# Using containers and orchestration ## Azure Kubernetes Service (AKS) - Managed service to deploy Kubernetes cluster. - Much of complexity and operational overhead of managing Kubernetes is handled by Azure (e.g.. health monitoring and maintenance) - Free, pay for the agent nodes within clusters, not for the masters. - **Deployment & configuration** - Through Portal, CLI or ARM - Configures all nodes e.g. advanced networking, AAD integration and monitoring - **Identities** - AKS clusters support RBAC. - Can be integrated with AAD. - **Logging** - Collects container logs (from `stdout` and `stderr` streams) and memory/processor metrics from containers, nodes and controllers. - Stored in Log Analytics workspace - If RBAC is enabled in Kubernetes, you'll need to grant access to log reader application. - Cluster nodes - **Scaling**: Scale out/in via Azure portal or the Azure CLI. - **Upgrades**: Offers multiple Kubernetes versions and upgrading with coordination of nodes to minimize disruption to running applications. - **HTTP application routing** - Configures ingress controller in AKS cluster. - As applications are deployed, they're publicly accessible with auto-configured DNS names. - **GPU enabled nodes**: Supports GPU enabled node pools, provides single/multiple GPU enabled VMs. - **Development tooling integration**: - Tools like *heml*, *Draft*, *Visual Studio Code Kubernetes* works seamlessly. - You can run & debug containers directly in AKS. - **Virtual network integration**: Can be deployed to existing VNet. - Every pod is assigned an IP address in the VNet, and can communicate with other pods in the cluster and other nodes in the VNet. - Can connect other services in a peered VNet, and on-prem networks over ExpressRoute or site-to-site VPN connections. - **Private container registry**: Integration with [Azure Container Registry (ACR)](#azure-container-registry-acr) for Docker images. ### Virtual Kubelet - Connecting Kubernetes to other APIs - Creates a [Virtual Kubernetes node](#virtual-kubelet) backed by e.g. Azure, AWS, Alibaba etc. - Virtual node acts as a normal managed node in the cluster. - Kubernetes API on top, programmable back. ### Deploy an AKS cluster Using CLI 1. Create a resource group: `az group create --name myAKSCluster --location eastus` 2. Create AKS cluster with health monitoring addon: `az aks create --resource-group myAKSCluster --name myAKSCluster --node-count 1 --enable-addons monitoring --generate-ssh-keys` 3. Connect to the cluster 1. Download credentials & configure Kubernetes CLI: `az aks get-credentials --resource-group myAKSCluster --name myAKSCluster` 2. Get all nodes: `kubectl get nodes` - If you are using Azure Cloud Shell, `kubectl` is already installed. - If you want to install it locally, use the `az aks install-cli` command. ## Azure Container Registry (ACR) - Managed service based on open-source Docker Registry. - Gives you build automation with build triggers: With such as VSTS or Jenkins. Can be integrated with GIT. - Use-cases - *Scalable orchestration systems*: Can be orchestrated via DC/OS, Docker Swam, Kubernetes. - *Azure services*: Azure Kubernetes Service, App Service, Batch, Service Fabric. etc... can build and run applications - **Azure Container Registry Build (ACR Build)** can build docker images to automate container OS, framework patching pipeline. ### Registry - SKUs: Basic, Standard Premium. - All support, webhook integration, authentication with AAD, delete functionality. - You use Azure storages for container images. - You can use geo-replication in Premium registrations. - Control access with AAD-backed service principal or provided admin account. ### Repository - A register contains one ore more repositories. - A repository is group of container images. - ACR supports multilevel repository namespaces. - So you can group your repositories. ### Image - Read-only snapshot of a Docker container. - An Azure container registry can include both Windows and Linux images. - Control image names for all of container deployments. ### Container - Application and its dependencies wrapped in a filesystem including code, runtime, system tools and libraries. - Containers running on a single machine share the operating system kernel. - Containers are fully portable to all major Linux distros, macOS and Windows. ### Deploy an image to ACR using Azure CLI 1. Create a resource group: `az group create --name myResourceGroup --location eastus` 2. Create a container registry: `az acr create --resource-group myResourceGroup --name myContainerRegistry007 --sku Basic` - Must have unique name. - SKUs - **Basic**: Have size and usage constraints. - **Standard**: Increased storage limits and image throughput. - **Premium**: Higher limit on constraints, such as storage & concurrent operations, including enhanced storage capabilities. - Higher image throughput capacity. - Features like geo-replication for managing a single registry across multiple regions, maintaining a network-close registry to each deployment. 3. Log in to ACR: `az acr login --name <acrName>` 4. Push image to ACR ```bash docker pull microsoft/aci-helloworld az acr list --resource-group myResourceGroup --query "[].{acrLoginServer:loginServer}" --output table docker tag microsoft/aci-helloworld <acrLoginServer>/aci-helloworld:v1 docker push <acrLoginServer>/aci-helloworld:v1 ``` 5. List container images: `az acr repository list --name <acrName> --output table` - Or list tags: `az acr repository show-tags --name <acrName> --repository aci-helloworld --output table` 6. Deploy image to ACI - **Using Azure CLI** - Enable admin user in the registry: `az acr update --name <acrName> --admin-enabled true` - 💡 In production you should use service principal. - Retrieve admin password: `az acr credential show --name <acrName> --query "passwords[0].value"` - Create container image with 1 CPU and 1 GB of memory: `az container create --resource-group myResourceGroup --name acr-quickstart --image <acrLoginServer>/aci-helloworld:v1 --cpu 1 --memory 1 --registry-username <acrName> --registry-password <acrPassword> --dns-name-label aci-demo --ports 80` - Monitor status of the container: `az container show --resource-group myResourceGroup --name acr-quickstart --query instanceView.state` - Retrieve container public IP address: `az container show --resource-group myResourceGroup --name acr-quickstart --query ipAddress.fqdn` - **or using docker CLI** - Log in to registry: `az acr login --name myregistry` - Tag your image: `docker tag nginx myregistry.azurecr.io/samples/nginx` - Push your image: `docker push myregistry.azurecr.io/samples/nginx` 7. Docker-push ## Azure Container Instances - Good for simple applications, task automation and build jobs. - Depreciated, replacement: Azure Kubernetes Service (AKS) - Features: Full container orchestration including, service discovery across multiple containers, automatic scaling, coordinated application upgrades. - You deploy an image from a public / private registry