Azure Kubernetes Service Deployment Details

The following diagrams and component descriptions describe a typical Advanced event mesh for SAP Integration Suite deployment in Azure Kubernetes Service (AKS).

AKS Deployment

Azure Network Connectivity

This diagram shows the network connections for the various components.

Component Description

Managed Identity

  • Name: <datacenter-name>-aks-managed-id
  • Details: Managed identity provides the AKS Cluster with access to the subnet’s route tables to update them with kubenet routes.
  • Role Assignment:
    • Scope: The <datacenter-name>-infra-rg resource group.
    • Role: Contributor

Resource Group

Name: <datacenter-name>-infra-rg

Route Table

  • Name: <datacenter-name>-rt-private
  • Details: Used by the private subnet. Instances use the AKS public load balancer for public access. Theroute table is also under the control of kubenet AKS plugin.
  • Route: <VNET-CIDR> to vnetlocal

VNET

  • Name: <datacenter-name>-vnet
  • Default CIDR: 10.0.0.0/16
  • Details: The VNET is the virtual network that encapsulates the entire AKS Datacenter deployment.
  • Contains Private Subnet:
    • Name: <datacenter-name>-sn-private-0
    • Details: The subnet used by the AKS Cluster.
    • Default CIDR: 10.0.0.0/16

Bastion Host

  • Name: <datacenter-name>-bastion
  • OS Image: Ubuntu 18.04-LTS
  • VM Size: Standard_DS1_v2
  • Storage_os_disk
    • name: <datacenter-name>-bastion
    • Caching: ReadWrite
    • create_option: FromImage
    • managed_disk_type: Standard_LRS
  • Authentication: SSH keypair generated by Terraform and stored in Terraform state.
  • Network Security Rule:
    • Only allow SSH port inbound.
    • Associated with Bastion Host NIC
  • Static Public IP Name: <datacenter-name>-bastion-ip
  • NIC
    • Name: <datacenter-name>-bastion-nic
    • Subnet association: <datacenter-name>-sn-private-0
    • Configuration Name: <datacenter-name>-bastion-nic-cfg
      • Dynamic Private IP
      • Public IP Assigned: <datacenter-name>-bastion-ip

AKS Cluster

  • Name: <datacenter-name>-aks
  • K8S API Endpoint: Private
  • Network Profile
    • Plugin: Either kubenet or azure
    • Docker Bridge CIDR: 172.17.0.1/16
    • DNS Service IP: 10.2.0.10
    • Service CIDR: 10.2.0.0/16
    • Load Balancer SKU: Standard
      • 1 Outgoing Public IP
      • Outbound ports allocated: 1032 (Allows up to 62 worker nodes in the cluster).

Default Node Pool

  • Name: default
  • Node count: 2
  • VM Size: Standard_D2s_v3
  • OS Disk Size: 48 GB
  • OS Disk Type: Ephemeral
  • Subnet: <datacenter-name>-sn-private-0
  • Availability Zones: AZ 3

Prod1k Node Pool

  • Name: prod1k
  • Node count: 0
  • Max count: 50
  • VM Size: Standard_E2s_v3
  • OS Disk Size: 48 GB
  • OS Disk Type: Ephemeral
  • Subnet: <datacenter-name>-sn-private-0
  • Availability Zones: AZ 1 or AZ 2 or AZ 3 (see note)
  • Node Labels:
    • serviceClass = prod1k
    • nodeType = messaging
  • Node Taints:
    • serviceClass = prod1k:NoExecute
    • nodeType = messaging:NoExecute

Prod10k Node Pool

  • Name: prod10k
  • Node count: 0
  • Max count: 50
  • VM Size: Standard_E4s_v3
  • OS Disk Size: 48 GB
  • OS Disk Type: Ephemeral
  • Subnet: <datacenter-name>-sn-private-0
  • Availability Zones: AZ 1 or AZ 2 or AZ 3 (see note)
  • Node Labels:
    • serviceClass = prod10k
    • nodeType = messaging
  • Node Taints:
    • serviceClass = prod10k:NoExecute
    • nodeType = messaging:NoExecute

Prod100k Node Pool

  • Name: prod100k
  • Node count: 0
  • Max count: 50
  • VM Size: Standard_E8s_v3
  • OS Disk Size: 48 GB
  • OS Disk Type: Ephemeral
  • Subnet: <datacenter-name>-sn-private-0
  • Availability Zones: AZ 1 or AZ 2 or AZ 3 (see note)
  • Node Labels:
    • serviceClass = prod100k
    • nodeType = messaging
  • Node Taints:
    • serviceClass = prod100k:NoExecute
    • nodeType = messaging:NoExecute

Monitoring Node Pool

  • Name: monitoring
  • Node count: 0
  • Max count: 50
  • VM Size: Standard_E2s_v3
  • OS Disk Size: 48 GB
  • OS Disk Type: Ephemeral
  • Subnet: <datacenter-name>-sn-private-0
  • Availability Zones: AZ 1 or AZ 2 or AZ 3 (see note)
  • Node Labels:
    • nodeType = monitoring
  • Node Taints:
    • nodeType = monitoring:NoExecute

Resource Group (Managed by AKS)

  • Name: MC_<datacenter-name>-infra-rg_<datacenter-name>-aks_eastus2
    The name is derived from both the resource group name and the AKS cluster name.
  • Details: The resource group is generated by AKS automatically and contains all the resources created by AKS to host the AKS Cluster.

Public Load Balancer

  • Name: kubernetes
  • Details: Provides NAT to the kubernetes worker nodes over a public IP and provides public endpoint over public IPs to public access brokers running in AKS. There is only one public load balancer for the cluster. Rules are added to this load balancer as public access brokers are created.

Public IP Address for load balancer outgoing rules

  • Name: <GUID>
  • Details: Used by the public load balancer to provide NAT to its backend and internet access to brokers running in AKS. There is at least one public IP. Additional public IPs could be added to the outgoing rule pool to increase the possible number of instances.

Public IP Address for broker public access and load balancer ingress rules

  • Name: kubernetes-<GUID>
  • Details: Used by the public load balancer to provide a public IP to ingress rules that get traffic to a public access broker. There is is one public IP for each public access broker deployed in the AKS cluster.

Internal Load Balancer

  • Name: kubernetes-internal
  • Details: An internal load balancer is used only when private access broker are deployed. It provides a private endpoint in the AKS private subnet for each private access broker. Private endpoints are dynamically assigned a private IP from the subnet to the load balancer’s front end. There is only one internal load balancer for the cluster. This load balancer is present only if there is at least one private access broker deployed in AKS.

Network Security Group

  • Name: aks-agentpool-<id>-nsg
  • Details: Secures the Virtual Machine Scale Sets managed by AKS. It covers all worker nodes VMs. Inbound access is allowed only to the load balancers and to the VNET. Outbound access is allowed only to the VNET and Internet.

Network Interface

  • Name: kube-apiserver.nic.7549c48b-e241-4e2f-8c21-426e534b2ba0
  • Details: This network interface gives the AKS API private endpoint its private IP on the subnet.

Private Endpoint

  • Name: kube-apiserver
  • Details: This private endpoint gives access to AKS’s API REST endpoint. It is attached to a network interface connected to the private subnet. kubectl and other kubernetes management tools use this endpoint to manage the cluster.

Private DNS Zone

  • Name: c5acc6ae-98f2-4a0d-ae75-80ae51f161ff.privatelink.eastus2.azmk8s.io
  • Details: The private DNS zone gives a privately resolvable hostname to the private endpoint’s NIC.

Virtual Machine Scale Set (Default Node Pool)

  • Name: aks-default-18672195-vmss
  • Details: Node pool for the cloud-agent and other system pods
  • Instance Size: Standard_D2s_v3

Virtual Machine Scale Set (Prod1k Node Pool)

  • Details: Node pool for the messaging pods of service plans using the Prod1k tier:
    • Developer 100, Broker 250 and Broker 1K (Kilo)
  • Instance Size: Standard_E2s_v3

Virtual Machine Scale Set (Prod10k NodePool)

  • Name: aks-prod10k-18672195-vmss
  • Details: Node pool for the messaging pods of service plans using the Prod10k tier:
    • Broker 5K (Mega) and Broker 10K (Giga)
  • Instance Size: Standard_E4s_v3

Virtual Machine Scale Set (Prod100k Node Pool)

  • Name: aks-prod100k-18672195-vmss
  • Details: Node pool for the messaging pods of service plans using the Prod100k tier:
    • Broker 50K (Tera 50k) and Broker 100K (Tera)
  • Instance Size: Standard_E8s_v3

Virtual Machine Scale Set (Monitoring Node Pool)

  • Name: aks-monitoring-18672195-vmss
  • Details: Node pool for the monitoring pod of HA service plans:
    • Broker 250 and Broker 1K (Kilo), Broker 5K (Mega), Broker 10K (Giga), Broker 50K (Tera 50k) and Broker 100K (Tera)
  • Instance Size: Standard_E2s_v3

For high-availability event broker services, each node pool hosting an event broker service must be locked to a single availability zone. This allows the cluster autoscaler to function properly. SAP uses pod anti-affinity against the node pools' zone label to ensure that each pod in a high-availability event broker service is in a separate availability zone. See Node Pool Requirements for more information.