Azure / NoOpsAccelerator

A flexible, Infrastructure-as-Code foundation that assists customers with the development and deployment of opinionated infrastructure models that are secure, well-governed, and simple to maintain.
MIT License

Updates to Mission Enclave Starter, Migration of modules to overlays, bug fixes #248

Closed jrspinella closed 1 year ago

jrspinella commented 1 year ago

Overview/Summary

Updates to Mission Enclave Starter. Moved/deleted files not needed.

Updates

It still needs the following:

- Dev AKS Cluster route to the internet on AKS vnet routetable
- Add cosmos DB
- Shared KV for Bastion keys
- Prod Cluster

The example code is composed of the following elements:

A virtual hub network with three subnets:

- AzureBastionSubnet used by Azure Bastion
- AzureFirewallSubnet used by Azure Firewall
- AzureFirewallManagementSubnet used by Azure Firewall

Spoke virtual network with one subnet, routable and nsg

Two new virtual networks with three subnets:

- ClusterNodeSubnet used by the AKS system node pool
- PrivateLinksSubnet is used by the AKS user node pool
- DefaultSubnet used by the jump box virtual machine and private endpoints

The private AKS cluster uses a user-defined managed identity to create additional resources like load balancers and managed disks in Azure.

The private AKS cluster is composed of a:

The system node pool hosts only critical system pods and services.

An Azure Firewall was used to control the private AKS cluster's egress traffic. For more information on how to lock down your private AKS cluster and filter outbound traffic

An AKS cluster with a private endpoint to the API server hosted by an AKS-managed Azure subscription. The cluster can communicate with the API server exposed via a Private Link Service using a private endpoint.

An Azure Bastion resource that provides secure and seamless SSH connectivity to the VM virtual machine directly in the Azure portal over SSL

An Azure Container Registry (ACR) to build, store, and manage container images and artifacts in a private registry for all container deployments.

When the ACR SKU is equal to Premium, a Private Endpoint is created to allow the private AKS cluster to access ACR via a private IP address.

A Private DNS Zone for the name resolution of each private endpoint.

A Virtual Network Link between each Private DNS Zone and the hub and spoke virtual networks.

A Log Analytics workspace to collect the diagnostics logs and metrics of the AKS cluster and VM virtual machine.

Breaking Changes

Currently, VM creation is getting an error when creating the AKS cluster. We need to add rules. GH Server is erroring on VM agent provisioning

Testing Evidence

Currently, the mission enclave starter deploys without error if specific modules are commented out.
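The PR description above says the Azure Firewall controls the private cluster's egress and that the AKS vnet route table and the firewall rules are still to be added. The following Bicep is an added illustration of that pattern and is not code from the NoOpsAccelerator repository or this PR: it forces the node subnet's default route to the hub firewall and allows only the Microsoft-maintained `AzureKubernetesService` FQDN tag plus NTP. The resource names (`rt-aks-egress`, `afwp-hub`, `rcg-aks-egress`), the parameter names, and the subnet prefix are assumptions chosen for the example.

```bicep
// Added example, not part of the NoOpsAccelerator PR.
// Assumed inputs: the hub firewall's private IP, the existing hub firewall
// policy name, the spoke VNet name and the ClusterNodeSubnet prefix.
param location string = resourceGroup().location
param firewallPrivateIp string                 // e.g. the hub Azure Firewall's private IP
param firewallPolicyName string = 'afwp-hub'   // assumed existing hub firewall policy
param spokeVnetName string                     // spoke VNet that holds the AKS subnets
param clusterNodeSubnetPrefix string = '10.1.0.0/24' // constructed sample prefix

// 1. User-defined route: everything leaving the node subnet goes to the firewall.
resource aksRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-aks-egress'
  location: location
  properties: {
    disableBgpRoutePropagation: true // keep an ExpressRoute/VPN default route from bypassing the firewall
    routes: [
      {
        name: 'default-to-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// 2. Attach the route table to the ClusterNodeSubnet named in the PR.
resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: spokeVnetName
}

resource clusterNodeSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: spokeVnet
  name: 'ClusterNodeSubnet'
  properties: {
    addressPrefix: clusterNodeSubnetPrefix
    routeTable: { id: aksRouteTable.id }
  }
}

// 3. Firewall policy rules: only what AKS nodes need outbound.
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: firewallPolicyName
}

resource aksEgressRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: firewallPolicy
  name: 'rcg-aks-egress'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'aks-network-rules'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            // NTP for the node OS; destinationFqdns requires the policy's DNS proxy to be enabled.
            ruleType: 'NetworkRule'
            name: 'ntp'
            ipProtocols: [ 'UDP' ]
            sourceAddresses: [ clusterNodeSubnetPrefix ]
            destinationFqdns: [ 'ntp.ubuntu.com' ]
            destinationPorts: [ '123' ]
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'aks-application-rules'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            // Microsoft-maintained tag covering MCR, management and login endpoints AKS nodes require.
            ruleType: 'ApplicationRule'
            name: 'aks-required-fqdns'
            sourceAddresses: [ clusterNodeSubnetPrefix ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            fqdnTags: [ 'AzureKubernetesService' ]
          }
        ]
      }
    ]
  }
}
```

Two caveats a reviewer of the real PR would raise: the AKS cluster itself must be created with `networkProfile.outboundType` set to `userDefinedRouting`, otherwise the default load-balancer outbound path conflicts with this route table; and any extra endpoints the workloads pull from (for example the private ACR named in the description, which is reachable over its private endpoint and therefore needs no firewall rule, versus public package mirrors, which do) have to be added as explicit application rules rather than widening the tag-based rule.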