Category Archives: Azure Kubernetes

Building modern IT architectures for Machine Learning

For most companies, the ability to continuously provide and integrate artificial intelligence solutions within their own applications and business workflows is considered a particularly complex evolution. In the rapidly evolving artificial intelligence landscape, machine learning (ML) plays a fundamental role together with "data science". Therefore, to increase the success rate of artificial intelligence projects, organizations must have modern and efficient IT architectures for machine learning. This article describes how these architectures can be built anywhere thanks to the integration between Kubernetes, Azure Arc and Azure Machine Learning.

Azure Machine Learning

Azure Machine Learning (AzureML) is a cloud service that you can use to accelerate and manage the life cycle of machine learning projects, bringing ML models into a secure and reliable production environment.

Kubernetes as a compute target for Azure Machine Learning

Azure Machine Learning recently introduced a new compute target: AzureML Kubernetes compute. It is now possible to use an existing Azure Kubernetes Service (AKS) cluster or an Azure Arc-enabled Kubernetes cluster as a compute target for Azure Machine Learning and use it to validate and deploy ML models.

Figure 1 - Overview on how to take Azure ML anywhere thanks to K8s and Azure Arc

AzureML Kubernetes compute supports two types of Kubernetes clusters:

  • AKS cluster (in the Azure environment). Using an Azure Kubernetes Service (AKS) managed cluster, you get a flexible, secure environment capable of meeting compliance requirements for ML workloads.
  • Arc-enabled Kubernetes cluster (in environments other than Azure). Thanks to Azure Arc-enabled Kubernetes it is possible to manage Kubernetes clusters running in environments other than Azure (on-premises or on other clouds) and use them to deploy ML models.

To enable a Kubernetes cluster and use it to run AzureML workloads, follow these steps:

  1. Activate and configure an AKS cluster or an Arc-enabled Kubernetes cluster. Note that AKS can also be activated in an Azure Stack HCI environment.
  2. Deploy the AzureML extension on the cluster.
  3. Connect the Kubernetes cluster to the Azure ML workspace.
  4. Use the Kubernetes compute target from CLI v2, SDK v2 and the Studio UI.

Figure 2 - Steps to enable and use a K8s cluster for AzureML workloads
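As an added example (not code from the original article), the following POSIX shell script performs steps 2 and 3 above with the Azure CLI: it deploys the AzureML extension and attaches the cluster to a workspace, choosing the resource provider path and extension cluster type that differ between an AKS cluster and an Arc-enabled cluster. The subscription id, resource group, cluster, namespace, TLS secret and workspace names are placeholders.

```shell
# Added example: enable a Kubernetes cluster as an AzureML compute target
# (steps 2 and 3 of the article) with the Azure CLI (az, with the
# k8s-extension and ml extensions installed). All names are placeholders.
set -eu

# ARM resource id of the cluster. AKS and Arc-enabled clusters live under
# different resource providers; this is the value expected by
# `az ml compute attach --resource-id`.
cluster_resource_id() {
  kind=$1; sub=$2; rg=$3; name=$4
  case "$kind" in
    aks) provider="Microsoft.ContainerService/managedClusters" ;;
    arc) provider="Microsoft.Kubernetes/connectedClusters" ;;
    *) echo "unknown cluster kind: $kind" >&2; return 1 ;;
  esac
  echo "/subscriptions/$sub/resourceGroups/$rg/providers/$provider/$name"
}

# Value for `az k8s-extension create --cluster-type`, which also differs.
extension_cluster_type() {
  case "$1" in
    aks) echo managedClusters ;;
    arc) echo connectedClusters ;;
    *) echo "unknown cluster kind: $1" >&2; return 1 ;;
  esac
}

# Step 2: deploy the AzureML extension with training and inference enabled.
# Plain-HTTP inference is refused; the TLS certificate for the inference
# router comes from a Kubernetes secret (placeholder) in the azureml namespace.
deploy_azureml_extension() {
  kind=$1; rg=$2; cluster=$3; tls_secret=$4; cname=$5
  az k8s-extension create \
    --name azureml \
    --extension-type Microsoft.AzureML.Kubernetes \
    --cluster-type "$(extension_cluster_type "$kind")" \
    --cluster-name "$cluster" \
    --resource-group "$rg" \
    --scope cluster \
    --config enableTraining=True enableInference=True \
             inferenceRouterServiceType=LoadBalancer \
             allowInsecureConnections=False \
             sslSecret="$tls_secret" sslCname="$cname"
}

# Step 3: attach the cluster to the AzureML workspace as a Kubernetes compute.
# Workloads run in a dedicated namespace, which must exist on the cluster.
attach_to_workspace() {
  kind=$1; sub=$2; rg=$3; cluster=$4; ws=$5; ns=$6
  kubectl create namespace "$ns" --dry-run=client -o yaml | kubectl apply -f -
  az ml compute attach \
    --resource-group "$rg" \
    --workspace-name "$ws" \
    --type Kubernetes \
    --name k8s-compute \
    --resource-id "$(cluster_resource_id "$kind" "$sub" "$rg" "$cluster")" \
    --namespace "$ns" \
    --identity-type SystemAssigned
}

# Check: the extension reports Succeeded and its pods are running.
verify_extension() {
  kind=$1; rg=$2; cluster=$3
  az k8s-extension show --name azureml \
    --cluster-type "$(extension_cluster_type "$kind")" \
    --cluster-name "$cluster" --resource-group "$rg" \
    --query provisioningState -o tsv
  kubectl get pods -n azureml
}

# Set AZUREML_K8S_APPLY=1 to run against a real cluster (placeholder values).
if [ "${AZUREML_K8S_APPLY:-0}" = "1" ]; then
  deploy_azureml_extension arc my-rg my-arc-cluster my-tls-secret ml.example.internal
  attach_to_workspace arc 00000000-0000-0000-0000-000000000000 my-rg \
    my-arc-cluster my-ml-workspace azureml-workloads
  verify_extension arc my-rg my-arc-cluster
fi
```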

Infrastructure management for ML workloads can be complex and Microsoft recommends that it be done by the IT-operations team, so that the data science team can focus on the efficiency of the ML models. In light of this consideration, the division of roles can be as follows:

  • The IT operations team is responsible for the first three steps above. It also typically performs the following activities for the data science team:
    • Configures networking and security aspects.
    • Creates and manages instance types for different ML workload scenarios in order to achieve efficient use of compute resources.
    • Troubleshoots workloads running on the Kubernetes clusters.
  • Once the IT operations team has completed the activation activities, the data science team can find the list of compute targets and instance types available in the AzureML workspace. These compute resources can be used for training or inference workloads. The team selects the compute target using tools such as the AzureML CLI v2, Python SDK v2 or Studio UI.

Usage scenarios

The ability to use Kubernetes as a compute target for Azure Machine Learning, combined with the potential of Azure Arc, allows you to create, train and deploy ML models in any on-premises infrastructure or on different clouds.

This enables new usage scenarios that were previously not possible using only the cloud environment. The following table summarizes the use scenarios made possible by Azure ML Kubernetes compute, specifying where the data resides, the motivation that drives each usage model and how it is implemented at the infrastructure and Azure ML level.

Table 1 - New usage scenarios made possible by Azure ML Kubernetes compute


Gartner expects that by 2025, due to the rapid spread of AI initiatives, 70% of organizations will have operationalized IT architectures for artificial intelligence. Microsoft, thanks to the integration between different solutions, offers a series of possibilities to activate flexible and cutting-edge architectures for machine learning, an integral part of artificial intelligence.

How to accelerate the application modernization process with Azure

There are several companies that undertake a digital transformation process centered on the public cloud with the aim of increasing innovation, agility and operational efficiency. As part of this path, application modernization is fast becoming a milestone that allows important benefits to be achieved. This article explores how it is possible to undertake and accelerate the modernization process of applications with the solutions available in Microsoft Azure and which opportunities can be seized.

Microsoft Azure offers the flexibility to choose from a wide range of options to host your applications, covering the spectrum of Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Container-as-a-Service (CaaS) and serverless.

The trend toward modern applications built on microservices-based architectures makes containers the ideal solution for efficiently deploying software and operating at scale. In addition to consistent, reliable and repeatable deployments across all environments, containers allow better use of the infrastructure and a standardization of management practices.

Furthermore, customers increasingly use containers even for applications that were not specifically designed for microservices-based architectures. In these cases, it is possible to implement a migration strategy for existing applications that involves only minimal changes to the application code or to its configuration: the changes strictly necessary to optimize the application for hosting on PaaS and CaaS solutions.

This migration technique is usually used when:

  • You want to leverage an existing code base
  • Code portability is important
  • The application can be easily packaged to run in an Azure environment
  • The application must be more scalable and deployable faster
  • We want to promote business agility through continuous innovation by adopting DevOps techniques

Repackage application with Azure Migrate: App Containerization

To facilitate this migration process you can use the Azure Migrate solution, which includes many tools and features, among them the App Containerization tool. This tool offers a "point-and-containerize" approach to "repackage" applications using containers, making minimal changes to the code only if necessary. The tool currently supports containerization of ASP.NET applications and Java web applications running on Apache Tomcat.

Figure 1 – Application modernization capabilities by adopting Azure Migrate: App Containerization

The App Containerization tool allows you to perform the following activities:

  • Remotely connect to application servers to discover applications and their configurations.
  • Parameterize configurations and application dependencies, such as database connection strings, to enable consistent and repeatable deployments.
  • Externalize static content and state stored on the file system, moving them to persistent storage.
  • Create and publish container images using Azure Container Registry.
  • Customize and reuse the generated artifacts, such as Dockerfiles, container images and Kubernetes resource definition files. This allows you to integrate them directly into the continuous integration and continuous delivery (CI/CD) pipeline.

Furthermore, Azure Migrate: App Containerization provides for the use of Azure Key Vault to manage secrets and for automatic integration with Azure Application Insights to monitor Java applications.

Azure App Service vs Azure Kubernetes Service (AKS): which one to choose?

App Containerization allows you to migrate containerized applications using Azure App Service or Azure Kubernetes Service (AKS). The following paragraphs contain some considerations for evaluating which service is best suited to host your applications.

Azure App Service: Azure Web App for Containers

For web-based workloads, it is possible to run containers from Azure App Service, the Azure web hosting platform, using the Azure Web App for Containers service, with the advantage of being able to exploit the deployment methods, scalability and monitoring built into the solution.

The automation and management of a large number of containers and of the ways in which they interact with each other is known as orchestration. When multiple containers need to be orchestrated, it is necessary to adopt more sophisticated solutions such as Azure Kubernetes Service (AKS).

Azure Kubernetes Service (AKS)

Azure Kubernetes Service (AKS) is the fully managed Azure service that allows the activation of a Kubernetes cluster.

Kubernetes, also known as "k8s", provides automated orchestration of containers, improving their reliability and reducing the time and resources required for DevOps activities. Kubernetes simplifies deployments, allowing you to automatically perform rollouts and rollbacks. Furthermore, it improves application management and monitors the status of services to avoid errors during rollout. Among its various functions are service health checks, with the ability to restart containers that are not running or that are stuck, advertising to clients only the services that have started correctly. Kubernetes also scales automatically based on usage and, exactly like containers, allows you to manage the cluster environment in a declarative way, enabling version-controlled and easily replicable configuration.

Figure 2 - Example of microservices architecture based on Azure Kubernetes Service (AKS)

Next step: innovate using modern application solutions

The migration technique described in the previous paragraphs is often also the first step toward further modernization of the application, which involves a redesign. In fact, the next step is to modify or extend the architecture and code base of the existing application, optimizing it for the cloud platform. When integrating modern application platforms into your cloud adoption strategy, innovation is not limited to containers. This integration offers an important innovation that also involves the adoption of hybrid and multicloud strategies.

Figure 3 – Innovation given by modern application platforms


There is a clear and growing trend toward modernization of applications aimed at ensuring greater flexibility, a reduction in the infrastructure footprint and the possibility of benefiting from the innovation offered by the cloud. This modernization does not necessarily have to start with rebuilding the application from scratch using cloud-native technologies; it can happen gradually. Thanks to the App Containerization tool in Azure Migrate, it is possible to undertake the modernization path with a simple approach that allows you to quickly benefit from the potential offered by cloud solutions. Furthermore, knowing that Azure provides different infrastructure solutions to host modern applications facilitates the application modernization journey.

Azure Kubernetes Service in an Azure Stack HCI environment

The hyper-converged Azure Stack HCI solution allows you to activate the Azure Kubernetes Service (AKS) orchestrator in an on-premises environment for running containerized applications at scale. This article explores how AKS in an Azure Stack HCI environment makes it possible to host Linux and Windows containers in your datacenter, and examines the main benefits of this solution.

Before going into the specifics of AKS in the Azure Stack HCI environment, a summary of the solutions involved is provided.

What is Kubernetes?

Kubernetes, also known as "k8s", provides automated orchestration of containers, improving their reliability and reducing the time and resources required for DevOps activities, through:

  • Generally simpler deployments that allow automatic rollouts and rollbacks.
  • Better application management, with the ability to monitor the status of services to avoid rollout errors. In fact, the various features include service health checks, with the ability to restart containers that are not running or that are stuck, advertising to clients only the services that have started correctly.
  • Ability to scale automatically based on usage and, exactly as for containers, to manage the cluster environment in a declarative manner, enabling version-controlled and easily replicable configuration.

Figure 1 – Kubernetes cluster with related architecture components

What is Azure Kubernetes Service (AKS)?

Azure Kubernetes Service (AKS) is the fully managed Azure service that allows the activation of a Kubernetes cluster, ideal for simplifying the deployment and management of microservices-based architectures. Thanks to the features offered by AKS it is possible to scale automatically according to the use, use controls to ensure the integrity of the services, implement load balancing policies and manage secrets. The use of this managed service is integrated with the container development and deployment pipelines.

Figure 2 - Azure Kubernetes Service (AKS) architecture example

What is Azure Stack HCI?

Azure Stack HCI is the solution that allows you to create a hyper-converged infrastructure (HCI) for running workloads in an on-premises environment, with a strategic connection to Azure services. In a hyper-converged infrastructure, several hardware components are removed and replaced by software, combining the compute, storage and network layers in a single solution. This is a transition from a traditional "three tier" infrastructure, composed of network switches, appliances, physical systems with onboard hypervisors, storage fabric and SAN, toward a hyper-converged infrastructure (HCI).

Figure 3 – "Three Tier" Infrastructure vs Hyper-Converged Infrastructure (HCI)

What is AKS in Azure Stack HCI?

AKS in the Azure Stack HCI environment is a Microsoft implementation of AKS, which automates the deployment and management of containerized applications.

Microsoft, after introducing AKS as a service in Azure, has extended its availability also to on-premises environments. However, there are some important differences:

  • In Azure, Microsoft manages the control plane of each AKS cluster. Furthermore, the cluster nodes (management nodes and worker nodes) run on Azure virtual machines or on Azure virtual machine scale sets.
  • In an on-premises environment, the customer manages the entire environment, where the AKS cluster nodes run on virtual machines hosted on the hyper-converged infrastructure.

AKS architecture on Azure Stack HCI

The implementation of AKS in Azure Stack HCI consists of two types of clusters:

  • An AKS management cluster. This cluster acts as a dedicated control plane for managing the Kubernetes clusters running on the hyper-converged platform. It consists of Linux virtual machines that host Kubernetes system components such as API servers and load balancers.
  • One or more Kubernetes clusters. These clusters consist of control nodes and worker nodes. Control nodes are implemented as Linux virtual machines, with API server and load balancers that satisfy the requests of Azure Stack HCI users. Workloads are distributed on Linux or Windows OS-based worker nodes.

Figure 4 - AKS architecture on Azure Stack HCI

Each Kubernetes cluster runs on its own dedicated set of virtual machines, protected by hypervisor-based isolation, allowing you to securely share the same physical infrastructure even in scenarios that require workload isolation.

AKS on Azure Stack HCI supports both Linux-based and Windows-based containers. When you create a Kubernetes cluster you simply specify the type of container you intend to run, and the hyper-converged platform automatically starts the installation of the required operating system on the nodes of the Kubernetes cluster.

Benefits of AKS on Azure Stack HCI

AKS simplifies the deployment of Kubernetes clusters by providing a layer of abstraction that can mask some of the more challenging implementation details.

Among the main benefits of AKS in the Azure Stack HCI environment we find:

  • Simplified deployments of containerized apps in a cluster environment. Using the Windows Admin Center you have a guided installation process of the AKS management cluster. Windows Admin Center also facilitates the installation of individual Kubernetes clusters that contain worker nodes, through an automatic installation process of all relevant software components, including management tools such as kubectl.
  • Ability to scale horizontally to manage computational resources, adding or removing Kubernetes cluster nodes.
  • Simplified management of cluster resource storage and network configurations.
  • Automatic updates of cluster nodes to the latest version of Kubernetes available. Microsoft manages the Windows Server and Linux images for the cluster nodes and updates them monthly.
  • Strategic connection, using Azure Arc, to Azure services such as: Microsoft Azure Monitor, Azure Policy, and Azure Role-Based Access Control (RBAC).
  • Centralized management of Kubernetes clusters and related workloads through the Azure portal, thanks to the adoption of Azure Arc for Kubernetes. Azure portal-based management also integrates traditional Kubernetes administration tools and interfaces, like the command line utility kubectl and the Kubernetes dashboard.
  • Automatic failover of the virtual machines acting as Kubernetes cluster nodes if there is a localized failure of the underlying physical components. This complements the high availability inherent in Kubernetes, which automatically restarts containers in a failed state.


Thanks to Azure Stack HCI, container-based application architectures can be hosted directly in your own datacenter, with the same Kubernetes management experience you have with the managed service in the Azure public cloud. The deployment process is also very simple and intuitive. Furthermore, Azure Stack HCI allows you to further improve the agility and resilience of Kubernetes deployments in an on-premises environment.

Secure network architecture design for Azure Kubernetes Service (AKS)

The trend toward applications based on microservices requires state-of-the-art solutions capable of managing a large number of containers and the ways in which they interact with each other, such as Azure Kubernetes Service (AKS). When designing Azure Kubernetes Service (AKS) architectures, several elements need to be evaluated to obtain a network topology that ensures maximum efficiency and security. This article outlines the main points to consider, accompanied by some proposals, to make informed choices when designing network architectures for AKS.

What is Azure Kubernetes Service (AKS)?

Azure Kubernetes Service (AKS) is the fully managed Azure service that allows the activation of a Kubernetes cluster, ideal for simplifying the deployment and management of microservices-based architectures. Thanks to the features offered by AKS it is possible to scale automatically according to the use, use controls to ensure the integrity of the services, implement load balancing policies and manage secrets. In microservices-based architectures, it is also common to adopt the Azure Container Registry that allows you to create, store and manage container images and artifacts in a private registry. The use of this managed service is integrated with the container development and deployment pipelines.

Figure 1 - Azure Kubernetes Service (AKS) architecture example

The network topology

In a Hub and Spoke network architecture, the Hub is a virtual network on Azure that serves as the point of connectivity to the on-premises network. This connectivity can be provided through a site-to-site VPN or through ExpressRoute. The Spokes are virtual networks peered with the Hub and can be used to isolate workloads.

Figure 2 - Hub and Spoke network topology

This network topology is also recommended for AKS architectures as it can offer several advantages, including:

  • Environment segregation, to enforce governance policies more easily and gain greater control. This topology also supports the concept of "landing zones" by providing for the separation of duties.
  • Minimizing the direct exposure of Azure resources to the public network (Internet).
  • Support for workloads residing in different Azure subscriptions, making it a natural choice in these scenarios.
  • Ability to easily extend the architecture to accommodate new features or new workloads, simply by adding further spoke virtual networks.
  • Ability to centralize Azure services shared by multiple workloads (residing in different VNets) in a single location, such as DNS servers and any virtual network appliances. It also reduces the number of VPN gateways needed to provide connectivity to the on-premises environment, resulting in Azure cost savings and a simpler architecture.

Figure 3 - Hub and Spoke network topology for AKS

Hub Virtual Network

In the Hub network it is possible to evaluate the adoption of the following services:

  • VPN or ExpressRoute Gateway: necessary to provide connectivity to the on-premises environment.
  • Firewall solutions, necessary if you want to control the traffic leaving your AKS environment, such as from pods or cluster nodes, toward external services. In this context, the choice can fall between:
    • Azure Firewall, the firewall-as-a-service (FWaaS) solution that allows you to secure the resources present in the virtual networks and to govern the related network flows.
    • Network Virtual Appliances (NVAs) provided by third-party vendors. Such solutions are numerous and can offer advanced functionality, but their configuration is typically more complex and their cost tends to be higher than the solution provided by the Azure platform. A comparison between the new Azure Firewall and third-party virtual appliances can be found in this article.
  • Azure Bastion, the PaaS service that offers secure and reliable RDP and SSH access to virtual machines, directly through the Azure portal.

Spoke Virtual Network

The AKS cluster is placed in the Spoke network together with other resources closely related to its operation. The Spoke VNet is split into different subnets to accommodate the following components:

  • The two groups of nodes (node pools) in AKS:
    • AKS System Node pool: the pool of system nodes that host the pods needed to run the core services of the cluster.
    • AKS User Node pool: the pool of user nodes that run the application workloads and the ingress controller.

For multi-tenant application environments or for workloads with advanced needs, it may be necessary to implement isolation mechanisms of node pools that require the presence of different subnets.

  • AKS Internal Load Balancer: the balancer that routes and distributes inbound traffic for Kubernetes resources. In this case the Azure Load Balancer component is used, which provides Layer-4 load balancing for all TCP and UDP protocols, ensuring high performance and very low latency.
  • Azure Application Gateway: a service managed by the Azure platform, with inherent high availability and scalability. The Application Gateway is an application load balancer (OSI layer 7) for web traffic that allows you to govern HTTP and HTTPS application traffic (URL path, host based, round robin, session affinity, redirection). The Application Gateway can centrally manage certificates for application publishing, using SSL and SSL offload policies when necessary. The Application Gateway may be assigned a private IP address, or a public IP address if the application must be published on the Internet. In the latter case in particular, it is recommended to turn on the Web Application Firewall (WAF), which provides application protection based on the OWASP core rule sets. The WAF protects the application from vulnerabilities and against common attacks such as cross-site scripting and SQL injection.

Thanks to the adoption of Azure Private Link you can bring Azure services into a virtual network and map them to a private endpoint. In this way, all traffic is routed through the private endpoint, keeping it on the Microsoft global network. The data never traverses the Internet, which reduces exposure to threats and helps to meet compliance standards.

Figure 4 - Overview of Azure Private Link

In AKS environments, Azure Private Link endpoints are usually created in the Spoke virtual network subnets for Azure Container Registry and Azure Key Vault.

Below is a diagram with the incoming and outgoing network flows for an AKS environment, which also includes the presence of Azure Firewall to control outgoing traffic.

Figure 5 - Example of network flows in a typical AKS architecture

Management traffic

In order to allow management of the environment, such as creating new resources or scaling the cluster, it is advisable to provide access to the Kubernetes API. It is good practice to apply network filters that authorize this access selectively.

Private AKS cluster

If you want to implement a totally private AKS environment, where no service is exposed to the Internet, it is possible to adopt an AKS cluster in "private" mode.
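As an added example (not code from the original article), this POSIX shell script provisions the Spoke side of the architecture described in the sections above with the Azure CLI: Azure Firewall egress rules in the Hub, a route table that forces node traffic through the firewall, separate subnets for the system and user node pools, and the choice between a private API server and a public one filtered by authorized source ranges. Resource names, region and address ranges are placeholders or constructed values.

```shell
# Added example: egress-controlled AKS Spoke with the Azure CLI (az, with the
# azure-firewall extension). Names are placeholders; CIDRs are constructed.
set -eu

RG=${RG:-aks-net-rg}                  # placeholder resource group
LOCATION=${LOCATION:-westeurope}      # placeholder region
HUB_FW=${HUB_FW:-hub-azfw}            # placeholder Azure Firewall in the Hub VNet
SPOKE_VNET=${SPOKE_VNET:-spoke-aks-vnet}
NODE_CIDR=10.20.0.0/16                # constructed: node subnets of the Spoke VNet

# Kubernetes API access ("Management traffic" / "Private AKS cluster"):
# "private" removes the public endpoint; "restricted" keeps it but only
# answers callers from the given source ranges (comma-separated CIDRs).
api_access_args() {
  mode=$1; ranges=${2:-}
  case "$mode" in
    private) echo "--enable-private-cluster" ;;
    restricted)
      [ -n "$ranges" ] || { echo "restricted mode needs CIDR ranges" >&2; return 1; }
      echo "--api-server-authorized-ip-ranges $ranges" ;;
    *) echo "unknown API access mode: $mode" >&2; return 1 ;;
  esac
}

# Azure Firewall rules allowing nodes and pods to reach only what AKS needs:
# the AzureKubernetesService FQDN tag (control plane, MCR, package feeds),
# the API tunnel ports and NTP. Anything else is denied by default.
create_egress_rules() {
  az network firewall application-rule create -g "$RG" --firewall-name "$HUB_FW" \
    --collection-name aks-fqdn --name aks-required --action allow --priority 100 \
    --source-addresses "$NODE_CIDR" --protocols http=80 https=443 \
    --fqdn-tags AzureKubernetesService
  az network firewall network-rule create -g "$RG" --firewall-name "$HUB_FW" \
    --collection-name aks-net --name api-tunnel --action allow --priority 100 \
    --source-addresses "$NODE_CIDR" --destination-addresses "AzureCloud.$LOCATION" \
    --protocols UDP TCP --destination-ports 1194 9000
  az network firewall network-rule create -g "$RG" --firewall-name "$HUB_FW" \
    --collection-name aks-net --name ntp \
    --source-addresses "$NODE_CIDR" --destination-addresses '*' \
    --protocols UDP --destination-ports 123
}

# Force all outbound traffic from the node subnets through the Hub firewall.
route_egress_via_firewall() {
  fw_ip=$(az network firewall show -g "$RG" -n "$HUB_FW" \
            --query "ipConfigurations[0].privateIPAddress" -o tsv)
  az network route-table create -g "$RG" -l "$LOCATION" -n aks-egress-rt
  az network route-table route create -g "$RG" --route-table-name aks-egress-rt \
    -n default-via-fw --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$fw_ip"
  for subnet in aks-system-nodes aks-user-nodes; do
    az network vnet subnet update -g "$RG" --vnet-name "$SPOKE_VNET" \
      -n "$subnet" --route-table aks-egress-rt
  done
}

# Create the cluster with user-defined routing (no public egress of its own)
# and a user node pool in its own subnet, separate from the system pool.
create_cluster() {
  mode=$1; ranges=${2:-}
  sys_subnet=$(az network vnet subnet show -g "$RG" --vnet-name "$SPOKE_VNET" \
                 -n aks-system-nodes --query id -o tsv)
  usr_subnet=$(az network vnet subnet show -g "$RG" --vnet-name "$SPOKE_VNET" \
                 -n aks-user-nodes --query id -o tsv)
  # the helper returns whole CLI arguments, so it is expanded unquoted
  az aks create -g "$RG" -n spoke-aks --network-plugin azure \
    --vnet-subnet-id "$sys_subnet" --outbound-type userDefinedRouting \
    --nodepool-name system --node-count 3 \
    $(api_access_args "$mode" "$ranges")
  az aks nodepool add -g "$RG" --cluster-name spoke-aks -n userpool \
    --mode User --node-count 3 --vnet-subnet-id "$usr_subnet"
}

# Set AKS_NET_APPLY=1 to run for real ("private", or "restricted <cidrs>").
if [ "${AKS_NET_APPLY:-0}" = "1" ]; then
  create_egress_rules
  route_egress_via_firewall
  create_cluster private
fi
```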


The increasing demand for microservices-based application architectures that use Azure Kubernetes Service (AKS) requires identifying and building network architectures designed to be secure, flexible and highly integrated. All this must take place through a modern approach able to fully exploit the networking potential offered by Azure.