Category Archives: Container Management

How to accelerate the application modernization process with Azure

Many companies are undertaking a digital transformation process centered on the public cloud with the aim of increasing innovation, agility and operational efficiency. Along this path, application modernization is fast becoming a milestone that delivers important benefits. This article explores how the modernization of applications can be undertaken and accelerated with the solutions available in Microsoft Azure, and which opportunities can be seized.

Microsoft Azure offers the flexibility to choose from a wide range of options to host your applications, covering the spectrum of Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Container-as-a-Service (CaaS) and serverless.

The trend toward modern applications built on microservices-based architectures makes containers the ideal solution for deploying software efficiently and operating at scale. In addition to consistent, reliable and repeatable deployments across all environments, containers allow better use of the infrastructure and a standardization of management practices.

Furthermore, customers increasingly use containers even for applications that were not designed for microservices-based architectures. In these cases, it is possible to adopt a migration strategy for existing applications that involves only minimal changes to the application code or to its configuration: the changes strictly necessary to optimize the application for hosting on PaaS and CaaS solutions.

This migration technique is usually used when:

  • You want to leverage an existing code base
  • Code portability is important
  • The application can be easily packaged to run in an Azure environment
  • The application must become more scalable and deployable faster
  • You want to promote business agility through continuous innovation by adopting DevOps techniques

Repackage application with Azure Migrate: App Containerization

To facilitate this migration process you can use the Azure Migrate solution, which includes many tools and features, among them the App Containerization tool. This tool offers a "point-and-containerize" approach to "repackage" applications into containers, making minimal changes to the code only where necessary. The tool currently supports the containerization of ASP.NET applications and of Java web applications running on Apache Tomcat.

Figure 1 – Application modernization capabilities by adopting Azure Migrate: App Containerization

The App Containerization tool allows you to perform the following activities:

  • Remotely connect to application servers to discover applications and their configurations.
  • Parameterize configurations and application dependencies, such as database connection strings, to enable consistent and repeatable deployments.
  • Externalize static content and state stored on the file system, moving them to persistent storage.
  • Create and publish container images using Azure Container Registry.
  • Customize and reuse the artifacts generated by the tool, such as the Dockerfile, the container images and the Kubernetes resource definition files. This allows you to integrate them directly into your continuous integration and continuous delivery (CI/CD) pipeline.

Furthermore, Azure Migrate: App Containerization provides for the use of Azure Key Vault to manage secrets and for automatic integration with Azure Application Insights to monitor Java applications.

Azure App Service vs Azure Kubernetes Service (AKS): which one to choose?

App Containerization allows you to migrate containerized applications using Azure App Service or Azure Kubernetes Service (AKS). The following paragraphs contain some considerations for evaluating which service is best suited to host your applications.

Azure App Service: Azure Web App for Containers

For web-based workloads, containers can be run from Azure App Service, the Azure web hosting platform, using the Azure Web App for Containers service, with the advantage of exploiting the deployment methodologies, scalability and monitoring inherent in the solution.

The automation and management of a large number of containers, and of the ways in which they interact with each other, is known as orchestration. When there is a need to orchestrate many containers, it is therefore necessary to adopt more sophisticated solutions such as Azure Kubernetes Service (AKS).

Azure Kubernetes Service (AKS)

Azure Kubernetes Service (AKS) is the fully managed Azure service that allows the activation of a Kubernetes cluster.

Kubernetes, also known as "k8s", provides automated orchestration of containers, improving their reliability and reducing the time and resources required for DevOps. Kubernetes tends to simplify deployments, allowing you to perform deployments and rollbacks automatically. Furthermore, it improves the management of applications and monitors the status of services to avoid errors in the deployment phase. Among its various functions are service health checks, with the ability to restart containers that are not running or that are stuck, so that only services that have started correctly are advertised to clients. Kubernetes also allows you to scale automatically based on usage and, exactly like containers, lets you manage the cluster environment declaratively, allowing version-controlled and easily replicable configuration.

Figure 2 - Example of microservices architecture based on Azure Kubernetes Service (AKS)

Next step: innovate using modern application solutions

The migration technique described in the previous paragraphs is often also the first step to undertake further modernization of the application which involves a redesign. Indeed, the next step is to modify or extend the architecture and code base of the existing application, optimizing it for the cloud platform. When integrating modern application platforms into your cloud adoption strategy, innovation is not limited to containers. This integration offers an important innovation that also involves the adoption of hybrid and multicloud strategies.

Figure 3 – Innovation given by modern application platforms

Conclusions

There is a clear and growing trend toward modernizing applications to ensure greater flexibility, a reduced infrastructure footprint and the possibility of benefiting from the innovation offered by the cloud. This modernization does not necessarily have to start with rebuilding the application from scratch on cloud-native technologies; it can happen gradually. Thanks to the App Containerization tool of Azure Migrate it is possible to begin the modernization path with a simple approach that lets you quickly benefit from the potential of cloud solutions. Furthermore, knowing that Azure provides different infrastructure solutions to host modern applications makes the application modernization journey easier.

How to increase the security of container-based application architectures

Modern applications based on microservices are increasingly widespread, and containers are an interesting building block for creating agile, scalable and efficient application architectures. Microservices offer great benefits, thanks to well-known and proven software design patterns that can be applied, but they also generate new challenges. One of these is certainly the security of these architectures, which require cutting-edge solutions to achieve a high level of protection. This article describes how the cloud-native container security solution, Microsoft Defender for Containers, is able to protect container-based application architectures, offering advanced capabilities for detecting and responding to security threats.

Functionality offered by the solution

Thanks to Microsoft Defender for Containers it is possible to improve, monitor and maintain the security of clusters, containers and the related applications. Indeed, this plan provides the following benefits:

  • Hardening of the environment
  • Vulnerability Scanning
  • Run-time threat protection for the cluster environment and for the nodes

The benefits listed above are detailed in the following paragraphs.

Hardening of the environment

Through a continuous assessment of cluster environments, Defender for Containers provides complete visibility into any misconfigurations and compliance with guidelines. By generating recommendations it helps mitigate potential security threats.

Furthermore, thanks to Kubernetes admission control it is possible to ensure that all configurations comply with security best practices. Indeed, by adopting Azure Policy for Kubernetes you get a bundle of useful recommendations to protect Kubernetes container workloads. By default, when Defender for Containers is enabled, these policies are provisioned automatically. In this way, every request to the Kubernetes API server is checked against the predefined set of best practices before it takes effect on the cluster environment. You can therefore use this method to apply best practices and enforce them for new workloads that will be activated.
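To make the admission-control idea concrete, here is an added example (not Azure Policy's own code, which is built on Gatekeeper) that evaluates a Pod spec against a handful of the best practices this kind of policy bundle enforces; the rule names, the capability allow-list and the two sample pods are this example's own constructions.

```python
"""Admission-style checks on a Pod spec (added illustration).

Models the kind of rule Azure Policy for Kubernetes evaluates before a request
reaches the cluster; it is not the Azure Policy/Gatekeeper implementation, and
the rule names and thresholds are this example's own.
"""
ALLOWED_CAPABILITIES = {"NET_BIND_SERVICE"}  # example allow-list, not a Microsoft default


def check_pod(pod: dict) -> list[str]:
    """Return the best-practice violations found; an empty list means admit."""
    violations: list[str] = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    # Sharing host namespaces exposes node processes and the node network.
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            violations.append(f"{name}: {flag} must not be enabled")

    # hostPath volumes give the container direct access to the node filesystem.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f"{name}: volume {vol.get('name')} mounts hostPath "
                              f"{vol['hostPath'].get('path')}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"{name}/{cname}: privileged containers are not allowed")
        # Kubernetes defaults this to true, so an absent field counts as a violation.
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{name}/{cname}: allowPrivilegeEscalation must be false")
        extra = set(sc.get("capabilities", {}).get("add", [])) - ALLOWED_CAPABILITIES
        if extra:
            violations.append(f"{name}/{cname}: capabilities not allowed: {sorted(extra)}")
        if not c.get("resources", {}).get("limits"):
            violations.append(f"{name}/{cname}: CPU/memory limits are required")
    return violations


# Constructed samples: a pod that should be rejected and its hardened form.
WEAK_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "app", "image": "example.com/app:1.0",
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    },
}
HARDENED_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "web-data"}}],
        "containers": [{
            "name": "app", "image": "example.com/app:1.0",
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                "runAsNonRoot": True,
                                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}
```

Running `check_pod(WEAK_POD)` returns six violations, while the hardened pod passes cleanly; in a real cluster the same decision is taken by the admission webhook before the object is persisted.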

Vulnerability Scanning

Defender for Containers includes an integrated vulnerability scanner for analyzing the images present in Azure Container Registry (ACR). Images are scanned in the following cases:

  • On push: each time an image is pushed to the ACR, a scan is performed automatically.
  • On recent pull: because new vulnerabilities are discovered every day, images pulled in the last 30 days are rescanned on a weekly basis.
  • On import: Azure Container Registry has import tools to bring images into it from Docker Hub, Microsoft Container Registry or another ACR. All imported images are scanned immediately by the solution.

If vulnerabilities are detected, a notification will be generated in the Microsoft Defender for Cloud dashboard. This alert will be accompanied by a severity classification and practical guidance on how to correct the specific vulnerabilities found in each image.

Furthermore, Defender for Containers extends these scanning capabilities by introducing visibility into running images. The new recommendation, called "Vulnerabilities in running images should be remediated (powered by Qualys)", groups the running images that have vulnerabilities, providing details on the problems found and how to fix them.

Run-time threat protection for the cluster environment and for the nodes

Microsoft Defender for Containers provides real-time threat protection for containerized environments and generates alerts if threats or malicious activity are detected, both at the host level and at the AKS cluster level.

Protection from security threats occurs at several levels:

  • Cluster level: at the cluster level, threat protection is based on the analysis of Kubernetes audit logs. This monitoring of the AKS managed services generates alerts for events such as an exposed Kubernetes dashboard or the creation of roles with elevated privileges. To see the complete list of alerts generated by this protection, you can access this link.
  • Host level: with over sixty types of analytics, based on artificial intelligence algorithms and anomaly detection on running workloads, the solution is able to detect suspicious activities. A team of Microsoft security researchers constantly monitors the threat landscape, and container-specific alerts and vulnerabilities are added as they are discovered. Furthermore, this solution monitors the growing attack surface of multi-cloud Kubernetes deployments and tracks the MITRE ATT&CK matrix for containers, a framework developed by the Center for Threat-Informed Defense in close collaboration with Microsoft and others.

The complete list of alerts that can be obtained by enabling this protection can be consulted in this document.
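As an added illustration of the cluster-level analysis described above (not Defender for Containers' own rules, which are not public), the following example runs two detections over constructed Kubernetes audit events: a binding to an elevated role and a dashboard Service exposed outside the cluster. The rule names, the user names and the sample events are this example's own constructions.

```python
"""Detection rules over Kubernetes audit events (added illustration).

Models two cluster-level signals named in the text: a binding to an elevated
role and a Kubernetes dashboard exposed outside the cluster. The events are
constructed samples in the audit.k8s.io/v1 shape, trimmed to the fields used;
this is not Defender for Containers' own rule set.
"""
import json

WRITE_VERBS = {"create", "update"}          # patch bodies are diffs, not full objects
ELEVATED_ROLES = {"cluster-admin"}          # bindings to these roles raise an alert
EXPOSED_SERVICE_TYPES = {"LoadBalancer", "NodePort"}


def parse_events(text: str) -> list[dict]:
    """One JSON audit event per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _succeeded(event: dict) -> bool:
    # A denied request (401/403) never changed the cluster, so it is noise here.
    return event.get("responseStatus", {}).get("code", 0) < 300


def detect(events: list[dict]) -> list[dict]:
    """Return one alert dict per matching event, in log order."""
    alerts = []
    for ev in events:
        if ev.get("verb") not in WRITE_VERBS or not _succeeded(ev):
            continue
        ref = ev.get("objectRef", {})
        body = ev.get("requestObject", {})  # present only at audit level RequestResponse
        user = ev.get("user", {}).get("username", "<unknown>")

        if ref.get("resource") in ("clusterrolebindings", "rolebindings"):
            role = body.get("roleRef", {}).get("name")
            if role in ELEVATED_ROLES:
                alerts.append({"rule": "elevated-role-binding", "user": user,
                               "object": ref.get("name"), "role": role})

        if ref.get("resource") == "services" and "dashboard" in ref.get("name", ""):
            svc_type = body.get("spec", {}).get("type", "ClusterIP")
            if svc_type in EXPOSED_SERVICE_TYPES:
                alerts.append({"rule": "exposed-dashboard", "user": user,
                               "object": f"{ref.get('namespace')}/{ref.get('name')}",
                               "type": svc_type})
    return alerts


# Constructed sample log: four events, of which the first two should alert.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "dev@example.com"},
     "objectRef": {"resource": "clusterrolebindings", "name": "dev-admin"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                       "subjects": [{"kind": "User", "name": "dev@example.com"}]},
     "responseStatus": {"code": 201}},
    {"verb": "create", "user": {"username": "dev@example.com"},
     "objectRef": {"resource": "services", "namespace": "kubernetes-dashboard",
                   "name": "kubernetes-dashboard"},
     "requestObject": {"spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}},
     "responseStatus": {"code": 201}},
    {"verb": "create", "user": {"username": "ci-bot"},
     "objectRef": {"resource": "deployments", "namespace": "shop", "name": "cart"},
     "requestObject": {"spec": {"replicas": 2}}, "responseStatus": {"code": 201}},
    {"verb": "create", "user": {"username": "intern@example.com"},  # denied: no alert
     "objectRef": {"resource": "rolebindings", "namespace": "shop", "name": "me-admin"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
     "responseStatus": {"code": 403}},
])
```

Note that the request body is only present in the audit log when the audit policy level is RequestResponse; at lower levels a detection like this has to fall back to the object reference alone.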

Architectures for the different Kubernetes environments

Defender for Containers can protect Kubernetes clusters regardless of whether they run on Azure Kubernetes Service, on Kubernetes on-premises / IaaS, or on Amazon EKS.

Azure Kubernetes Service (AKS) Cluster

When Defender for Cloud is enabled for clusters activated through Azure Kubernetes Service (AKS), audit log collection takes place without having to install agents. The Defender profile, deployed on each node, provides runtime protection and collects signals from the nodes using eBPF technology. The Azure Policy add-on for Kubernetes component collects cluster and workload configurations, as explained in the previous paragraphs.

Figure 1 - Defender for Cloud architecture for AKS clusters

Azure Arc-enabled Kubernetes

For all clusters hosted outside Azure it is necessary to adopt the Azure Arc-enabled Kubernetes solution to connect the clusters to Azure and provide the related services, such as Defender for Containers. Once the Kubernetes clusters are connected to Azure, an Arc extension collects Kubernetes audit logs from all cluster control plane nodes and sends them to the Microsoft Defender for Cloud back-end for further analysis. The extension is registered with a Log Analytics workspace used as a data pipeline, but the audit data is not stored in Log Analytics. Information about workload configurations is managed by the Azure Policy add-on.

Figure 2 – Defender for Cloud architecture for Arc-enabled Kubernetes clusters

Amazon Elastic Kubernetes Service (Amazon EKS)

For this type of cluster too, activated in the AWS environment, it is necessary to adopt Azure Arc-enabled Kubernetes in order to project the clusters into the Azure environment. Furthermore, you must connect the AWS account to Microsoft Defender for Cloud. The required plans are Defender for Containers and CSPM (for configuration monitoring and recommendations).

An EKS-based cluster, Azure Arc and the Defender extension are the components needed to:

  • collect policy and configuration data from the cluster nodes;
  • obtain runtime protection.

The Azure Policy add-on for Kubernetes collects the configurations of the cluster environment and of the workloads to ensure that all configurations comply. Furthermore, the AWS CloudWatch solution is used to collect log data from the control plane.

Figure 3 – Defender for Cloud architecture for AWS EKS clusters

Solution upgrade and costs

This Microsoft Defender plan merges and replaces two existing plans, "Defender for Kubernetes" and "Defender for Container Registries", providing new and improved features without deprecating any of the features of those plans. Subscriptions on which the previous plans were activated do not need to be upgraded to the new Microsoft Defender for Containers plan. However, to take advantage of the new and improved features they must be upgraded, and to do so you can use the upgrade icon displayed next to them in the Azure portal.

The activation of these protection plans is subject to specific costs that can be calculated using the Azure Pricing calculator tool. In particular, the cost of Microsoft Defender for Containers is calculated on the number of cores of the VMs that make up the AKS cluster. This price also includes 20 free scans per vCore, and the calculation is based on the consumption of the previous month. Each additional scan is charged, but most customers should not incur any additional cost for scanning images.

Conclusions

Microservices-based architectures allow you to scale easily and to develop applications faster, promoting innovation and accelerating the time-to-market of new features. A solution such as Microsoft Defender for Containers is essential to enable an adequate level of protection against security threats, which are increasingly sophisticated in targeting these types of application architectures.

Azure Kubernetes Service in an Azure Stack HCI environment

The hyper-converged Azure Stack HCI solution allows you to activate the Azure Kubernetes Service (AKS) orchestrator in an on-premises environment for running containerized applications at scale. This article explores how Azure Kubernetes Service in an Azure Stack HCI environment makes it possible to host Linux and Windows containers in your datacenter, and examines the main benefits of this solution.

Before going into the specifics of AKS in the Azure Stack HCI environment, a summary of the solutions involved is provided.

What is Kubernetes?

Kubernetes, also known as "k8s", provides automated orchestration of containers, improving their reliability and reducing the time and resources required for DevOps, through:

  • Generally simpler deployments that allow automatic deployments and rollbacks.
  • Better application management, with the ability to monitor the status of services to avoid deployment errors. Indeed, the various features include service health checks, with the ability to restart containers that are not running or that are stuck, so that only services that have started correctly are advertised to clients.
  • The ability to scale automatically based on usage and, exactly as for containers, to manage the cluster environment declaratively, allowing version-controlled and easily replicable configuration.

Figure 1 – Kubernetes cluster with related architecture components

What is Azure Kubernetes Service (AKS)?

Azure Kubernetes Service (AKS) is the fully managed Azure service that allows the activation of a Kubernetes cluster, ideal for simplifying the deployment and management of microservices-based architectures. Thanks to the features offered by AKS it is possible to scale automatically based on usage, use health checks to ensure the integrity of services, implement load balancing policies and manage secrets. The use of this managed service is integrated with container development and deployment pipelines.

Figure 2 - Azure Kubernetes Service architecture example (AKS)

What is Azure Stack HCI?

Azure Stack HCI is the solution that allows you to create a hyper-converged infrastructure (HCI) for running workloads in an on-premises environment, with a strategic connection to Azure services. In a hyper-converged infrastructure, dedicated hardware components are removed and replaced by software, combining the compute, storage and network layers in a single solution. In this way there is a transition from a traditional "three tier" infrastructure, composed of network switches, appliances, physical systems with onboard hypervisors, storage fabric and SAN, toward a hyper-converged infrastructure (HCI).

Figure 3 – "Three Tier" Infrastructure vs Hyper-Converged Infrastructure (HCI)

What is AKS in Azure Stack HCI?

AKS in the Azure Stack HCI environment is a Microsoft implementation of AKS, which automates the deployment and management of containerized applications.

Microsoft, after introducing AKS as a service in Azure, has extended its availability also to on-premises environments. However, there are some important differences:

  • In Azure, Microsoft manages the control plane of each AKS cluster. Furthermore, the cluster nodes (management nodes and worker nodes) run on Azure virtual machines or on Azure virtual machine scale sets.
  • In an on-premises environment, the customer manages the entire environment, and the AKS cluster nodes run on virtual machines hosted on the hyper-converged infrastructure.

AKS architecture on Azure Stack HCI

The implementation of AKS in Azure Stack HCI consists of two types of clusters:

  • An AKS management cluster. This cluster acts as a dedicated control plane for managing the Kubernetes clusters running on the hyper-converged platform. It consists of Linux virtual machines that host Kubernetes system components such as the API server and load balancers.
  • One or more Kubernetes clusters. These clusters consist of control nodes and worker nodes. Control nodes are implemented as Linux virtual machines, with an API server and load balancers that serve the requests of Azure Stack HCI users. Workloads are deployed on Linux or Windows OS-based worker nodes.

Figure 4 - AKS architecture on Azure Stack HCI

Each Kubernetes cluster runs on its own dedicated set of virtual machines, protected by hypervisor-based isolation, allowing you to securely share the same physical infrastructure even in scenarios that require workload isolation.

AKS on Azure Stack HCI supports both Linux-based and Windows-based containers. When you create a Kubernetes cluster you simply specify the type of container you intend to run, and on the hyper-converged platform the installation of the required operating system is started automatically on the nodes of the Kubernetes cluster.

Benefits of AKS on Azure Stack HCI

AKS simplifies the deployment of Kubernetes clusters by providing a layer of abstraction that can mask some of the more challenging implementation details.

Among the main benefits of AKS in the Azure Stack HCI environment we find:

  • Simplified deployments of containerized apps in a cluster environment. Using the Windows Admin Center you have a guided installation process of the AKS management cluster. Windows Admin Center also facilitates the installation of individual Kubernetes clusters that contain worker nodes, through an automatic installation process of all relevant software components, including management tools such as kubectl.
  • Ability to scale horizontally to manage computational resources, adding or removing Kubernetes cluster nodes.
  • Simplified management of cluster resource storage and network configurations.
  • Automatic updates of cluster nodes to the latest version of Kubernetes available. Microsoft manages the Windows Server and Linux images for the cluster nodes and updates them monthly.
  • Strategic connection, using Azure Arc, to Azure services such as: Microsoft Azure Monitor, Azure Policy, and Azure Role-Based Access Control (RBAC).
  • Centralized management of Kubernetes clusters and related workloads through the Azure portal, thanks to the adoption of Azure Arc for Kubernetes. Azure portal-based management also integrates traditional Kubernetes administration tools and interfaces, like the command line utility kubectl and the Kubernetes dashboard.
  • Automatic failover of the virtual machines acting as Kubernetes cluster nodes in case of a localized failure of the underlying physical components. This complements the high availability inherent in Kubernetes, which is able to automatically restart containers in a failed state.

Conclusions

Thanks to Azure Stack HCI, container-based application architectures can be hosted directly in your own datacenter, with the same Kubernetes management experience offered by the managed service in the Azure public cloud. The deployment process is also greatly simplified and intuitive. Furthermore, Azure Stack HCI allows you to further improve the agility and resilience of Kubernetes deployments in an on-premises environment.