulations that are imposed by law or other entities. Microsoft Purview is hosted centrally within this resource group, along with a Key Vault instance for storing secrets.
1. **Centralized assets** – Centralized assets hosts important and valuable assets that are central to the platform, such as:
- Azure Container Registries that host base images used in Azure Machine Learning-based data products (images that are previously scanned and vulnerability-free)
- AI/Machine Learning models that are published and made available to consumers on the platform (so they can be deployed to one or more data landing zones if needed).
diff --git a/docs/example-scenario/aks-agic/aks-agic-content.md b/docs/example-scenario/aks-agic/aks-agic-content.md
index 2498dadecb7..4cbbdd57bca 100644
--- a/docs/example-scenario/aks-agic/aks-agic-content.md
+++ b/docs/example-scenario/aks-agic/aks-agic-content.md
@@ -1,4 +1,4 @@
-In this solution, [Azure Web Application Firewall (WAF)](/azure/web-application-firewall/ag/ag-overview) provides centralized protection for web applications deployed on a multi-tenant Azure Kubernetes Service (AKS) cluster from common exploits and vulnerabilities. Web applications running on [Azure Kubernetes Service (AKS) cluster](/azure/aks/intro-kubernetes) and exposed via the [Application Gateway Ingress Controller (AGIC)](/azure/application-gateway/ingress-controller-overview) can be protected from malicious attacks, such as SQL injection and cross-site scripting, by using a [WAF Policy](/azure/web-application-firewall/ag/create-waf-policy-ag) on Azure Application Gateway. WAF Azure Policy on Azure Application Gateway comes pre-configured with Open Worldwide Application Security Project (OWASP) core rule sets and can be changed to other supported OWASP Core Rule Set (CRS) versions.
+In this solution, [Azure Web Application Firewall (WAF)](/azure/web-application-firewall/ag/ag-overview) provides centralized protection for web applications deployed on a multi-tenant Azure Kubernetes Service (AKS) cluster from common exploits and vulnerabilities. Web applications running on [Azure Kubernetes Service (AKS) cluster](/azure/aks/intro-kubernetes) and exposed via the [Application Gateway Ingress Controller (AGIC)](/azure/application-gateway/ingress-controller-overview) can be protected from malicious attacks, such as SQL injection and cross-site scripting, by using a [WAF Policy](/azure/web-application-firewall/ag/create-waf-policy-ag) on Azure Application Gateway. WAF policy on Azure Application Gateway comes pre-configured with Open Worldwide Application Security Project (OWASP) core rule sets and can be changed to other supported OWASP Core Rule Set (CRS) versions.
## Architecture
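Review bot: the change from "WAF Azure Policy" to "WAF policy" is correct, since Azure Policy is a separate governance service and the sentence is about a Web Application Firewall policy. For consistency, the link text "[WAF Policy]" earlier in the same sentence should also be lowercased to "[WAF policy]".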
@@ -36,7 +36,7 @@ A virtual machine (VM) is deployed in the same virtual network that is hosting t
An Azure Bastion host provides secure and seamless SSH connectivity to the jump-box VM, directly in the Azure portal over SSL. Azure Container Registry is used to build, store, and manage container images and artifacts (such as Helm charts).
-The architecture includes an application gateway that is used by the ingress controller. The application gateway is deployed to a dedicated subnet and exposed to the public internet via a public IP address that is shared by all the tenant workloads. A Web Access Firewall (WAF) Azure Policy is associated to the application gateway at the root level and at the HTTP listener level, to protect tenant workloads from malicious attacks. The policy is configured in Prevention mode and uses [OWASP 3.1](https://owasp.org/www-project-application-security-verification-standard) to block intrusions and attacks that are detected by rules. The attacker receives a "403 unauthorized access" exception, and the connection is closed. Prevention mode records these attacks in the WAF logs.
+The architecture includes an application gateway that is used by the ingress controller. The application gateway is deployed to a dedicated subnet and exposed to the public internet via a public IP address that is shared by all the tenant workloads. A Web Access Firewall (WAF) policy is associated to the application gateway at the root level and at the HTTP listener level, to protect tenant workloads from malicious attacks. The policy is configured in Prevention mode and uses [OWASP 3.1](https://owasp.org/www-project-application-security-verification-standard) to block intrusions and attacks that are detected by rules. The attacker receives a "403 unauthorized access" exception, and the connection is closed. Prevention mode records these attacks in the WAF logs.
A key vault is used as a secret store by workloads that run on Azure Kubernetes Service (AKS) to retrieve keys, certificates, and secrets via a client library, [Secrets Store CSI Driver](/azure/aks/csi-secrets-store-driver), or [Dapr](https://docs.dapr.io/developing-applications/building-blocks/secrets/secrets-overview). [Azure Private Link](/azure/private-link/private-link-overview) enables AKS workloads to access Azure platform as a service (PaaS) Services, such as Key Vault, over a private endpoint in the virtual network.
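Review bot: the changed line still says "Web Access Firewall (WAF) policy"; the product is Azure Web Application Firewall, as expanded in the first paragraph of this file, so the fix should be "A Web Application Firewall (WAF) policy". Two further problems remain on that line: the attacker "receives a '403 unauthorized access' exception" conflates status codes (HTTP 403 is Forbidden; 401 is Unauthorized), so suggest "receives an HTTP 403 Forbidden response"; and the "[OWASP 3.1]" link points to the OWASP Application Security Verification Standard, whereas the rule set referenced here (see the "OWASP Core Rule Set (CRS)" mention at the top of the file) is CRS 3.1, so the link text and target should name the CRS.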
@@ -118,7 +118,7 @@ To enable multi-namespace support, do the following:
Once deployed with the ability to observe multiple namespaces, AGIC will do the following:
- List ingress resources from all the accessible namespaces
-- Filter to ingress resources that are annotated with kubernetes.io/ingress.class: Azure/application-gateway
+- Filter to ingress resources that are annotated with `kubernetes.io/ingress.class: azure/application-gateway`
- Compose combined [Application Gateway config](https://github.com/Azure/azure-sdk-for-go/blob/37f3f4162dfce955ef5225ead57216cf8c1b2c70/services/network/mgmt/2016-06-01/network/models.go#L1710-L1744)
- Apply the config to the associated application gateway via [ARM](/azure/azure-resource-manager/management/overview)
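Review bot: lowercasing the annotation value to `kubernetes.io/ingress.class: azure/application-gateway` and putting it in code formatting is the right fix, since annotation values are case-sensitive and a reader copying "Azure/application-gateway" would get ingresses that AGIC ignores. In the unchanged context line below, the "Application Gateway config" link pins a 2016-06-01 network API model in the azure-sdk-for-go repository at a fixed commit; consider linking to current Application Gateway REST API documentation instead.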
@@ -217,7 +217,7 @@ Although the availability and reliability considerations are not fully pertainin
#### Container registry
-- We suggest storing container images in Azure Container Registry, and then geo-replicate the registry to each AKS region using [Azure Container Registry geo-replication](/azure/container-registry/container-registry-geo-replication). Geo-replication is a feature of Premium SKU Container Registry registries.
+- We suggest storing container images in Azure Container Registry, and then geo-replicate the registry to each AKS region using [Azure Container Registry geo-replication](/azure/container-registry/container-registry-geo-replication). Geo-replication is a feature of the Premium SKU.
- Scan your container images for vulnerabilities, and only deploy images that have passed validation. Regularly update the base images and application runtime, and then redeploy your workloads in the AKS cluster.
- Limit the image registries that pods and deployments can use. Only allow trusted registries, where you validate and control the images that are available.
- As you use base images for application images, use automation to build new images, when the base image is updated. Because those base images typically include security fixes, update any downstream application container images. We recommend that you scan the container images for vulnerabilities as part of CI/CD pipeline before you publish the images to Container Registry. [Azure Defender for Containers](/azure/defender-for-cloud/defender-for-containers-cicd) can be integrated to CI/CD workflows.
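Review bot: the changed bullet fixes the redundant "Premium SKU Container Registry registries", but the sentence still lacks parallel structure: "We suggest storing container images in Azure Container Registry, and then geo-replicate the registry" should read "and then geo-replicating the registry".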
diff --git a/docs/example-scenario/aks-front-door/aks-front-door-content.md b/docs/example-scenario/aks-front-door/aks-front-door-content.md
index 850f423bc3e..eaeabad087c 100644
--- a/docs/example-scenario/aks-front-door/aks-front-door-content.md
+++ b/docs/example-scenario/aks-front-door/aks-front-door-content.md
@@ -64,7 +64,7 @@ The architecture consists of the following components:
- [Azure Front Door Premium](/azure/frontdoor/front-door-overview) is a Layer-7 global load balancer and modern cloud content delivery network. It provides fast, reliable, and secure access between your users' and your applications' static and dynamic web content across the globe. You can use Azure Front Door to deliver your content by using Microsoft's global edge network. The network has hundreds of [global and local points of presence](/azure/frontdoor/edge-locations-by-region) distributed around the world. So you can use points of presence that are close to your enterprise and consumer customers.
In this solution, Azure Front Door is used to expose an AKS-hosted sample web application via a [Private Link service](/azure/private-link/private-link-service-overview) and the [NGINX ingress controller](https://docs.nginx.com/nginx-ingress-controller/intro/overview/). Azure Front Door is configured to expose a custom domain for the Azure Front Door endpoint. The custom domain is configured to use the Azure Front Door secret that contains a TLS certificate that's read from [Key Vault](/azure/key-vault/general/overview).
-- [Azure Web Application Firewall](/azure/web-application-firewall/afds/afds-overview) protects the AKS-hosted applications that are exposed via [Azure Front Door](/azure/frontdoor/front-door-overview) from common web-based attacks, such as The [Open Web Application Security Project (OWASP)](https://owasp.org) vulnerabilities, SQL injections, and cross-site scripting. This cloud-native, pay-as-you-use technology doesn't require licensing. Azure Web Application Firewall provides protection for your web applications and defends your web services against common exploits and vulnerabilities.
+- [Azure Web Application Firewall](/azure/web-application-firewall/afds/afds-overview) protects the AKS-hosted applications that are exposed via [Azure Front Door](/azure/frontdoor/front-door-overview) from common web-based attacks, such as the [Open Web Application Security Project (OWASP)](https://owasp.org) vulnerabilities, SQL injections, and cross-site scripting. This cloud-native, pay-as-you-use technology doesn't require licensing. Azure Web Application Firewall provides protection for your web applications and defends your web services against common exploits and vulnerabilities.
- An [Azure DNS zone](/azure/dns/dns-overview) is used for the name resolution of the Azure Front Door custom domain. You can use Azure DNS to host your DNS domain and manage your DNS records.
- The [CNAME](/azure/templates/microsoft.network/dnszones/cname) record is used to create an alias or pointer from one domain name to another. You can configure a [CNAME record](https://en.wikipedia.org/wiki/CNAME_record) to redirect DNS queries for the custom domain to the original hostname of the Azure Front Door endpoint.
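Review bot: the "such as The" to "such as the" fix is fine, but the list it introduces is not parallel: "OWASP vulnerabilities, SQL injections, and cross-site scripting" presents SQL injection and cross-site scripting as alternatives to OWASP vulnerabilities, when they are examples of them. Suggest "such as those in the OWASP Top 10, including SQL injection and cross-site scripting".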
@@ -207,7 +207,7 @@ Operational excellence covers the operations processes that deploy an applicatio
- Use a [Helm](https://helm.sh) chart in a continuous integration and continuous delivery (CI/CD) pipeline to deploy your workloads to AKS.
- Use A/B testing and canary deployments in your application lifecycle management to properly test an application before you make it available to users.
-- Use [Container Registry](/azure/container-registry/container-registry-intro) or a non-Microsoft Container Registry, such as [Harbor](https://goharbor.io/) or [Docker Hub](https://hub.docker.com/), to store private container images that are deployed to the cluster.
+- Use [Azure Container Registry](/azure/container-registry/container-registry-intro) or a non-Microsoft container registry, such as [Harbor](https://goharbor.io/) or [Docker Hub](https://hub.docker.com/), to store private container images that are deployed to the cluster.
- Test ingress and egress on your workloads in a separate preproduction environment that mirrors the network topology and firewall rules of your production environment.
#### Monitoring
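Review bot: this hunk correctly restores "non-Microsoft container registry" (generic term) and adds the full product name "Azure Container Registry" for the link text, undoing the capitalization regression introduced by PATCH 1/2 in the same file. Since both patches are in one series, squashing the two so the regression never lands would give a cleaner history.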