Skip to main content

Deploying Microservices API using Azure Kubernetes Service (AKS)

 

Deploying Microservices API using Azure Kubernetes Service (AKS)

Azure Kubernetes Service (AKS) is a managed Kubernetes service that simplifies deploying, managing, and scaling microservices.

🚀 Step-by-Step Guide to Deploy Microservices on AKS

We will deploy a .NET 8 microservices-based API on AKS using Azure Container Registry (ACR) and Kubernetes manifests.

1️⃣ Prerequisites

Azure Subscription
Azure CLI installed (az)
Docker installed
kubectl installed (az aks install-cli)
.NET 8 installed

2️⃣ Build and Containerize Your .NET API

Create a Dockerfile for your microservice (e.g., OrderService).

📌 Dockerfile

# Use the official .NET runtime as the base image
FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS base
WORKDIR /app
EXPOSE 80

# Build the application
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src
COPY ["OrderService/OrderService.csproj", "OrderService/"]
RUN dotnet restore "OrderService/OrderService.csproj"
COPY . .
WORKDIR "/src/OrderService"
RUN dotnet publish -c Release -o /app/publish

# Create final runtime image
FROM base AS final
WORKDIR /app
COPY --from=build /app/publish .
ENTRYPOINT ["dotnet", "OrderService.dll"]

📌 Build and Push Docker Image

# Log in to Azure
az login 

# Create a resource group
az group create --name MyResourceGroup --location eastus

# Create Azure Container Registry (ACR)
az acr create --resource-group MyResourceGroup --name MyACR --sku Basic

# Login to ACR
az acr login --name MyACR

# Tag and push the image
docker build -t myacr.azurecr.io/orderservice:v1 .
docker push myacr.azurecr.io/orderservice:v1

3️⃣ Deploy to Azure Kubernetes Service (AKS)

📌 Create an AKS Cluster

# Create an AKS cluster
az aks create --resource-group MyResourceGroup --name MyAKSCluster --node-count 2 --enable-addons monitoring --generate-ssh-keys

# Get AKS credentials
az aks get-credentials --resource-group MyResourceGroup --name MyAKSCluster

📌 Create Kubernetes Deployment & Service

Deployment YAML (orderservice-deployment.yaml)

apiVersion: apps/v1
kind: Deployment
metadata:
  name: orderservice
spec:
  replicas: 2
  selector:
    matchLabels:
      app: orderservice
  template:
    metadata:
      labels:
        app: orderservice
    spec:
      containers:
        - name: orderservice
          image: myacr.azurecr.io/orderservice:v1
          ports:
            - containerPort: 80
          env:
            - name: ASPNETCORE_ENVIRONMENT
              value: "Production"
---
apiVersion: v1
kind: Service
metadata:
  name: orderservice-service
spec:
  selector:
    app: orderservice
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  type: LoadBalancer

📌 Apply the Kubernetes Manifest

kubectl apply -f orderservice-deployment.yaml

4️⃣ Verify and Test the Deployment

📌 Check Pod Status

kubectl get pods

📌 Get Service IP

kubectl get service orderservice-service
  • Note the EXTERNAL-IP.
  • Open a browser and visit http://EXTERNAL-IP/api/orders.

5️⃣ Auto-Scaling and Monitoring

📌 Enable Auto-Scaling

kubectl autoscale deployment orderservice --cpu-percent=50 --min=1 --max=5

📌 Enable Monitoring

az aks enable-addons --resource-group MyResourceGroup --name MyAKSCluster --addons monitoring

✅ Summary

1️⃣ Containerized the .NET API
2️⃣ Pushed the image to Azure Container Registry
3️⃣ Created an AKS cluster
4️⃣ Deployed microservices using Kubernetes YAML
5️⃣ Exposed the service using LoadBalancer
6️⃣ Enabled Auto-Scaling & Monitoring

Would you like a Helm-based deployment for better scalability? 🚀


What is FGA (Fine-Grained Authorization)?

Fine-Grained Authorization (FGA) is an access control model that provides highly detailed permission management, allowing specific access rules based on users, roles, resources, and conditions. It is commonly used for multi-tenant applications and zero-trust security models.

How FGA Works with Azure Kubernetes Service (AKS)?

When using AKS, Fine-Grained Authorization ensures that only authorized users, services, and workloads can access Kubernetes resources. This is achieved through RBAC (Role-Based Access Control), OPA (Open Policy Agent), and Azure AD integration.

🚀 Implementing FGA in AKS

1️⃣ Enforce Access Control with Kubernetes RBAC

Kubernetes RBAC (Role-Based Access Control) is the built-in method to restrict access to AKS resources.

📌 Define a Role for a Microservice

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: mynamespace
  name: orderservice-role
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]

📌 Assign Role to a Service Account

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: orderservice-binding
  namespace: mynamespace
subjects:
  - kind: ServiceAccount
    name: orderservice-sa
    namespace: mynamespace
roleRef:
  kind: Role
  name: orderservice-role
  apiGroup: rbac.authorization.k8s.io

✅ This ensures that only the orderservice microservice can access specific pods.

2️⃣ Use Open Policy Agent (OPA) for Advanced FGA

OPA is a policy engine that enforces custom rules for AKS.

📌 Deploy OPA as an Admission Controller

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml

📌 Example Policy: Allow Only Specific Users to Deploy Pods

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedUsers
metadata:
  name: restrict-users
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    allowedUsers:
      - "alice@example.com"
      - "bob@example.com"

✅ Only Alice and Bob can deploy new pods in AKS.

3️⃣ Enforce FGA with Azure AD (AAD) and AKS

🔹 Azure AD RBAC allows users to access AKS resources based on their roles.

📌 Assign Fine-Grained Permissions to Users

az aks update --resource-group MyResourceGroup --name MyAKSCluster --enable-aad
az role assignment create --assignee alice@example.com --role "Azure Kubernetes Service RBAC Reader" --scope /subscriptions/{subscriptionId}/resourceGroups/MyResourceGroup/providers/Microsoft.ContainerService/managedClusters/MyAKSCluster

Alice now has read-only access to AKS.

🔑 Summary

RBAC: Restrict microservice access
OPA: Enforce custom access policies
Azure AD: Role-based user authentication

Would you like a real-world example of integrating OPA with a .NET API on AKS? 🚀

Labels:

Comments

Post a Comment

Popular posts from this blog

Azure key vault with .net framework 4.8

Azure Key Vault  With .Net Framework 4.8 I was asked to migrate asp.net MVC 5 web application to Azure and I were looking for the key vault integrations and access all the secrete out from there. Azure Key Vault Config Builder Configuration builders for ASP.NET  are new in .NET Framework >=4.7.1 and .NET Core >=2.0 and allow for pulling settings from one or many sources. Config builders support a number of different sources like user secrets, environment variables and Azure Key Vault and also you can create your own config builder, to pull in configuration from your own configuration management system. Here I am going to demo Key Vault integrations with Asp.net MVC(download .net framework 4.8). You will find that it's magical, without code, changes how your app can read secretes from the key vault. Just you have to do the few configurations in your web config file. Prerequisite: Following resource are required to run/complete this demo · ...
Post a Comment
Read more

How to Make a Custom URL Shortener Using C# and .Net Core 3.1

C# and .Net Core 3.1:  Make a Custom URL Shortener Since a Random URL needs to be random and the intent is to generate short URLs that do not span more than 7 - 15 characters, the real thing is to make these short URLs random in real life too and not just a string that is used in the URLs Here is a simple clean approach to develop custom solutions Prerequisite:  Following are used in the demo.  VS CODE/VISUAL STUDIO 2019 or any Create one .Net Core Console Applications Install-Package Microsoft.AspNetCore -Version 2.2.0 Add a class file named ShortLink.cs and put this code: here we are creating two extension methods. public   static   class   ShortLink {      public   static   string   GetUrlChunk ( this   long   key ) =>            WebEncoders . Base64UrlEncode ( BitConverter . GetBytes ( key ));      public   static   long   GetK...
Post a Comment
Read more

Azure Logic Apps Send Email Using Send Grid Step by Step Example

Azure Logic Apps Send Email Using Send Grid Step by Step     Step 1- Create Send Grid Account Create a SendGrid Account  https://sendgrid.com/ Login and Generate Sendgrid Key and keep it safe that will be used further to send emails You can use Free service. it's enough for the demo purpose Step 2- Logic App Design Login to  https://portal.azure.com Go to Resources and Create Logic App Named "EmailDemo" Go To Newly Created Rosoure Named "EmailDemo" and Select a Trigger "Recurrence", You can choose according to your needs like HTTP, etc. Note* Without trigger you can not insert new steps or Actions Click on Change Connection and add Send Grid Key  Click on Create and Save Button on the Top. As we have recurrence so it will trigger according to our setup(every 3 months) so just for the test click on "RUN" button  Finally, you should get an email like below one:
Post a Comment
Read more