Explore LoadBalancer options on AKS

[orfeas-k]

Why it needs to get done

We need this in order to be able to deploy CKF on AKS and access its UIs.

What needs to get done

Explore and evaluate options to have a load balancer on AKS.

When is the task considered done

Options have been evaluated and there is a way for us to have a Load Balancer

[syncronize-issues-to-jira[bot]]

Thank you for reporting us your feedback!

The internal ticket has been created: https://warthogs.atlassian.net/browse/KF-5076.

This message was autogenerated

[orfeas-k]

LoadBalancer options

Public vs Private

There are public and private LoadBalancers (LB) in Azure. What we are interested in are the public ones, which can be used in order to make CKF's dashboard available through a public IP.

Basic vs Standard

Azure offers two type of public LBs: Basic and Standard. Some facts for those:

• the Standard will be used by default if nothing is defined in the az create aks command.
• the Standard comes with added functionality, such as a larger backend pool, multiple node pools, Availability Zones, and is secure by default.
• the Basic is free while Standard costs (see pricing).

Since what we need is something simple in terms of LoadBalancing, both will do the job for us. However, we will go with Standard since:

• this is the recommended one for AKS by Azure
• it is secure by default
• the Basic will be retired in 2025.

For a more detailed comparison, see here.

Create a LoadBalancer

When creating an AKS cluster using the az aks create command, this will create by default a LoadBalancer (outbound-type argument defaults to loadBalancer). The type can be specified using the argument --load-balancer-sku but since this defaults to Standard, we do not need to modify this.

Making CKF accessible to public

Using the LoadBalancer to make CKF accessible is pretty intuitive and basically hands-free since it integrates with CKF's default behavior. istio-ingressgateway charm will create a service of type LoadBalancer called istio-ingressgateway-workload. AKS will then create a new public IP and configure the LB to use it, while assigning its value also to the service's .status.loadBalancer.ingress[0].ip. All that is left to do thus is to configure dex and oidc-gatekeeper charms to use that IP, as shown in our get started guide.

You can read more about LBs and AKS here.

[orfeas-k]

Regarding load balancing options, Azure offers other services, apart from LBs, that can act as Load Balancing solutions. We can read about those in this article https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview#reference-architecture-examples. However, we will go with a Load Balancer since this is the simplest approach and a sufficient one. Available Load balancers SKUs can be viewed here.