Scenario
You have been asked to deploy a proof of concept with Azure Container Registry and Azure Kubernetes Service. Specifically, the proof of concept should demonstrate:
– Using Dockerfile to build an image.
– Using Azure Container Registry to store images.
– Configuring an Azure Kubernetes Service.
– Securing and accessing container applications both internally and externally.
NOTE: For all the resources in this lab, we are using East US region.
Exercise 1: Configuring and Securing ACR and AKS
Task 1: Create an Azure Container Registry
1. Sign-in to the Azure portal https://portal.azure.com/.
2. In the Azure portal, open the Cloud Shell by clicking the first icon in the top right of the Azure Portal. If prompted, click Bash and Create storage.
3. Ensure Bash is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.
4. In the Bash session within the Cloud Shell pane, run the following to create a new resource group for this lab:
az group create --name AZ500LAB09 --location eastus5. In the Bash session within the Cloud Shell pane, run the following to verify the resource group was created:
az group list --query "[?name=='AZ500LAB09']" -o table
6. In the Bash session within the Cloud Shell pane, run the following to create a new Azure Container Registry (ACR) instance (The name of the ACR must be globally unique):
az acr create --resource-group AZ500LAB09 --name az500$RANDOM$RANDOM --sku Basic
7. In the Bash session within the Cloud Shell pane, run the following to confirm that the new ACR was created:
az acr list --resource-group AZ500LAB09
Task 2: Create a Dockerfile, build a container and push it to Azure Container Registry
1. In the Bash session within the Cloud Shell pane, run the following to create a Dockerfile to create an Nginx-based image:
echo FROM nginx > Dockerfile2. In the Bash session within the Cloud Shell pane, run the following to build an image from the Dockerfile and push the image to the new ACR.
NOTE: The trailing period at the end of the command line is required. It designates the current directory as the location of Dockerfile.
ACRNAME=$(az acr list --resource-group AZ500LAB09 --query '[].{Name:name}' --output tsv)
az acr build --image sample/nginx:v1 --registry $ACRNAME --file Dockerfile .NOTE: Wait for the command to successfully complete. This might take about 2 minutes.
3. Close the Cloud Shell pane.
4. In the Azure portal, navigate to the AZ500Lab09 resource group and, in the list of resources, click the entry representing the Azure Container Registry instance you provisioned in the previous task.
5. On the Container registry blade, in the Services section, click Repositories.
6. Verify that the list of repositories includes the new container image named sample/nginx.
7. Click the sample/nginx entry and verify presence of the v1 tag that identifies the image version.
8. Click the v1 entry to view the image manifest.
NOTE: The manifest includes the sha256 digest, manifest creation date, and platform entries.
Task 3: Create an Azure Kubernetes Service cluster
1. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Kubernetes services and press the Enter key.
2. On the Kubernetes services blade, click + Add and, in the drop-down menu, click + Add Kubernetes cluster
3. On the Basics tab of the Create Kubernetes cluster blade, specify the following settings (leave others with their default values):
| Setting | Value |
| Subscription | the name of the Azure subscription you are using in this lab |
| Resource group | AZ500LAB09 |
| Kubernetes cluster name | MyKubernetesCluster |
| Region | (US) East US |
| Availability zones | None |
| Node count | 1 |
4. Click Next: Node Pools > and, on the Node Pools tab of the Create Kubernetes cluster blade, specify the following settings (leave others with their default values):
| Setting | Value |
| Enable virtual nodes | cleared checkbox |
| VM scale sets | cleared checkbox |
5. Click Next: Authentication >, on the Authentication tab of the Create Kubernetes cluster blade, accept the defaults, and click Next: Networking >.
6. On the Networking tab of the Create Kubernetes cluster blade, specify the following settings (leave others with their default values):
| Setting | Value |
| Network configuration | Azure CNI |
| DNS name prefix | any valid, globally unique DNS host name |
NOTE: AKS can be configured as a private cluster. This assigns a private IP to the API server to ensure network traffic between your API server and your node pools remains on the private network only. For more information, visit Create a private Azure Kubernetes Service cluster page.
7. Click Next: Integrations > and, on the Integrations tab of the Create Kubernetes cluster blade, set Container monitoring to Disabled.
NOTE: In production scenarios, you would want to enable monitoring. Monitoring is disabled in this case since it is not covered in the lab.
8. Click Review + Create and then click Create.
NOTE: Wait for the deployment to complete. This might take about 10 minutes.
9. Once the deployment completes, in the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Resource groups and press the Enter key.
10. On the Resource groups blade, in the listing of resource groups, note a new resource group named MC_AZ500LAB09_MyKubernetesCluster_eastus that holds components of the AKS Nodes. Review resources in this resource group.
11. Navigate back to the Resource groups blade and click the AZ500LAB09 entry.
NOTE: In the list of resources, note the AKS Cluster and the corresponding virtual network.
12. In the Azure portal, open a Bash session in the Cloud Shell.
NOTE: Ensure Bash is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.
13. In the Bash session within the Cloud Shell pane, run the following to connect to the Kubernetes cluster:
az aks get-credentials --resource-group AZ500LAB09 --name MyKubernetesCluster
14. In the Bash session within the Cloud Shell pane, run the following to list nodes of the Kubenetes cluster:
kubectl get nodes
NOTE: Verify that the Status of the cluster node is listed as Ready.
Task 4: Grant the AKS cluster permissions to access the ACR and manage its virtual network
1. In the Bash session within the Cloud Shell pane, run the following to configure the AKS cluster to use the Azure Container Registry instance you created earlier in this lab.
ACRNAME=$(az acr list --resource-group AZ500LAB09 --query '[].{Name:name}' --output tsv)
az aks update -n MyKubernetesCluster -g AZ500LAB09 --attach-acr $ACRNAMENOTE:
– This command grants the ‘acrpull’ role assignment to the ACR.
– It may take a few minutes for this command to complete.
2. In the Bash session within the Cloud Shell pane, run the following to grant the AKS cluster the Contributor role to its virtual network.
RG_AKS=AZ500LAB09
AKS_VNET_NAME=AZ500LAB09-vnet
AKS_CLUSTER_NAME=MyKubernetesCluster
AKS_VNET_ID=$(az network vnet show --name $AKS_VNET_NAME --resource-group $RG_AKS --query id -o tsv)
AKS_MANAGED_ID=$(az aks show --name $AKS_CLUSTER_NAME --resource-group $RG_AKS --query identity.principalId -o tsv)
az role assignment create --assignee $AKS_MANAGED_ID --role "Contributor" --scope $AKS_VNET_IDTask 5: Deploy an external service to AKS
1. In the Bash session within the Cloud Shell pane, click the Upload/Download files icon, in the drop-down menu, click Upload, in the Open dialog box, naviate to the location where you downloaded the lab files, select \Allfiles\Labs\09\nginxexternal.yaml click Open. Next, select \Allfiles\Labs\09\nginxinternal.yaml, and click Open.
2. In the Bash session within the Cloud Shell pane, run the following to identify the name of the Azure Container Registry instance:
echo $ACRNAME
NOTE: Record the Azure Container Registry instance name. You will need it later in this task.
3. In the Bash session within the Cloud Shell pane, run the following to open the nginxexternal.yaml file, so you can edit its content.
code ./nginxexternal.yaml
NOTE: This is the external yaml file.
4. In the editor pane, scroll down to line 24 and replace the <ACRUniquename> placeholder with the ACR name.
5. In the editor pane, in the upper right corner, click the ellipses icon, click Save and then click Close editor.
6. In the Bash session within the Cloud Shell pane, run the following to apply the change to the cluster:
kubectl apply -f nginxexternal.yaml
7. In the Bash session within the Cloud Shell pane, review the output of the command you run in the previous task to verify that the deployment and the corresponding service have been created.
deployment.apps/nginxexternal created
service/nginxexternal createdTask 6: Verify the you can access an external AKS-hosted service
1. In the Bash session within the Cloud Shell pane, run the following to retrieve information about the nginxexternal service including name, type, IP addresses, and ports.
kubectl get service nginxexternal
2. In the Bash session within the Cloud Shell pane, review the output and record the value in the External-IP column. You will need it in the next step.
3. Open Internet Explorer and browse to the IP address you identified in the previous step.
4. Ensure the Welcome to nginx! page displays.
Task 7: Deploy an internal service to AKS
1. In the Bash session within the Cloud Shell pane, run the following to open the nginxintenal.yaml file, so you can edit its content.
code ./nginxinternal.yaml
NOTE: This is the internal yaml file.
2. In the editor pane, scroll down to the line containing the reference to the container image and replace the <ACRUniquename> placeholder with the ACR name.
3. In the editor pane, in the upper right corner, click the ellipses icon, click Save and then click Close editor.
4. In the Bash session within the Cloud Shell pane, run the following to apply the change to the cluster:
kubectl apply -f nginxinternal.yaml
5. In the Bash session within the Cloud Shell pane, review the output to verify your deployment and the service have been created:
deployment.apps/nginxinternal created
service/nginxinternal created6. In the Bash session within the Cloud Shell pane, run the following to retrieve information about the nginxinternal service including name, type, IP addresses, and ports.
kubectl get service nginxinternal
7. In the Bash session within the Cloud Shell pane, review the output. The External-IP is, in this case, a private IP address.
NOTE:
– Record this IP address. You will need it in the next task.
– To access the internal service endpoint, you will connect interactively to one of the pods running in the cluster.
– Alternatively you could use the CLUSTER-IP address.
Task 8: Verify the you can access an internal AKS-hosted service
1. In the Bash session within the Cloud Shell pane, run the following to list the pods in the default namespace on the AKS cluster:
kubectl get pods
2. In the listing of the pods, copy the first entry in the NAME column.
NOTE: This is the pod you will use in the subsequent steps.
3. In the Bash session within the Cloud Shell pane, run the following to connect interactively to the first pod (replace the <pod_name> placeholder with the name you copied in the previous step):
kubectl exec -it <pod_name> -- /bin/bash
4. In the Bash session within the Cloud Shell pane, run the following to verify that the nginx web site is available via the private IP address of the service (replace the <internal_IP> placeholder with the IP address you recorded in the previous task):
curl http://<internal_IP>
5.Close the Cloud Shell pane.
RESULT: You have configured and secured ACR and AKS.
Clean up resources
1. In the Azure portal, open the Cloud Shell by clicking the first icon in the top right of the Azure Portal.
2. In the upper-left drop-down menu of the Cloud Shell pane, select PowerShell and, when prompted, click Confirm.
3. In the PowerShell session within the Cloud Shell pane, run the following to remove the resource groups you created in this lab:
Remove-AzResourceGroup -Name "AZ500LAB09" -Force -AsJob
4. Close the Cloud Shell pane.
I'm Not the PRO 