Azure Containers
What AKS node types support AVX2?
Title. I have an AKS cluster deployed, and one of the scripts within a running pod fails because of what seems like an unsupported instruction set (AVX2). I looked into the documentation and used the az CLI, but couldn't find details of what each image or series supports. I could run multiple nodes and check manually, though there must be a better way. Right?

How pricing will be calculated for data stored from a Dataverse table using Azure Synapse Link
Hi folks, I am storing stale data from a Dataverse table in Azure Data Lake Storage using Azure Synapse Link, which actually stores data day by day for the whole year. For example, each day it transforms 10-50 records to Azure Data Lake, so my file size in Azure Data Lake Storage increases day by day. Here I want to know how the pricing will be calculated for storing and updating the file in Azure Data Lake. Will it also cost for the write operations that execute each day?

Azure AKS Security Hardening
Hello folks! I am back with a new blog. This time I will give a brief overview of Azure AKS security and its security baseline. Let's go!

What is Azure AKS? Azure Kubernetes Service (AKS) offers the quickest way to start developing and deploying cloud-native apps in Azure, in datacenters, or at the edge, with built-in code-to-cloud pipelines and guardrails. It is widely used as a scalable platform. Current application requirements include scaling, performance and, most importantly, zero downtime, all of which the AKS service covers. Containerizing an application on AKS is a good way to reduce downtime and optimize the cost of your infrastructure.

AKS features and benefits. The primary benefits of AKS are flexibility, automation and reduced management overhead for administrators and developers. For example, AKS automatically configures the Kubernetes control plane that manages the worker nodes during deployment and handles a range of other tasks, including Azure Active Directory (AD) integration, connections to monitoring services and configuration of advanced networking features such as HTTP application routing. Users can monitor a cluster directly or view all clusters with Azure Monitor.

With that brief overview of AKS, let's move on to the security features it offers, which together form the Azure security baseline for AKS.

Security related to AKS

1) Networking - By default, a network security group and a route table are created automatically with a Microsoft Azure Kubernetes Service (AKS) cluster. AKS modifies the network security groups for appropriate traffic flow as services are created with load balancers, port mappings, or ingress routes. Use AKS network policies to limit network traffic by defining ingress and egress rules between Linux pods in a cluster, selected by namespace and label selectors. These rules filter traffic not only into AKS but also between AKS and the rest of your infrastructure. A namespace is a logical partition inside the Kubernetes cluster, so network policies can be scoped to a particular namespace as well.

2) Using the traditional method (i.e. authentication from AD or role creation) for AKS - Kubernetes includes security components such as pod security and node security. Azure includes components such as Active Directory, Azure Policy, Azure Key Vault, and orchestrated cluster upgrades. AKS combines these security components to provide a complete authentication and authorization story and to let you apply the built-in Azure Policy definitions for AKS to secure your applications. Keep developers' passwords and keys in Azure Key Vault rather than in the cluster, and use Azure AD Conditional Access policies to control who can authenticate to the cluster.

3) Using Azure Application Gateway and WAF - Put an Azure Application Gateway with Web Application Firewall (WAF) enabled in front of the AKS cluster to add a layer of security by filtering incoming traffic to your web applications. The WAF evaluates requests against a rule set and drops malicious ones before they reach your cluster or nodes. Application Gateway also acts as a reverse proxy for all inbound traffic, and you can configure a route table to control routing once traffic enters the gateway. Application Gateway exposes its own public IP, so the addresses of the nodes and pods running your application are not exposed directly. Consider also an API gateway for authentication, authorization and monitoring of the APIs used in your AKS environment; it acts as a front door to the microservices and reduces their complexity by taking over cross-cutting concerns.

4) Configure central security log management - Enable audit logs from the AKS control-plane components, kube-apiserver and kube-controller-manager, which are provided as a managed service, through the kube-audit diagnostic log category. The identities that appear in those logs are:
aksService: the display name in the audit log for control-plane operations.
masterclient: the display name for MasterClientCertificate, the certificate you get from az aks get-credentials.
nodeclient: the display name for the client certificate used by agent nodes.
Export these logs to a Log Analytics workspace to query and analyze them, and use Azure Blob Storage with its various tiers to retain and archive them.

5) Approved locations in Azure - Use Conditional Access named locations to allow access to Azure Kubernetes Service (AKS) clusters only from specific logical groupings of IP address ranges or countries/regions. This requires AKS integration with Azure Active Directory (Azure AD) for authentication. Separately, limit access to the AKS API server to a restricted set of IP address ranges (API server authorized IP ranges), since the API server receives every request to create resources or scale the number of nodes in the cluster. To configure named locations, see https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/quickstart-configure-named-locations

6) Isolate the systems that store data - Logically isolate teams and workloads in the same AKS cluster so that each team holds the least privilege, scoped to the resources it needs. Use Kubernetes namespaces to create the logical isolation boundary. For pods holding sensitive information or any kind of database, which are prime targets, consider a stronger boundary: a separate cluster or even a separate subscription.
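A worked example of what sections 4 and 5 buy you once kube-audit events are flowing to a central workspace. This is an added illustration, not code from the original post or from AKS itself. It assumes the event shape AKS forwards (Kubernetes audit.k8s.io/v1 Event objects with the AKS display names aksService, masterclient and nodeclient in user.username, one JSON object per log_s value); the five sample events and the allowed source range 203.0.113.0/24 are constructed here for the demonstration. Note that masterclient is treated as a privileged human identity, not a platform one: it is the shared admin certificate from az aks get-credentials, so anyone holding that kubeconfig appears under that name.

```python
import ipaddress
import json

# AKS's own control-plane identities as they appear in kube-audit (named in the post above).
# masterclient is deliberately NOT listed: it is the shared cluster-admin certificate from
# `az aks get-credentials`, so anyone holding that kubeconfig shows up under this name.
AKS_PLATFORM_USERS = {"aksService", "nodeclient"}

# Assumed allow-list; in practice mirror your API server authorized IP ranges / named locations.
ALLOWED_SOURCE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

SENSITIVE_READ_VERBS = {"get", "list", "watch"}

# Constructed sample: five audit.k8s.io/v1 events, one JSON object per line, in the shape
# you would pull from the log_s column of AzureDiagnostics rows with Category == "kube-audit".
SAMPLE_EVENTS = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"e1","stage":"ResponseComplete","verb":"get","user":{"username":"aksService"},"sourceIPs":["10.0.0.4"],"objectRef":{"resource":"nodes","name":"aks-nodepool1-12345678-vmss000000"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"e2","stage":"ResponseComplete","verb":"list","user":{"username":"alice@contoso.example"},"sourceIPs":["203.0.113.10"],"objectRef":{"resource":"secrets","namespace":"payments"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"e3","stage":"ResponseComplete","verb":"create","user":{"username":"bob@contoso.example"},"sourceIPs":["198.51.100.7"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"default","name":"web-0"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"e4","stage":"ResponseComplete","verb":"get","user":{"username":"masterclient"},"sourceIPs":["203.0.113.5"],"objectRef":{"resource":"secrets","namespace":"kube-system","name":"bootstrap-token"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"e5","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:kube-system:metrics-server"},"sourceIPs":["10.244.0.9"],"objectRef":{"resource":"pods"},"responseStatus":{"code":200}}
"""


def parse_events(text):
    """Parse newline-delimited audit events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one broken line must not abort the whole analysis
    return events


def is_platform_identity(username):
    """True for AKS's own components and for in-cluster service accounts."""
    return username in AKS_PLATFORM_USERS or username.startswith("system:")


def source_allowed(ip_text):
    """True if the source address falls inside one of the allowed ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_SOURCE_RANGES)


def analyse(events):
    """Return one finding per (rule, event) that a detection engineer would want to review."""
    findings = []
    for ev in events:
        user = ev.get("user", {}).get("username", "")
        ref = ev.get("objectRef", {}) or {}
        verb = ev.get("verb", "")
        code = ev.get("responseStatus", {}).get("code", 0)
        srcs = ev.get("sourceIPs", [])
        aid = ev.get("auditID", "?")

        def flag(rule, detail):
            findings.append({"rule": rule, "auditID": aid, "user": user, "detail": detail})

        # 1. Secret reads by anything that is not a platform identity (masterclient included).
        if ref.get("resource") == "secrets" and verb in SENSITIVE_READ_VERBS and not is_platform_identity(user):
            flag("secret-access", f"{verb} secrets in {ref.get('namespace', '<cluster>')}")

        # 2. Interactive access into a container bypasses the code-to-cloud pipeline entirely.
        if ref.get("resource") == "pods" and ref.get("subresource") == "exec":
            flag("pod-exec", f"exec into {ref.get('namespace')}/{ref.get('name')}")

        # 3. Human callers must arrive from the authorized ranges; platform traffic comes from the VNet.
        if not is_platform_identity(user) and not all(source_allowed(s) for s in srcs):
            flag("source-ip", f"request from {srcs} outside allowed ranges")

        # 4. Denied requests are cheap to spot and often the first sign of a leaked credential.
        if code in (401, 403):
            flag("denied-request", f"{verb} {ref.get('resource')} returned {code}")
    return findings


def run_sample():
    """Run the rules over the constructed sample; returns the list of findings."""
    return analyse(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['rule']}] audit {f['auditID']} user={f['user']}: {f['detail']}")
```

Against the sample this reports five findings: alice's secret listing, bob's pod exec plus his out-of-range source address, and the masterclient secret read together with the 403 it produced. The same four rules translate directly into Log Analytics queries over the kube-audit category once the logs are exported as section 4 describes.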
7) Encrypt all sensitive information - Data exposed to the internet should always be encrypted in transit with HTTPS. You can create an HTTPS ingress and use your own TLS certificates for your Azure Kubernetes Service (AKS) deployments. Kubernetes egress traffic is encrypted over HTTPS/TLS by default; review any potentially unencrypted egress from your AKS instances, which may include NTP traffic, DNS traffic and, in some cases, HTTP traffic for retrieving updates.

These are some of the methods for hardening and maintaining the security of your AKS cluster. There are also many third-party applications that you can integrate with your AKS cluster, but I recommend using them wisely: go through their manifests and the changes they will make to your cluster before installing them.

Thanks!

Does Azure auto-monitor ports in ACI
I have just started working with ACI. I have a container running DNS/TLS on port 853. I'm seeing connections from private/internal IPs and am wondering whether ACI auto-monitors, as those aren't any IP addresses in my subscription. I can't see anything in the docs that would suggest it is auto-monitored, but I'm wondering how/why those IPs are able to route to the container.

notice: ssl handshake failed 10.92.0.10 port 64047

AKS and NVIDIA A100 GPU support with Azure NDasrv4 Series
Hi there, we are using Azure's Standard_ND96asr_v4 instance types for our ML workloads and would love to use AKS images instead of custom VM images to make it work. We ran into issues migrating from V100 to A100 GPUs, which could be addressed by installing the drivers and fabric manager mentioned in this help page: https://docs.microsoft.com/en-us/azure/machine-learning/data-science-virtual-machine/reference-known-issues#fix-gpu-on-nvidia-a100-gpu-chip---azure-ndasrv4-series Is there any plan to fix the AKS VM images with those packages so we don't have to maintain a separate image?

Windows Server 2004 with Containers not having the windows:2004 image
Our software still needs the full Windows Server image to provide all of our functions. We could work with mcr.microsoft.com/windows:1809 very well, but since the 10th of October 2020 it is no longer updated: https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/base-image-lifecycle So we are trying to use a newer full Windows Server image. We tried 1909 and 2004. The main problem is that there is no host machine available in Azure which works without issues with this image (https://github.com/microsoft/Windows-Containers/issues/73). Furthermore, we would need a host machine which already has this image (mcr.microsoft.com/windows:2004) on its disk; otherwise we have to download and extract the 13 GB image each time our virtual machine scale set adds more machines.

Azure Container Instance multi-client capable
We want to develop a service on Azure Container Instances. The question: do we need an Azure Container Instance for each individual customer, with a container running in it, or can we implement several container clients in one ACI? Meaning: is it possible to limit permissions in such a way that permissions can be assigned within the ACI? That kind of multi-client ACI.

Serverless Compute Survey
We're looking for participants to fill out a short survey (5 minutes) about serverless compute. You do not have to use serverless compute to participate. If you're interested, here is the survey: https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR4yAt620nHpGvlqiqwfbCptUNDhWWUJaRTJOVFZOTExBUlZDMktLOVFIRy4u Thanks!

Need to update the restart policy for existing Container Instance
Is there a way to update the restart policy for running container instances? We have a container instance in our environment and its status changed to the failed state today. Is there a way to monitor the status change of the ACI and start the instance automatically? Thanks in advance