
Post on 20-May-2020

Think ahead. Act now.

Running Docker containers on Azure: the overview

Pascal Naber, @pascalnaber

Run containers on Azure

- Azure Web App for Containers
- Azure Service Fabric (Mesh)
- Azure Batch
- Azure Red Hat OpenShift
- Azure Kubernetes Service (AKS)
- Azure Container Instances (ACI)
- Azure Container Registry (ACR)

Why I like containers

- They are FAST
- They are PORTABLE
- They are ISOLATED

How HOT are containers actually?

2019 Developer Survey, nearly 90.000 developers: https://insights.stackoverflow.com/survey/2019


Source code, Build Pipeline, Container Registry, Docker Images


Azure Container Registry

Private Container Image registry

Based on Open Standard

Helm Repo

Geo replication

ACR Tasks


Project Rome v1:

- Backend process
- No UI
- Every hour, 5 minutes


Azure Container Instances (ACI)

Pay for use

Serverless containers

Public or Private accessible

For short lived workloads like Bursts

Scheduled work

1 hour 1 month

From € 1.05 for 1 CPU with 1 GB for 24 hours

To € 5.22 for 4 CPU with 14 GB for 24 hours

Project Rome

v1:

- Backend process
- No UI
- Every hour, 5 minutes

v2:

- Backend process & Front end
- With public available UI
- Run Continuously
- Over SSL with authentication
- Regularly new releases
- No downtime
- Auto scaling

Azure Container Instances (ACI)

Pay for use

Serverless containers

Public or Private accessible

1 container instance only

No High Availability

No zero-downtime deployment

No scale out

Limited scale up

No autoscaling

No out of the box SSL support

No cache for pulled containers

Pay extra for Windows containers

For short lived workloads like Bursts

Scheduled work


WebApp for Container

Pay for Hostingplan as long as it exists

Scale up

Scale out

Auto scaling

Zero-downtime deployment

SSL by default

Authentication

Identity

Custom domains

Hostingplan

From € 3.59 for 1 CPU with 3.5 GB for 24 hours

To € 14.37 for 4 CPU with 14 GB for 24 hours

WebApp for Container - Scaling


WebApp for Container – Zero-downtime deployment

Deployment slots

Release Pipeline, Container Registry

webapp slots:

- staging: https://myapp-staging.azurewebsites.net
- production: https://myapp.azurewebsites.net

1. deploy
2. ready?
3. swap

WebApp for Container != WebApp

WebApp

WebApp for Container

WebApp for Container: in control vs managed

Your container

Traffic

webapp

az resource update --name web --resource-group $RESOURCEGROUP --namespace Microsoft.Web --resource-type config --parent sites/$WEBAPP_NAME --set properties.cors.allowedOrigins=null --api-version 2015-06-01

Before

After

"cors": {"allowedOrigins": null, "supportCredentials": false},

"cors": null,

Intermediate container

• CORS
• EasyAuth

.NET Core application

Kestrel

→ Max 25 MB upload

Webapp for Container: in control vs managed

Proactive Auto Heal

Restart when:

- 80% requests > 200 seconds
- 90% memory

WEBSITE_PROACTIVE_AUTOHEAL_ENABLED=false

WebApp for Container: in control vs managed

West Europe

North Europe

Project Rome

v3:

- Level 7 Firewall for all traffic
- Lots of containers
- Better density of our resources
- Make use of some CNCF projects
  - Mesh: Istio
  - Logging: Prometheus, Jaeger
  - Service discovery: CoreDNS
  - Messaging: NATS

v2:

- Backend process & Front end
- With public available UI
- Run Continuously
- Over SSL with authentication
- Regularly new releases
- No downtime
- Auto scaling

Firewall

Application Gateway & Firewall

traffic

https://myapp.azurewebsites.net

Firewall

Application Gateway & Firewall

vnet

App Service Environment

Certificate

DevOps Agent

Azure Container Instances

traffic

AKS

https://myapp.azurewebsites.net

WebApp for Container

Pay for Hostingplan as long as it exists

Scale up

Scale out

Auto scaling

Zero downtime deployment

SSL by default

Authentication

Identity

Custom domains

Scaling out is slow

No optimal use of resources

No firewall possibility (yet)

Limited logging possibilities

No health check functionality

Only support for port 80 & 443

Not suitable for lots of containers

Not portable

Cannot debug


Kubernetes

De facto standard container orchestrator

Started by Google

Since v1 Open Source by

Large, rapidly growing ecosystem

Declarative configuration

Google trends

Azure Kubernetes Service (AKS)

Running containers at scale

Scaling up & scaling out

Autoscaling

Zero downtime deployment

High Availability

Public & Private endpoints

Health management

Enormous ecosystem

Portable

SSL Support*

Identity management*

Keyvault integration*

Azure Kubernetes Service (AKS)

master (×3): 100% managed by Microsoft, € 0

worker (×3): IaaS managed by Microsoft, € … (VM pricing)

Azure resources for AKS

MC_expertslive_aksdemo_westeurope

expertslive

Public & Private Endpoints - Services

4 × Service (LoadBalancer), 4 × IP-Address

Public & Private Endpoints - Ingress

Ingress: OurExternalAPI.com

Ingress: Myproject.com

Ingress: AdminSite.com

Ingress: Myproject.com/apis

Ingress controller

Service (Loadbalancer), IP-Address

4 × Service (ClusterIP)

SSL


Works on ingress

Auto request certificate

Auto renewal

https://github.com/jetstack/cert-manager

DNS Zone

Azure Kubernetes Service (AKS) - Scaling

worker worker worker worker

replicas

replicas

4

5

Pod Autoscaler: 4-20, > 60% CPU

Cluster Autoscaler

Kubernetes - Health monitoring

Every n seconds check:

- Default endpoint
- Health endpoint (/health)

Health endpoint returns != 200?

- Restarts container
- During rolling update deployment: Stop deployment
- During container startup: No traffic

Kubernetes - Ecosystem


AKS

master (×3): 100% managed by Microsoft

worker (×3): IaaS managed by Microsoft

AKS + ACI

master (×3): 100% managed by Microsoft

worker: 100% managed by Microsoft

AKS as the Silver bullet

Kubernetes created an ecosystem of expandable standards, but this still needs configuration.

For example:

• Deployments

• Network Policies

• Role Based Access Controls

• Pod Security Policies

• Pod Priority and more...

Common integration points can be different across cloud providers

• Authentication

• Logging

• Metrics

• Storage

Azure Kubernetes Service (AKS)

Running containers at scale

Scaling up & scaling out

Autoscaling

Zero downtime deployment

High Availability

Public & Private endpoints

Health management

Enormous ecosystem

Portable

SSL Support*

Identity management*

Keyvault integration*

Authentication

A lot of management for a couple of containers

Steep learning curve

Not all Azure functionality is mature (yet)

• Scale sets

• Network policies

• Multiple Node pools

No turnkey configuration


Azure Red Hat OpenShift

Based on, and extends Kubernetes

No virtual machine operation or patching

Enterprise minded

Support from RedHat

Small cluster - 1st year: 4.502,40

Built in:

OpenShift | Kubernetes
Container Registry | Docker, Azure Container Registry
Monitoring | Prometheus
Log aggregator | EFK stack
Certificate management | cert-manager
CI/CD | Jenkins/Azure DevOps
Authentication | dex


Azure Batch

For large-scale parallel and high-performance computing (HPC) batch jobs

Native: imperative

Batch Shipyard: declarative, yaml

Batch Shipyard

Task Task Task

Compute node

Compute node

Compute node

Azure Batch

Job

Pool

Azure Storage

https://github.com/Azure/batch-shipyard

pool.yaml, job.yaml

Azure Batch

config.yaml, credentials.yaml


Service Fabric

Application platform providing rich programming models

- Reliable services

- Reliable actors

- Reliable collections

Portable

Run containers

Service Fabric powers Azure

Service Fabric Mesh

Serverless

Seamless integration with Azure

Deploy & scale in seconds

High availability

Per second billing

Not Portable

Container only

(Preview v2 soon)

Responsibility

You: Application Deployment

Azure: Hardware, OS Patching, Runtime upgrades, Micro-billing, Capacity planning, Network & Storage

Service Fabric Mesh - Evolution

Mesh


Pascal Naber

Coding Azure Architect, Xpirit Netherlands, @pascalnaber

http://pascalnaber.wordpress.com

https://github.com/pascalnaber/expertslivenl19
