Blog

Today we will walk through a GitHub Actions workflow that automates the Azure Quick Review (azqr) scan process. This workflow is designed to run on a schedule, on push events to the main branch, and on pull requests to the main branch. Prerequisites # Before you start, make sure you have the following prerequisites in place:

Tinyproxy is a lightweight HTTP/HTTPS proxy server designed to be fast and small. It is useful for scenarios where you need to set up a proxy server quickly and easily. Recently I used it to check what happens when a set of Azure domains are blocked (i.e. management.azure.com) and it worked like a charm.

In this post, we will go through the steps required to change the control plane IP of a Kubernetes cluster managed by kubeadm. This can be useful in scenarios where the IP address of the control plane node needs to be updated due to network changes or other reasons. To change the control plane IP of your Kubernetes cluster, follow these steps:

Let’s learn how to create an AKS cluster and enable Static Egress Gateway with Terraform. Static Egress Gateway in AKS provides a solution for configuring fixed source IP addresses for outbound traffic from your AKS workloads. This means you can use a specific range for egress traffic from specific workloads, whcih can be useful for scenarios like whitelisting IP addresses in a firewall.

The Flex Consumption plan for Azure Functions is a new hosting option that provides more flexibility and cost efficiency for running serverless applications. Unlike the traditional Consumption plan, which charges based on the number of executions and execution time, the Flex Consumption plan allows you to specify the maximum number of instances and memory allocation for your function app. This plan is ideal for scenarios where you need predictable performance and cost, as it enables you to control the scaling behavior of your functions more precisely.

Let’s learn how to create an AKS cluster and enable Node Autoprovisioning (NAP) with Terraform. Note: Since at the time of writing NAP is a preview feature, we will use the azapi provider to enable it. Creating an AKS cluster and enable Node Autoprovisioning (NAP) # Create a file called main.tf with the following contents:

Azure Kubernetes Service (AKS) Automatic is a new SKU that simplifies the management of your AKS clusters. With this SKU, Azure ensures that your cluster is production ready with built-in best practice and a great code to kubernetes experience. Creating an AKS Automatic cluster # Creating an AKS cluster with the Automatic SKU is as simple as running the following Azure CLI command:

In this post I’ll show you how to setup Workload Identity in an AKS cluster using terraform and then deploy a pod with Azure CLI that you will use to login to Azure. Long story short: once workload identity is configured and enabled, kubernetes will inject 3 environment variables needed to login with Azure CLI:

What is Azure Quick Review? # If you are looking for a way to quickly assess the status and configuration of your Azure resources, you might want to try Azure Quick Review (azqr): a command-line interface (CLI) tool that scans your Azure resources and generates an Excel report with detailed information and recommendations based on Azure’s best practices.

Back in 2017 I wrote a post about how to run a precompiled .NET Core Azure Function in a container. Fast forward to 2023 and, as some of you know, I’ve been playing with Golang for a while now so I thought it was about time to translate the .NET code and make it work with Golang.

When you deploy an Azure Kubernetes Service with a node pool composed by spot virtual machines, you are running a cluster with the risk of losing nodes based on the configuration you set. Eviction may occur based on capacity or max price. In this post I’ll show you how to deploy an AKS cluster with such configuration and simulate a node eviction. The exercise will help you understand the resiliency of your solution and how to query related events with log analytics.

When deploying an AKS cluster, even if you configure RBAC or AAD integration, local accounts will be enabled by default. This means that, given the right set of permitions, a user will be able to run the az get-credentials command with the --admin flag which will give you a non-audtibale access to the cluster.

One question I often get from by my customers is how to use Azure Active Directroy to protect their Node.js or .NET APIs. Every single time I answer by redirecting them to this amazing post (Proteger una API en Node.js con Azure Active Directory), written in spanish, by my friend and peer Gisela Torres (0gis0).

Azure Database for MySQL Flexible Server allows configuring high availability with automatic failover. With Zone-redundant HA your service has redundancy of infrastructure across multiple availability zones. Zone-redundant HA is preferred when you want to achieve the highest level of availability against any infrastructure failure in the availability zone and when latency across the availability zone is acceptable.

Azure Cache for Redis supports zone redundancy in its Premium and Enterprise tiers. A zone-redundant cache runs on VMs spread across multiple Availability Zones. It provides higher resilience and availability. Today I’ll show hot to test the failover of a zone-redundant cache. Deploy Azure Cache for Redis with availability zones # Create a main.tf file with the following content: # terraform { required_version = "> 0.14" required_providers { azurerm = { version = "= 2.57.0" } random = { version = "= 3.1.0" } } } provider "azurerm" { features {} } # Location of the services variable "location" { default = "west europe" } # Resource Group Name variable "resource_group" { default = "redis-failover" } # Name of the Redis cluster variable "redis_name" { default = "redis-failover" } resource "random_id" "random" { byte_length = 8 } resource "azurerm_resource_group" "rg" { name = var.resource_group location = var.location } resource "azurerm_redis_cache" "redis" { name = "${var.redis_name}-${lower(random_id.random.hex)}" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name capacity = 2 family = "P" sku_name = "Premium" enable_non_ssl_port = true minimum_tls_version = "1.2" redis_configuration { } zones = ["1", "2"] } resource "azurerm_log_analytics_workspace" "logs" { name = "redis-logs" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name sku = "PerGB2018" retention_in_days = 30 } resource "azurerm_monitor_diagnostic_setting" "monitor" { name = lower("extaudit-${var.redis_name}-diag") target_resource_id = azurerm_redis_cache.redis.id log_analytics_workspace_id = azurerm_log_analytics_workspace.logs.id metric { category = "AllMetrics" retention_policy { enabled = false } } log { category = "ConnectedClientList" enabled = false retention_policy { days = 0 enabled = false } } lifecycle { ignore_changes = [metric] } } output "redis_name" { value = azurerm_redis_cache.redis.name } output "redis_host_name" { value = azurerm_redis_cache.redis.hostname } output "redis_primary_access_key" { value = azurerm_redis_cache.redis.primary_access_key sensitive = true } Note: the zones are specified: zones = ["1", "2"], making the cache zone-redundant.

If you deployed a private volume claim using the managed-premium storage class, then ran out of space and now you are searching how to expand the disk to a larger disk, this is how you can do it from scratch: manage-premium storage class is a premium storage class that allows volume expansion: allowVolumeExpansion: true.

In my previous post AKS: Open Service Mesh & mTLS, I described how to deploy an AKS cluster with Open Service Mesh enabled, and how: Easy is to onboard applications onto the mesh by enabling automatic sidecar injection of Envoy proxy. OSM enables secure service to service communication. This time I’ll show you that Open Service Mesh (OSM) also provides a nice feature for controlling traffic between microservices: Traffic Access Control based on the SMI specifications.

Open Service Mesh (OSM) is a lightweight and extensible cloud native service mesh, easy to install and configure and with features as mTLS to secure your microservice environments. Now that Open Service Mesh (OSM) integration with Azure Kubernetes Service (AKS) is GA (Check the announcement) I’ll show you not only to deploy it but also how to add your microservices to the mesh so communication between them is encrypted.

Disclaimer: this is just a Proof of Concept. If you deploy Azure Kubernetes Service clusters with availability zones, you’ll probaly need a high available storage solution. In such situation you may use Azure Files as an external storage solution. But what if you need something that performs better? Or something running inside your cluster?

Today I’ll show you how to use Container Insights and Azure Monitor to check your AKS cluster for pods without requests and limits. You’ll need to use the following tables and fields: KubePodInventory: Table that stores kubernetes cluster’s Pod & container information ClusterName: ID of the kubernetes cluster from which the event was sourced Computer: Computer/node name in the cluster that has this pod/container. Namespace: Kubernetes Namespace for the pod/container ContainerName:This is in poduid/containername format. Perf: Performance counters from Windows and Linux agents that provide insight into the performance of hardware components operating systems and applications. ObjectName: Name of the performance object. CounterName: Name of the performance counter. CounterValue: The value of the counter And take a close look at the following Objects and Counters: