If you’re running containers in the cloud, you should definitely consider Azure. Microsoft’s cloud provides mature deployment options for containerized workloads, along with strong security and compliance features and Azure Active Directory (Azure AD) integration.
In this article, I’ll briefly survey the options for deploying containers on Azure and provide a few actionable tips you can use to improve performance and security when running containers on Azure.
Containers on Azure: What are the Options?
Here are the main options available for deploying containers on the Azure cloud.
Azure Kubernetes Service
Azure Kubernetes Service (AKS) manages Kubernetes deployments in Azure. AKS eliminates the need to maintain and monitor the health of Kubernetes clusters. You pay only for worker nodes, while the Kubernetes control plane is offered free of charge as part of the infrastructure management service. AKS automatically configures and deploys all Kubernetes master nodes, and provides monitoring, Azure AD integration and networking.
Azure Container Instances
The Azure Container Instances service provides a way to manage containers in Azure without using virtual machines (VMs). It lets you run containers directly on Azure infrastructure. A container instance’s launch time is only a few seconds, because it has much lower overhead than an Azure VM.
You can import Linux or Windows container images from any Docker registry, as Azure now provides extensive Linux support. Azure container instances have a common image cache of the underlying operating system, allowing you to deploy custom images faster.
Azure Service Fabric
Service Fabric is a distributed platform that enables you to package and deploy containerized applications. The solution offers a variety of features to help you build stateful services, including framework programming models.
You can use your preferred programming language when working with Azure Service Fabric, and create clusters on various locations, including Windows Server, local Linux machines and public cloud environments.
Azure Container Registry
Azure Container Registry (ACR) lets you create and manage Azure container registries for private Docker images. ACR is based on the open-source Docker Registry 2.0, but is privately hosted. ACR Tasks is a feature you can use to build on-demand containers, automate builds according to events and make updates to images.
Azure Dev Spaces
Azure Dev Spaces provides a Kubernetes development environment, designed for fast and iterative work. It is typically used by teams using AKS to troubleshoot and test AKS application components. There is no need to set up development machines or dependencies, because the service can automatically generate Docker and Kubernetes components for your project.
Containers on Azure: 4 Tips and Best Practices
Here are four ways you can more effectively and securely run containers on Azure.
Run in a Region Close to your Users
To reduce latency and promote high availability during a zone failure, you should run Kubernetes clusters as close to end users as possible.
Here are two options to set this up in Azure:
- Select two paired regions—these regions are located physically close to each other. Once you select this option, Azure can prioritize using paired regions for maintenance work and disaster recovery purposes. You should then have one paired region operating.
- Use Traffic Manager—to route traffic between your AKS clusters. You can use Traffic Manager to minimize geographic distance, improve latency or when responding to downtime events.
Use Webhooks to Stay on Top of Vulnerabilities
Webhooks enable you to trigger events in response to specific actions that occur in an Azure container registry repository. You can also set up triggers that respond to specific tags. If you are using geo-replicated registries, you can specify Webhooks that respond to events occurring in specific regional replicas.
Instead of scheduling occasional, manual vulnerability scans, you can set up Webhooks that trigger event-based vulnerability scans. You can integrate with third-party scanners and set up push-events. You should then be able to immediately remediate security issues when they occur.
Disable the Administrator Account on your Container Registry
Granting administrator access to Azure Container Registry can be very convenient, but it also raises significant concerns. That single username and password could allow someone to access everything in the container registry.
One obvious concern is security. If the account is compromised, your entire container registry is exposed. In addition, only one username is displayed in the audit log—this is the administrator user, not the user who actually retrieved the image.
Disabling the admin account and enabling RBAC and Azure AD authorization can alleviate this problem. There are several strategies, including service roles and managed identities, that can make your architecture more secure and more traceable.
Deploy Your Team’s Baseline to Each Cluster
When using Azure Dev Spaces to manage containerized workflows, the entire application is typically deployed to a parent dev space within the Kubernetes cluster. The initial deployment, also called a baseline, includes all dependent services, as well as external resources like databases and queues. After setting a baseline in the parent space, you can re-deploy the same environment to each dev space inside the parent space.
Make sure you deploy the latest version of your baseline to clusters in multiple regions. This ensures a consistent development workflow across regions, and will also mean you can continue to use Dev Spaces if an Azure region goes down. You can automate this by pushing the baseline deployment to multiple Azure regions as part of your CI/CD pipeline.
Azure Containers Best Practices
Azure provides comprehensive container capabilities, including the full-blown Azure Kubernetes Service (AKS), lightweight container instances, Service Fabric and supporting features like Azure Container Registry (ACR).
As you start moving your containers to Azure, use these best practices to get the most out of them:
- Run containers close to your customers to reduce latency
- Use Webhooks to identify security events in your container repo and automate remediation
- Disable the admin account on your container registry, to stay out of trouble
- Deploy a baseline to each cluster using Azure Dev Spaces, to ensure you have a common, consistent operating environment
I hope this will be helpful as you develop and expand your cloud container deployment.