Application Development with Azure

Karim Vaes Specialist – Azure Application Development

@kvaes

Agenda

• Digital Transformation, powered by Application Innovation
• Developer Toolchain
• DevOps
• Kubernetes
• Java on Azure
• Spring on Azure

Digital Transformation

Powered by Application Innovation

Digital transformation: a journey with one destination but different paths

91% of business leaders see Digital Transformation as a way of sparking innovation and finding efficiencies1

85% say they must offer digital services or become irrelevant2

1 ISACA: Information Systems Audit and Control Association, 2018
2 Couchbase: Couchbase Survey, August 2018

Engage customers, transform products (Tesla example)

1 Data: Capture digital signal from across business
• Consumer Reports review indicates braking issue with Model 3
• Vehicle telemetry shows brake performance across fleet

2 Insight: Connect and synthesize data
• Car telemetry for suspect cars analyzed to understand issue
• Tesla identifies fix to improve stopping distance

3 Action: Improve business outcomes
• Car braking software updated over-the-air to fix issue
• Tesla closes the loop with Consumer Reports and review is updated

(Chart: percentage axis from -2,0% to 7,0%; data series not recoverable from the slide text)

Toolchain Overview

Evolution of software development

Scale innovation · Collaborate globally & securely · Build productively

World’s most comprehensive developer toolchain

Azure: Azure Stack, Azure Data Box, Azure HoloLens

Services: Web, Databases, Mobile, Analytics, Tools, Mixed Reality, AI + Machine Learning, Containers, Events + Integration, Media, Compute, Networking, Storage, Security, Identity

Tools: Visual Studio, Azure DevOps, GitHub, PowerApps, Power BI

Characteristics of modern applications: Containers, Managed Databases, Artificial Intelligence, Serverless

Azure operational database services

Closing the talent gap: >86% of organizations struggle to find technical talent to build applications1

Democratizing development

Professional developers: GitHub, Visual Studio, Azure services
Citizen developers: PowerApps, Flow

Azure: #1 Developers’ Choice of PaaS Products1
PowerApps: Leader in Low-Code Development Platforms2

DevOps

Top performing DevOps companies spend more time innovating and less time “keeping the lights on”.

The result: better products, delivered 19.5% faster, to happier customers by more engaged teams

(Chart values shown: 50%, 10%, 5%, 5%; series labels not recoverable from the slide text)

Azure Boards: Connecting ideas to releases
• Scrum ready to help your teams run sprints, stand-ups, and plan work
• Integrated with GitHub commits and pull requests
• Insights into project status and health

Azure Repos: Private Git and TFVC repos for your teams
• Code review via branch pull requests
• Branch policies and build validation
• Easy migration path to / from GitHub

Azure Pipelines: Cloud-hosted pipelines for Linux, macOS and Windows
• Any language, any platform, any cloud
• Native support for containers and Kubernetes
• Best-in-class for open source
• Deploy to on-premises, ANY cloud or a hybrid of cloud and on-prem
• Staged environment releases
• Pre and post deployment approvals with gates to automate approval based on conditions

Azure Artifacts: Share code efficiently
• Keep your Maven, npm, NuGet and Python packages and more in the same place
• Aggregate from public registries and internal teams
• Publish and track from any pipeline

Azure Test Plans: Run tests and log defects from your browser
• Track and assess quality throughout your lifecycle
• Capture rich data for reproducibility
• Create tests directly from exploratory sessions

GitHub brings open source workflows to your organization, breaking down silos and enabling InnerSource through:
• Expertise sharing
• Cross-team collaboration
• Improved code reuse
• Increased velocity
• Secure Workflows

DevOps at Microsoft

Azure DevOps is the toolchain of choice for Microsoft engineering with over 100,000 internal users

➔ https://aka.ms/DevOpsAtMicrosoft

442k Pull Requests per month
4.6m Builds per month
28k Work items created per day
2.4m Private Git commits per month
3.5k Open Source repos
12k Employees contributing to open source
82,000 Deployments per day

Data: Internal Microsoft engineering system activity, March 2019

Azure DevOps supports small teams and the largest enterprises

“Instead of telling people to wait for 6 months for a new feature, we can give it to them in a few weeks…Our 2800 worldwide developers can use the same backlog, user stories and tests whether they’re on Windows or Linux… building for iOS or Android.”

“Speed is gained in moving to the PaaS offering of Azure DevOps. PaaS provides regularly released features and a future-proof capability, eliminating the need for Accenture to maintain infrastructure and go through upgrade cycles.”

“Branches sync 500 percent faster. Builds are 400 percent faster, with the typically six-hour reduced to 90 minutes. We (now have) a highly streamlined process that operates with a few button clicks—and one-button deployment.”

“Microsoft made it really easy to break outside the silos… and tie the DevOps process into the fulfilment of business process. Without the tools that we have today, we would not be successful.”

Reactive operations

DEVELOP, DELIVER, OPERATE

Moving to proactive operations with Azure: DEVELOP, DELIVER, OPERATE

Deliver faster and more reliably with GitHub and Microsoft Azure
• Integrate with your existing tools and workflow
• Infrastructure and Configuration as Code

©Microsoft Corporation Azure

Continuous Security
• Gain full visibility and control of your cloud security state
• Leverage ML to proactively identify and mitigate risks to reduce exposure to attacks
• Quickly detect and respond to threats with advanced analytics

Smarter Insights, Faster

Let us go through it…

Customer Stories: DevOps

“Our build times are five times faster now that we use Azure DevTest Labs.... Developers get much quicker feedback, so they can test code repeatedly and identify and fix more errors.”
Johan Krebbers: IT Chief Technology Officer at Royal Dutch

“We realized that we simply did not have the resources to build and manage the kind of datacenters and development infrastructure to meet our growth strategy, so we quickly decided on a cloud model.”
Mike Hanrahan: Chief Technology Officer at Jet.com

“With DevOps and Azure, we’re able to reduce our new-feature release cycle down to one week, and we think we can even speed that up.”
Fikri Larguet: Director of Cloud Services at Geico

“Speeding up our software delivery engine has had a huge impact on our business, it’s enabled us to introduce new services faster, move into new markets, and respond to the everyday needs of the business.”
Robert Rodduck: Director of Architecture and DevOps at Ambit Energy

“With , we deliver value quickly, integrating native experiences like Touch ID and push notifications, and using Xamarin Test Cloud automation to run our test suite on thousands of devices.”
Mike Lorengo: Director, IT Enterprise Architecture at Alaska Airlines

“With Azure, we can worry less about capacity management, it lets us focus on automation and on delivering product faster.”
Pierre-Jean Olivon: Infrastructure Manager at Risk Management Solutions

Fiona Tan, SVP, Customer Technology and AI at Walmart

“Our digital transformation is a strategic priority for the bank. We firmly believe that adopting the same tools and practices as the world’s top software companies is the key to our success!”
Amir Jaballah, Global Head of Continuous Delivery Platform at Societe Generale

“Almost everything we do as a company is kept inside of GitHub Enterprise, from security controls and application code to internal policies.”
Rob Witoff, Director of Infrastructure and Security at Coinbase

“On GitHub, the most natural thing in the world is to contribute back, developers at SAP are productive and innovative and are able to imagine great things in that ecosystem.”
Dominik Tornow, Director of Engineering at SAP Labs

Kubernetes

Kubernetes momentum

“By 2020, more than 50% of enterprises will run mission-critical, containerized cloud-native applications in production.”

Larger companies are leading the adoption: for the organizations running Kubernetes today, 77%1 of those with more than 1,000 developers are running it in production.

1 Heptio: State of Kubernetes 2018

What’s behind the growth? Kubernetes: the leading orchestrator shaping the future of app development and management

• It’s widely used: Kubernetes is in production for global companies across industries1
• It’s vendor-neutral: A variety of cloud providers offer robust Kubernetes support
• It’s community-supported: There’s a huge community of active contributors supporting Kubernetes3 (24,000 contributors since 2016; 1.1 million contributions since 2016)

1 Kubernetes.io. “Kubernetes User Case Studies.” 2 CNCF. “Kubernetes Is First…” 3 CNCF. Keynote address.

Azure Kubernetes Service (AKS): Ship faster, operate easily, and scale confidently with managed Kubernetes on Azure
• Manage Kubernetes with ease
• Accelerate containerized development
• Build on an enterprise-grade, secure foundation
• Run anything, anywhere

Top scenarios for Kubernetes on Azure
• Lift and shift to containers: Cost saving, automation without refactoring your app
• Microservices: Agility, faster application development
• Machine learning: Performance, low latency processing
• IoT: Portability, build once, run anywhere
• Secure DevOps: Deliver code faster and securely at scale

Azure Kubernetes momentum: Trusted by thousands of customers

Azure Kubernetes Service usage grew 30x since it was made generally available in June 2018 (dated November 2018)

How Kubernetes works

(Diagram: the Kubernetes control plane, or master node, runs the API server, controller-manager, scheduler and etcd (holding replication, namespace, serviceaccounts, etc.); each worker node runs kubelet, kube-proxy and Docker and hosts pods made up of containers; the Internet reaches the worker nodes)

1. Kubernetes users communicate with the API server and apply desired state
2. Master nodes actively enforce desired state on worker nodes
3. Worker nodes support communication between containers
4. Worker nodes support communication from the Internet

Kubernetes on its own is not enough: Save time from infrastructure management and roll out updates faster without compromising security

Unlock the agility for containerized applications using:
• Infrastructure automation that simplifies provisioning, patching, and upgrading
• Tools for containerized app development and CI/CD workflows supporting Kubernetes
• Services that support security, governance, and identity and access management

(Diagram components: IDE container support, source code repository, registry, Helm, CI/CD, infrastructure automation, security, governance, identity, monitoring, virtual machines, networking, microservice debugging, storage, data)

Kubernetes on Azure: Simplify the deployment, management, and operations of Kubernetes

Portable · Extensible · Self-healing

Manage and operate Kubernetes with ease · Accelerate containerized app development · Build on an enterprise-grade, secure platform · Run any workload anywhere

Microsoft among leaders in inaugural Forrester New Wave report: Forrester finds Microsoft “leads the pack with the strongest developer experience and global reach”

THE FORRESTER NEW WAVE™: Public Cloud Enterprise Container Platforms, Q3 2019 (vendors placed: Amazon Web Services, Google, Microsoft, IBM, Alibaba Cloud, HUAWEI, Tencent Cloud; axes: Weaker/Stronger Current Offering and Weaker/Stronger Strategy, with Market Presence; categories: Challengers, Contenders, Strong Performers, Leaders)

Reference customers share:
• “Azure has the best integration with our development tools and processes.”
• “Azure manages the k8s control plane for us—we don’t even have to think about it.”
• “Easy cluster setup, integration with database and other Azure services, the best developer experience, and rock-solid support keep them highly satisfied with Azure containers.”

The Forrester New Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester New Wave™ is a graphical representation of Forrester’s call on a market. Forrester does not endorse any vendor, product, or service depicted in the Forrester New Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

Manage Kubernetes with ease: Focus on your containers and code, not the plumbing of them

Responsibilities, DIY Kubernetes vs. managed Kubernetes on Azure (split between Customer and Microsoft):
• App/workload containerization
• User definition
• Application iteration, debugging
• CI/CD
• Provisioning, upgrades, patches
• Reliability, availability
• Scaling
• Monitoring and logging

(Diagram: in the DIY case, self-managed master node(s); on Azure, an Azure managed control plane with API endpoint, API server, etcd store, controller manager, scheduler and cloud controller, which schedules pods over a private tunnel onto customer VMs running Docker and pods)

Azure Red Hat OpenShift: Fully managed Red Hat OpenShift service. Simplify cluster operations with Azure Red Hat OpenShift

Responsibilities (split between Customer and Microsoft and Red Hat):
• User definition
• User management
• Project and quota management
• Application lifecycle
• Cluster creation
• Cluster management
• Monitoring and logging
• Network configuration
• Software and security updates
• Platform support

(Diagram: Azure Active Directory, Azure Key Vault, App 1 and App 2 behind the OpenShift API/administration console; Azure DNS and public IPs in front of Azure Load Balancer (Master) and Azure Load Balancer (Router); a virtual network with OpenShift SDN; Azure VM scale sets for Master nodes (api-server, controller-manager, etcd), Infrastructure nodes (registry, router) and Application nodes (application pods, Node 1 … Node N); Azure Premium SSD Managed Disks and Azure Blob Storage)

Manage Kubernetes with ease: Highly available, reliable service with serverless scaling

(Diagram: Azure Monitor; an AKS production cluster running microservices pods; a virtual node backed by Azure Container Instances (ACI))

Availability · Reliability · Auto scaling

Azure makes Kubernetes easier: Manage and operate Kubernetes with ease

Task: Create a cluster
  The Old Way: Provision network and VMs; install dozens of system components including etcd; create and install certificates; register agent nodes with control plane
  With Azure: az aks create

Task: Upgrade a cluster
  The Old Way: Upgrade your master nodes; cordon/drain and upgrade worker nodes individually
  With Azure: az aks upgrade

Task: Scale a cluster
  The Old Way: Provision new VMs; install system components; register nodes with API server
  With Azure: az aks scale

Accelerate containerized development

Kubernetes and DevOps better together: Develop, Deliver, Operate

Develop
• Native containers and Kubernetes support in IDE
• Remote debugging and iteration for multi-containers
• Effective code merge
• Automatic containerization

Deliver
• CI/CD pipeline with automated tasks in a few clicks
• Pre-configured canary deployment strategy
• In depth build and delivery process review and integration testing
• Private registry with Helm support

Operate
• Out-of-box control plane telemetry, log aggregation, and container health
• Declarative resource management
• Auto scaling

(Diagram: inner loop with Azure Dev Spaces on an AKS dev cluster (scale, test, debug); GitHub repos; Azure Container Registry holding the container image and Helm chart; Azure Boards; CI/CD Pipelines; Terraform; AKS production cluster; Azure Monitor)

Azure makes Kubernetes easier: Accelerate containerized application development

Task: Inner loop development
  The Old Way: Set up a local dev environment using Minikube; determine the transitive closure of your dependencies; identify behavior of dependencies for key test cases; stub out dependent services with expected behavior; make local changes, check-in, and hope things work; validate with application logs
  With Azure: Use Dev Spaces to run and debug services locally while connected to existing services and dependencies without having to mock them

Task: Set up a CI/CD pipeline and deploy to Kubernetes
  The Old Way: Create Git repo; create a build pipeline; create a container registry; create a Kubernetes cluster; configure build pipeline to push to container registry; configure build pipeline to deploy to Kubernetes; define and set up deployment strategy
  With Azure: Store source code on GitHub, then create a project on Azure Pipelines with Kubernetes/AKS as a target

Task: Make container images available worldwide
  The Old Way: Create a container registry in every region; configure build pipeline with multiple endpoints; loop through all regions and push following build
  With Azure: Create an Azure Container Registry with geo-replication for deployment; push your image to a single endpoint

Task: Track health with consolidated logging and analytics
  The Old Way: Choose a logging solution; deploy log stack in your cluster or provision a service; configure and deploy a logging agent onto all nodes
  With Azure: Checkbox enable monitoring with centralized tracking of cluster and application logs

Build on an enterprise-grade, secure platform

• Control access through AAD and RBAC
• Get runtime vulnerability scanning and auditing through Azure Security Center
• Put guardrails in your development process with Azure Policy
• Secure network communications with VNET and network policy
• Gain automated threat protection and best practice recommendations for Kubernetes clusters

Identity: Use familiar tools like AAD for fine-grained identity and access control to Kubernetes resources from cluster to containers

(Diagram: AKS with RBAC; Active Directory; a VNet with nodes and pods; AAD Pod Identity giving pods access to SQL Database, Cosmos DB, Key Vault and Storage)

Image Security: Your private registry, with built-in Helm chart support, only deploys validated images and can be automatically geo-replicated to the data center close to where your users are

(Diagram: Developer pushes through Azure CI/CD Pipelines to Azure Container Registry, where image scanning marks images Fail or Pass before they reach Azure Kubernetes Service; Admin receives vulnerability scanning results and actionable recommendations)

Networking: Secure your Kubernetes workloads with virtual network and policy-driven communication paths between resources

(Diagram: Kubernetes cluster in an Azure VNET; internal load balancer; egress lockdown; external DNS; control plane; ingress controller; App Gateway; private cluster; worker nodes running kubelet with pods and containers; namespaces)

Governance: Dynamically enforce guardrails defined in Azure Policy across multiple clusters—nodes, pods, and even container images can be tracked and validated at the time of deployment or as part of CI/CD workflows
• Cloud Architect assigns a policy across clusters (Cluster-1, Cluster-2, Cluster-3) through Azure Policy
• Compliance reports for the entire environment, with pod-level granularity
• AKS Developer gets real-time enforcement of policy and feedback

Threat protection: Automated threat detection and best practices recommendation for Kubernetes clusters using advanced analytics from Azure Security Center
• Continuous discovery of managed AKS instances
• Actionable recommendations for security best practices
• Detect threats across AKS nodes and clusters using advanced analytics

Run anything, anywhere
• Container: Windows, Linux
• Region: 35+ regions worldwide
• Environment: your choice of public clouds, IoT Edge, Azure Government, Azure Stack, private data centers

Azure Kubernetes Service (AKS) support for Windows Server Containers: Now you can get the best of managed Kubernetes for all your workloads whether they’re in Windows, Linux, or both

• Lift and shift Windows applications to run on AKS

• Seamlessly manage Windows and Linux applications through a single unified API

• Mix Windows and Linux applications in the same Kubernetes cluster—with consistent monitoring experience and deployment pipelines

Azure Arc enabled Kubernetes clusters (Identity, RBAC, Policy, Monitoring)
• Central inventory and monitoring of the sprawling assets running anywhere from on-premises to edge
• Consistently apply policies and role-based access controls (RBAC) for at-scale governance
• Deploy Kubernetes resources to all clusters using a GitOps-based workflow

(Diagram: Azure Arc spanning Azure Stack and Kubernetes anywhere)

…or… Kubernetes is built and maintained by the community

Kubernetes collects wisdom, code, and efforts from hundreds of corporate contributors and thousands of individual contributors: 150,000 commits, 24,000 contributors, #1 GitHub project

Microsoft is part of this vibrant community and leads in the associated committees to help shape the future of Kubernetes and its ecosystem: CNCF platinum member, CNCF technical oversight committee, CNCF governing board, Kubernetes steering committee, Linux Foundation board member

AKS is certified Kubernetes conformant, ensuring portability and interoperability of your container workloads

Microsoft contributions to the community
• Packaging & distribution: Porter, CNAB, Helm, Duffle
• Scalability & control: Virtual Kubelet, Open Policy Agent, KEDA, Service Mesh Interface
• Kubernetes developer tooling: Draft, VS Code Kubernetes Extensions, Brigade

Microsoft contributions to the community (headline figures; column text only partly recoverable from the slide)
• Top code contributor to Kubernetes, Helm1
• 3X growth of employee contributors within three years
• 68% of Kubernetes monthly active users prefer VSCode Kubernetes Extension2
• 50K+ Windows support in Kubernetes users

1 CNCF. 2 Microsoft.

Work how you want with open source tools and APIs

Development · DevOps · Monitoring · Networking · Storage · Security

Take advantage of services and tools in the Kubernetes ecosystem: Virtual Kubelet, CNAB, Visual Studio Code, Azure Pipelines, Azure VNET, Azure Policy, Azure Monitor, Azure Storage, GitHub, ARM, Service Mesh Interface, AAD, ASC, Container Registry, Key Vault, Azure Cosmos DB

Leverage 100+ turn-key Azure services

Top scenarios for Kubernetes on Azure
• Lift and shift to containers: Cost saving, automation without refactoring your app
• Microservices: Agility, faster application development
• Secure DevOps: Deliver code faster and securely at scale
• Machine learning: Performance, low latency processing
• IoT: Portability, build once, run anywhere
• Data streaming: Analytics, real-time data collection and streaming

Lift and shift to containers

App modernization without code changes
• Speed application deployments by using container technology
• Defend against infrastructure failures with container orchestration
• Increase agility with continuous integration and continuous delivery

(Diagram: existing application, Container Registry, CI/CD, Kubernetes cluster running modernized applications, managed database)

Capabilities
1. Use Azure Container Registry to store container images and Helm charts for your modernized applications, replicated globally for low latency image serving
2. Integrate AKS with Azure Pipelines or other Kubernetes ecosystem tooling to enable continuous integration/continuous delivery (CI/CD)
3. Enhance security with Azure Active Directory and RBAC to control access to AKS resources

(Diagram: existing application, Azure Container Registry, Azure Pipelines, AKS in a virtual network, Azure Database for MySQL, Active Directory)

Microservices

Microservices: for faster app development

Monolithic: Large, all-inclusive app
Microservices: Small, independent services
• Independent deployments
• Improved scale and resource utilization per service
• Smaller, focused teams

Capabilities
1. Use Azure Dev Spaces to iteratively develop, test, and debug microservices targeted for AKS clusters.
2. Azure Pipelines has native integration with Helm and helps simplifying continuous integration/continuous delivery (CI/CD)
3. Virtual node—a Virtual Kubelet implementation—allows fast scaling of services for unpredictable traffic.
4. Azure Monitor provides a single pane of glass for monitoring over app telemetry, cluster-to-container level health analytics.

(Diagram: inner loop with Azure Dev Spaces on an AKS dev cluster (test, debug); source code control; Container Registry; auto-build; CI/CD Pipelines; AKS production cluster with pods; Container instances; Azure Monitor)

https://github.com/Microsoft/SmartHotel360-AKS-DevSpaces-Demo

Secure DevOps

Secure DevOps
• Deliver code faster with Kubernetes and CI/CD
• Accelerate the feedback loop with constant monitoring
• Balance speed and security with continuous security and deep traceability

(Diagram: source code, Build Pipelines (Continuous Integration), Release Pipelines (Continuous Delivery, deployment strategies), Kubernetes cluster; Monitor & logging; Iterate)

Capabilities
1. Developers rapidly iterate, test, and debug different parts of an application together in the same Kubernetes cluster
2. Code is merged into a GitHub repository, after which automated builds and tests are run by Azure Pipelines
3. Container image is pushed to Azure Container Registry
4. Kubernetes clusters are provisioned using tools like Terraform; Helm charts, installed by Terraform, define the desired state of app resources and configurations
5. Operators enforce policies to govern deployments to the AKS cluster
6. Release pipeline automatically executes pre-defined deployment strategy with each code change
7. Policy enforcement and auditing is added to CI/CD pipeline using Azure Policy
8. App telemetry, container health monitoring, and real-time log analytics are obtained using Azure Monitor
9. Insights used to address issues and fed into next sprint plans

(Diagram: inner loop with Azure Dev Spaces on an AKS dev cluster, where the team iterates in one isolated environment; source code control; Container Registry holding the container image; CI/CD Pipelines with Helm chart and Terraform; Azure Policy accept/deny; AKS production cluster with releases v1, v2, 3 … N; Azure Monitor with app telemetry, container health and real-time log analytics)
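Steps 2, 3 and 6 of the flow above (automated build and test in Azure Pipelines, push to Azure Container Registry, release with a pre-defined strategy) correspond to a pipeline definition. The following azure-pipelines.yml is an added example written for this page, not from the deck or from the SmartHotel360 demo repository. The service connection names `acr-connection` and `azure-subscription`, the registry host `contoso.azurecr.io`, the cluster `aks-prod`, resource group `rg-prod`, namespace `app`, chart path and image name are placeholders. The pre- and post-deployment approvals of step 5 are attached to the `production` environment in the Azure DevOps portal rather than written in YAML, and the Azure Policy admission control of step 7 runs inside the cluster when the release is applied, so neither appears as a task here.

```yaml
# Added example, not part of the original deck. Names marked "placeholder" must be
# replaced with the organisation's own service connections and resources.
trigger:
  branches:
    include: [main]

variables:
  imageRepository: sample-app          # placeholder image name in the registry
  registryHost: contoso.azurecr.io     # placeholder ACR login server
  tag: $(Build.BuildId)                # immutable tag per build, never "latest"

stages:
- stage: Build
  jobs:
  - job: BuildAndPush
    pool:
      vmImage: ubuntu-latest
    steps:
    # Step 2/3: build from the merged source and push to the private registry.
    # Registry-side vulnerability scanning (Azure Security Center) runs on push.
    - task: Docker@2
      displayName: Build and push image to Azure Container Registry
      inputs:
        command: buildAndPush
        containerRegistry: acr-connection   # placeholder Docker registry service connection
        repository: $(imageRepository)
        Dockerfile: $(Build.SourcesDirectory)/Dockerfile
        tags: $(tag)

- stage: Deploy
  dependsOn: Build
  jobs:
  # A deployment job targets an environment; approvals and checks configured on the
  # environment gate this stage (the "pre and post deployment approvals" of the deck).
  - deployment: DeployToAks
    environment: production
    pool:
      vmImage: ubuntu-latest
    strategy:
      runOnce:
        deploy:
          steps:
          - checkout: self              # the Helm chart lives in the repository
          # Step 6: the release pipeline applies the chart with the new image tag.
          # The cluster's admission control (Azure Policy) accepts or denies the result.
          - task: HelmDeploy@0
            displayName: Upgrade Helm release with the freshly built image
            inputs:
              connectionType: Azure Resource Manager
              azureSubscription: azure-subscription   # placeholder ARM service connection
              azureResourceGroup: rg-prod             # placeholder
              kubernetesCluster: aks-prod             # placeholder
              namespace: app                          # placeholder
              command: upgrade
              chartType: FilePath
              chartPath: $(Build.SourcesDirectory)/charts/sample-app   # placeholder
              releaseName: sample-app
              install: true
              waitForExecution: true
              overrideValues: image.repository=$(registryHost)/$(imageRepository),image.tag=$(tag)
```

Pinning the image to `$(Build.BuildId)` keeps every release traceable back to the commit and build that produced it, which is what the deck's "deep traceability" relies on; `waitForExecution` makes the stage fail if the rollout does not become ready, so a policy denial at admission surfaces as a failed release rather than a silent no-op.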

Machine learning: Data scientist in a box
• Quick deployment and high availability
• Low latency data processing
• Consistent environment across test, control and production

(Diagram: the Data Scientist supplies the algorithm, data and compute; training on GPU-enabled VMs in AKS produces a trained AI model; the model is served in production; the Developer queries the model for AI features in the app)

Capabilities
1. Package ML model into a container and publish to Azure Container Registry
2. Azure Blob Storage hosts training data sets and trained model
3. Use Kubeflow to deploy training job to AKS; distributed training job to AKS includes parameter servers and worker nodes
4. Serve production model using Kubeflow, promoting a consistent environment across test, control and production
5. AKS supports GPU enabled VM
6. Developer can build features querying the model running in AKS cluster

https://github.com/Azure/kubeflow-labs

IoT: Scalable Internet of Things solutions
• Portable code, runs anywhere
• Elastic scalability and manageability
• Quick deployment and high availability

(Diagram: IoT Edge devices, IoT Hub, AKS with IoT Edge Connector, SQL Database, Azure Database for MySQL, Cosmos DB)

Capabilities
1. Azure IoT Edge encrypts data and sends it to Azure, which then decrypts the data and sends it to storage
2. Virtual node, an implementation of Virtual Kubelet, serves as the translator between cloud and Edge
3. IoT Edge Provider in virtual node redirects containers to IoT Edge and extends AKS cluster to target millions of edge devices
4. Consistent update, manage, and monitoring as one unit in AKS using single pod definition

(Diagram: on the device, Decrypt, Decompress, Compress, Encrypt, Send to Cloud; in Azure, Send to Storage; a Kubernetes cluster whose nodes run Docker containers plus a virtual node hosting the IoT Edge Provider)

Data streaming
• Real-time data gathered and streamed to AKS
• Collected data analyzed and insights generated almost instantly
• Data stored and available for deeper analysis by data scientists

(Diagram: IoT sensor, API Management, AKS, Azure Cosmos DB, Storage, Apache Kafka, HDInsight, Analysis, Database for PostgreSQL, Cache for Redis)

Capabilities
1. Sensor data is generated and streamed to Azure API Management
2. AKS cluster runs microservices that are deployed as service containers behind a service mesh (Service Mesh Interface); containers are built using a DevOps process (GitHub, Azure Pipelines, ACR) and stored in Azure Container Registry
3. Ingest service stores data in an Azure Cosmos DB
4. Asynchronously, the analysis service receives the data and streams it to Apache Kafka and Azure HDInsight (cold path)
5. Data scientists can analyze the big data for use in machine learning models using Splunk
6. Data is processed by the processing service (hot path), which stores the result in Azure Database for PostgreSQL and caches the data in an Azure Cache for Redis
7. A web app running in Azure App Service is used to visualize the results

Kubernetes Customer stories

Xerox Docushare Flex—Before

Typical 3-tier architecture using VMs (Internet, Virtual Machines)
• Each customer instance (Customer A, Customer B, Customer …) assigned to dedicated Java and Postgres VMs
• Set of backing services for authentication, file sharing, common data sources (LDAP, SFTP, PRIZM)

Problem: Due to overhead and management burden of VMs, adding a new customer takes 24 hours, slowing down customer onboarding through sales and partner network

Xerox Docushare Flex—After

Typical 3-tier architecture using VMs (Internet, NGINX, AKS, Azure Container Registry)
• Convert Postgres database to a shared backing service
• Run Java application in containers with no code modification (Customer A, Customer B, Customer C)
• Switch to NGINX-based web-tier with LetsEncrypt for free SSL/TLS
• New Helm chart created to automate customer onboarding to AKS

Backing services: LDAP, SFTP, PRIZM, Postgres

Outcome: Run the Java application in containers on AKS, decreasing Backing Services provisioning time from 24 hours to 10 minutes, accelerating sales and LDAP SFTP PRIZM Postgres customer onboarding with no code changes required Xerox moves to containers in Azure for faster “Thanks to Azure Kubernetes Service, we can now spin up new demo environments in 10 demo environment releases minutes instead of 24 hours. Moving Docushare Flex from virtual machines to containers in Azure allows us to provision environments faster, empowering our sales and partner network.”

— Robert Bingham, Director of DocuShare Cloud Operations, Xerox

Benefits:
• Onboard prospective customers faster through automation
• Enable self-service demo environments for large partners
• Reduce administrative overhead for a small Ops team
• No code modification required

Power grid operator uses containerized software to promote smart utility initiatives for 1.5M people

"We wanted a platform to speed development and testing but do it safely, without losing control over security and performance. That's why Azure and AKS are the perfect fit for us."

— Ståle Heitmann, Chief Technology Officer, Hafslund Nett

Challenge: Legacy systems for reading meter data needed greater capacity to process large volumes of IoT data—but implementing the necessary system enhancements was difficult and expensive

Solution: Hafslund chose to develop its own software for processing meter data. The company used Microsoft Azure as its cloud platform, AKS to manage software containers, and Azure Monitor for containers to optimize container performance.

Outcome: Hafslund now has a standard way to create, monitor, scale, and manage applications, which means it can respond to customer needs faster.

Hafslund Nett: architecture

[Architecture diagram: GitHub → Azure Pipelines (with Terraform) → Azure Container Registry → AKS (virtual network, namespaces, VM nodes) behind external and internal load balancers and API Management; Azure Active Directory, Key Vault; data services: Cosmos DB, SQL Server, Azure Table Storage, Azure Search; monitoring: Azure Container Monitor, Log Analytics, Application Insights; ExpressRoute to on-premises services and infrastructure]

1. Azure Pipelines automates container image build, push and release to Azure Kubernetes Service, triggered by source code updates.
2. Azure Kubernetes Service provides the always-on service for meter reading and connects with Azure managed databases to process the massive amounts of data the IoT devices generate.
3. Azure API Management serves as the secure gateway that helps connect to data and services anywhere.
4. Azure networking and Active Directory provide fine-grained controls for external and inter-service communication.
5. Azure Monitor provides a single pane of glass for cluster-to-container monitoring.

Bosch increases vehicle safety using precision GPS algorithms and Azure Kubernetes Service

"What we like about AKS is the simplified Kubernetes experience. It's click and deploy, it's click and scale. It's infrastructure as code too, which is quite cool for us."
— Christian Jeschke, Product Owner, Bosch

Challenge: Bosch designed a software development kit (SDK) that can be used by original equipment manufacturers (OEMs) to embed driving safety information at scale. For such a service to work commercially, they had to build a real-time data ingestion and processing pipeline capable of detecting hazards and notifying drivers within seconds

Solution: The solution is deployed as multiple microservices running in containers behind an Azure API Management gateway. AKS provided the simplicity of a serverless Kubernetes experience, giving the elastic provisioning they wanted without the need to manage the infrastructure.

Outcome: By running their solution, which has been downloaded by 12 million users, on Azure and AKS, the average time to detect driving hazards dropped to approximately 60 milliseconds.

Bosch: architecture

[Architecture diagram: SDK → public API (API Management, Key Vault) → VNet with AKS (hotspots/WDW service, mVISE service, map matching), Kafka Streams on HDInsight, Azure Container Registry; data stores: Data Explorer clusters, Blob Storage, Cosmos DB, Cache for Redis, PostgreSQL server; Databricks]

1. Sensor data is generated and streamed to API Management
2. AKS cluster runs microservices that are deployed as containers behind a service mesh; containers are built using a DevOps process and stored in Azure Container Registry
3. Ingest service stores data in an Azure Cosmos DB and other data storage destinations
4. Asynchronously, the map matching service receives the data from Kafka Streams on Azure HDInsight
5. Data is processed and the result is stored in Azure Database for PostgreSQL; maps are continuously updated using Azure Databricks
6. A web app running in Azure App Service is used to visualize the results

DNV GL scales up machine learning using Azure Kubernetes Service

"We decided to address the friction areas of our internal company deployment, management, and operations, and after evaluating commercial offerings, we chose to develop ML Factory based on Azure services."
— Kristian Ramsrud, Machine Learning group, DNV GL Maritime

Challenge: Initially, the group trained machine learning models locally and deployed each application to Azure Virtual Machines. This process took up to 2 weeks and consumed more Azure resources than needed.

Solution: DNV GL created a service that builds and deploys each machine learning application as a container on AKS. They are able to use the Kubernetes Cluster Autoscaler to add resources on demand as the need for more compute power arises.

Outcome: Data scientists and developers at DNV GL can now deliver more solutions to their internal and external customers with more speed, for less money, and with a more elastic software stack. The data scientists and engineers at DNV GL can focus on developing new, predictive solutions and providing real business value.

DNV GL: architecture

[Architecture diagram: ML Factory developer tools and web portal → Azure Container Registry (ACR Tasks) → AKS → API Management gateway → consuming applications; support components: Azure Active Directory, App Service, Key Vault, Blob Storage and storage accounts, SQL Server; ML development and monitoring: Log Analytics, Event Grid, Function Apps]

1. Data scientists create their machine learning applications as containers using the ML Factory development tools
2. ML apps are built automatically using Azure Container Registry Tasks and are deployed to Azure Kubernetes Service
3. Real-time logs can be streamed directly for debugging purposes. Azure Log Analytics also provides access to historical logs within defined retention periods
4. As the data flows through the platform, multiple functions hosted in Azure Functions work together to fire alerts or trigger actions, triggered by signals from Azure Event Grid
5. Published applications are automatically added to the company's corporate API Management gateway and the internal API catalog

Maersk uses AKS for a customer service process to elevate NSAT, an industry-wide challenge

"Using Kubernetes on Azure satisfies our objectives for efficient software development. It aligns well with our digital plans and our choice of open-source solutions for specific programming languages."
— Rasmus Hald, Head of Cloud Architecture, A.P. Moller - Maersk

Needs:
• Get near-real-time data to provide better customer service
• Collect data for future Machine Learning driven features

Challenges:
• Compute- and memory-intensive features
• Data integration difficulties
• Limited organisational experience in Cloud & Kubernetes

Requirements:
• Spend less time on container software management
• Automation and continuous delivery
• Full visibility into application, container and infrastructure
• Fine-grained security and access control

Outcomes:
• Reduced environment provisioning time from 1+ weeks to 2.5 hours
• AKS and CaaS can potentially save 33% on run cost

Maersk: architecture

[Architecture diagram: Azure Pipelines and Terraform → App Gateway and Firewall → AKS with RBAC; Data Factory and Data Management Gateway, ExpressRoute to on-premises database; Key Vault, SQL Database, Cosmos DB, Document DB; Azure Monitor, Application Insights; Event Hub, Service Bus, internal queuing, event simulation, batch processing, App Service]

1. Azure Pipelines for automation and CI/CD pipelines; adding Terraform for further automation
2. Key Vault to secure secrets and as a persistent configuration store
3. Azure Monitor for containers to provide better logging and troubleshooting, with no direct container access
4. RBAC for fine-grained access control over Kubernetes resources

Supporting value-based care development for medical technology provider Siemens Healthineers

"Using Azure Kubernetes Service puts us into a position to not only deploy our business logic in Docker containers, including the orchestration, but also … to easily manage the exposure and control and meter the access."
— Thomas Gossler, Lead Architect, Digital Ecosystem Platform, Siemens Healthineers

Challenge: Siemens Healthineers wanted to develop more of its solutions in the cloud—on-premises systems were proving complicated for data aggregation and analytics—but strict compliance requirements were making that transition tricky.

Solution: The company selected Microsoft Azure for its cloud development platform thanks in large part to the number of regulatory certifications Azure has earned worldwide. With that decision, the company now deploys its distributed applications in Docker containers, orchestrates those containers using Kubernetes, and monitors and manages the environment with AKS.

Outcome: AKS enables developers to quickly and easily work with their applications with minimal operations and maintenance overhead, leading to shorter release cycles and helping the company achieve its desired continuous delivery approach.

Ambit Energy uses cloud to electrify pace of innovation and expansion

"Azure support for Docker, Kubernetes, Puppet, Terraform, Cassandra, and other open source tools has become very important to us and has really accelerated our move into Azure."
— Robert Rudduck, Director of Architecture and DevOps, Ambit Energy

Challenge: To meet aggressive growth goals, Ambit Energy needed to automate infrastructure provisioning to match their pace of new software creation.

Solution: To stand up infrastructure quickly, Ambit used Microsoft Azure services such as Azure Container Service, together with infrastructure as code and open source technologies, to completely automate infrastructure provisioning.

Outcome: By implementing Azure, Ambit can move dramatically faster to enhance its services and enter new markets. Infrastructure redundancy is flexible and worry-free. And costs are 22 percent lower, which helps Ambit compete in the crowded electricity market.

Altair Engineering uses cloud to democratize HPC access

"Customers are limited as to what they can do on workstations, but with Azure we can give them a scalable, cost-effective back-end HPC infrastructure."
— Sam Mahalingam, Chief Technical Officer, Cloud Computing and High-Performance Computing Strategy, Altair Engineering

Challenge: Altair needed a specialized HPC architecture containing high-performance graphics processing units to deliver their latest topology optimization and analysis application to customers.

Solution: Altair used Kubernetes in Azure Container Service to handle back-end functions and increase the density of services running across compute nodes.

Outcome: With Azure, Altair provides customers with a scalable, cost- effective back-end HPC infrastructure, eliminating the need for expensive engineering workstations.

Varian uses cloud and container software technology to streamline IT and focus on innovation

"With AKS, developers get a safe place to innovate and to experiment with new technologies and ideas…It's the best of open service combined with the best of Azure."
— Shivakumar Gopalakrishnan, Senior Manager, Varian Medical Systems

Challenge: Varian needed to provide broader cancer care and enable faster innovation for the benefit of cancer patients.

Solution: Varian chose Microsoft Azure as its cloud platform and Azure Kubernetes Service to scale application deployments to thousands of customers, utilizing containers to modernize existing apps and create new ones.

Outcome: With AKS, Varian’s developers can deliver features to customers quickly and get their feedback without the overhead of provisioning a group of virtual machines.

Falkonry uses cloud and machine learning to create a "data scientist in a box"

"We're very happy with the speed of deployment we can offer our customers with Azure. If we had to fly people out to configure and set up hardware and software, we would lose several weeks in the process."
— Sanket Amberkar, Senior VP of Marketing, Falkonry

Challenge: Falkonry needed a solution to scale the deployment of its machine learning application to reach customers in the oil and gas industries.

Solution: Falkonry used Azure Kubernetes Service to automate the deployment of Kubernetes clusters to deliver their application globally.

Outcome: With Azure Kubernetes Service, Falkonry is able to deploy their solutions in days, compared to months it takes for companies using a more traditional platform approach.

OpenAI uses cloud to drive flexibility and scalability for deep learning experiments

"Because Kubernetes provides a consistent API, we can move our research experiments very easily between clusters… [We] have a number of teams that run their experiments both in Azure and in our own data centers, just depending on which cluster has free capacity, and that's hugely valuable."
— Christopher Berner, Head of Infrastructure, OpenAI

Challenge: OpenAI needed infrastructure for deep learning that would allow experiments to run either in the cloud or in its own data center, and to easily scale.

Solution: OpenAI migrated its Kubernetes clusters to Azure, running key experiments in fields including robotics and gaming both in Azure and in its own data centers.

Outcome: Researchers now spend far less time launching experiments and scaling them out to hundreds of GPUs. OpenAI has also benefited from greater portability and lower costs given the ability to use its own data centers when appropriate.

Eni quickly delivers business applications using Azure Kubernetes Service

"AKS allows us to deploy and run containers very fast, without dealing with the burden of allocating VMs, storage, and configuring networking. Moreover, changing decisions about deployment parameters is quick and easy."
— Giuseppe Zicari, Cloud Architect, Eni SpA

Challenge: Eni wanted to find a cloud service that met its goal to avoid Kubernetes vendor lock-in while creating an infrastructure where project onboarding happened fast and developers could begin work immediately.

Solution: After starting with Kubernetes on premises, Eni expanded to the cloud and added Microsoft Azure Kubernetes Service (AKS). The hybrid platform includes a suite of open- source tools and supports infrastructure as code (IaC).

Outcome: Eni achieved a full infrastructure as code scenario using Terraform and Azure, and now has native cloud speed along with enterprise-grade controls and configurations, with everything stored and enforced through code.

From monolith to microservices, Vipps transforms into a cloud-native company

"With Azure, we can scale Vipps as it grows and streamline future development, upgrades, and innovation. That allows us to focus less on operations and more on building new services, creating value, and competing effectively."
— Thomas Wold Johansen, Chief Technology Officer, Vipps

Challenge: Vipps, a mobile payment app for smartphones developed by Norwegian savings bank DNB, was built on-premises using a monolithic architecture. The app's wild success—Norwegians don't just send money anymore; they Vippse it—required a fundamental overhaul.

Solution: Vipps experimented with different approaches for transitioning to a microservices architecture from the original monolithic one. The goal was to determine how to separate functional concerns while maintaining velocity and speed.

After multiple iterations, starting with simple VMs, Vipps chose Azure Kubernetes Service (AKS) in conjunction with Azure API Management to effectively develop, deploy, and manage the microservices transition.

Technology: Vipps used a variety of Azure products to make this transition, including AKS, Azure API Management, Azure SQL Database, and more.

Ernst & Young accelerates application delivery and innovation with Azure

"As EY becomes a more product-based company, we're using Azure DevOps to build more agile practices and shift into a more rolling product-delivery approach to software and services development."
— Sanjay Narang, Global Lead - Cloud Architecture and Strategy, Ernst & Young

Challenge: The Ernst & Young (EY) Client Technology team builds the software that EY uses to provide great services to customers. But with disparate processes in use across the organization, EY wanted to standardize development and create new solutions faster.

Solution: With Microsoft Azure DevOps and Azure Kubernetes Services, EY is creating more agile development practices and using containerization to drive more value in the solutions that it delivers.

Outcome: Since standardizing its development approach with Azure, EY is now delivering more consistent, secure, and innovative solutions to its employees and customers, and faster than ever before.

Kubernetes Deepdive

Dev Spaces

[Diagram: source control (git commit, git push) → CI/CD pipeline → container registry → AKS cluster with namespaces: Integration, Production, John, Sanjay, FeatureX, Lisa; the same Helm chart is applied with helm upgrade --install and values.dev.yaml / values.test.yaml / values.prod.yaml; Lei runs and debugs locally ('up' or F5 debug) with local traffic]

1. The "Integration" dev space is running a full baseline version of the entire application
2. John and Sanjay are collaborating on FeatureX; it is set up as a dev space and runs all the modified services required to implement the feature
3. Code is committed to the master branch in source control
4. A CI/CD pipeline can be triggered to deploy into "Integration," which updates the team's baseline
5. The same Helm assets used during development are used in later environments by the CD system
6. Lei connects using the local computer to seamlessly run and debug service(s) locally

Dev Spaces is enabled per Kubernetes namespace; a dev space can be defined as anything (environment variables, files). Any namespace in which Dev Spaces is NOT enabled runs *unaffected*.

Pull Request flow in Dev Spaces

[Diagram: John (developer) on branch feature-x → GitHub (source control) → GitHub Actions workflow builds code and deploys → Azure Dev Spaces + AKS cluster with master, feature-x and pull-request namespaces; Lisa (reviewer)]

1. John is working out of branch "feature-x" locally
2. John commits his code and pushes his branch to his remote GitHub repo
3. John creates a pull request before merging the changes into the application's main branch
4. A GitHub Actions workflow is triggered upon PR creation; a delta namespace for the pull request is created and the code is deployed to that namespace
5. A team member reviews the changes in the context of the entire application
6. The pull request is approved and a GitHub workflow is triggered to update the master namespace with the merged code changes

Horizontal Pod Autoscaler

The horizontal pod autoscaler (HPA) uses the Metrics Server in a Kubernetes cluster to monitor the resource demand of pods. If a service needs more resources, the number of pods is automatically increased to meet the demand.

[Diagram: Horizontal Pod Autoscaler → Deployment → ReplicaSet → Pods on Node1 … NodeX; the Metrics Server grabs metrics from the kubelet/cAdvisor on every node]

1. HPA obtains resource metrics from the Metrics Server and compares them to the user-specified threshold
2. HPA evaluates whether the user-specified threshold is met or not
3. HPA increases/decreases the replicas (replicas++ / replicas--) based on the specified threshold
4. The Deployment controller adjusts the deployment based on the increase/decrease in replicas

cAdvisor (embedded in the kubelet): collects metrics from all containers on the node
Metrics Server: collects the metrics from all nodes and serves them to the HPA
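The HPA described in the steps above, written out as a manifest. This is an added example, not from the original deck: the names (`api`, namespace `app`, the image) are placeholders, and it uses the `autoscaling/v2` API (Kubernetes 1.23+; older clusters accept the same fields under `autoscaling/v2beta2`).

```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: api-hpa                  # assumed name
  namespace: app                 # assumed namespace
spec:
  scaleTargetRef:                # the Deployment whose ReplicaSet the HPA resizes (step 4)
    apiVersion: apps/v1
    kind: Deployment
    name: api
  minReplicas: 2                 # never below two, so losing one node does not take the service down
  maxReplicas: 20                # hard ceiling: bounds cluster load and spend if traffic spikes
  metrics:
    - type: Resource             # step 1: resource metric from the Metrics Server
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 60 # percent of the pods' CPU *request*, so requests must be set
  behavior:                      # step 3: how fast replicas++ / replicas-- may happen
    scaleDown:
      stabilizationWindowSeconds: 300   # wait 5 min of low load before removing pods (no flapping)
      policies:
        - type: Percent
          value: 25
          periodSeconds: 60             # remove at most 25 % of the pods per minute
    scaleUp:
      stabilizationWindowSeconds: 0
      policies:
        - type: Pods
          value: 4
          periodSeconds: 60             # add at most 4 pods per minute
---
# The HPA only works when the target's containers declare resource requests; without them
# averageUtilization cannot be computed and the HPA reports "missing request for cpu".
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: app
spec:
  replicas: 2
  selector:
    matchLabels: { app: api }
  template:
    metadata:
      labels: { app: api }
    spec:
      containers:
        - name: api
          image: contoso.azurecr.io/api:1.0.0   # placeholder image
          resources:
            requests: { cpu: 250m, memory: 256Mi }
            limits:   { cpu: "1",  memory: 512Mi }
```

The controller computes desiredReplicas = ceil(currentReplicas × currentUtilization / targetUtilization), clamped to the min/max, so with 2 pods at 150 % of request it asks for 5. Scaling pods only helps while nodes have room; when the new pods stay Pending, the cluster autoscaler (next slide) is what adds nodes, and the two are normally enabled together.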

Cluster Autoscaler

The cluster autoscaler watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically increases the number of nodes.

[Diagram: AKS cluster with nodes and pods; Cluster Autoscaler ↔ Azure]

1. Pods are in pending state because no node has enough free resources to schedule them
2. The cluster autoscaler detects the pending pods and determines that additional nodes are needed
3. The cluster autoscaler requests a new node from Azure; the node is granted and joins the AKS cluster
4. The pending pods are scheduled on the new node (the HPA scales pods, the cluster autoscaler scales nodes; the two are typically used together, and the autoscaler also removes nodes that stay underutilized)

Azure Pipelines for AKS

Deep traceability

[Diagram: source repository → build pipelines (continuous integration) → container image → release pipelines (continuous delivery, deploy strategies) → pod on the AKS cluster → Azure Monitor; iterate and monitor]

1. As part of CI, developers check in their code to a central repository, like GitHub; Azure Pipelines automatically builds application binaries, runs unit tests, and pushes the container image into a registry
2. Developers then deploy the application to a testing environment and run integration tests as part of the CD workflow
3. Developers can review which pod is running which container image, what source code is built into an image, and what tests were run against each image, at any point in time
4. For production deployment, Azure Pipelines automatically executes the pre-defined deployment strategy and progressively rolls out the application to an AKS cluster
5. Enable app telemetry, container health monitoring, and real-time log analytics; insights are used to address issues and feed into next sprint plans

GitHub Actions for Kubernetes on Azure

1. Authenticate and log in securely to an Azure subscription (action: docker-login)
2. Set the target AKS cluster (action: aks-set-context)
3. Create Kubernetes secret objects to manage sensitive information (action: k8s-create-secret)
4. Connect to the Kubernetes cluster and deploy manifests, etc. (action: k8s-deploy)
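The four steps above combined into one workflow file. This is an added example, not from the original deck: the registry `contoso.azurecr.io`, cluster `aks-contoso`, resource group `rg-contoso`, namespace `app`, manifest paths and the repository secrets `ACR_USERNAME`, `ACR_PASSWORD` and `AZURE_CREDENTIALS` are placeholders, and the `@v1` action pins are an assumption about the version in use.

```yaml
name: build-and-deploy-to-aks
on:
  push:
    branches: [ main ]

# Placeholder names (not from the deck): registry, image, cluster, resource group, secrets.
env:
  REGISTRY: contoso.azurecr.io
  IMAGE: contoso.azurecr.io/app:${{ github.sha }}   # tag by commit SHA, never a mutable "latest"

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      # 1. docker-login: authenticate to the registry with credentials held as repository secrets
      - uses: azure/docker-login@v1
        with:
          login-server: ${{ env.REGISTRY }}
          username: ${{ secrets.ACR_USERNAME }}
          password: ${{ secrets.ACR_PASSWORD }}

      - name: Build and push image
        run: |
          docker build -t "$IMAGE" .
          docker push "$IMAGE"

      # 2. aks-set-context: point kubectl at the target cluster using a service principal
      #    (AZURE_CREDENTIALS is the SDK-auth JSON of a service principal scoped to rg-contoso)
      - uses: azure/aks-set-context@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
          cluster-name: aks-contoso
          resource-group: rg-contoso

      # 3. k8s-create-secret: create the image pull secret in the cluster from the same credentials
      - uses: azure/k8s-create-secret@v1
        with:
          namespace: app
          container-registry-url: ${{ env.REGISTRY }}
          container-registry-username: ${{ secrets.ACR_USERNAME }}
          container-registry-password: ${{ secrets.ACR_PASSWORD }}
          secret-name: acr-pull-secret

      # 4. k8s-deploy: apply the manifests, rewriting the image reference to the one just built
      - uses: azure/k8s-deploy@v1
        with:
          namespace: app
          manifests: |
            manifests/deployment.yaml
            manifests/service.yaml
          images: ${{ env.IMAGE }}
          imagepullsecrets: acr-pull-secret
```

Two points a reviewer would check: the registry credential used here should be a push-capable token or service principal dedicated to CI rather than the ACR admin account, and the `AZURE_CREDENTIALS` principal should be scoped to the cluster's resource group only, since whoever can edit this workflow can act with those rights.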

Azure Container Registry geo-replication

Push an image to a single registry and ACR takes care of geographical replication, including local notifications.

[Diagram: developer → contoso.azurecr.io → ACR East US and ACR West Europe (geo-replication) → CD → AKS East US and AKS West Europe, each pulling contoso.azurecr.io/app:v1]

1. US-based developer commits code to build a container image
2. Image is pushed to the nearest Azure Container Registry (ACR) region based on DNS
3. Geographical webhook triggers deployment to AKS East US
4. ACR geo-replicates to the configured regions
5. Geographical webhook triggers deployment to AKS West Europe
6. Both AKS clusters pull from contoso.azurecr.io

Serverless Kubernetes using AKS virtual nodes

• Elastically provision compute capacity in seconds
• No infrastructure to manage
• Built on open-sourced Virtual Kubelet technology, donated to the Cloud Native Computing Foundation (CNCF)

[Diagram: Kubernetes control plane → regular nodes with pods, plus a virtual node whose pods run in Azure Container Instances (ACI)]

Kubernetes-based event-driven auto-scaling (KEDA)

Open-source component jointly built by Microsoft and Red Hat

[Diagram: external trigger source → KEDA (scaler, controller, metrics adapter) → AKS cluster]

• Event-driven container creation & scaling: allows containers to "scale to zero" until an event comes in, which then creates the container to process the event, resulting in more efficient utilization and reduced costs
• Native trigger support: containers can consume events directly from the event source, instead of routing events through HTTP
• Can be used in any Kubernetes service: this includes the cloud (e.g., AKS, EKS, GKE) or on-premises with OpenShift; any Kubernetes workload that requires scaling by events instead of traditional CPU or memory scaling can leverage this component
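A scale-to-zero worker driven by an Azure Service Bus queue, as an added example that is not part of the original deck. The queue `orders`, the Deployment `orders-worker`, namespace `app` and the connection string value are placeholders; the trigger and field names follow the KEDA `keda.sh/v1alpha1` API.

```yaml
# Secret holding the Service Bus connection string (placeholder value). Use a Listen-only
# SAS policy: KEDA only needs to read the queue length, not send or manage.
apiVersion: v1
kind: Secret
metadata:
  name: servicebus-conn
  namespace: app
type: Opaque
stringData:
  connection: "Endpoint=sb://contoso.servicebus.windows.net/;SharedAccessKeyName=listen;SharedAccessKey=REPLACE_ME"
---
# Tells the scaler where the credential lives, so it is never copied into the workload's env.
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: servicebus-auth
  namespace: app
spec:
  secretTargetRef:
    - parameter: connection
      name: servicebus-conn
      key: connection
---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: orders-worker-scaler
  namespace: app
spec:
  scaleTargetRef:
    name: orders-worker          # Deployment to scale (assumed name)
  minReplicaCount: 0             # scale to zero while the queue is empty
  maxReplicaCount: 30            # ceiling so a poisoned or flooded queue cannot exhaust the cluster
  pollingInterval: 15            # seconds between queue-length checks
  cooldownPeriod: 120            # seconds of no messages before the last replica is removed
  triggers:
    - type: azure-servicebus     # native trigger: reads the queue directly, no HTTP front door
      metadata:
        queueName: orders
        messageCount: "10"       # target backlog per replica: 100 queued messages -> 10 workers
      authenticationRef:
        name: servicebus-auth
```

KEDA itself only decides the replica count; the worker pods still need their own credential to receive messages, and the HPA that KEDA creates for the ScaledObject handles everything between 1 and `maxReplicaCount`, while KEDA handles the 0 ↔ 1 transition.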

Service Mesh Interface (SMI)

SMI defines a set of APIs that can be implemented by individual mesh providers. Service meshes and tools can either integrate directly with SMI, or an adapter can consume SMI and drive native mesh APIs.

[Diagram: apps and tooling ecosystem → Service Mesh Interface → routing, telemetry, policy …and more]

• Standard interface for service mesh on Kubernetes
• Basic feature set (routing, telemetry, policy) to address the most common scenarios
• Extensible to support new features as they become widely available

Kubernetes Security overview

[Diagram: developer → Azure Container Registry → AKS with RBAC inside an Azure VNet (ingress controllers behind internal and external load balancers, nodes, pods, AAD Pod Identity) → Azure Key Vault, Azure Storage, SQL Database, Cosmos DB (encrypted storage); external users through App Gateway; admins and internal users through Azure Active Directory and external DNS]

1. Image and container level security
• AAD-authenticated container registry access
• ACR image scanning and content trust for image validation

2. Node and cluster level security
• Automatic security patching nightly (patches that need a reboot only take effect once the node is restarted, so schedule node reboots or node image upgrades)
• Nodes deployed in a private virtual network subnet without public addresses
• Network policy to secure communication paths between namespaces (and nodes)
• Pod security policies using Gatekeeper (on AKS delivered through the Azure Policy add-on)
• Kubernetes RBAC and AAD for authentication
• Threat protection on nodes

3. Pod level security
• Pod level control using AAD Pod Identity
• Pod Security Context

4. Workload level security
• Azure Role-based Access Control (RBAC) & security policy groups
• Secure access to resources & services (e.g. Azure Key Vault) via Pod Identity
• Storage encryption
• App Gateway with WAF to protect against threats and intrusions
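The two controls from the list that live entirely in manifests, the namespace network policy from section 2 and the Pod Security Context from section 3, as an added example that is not part of the original deck. Namespace `app`, the ingress namespace `ingress-nginx`, the `api` workload and the image digest are placeholders.

```yaml
# Default-deny ingress for the namespace: nothing reaches a pod unless a later policy allows it.
# Network policies are only enforced if the cluster was created with a network policy engine
# (Azure or Calico on AKS); on a cluster without one they are accepted and silently ignored.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: app
spec:
  podSelector: {}              # every pod in the namespace
  policyTypes: [Ingress]
---
# Allow only the ingress controller's namespace to reach the API pods, and only on 8080.
# The kubernetes.io/metadata.name label is set automatically on namespaces from Kubernetes 1.21;
# on older clusters label the namespace yourself.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-api
  namespace: app
spec:
  podSelector:
    matchLabels: { app: api }
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels: { kubernetes.io/metadata.name: ingress-nginx }
      ports:
        - protocol: TCP
          port: 8080
---
# Pod Security Context applied to a Deployment: non-root, no privilege escalation,
# read-only root filesystem, all capabilities dropped, default seccomp profile.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: app
spec:
  replicas: 2
  selector:
    matchLabels: { app: api }
  template:
    metadata:
      labels: { app: api }
    spec:
      automountServiceAccountToken: false   # the app never calls the API server, so give it no token
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile: { type: RuntimeDefault }
      containers:
        - name: api
          # pin by digest (placeholder) so the scanned/signed image is the one that runs
          image: contoso.azurecr.io/api@sha256:0000000000000000000000000000000000000000000000000000000000000000
          ports: [{ containerPort: 8080 }]
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: { drop: [ALL] }
          volumeMounts:
            - { name: tmp, mountPath: /tmp }   # writable scratch space, since the root FS is read-only
          resources:
            requests: { cpu: 100m, memory: 128Mi }
            limits:   { cpu: 500m, memory: 256Mi }
      volumes:
        - name: tmp
          emptyDir: {}
```

A quick check after applying: `kubectl exec` into a pod in another namespace and curl the API service; with the engine enabled the connection times out, and a Gatekeeper constraint can make the securityContext settings mandatory rather than a convention.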

Pod identity

[Diagram: developer → Kubernetes (identity binding, pod) → Node Managed Identity (NMI) → Azure Active Directory (token) → Azure SQL Server, which validates the token; NMI + EMSI]

1. The Kubernetes operator defines an identity map for Kubernetes service accounts
2. Node Managed Identity (NMI) watches for new mappings and syncs them to the Managed Service Identity (MSI)
3. The developer creates a pod with a service account, and the pod uses the standard Azure SDK to fetch a token bound to the MSI
4. The pod uses the access token to consume other Azure services; the services validate the MSI-issued token with Azure Active Directory
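The identity map and binding from steps 1 and 2, plus a pod that uses them in step 3, as an added example that is not part of the original deck. It uses the AAD Pod Identity CRDs (`aadpodidentity.k8s.io/v1`); the identity name `sql-reader`, the subscription, resource group, client ID and image are placeholders.

```yaml
# 1. The operator maps an Azure user-assigned managed identity into the cluster.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: sql-reader-identity         # assumed name
  namespace: app
spec:
  type: 0                           # 0 = user-assigned managed identity, 1 = service principal
  resourceID: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-contoso/providers/Microsoft.ManagedIdentity/userAssignedIdentities/sql-reader   # placeholder
  clientID: 11111111-1111-1111-1111-111111111111   # placeholder
---
# 2. The binding decides which pods may use it: only pods labelled aadpodidbinding=sql-reader.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: sql-reader-binding
  namespace: app
spec:
  azureIdentity: sql-reader-identity
  selector: sql-reader
---
# 3. The developer's pod opts in with the label and just uses the Azure SDK's default credential.
#    The NMI on the node intercepts the pod's instance-metadata token request and returns a
#    token for the bound identity; a pod without a matching label gets no token at all.
apiVersion: v1
kind: Pod
metadata:
  name: report-job
  namespace: app
  labels:
    aadpodidbinding: sql-reader
spec:
  containers:
    - name: report
      image: contoso.azurecr.io/report:1.0.0   # placeholder image
      env:
        - name: AZURE_CLIENT_ID                # tells DefaultAzureCredential which identity to request
          value: "11111111-1111-1111-1111-111111111111"
```

Grant the managed identity only the Azure RBAC role the workload needs (here a read role on one SQL server); the pod never sees a secret, so rotating or revoking access is an Azure-side change, not a redeploy.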

Secure network communications with VNet and CNI

[Diagram: Azure VNet A with an AKS subnet (AKS cluster) and a backend services subnet (SQL Server, enterprise system); ExpressRoute to on-premises infrastructure; service endpoint to an Azure SQL PaaS database; VNet peering to other peered VNets]

1. Uses an Azure subnet for both your containers and cluster VMs
2. Allows connectivity to existing Azure services in the same VNet
3. Use ExpressRoute to connect to on-premises infrastructure
4. Use VNet peering to connect to other VNets
5. Connect the AKS cluster securely and privately to other Azure resources using VNet service endpoints

AKS VNet integration works seamlessly with your existing network infrastructure

Identity and access management through AAD and RBAC

[Diagram: developer → Azure Active Directory (token) → AKS → secured resource]

1. A developer authenticates to the AAD token issuance endpoint and requests an access token
2. The AAD token issuance endpoint issues the access token
3. The access token is used to authenticate to the secured resource
4. Data from the secured resource is returned to the web application

Azure delivers a streamlined identity and access management solution with Azure Active Directory (AAD) and Azure Kubernetes Service (AKS)

Azure Policy for clusters

[Diagram: cloud architect → Azure Policy → Cluster-1, Cluster-2, Cluster-3 (AKS); developer → clusters]

1. Cloud architect assigns a deployment policy across cluster(s)
2. Developer uses the standard Kubernetes API to deploy to the cluster
3. Real-time deployment enforcement (acceptance/denial) is provided to the developer based on policy
4. Cloud architect obtains a compliance report for the entire environment and can drill down to the individual pod level

Azure Pipelines build audit & enforcement using Azure Policy

[Diagram: cloud architect → Azure Policy → CI/CD pipelines compliance check (deny policy: yes → fail, no → pass) → Cluster-1, Cluster-2, Cluster-3 (AKS); developer]

1. Cloud architect assigns a policy across clusters; the policy can be set to block non-compliance (deny) or generate non-compliance warnings (audit)
2. Developer makes a code change that kicks off a build on Azure Pipelines
3. Azure Pipelines evaluates the request for policy compliance
4. If the policy is set to deny, Azure Pipelines rejects the build attempt if any non-compliance is identified
5. If the policy is set to audit, a non-compliance event is logged and the build is allowed to proceed

AKS support in Azure Security Center

[Diagram: Azure Security Center ↔ Azure Kubernetes Service (master: API server; workers Node1, Node2, Node3 with container runtime and Security Center agent); continuous discovery of managed AKS instances, raw security events, audit log, actionable recommendations for security best practices, AKS security configuration verified by Security Center, threat detection across AKS nodes and clusters using advanced analytics]

1. For managed subscriptions, each new AKS cluster and node is discovered in ASC
2. ASC monitors the AKS cluster for security misconfigurations and provides actionable recommendations for compliance with security best practices
3. ASC continuously analyzes AKS for potential threats, based on:
   a. Raw security events such as network data and process creation
   b. The Kubernetes audit log
   …and reports any threats and malicious activity detected (e.g., "API requests to your cluster from a suspicious IP were detected")

Azure Monitor for containers

[Diagram: Azure Monitor for containers with Prometheus integration, alongside Azure Pipelines, Azure Kubernetes Service and virtual nodes]

1. Get detailed insights about your workloads with Azure Monitor for containers
2. Filter for details about nodes, controllers, and containers
3. See graphical insights about clusters with drilldowns and filters
4. Pull events and logs for detailed analysis

• Cloud native experience: Azure Monitor with Prometheus integration
• Observability: observe live container logs and the Kubernetes event log on container deployment status
• Visualization: visualize overall health and performance from cluster to containers
• Insights: provide insights with a cluster health rollup view
• Monitor & analyze: monitor and analyze Kubernetes and container deployment performance, node events, health, and logs
• Response: native alerting with integration to issue management and ITSM tools

Configuration management scenario

[Diagram: Azure Resource Manager (Cluster Connect RP, Cluster Config RP) and Azure Policy ↔ Azure Arc agent and configuration agent on the on-prem Kubernetes cluster; GitHub repo; cluster operator / application developer]

1. Deploy the Azure Arc for Kubernetes agent on-prem
2. The Azure Arc agent registers the cluster with ARM
3. The cluster operator applies cluster configuration via ARM
4. The configuration agent picks up the configuration and syncs state from the git repo
5. The configuration agent informs Azure Policy of its status
6. The cluster operator or application developer pushes changes via GitHub

What is a container?

[Diagram: virtual machines (App1 and App2, each with its own binaries & libraries and guest OS, on a hypervisor over the host OS and hardware) vs. containers (App1 instances with their binaries & libraries sharing the host OS)]

Virtual machines: virtualize the hardware; VMs are the units of scaling
Containers: virtualize the operating system; applications are the units of scaling

Traditional virtualized environment
• Low utilization of resources
• From dev to production: agility across development and operations teams
• Containerization of applications and their dependencies for portability

Hardware Advantages of a containerized environment

Containers are lighter weight and faster to scale dynamically Virtual machine Virtual machine

Migrate containers and their Container Container dependencies to underutilized VMs for improved density and isolation

Container Container Decommission unused resources for efficiency gains and cost savings App

DockerHypervisor Engine

Host OS

Hardware Simplest container development experience Powered by automation and integration with familiar tools

1. Automatically containerize and scaffold any application directly from the IDE
2. Auto-build to a secure container registry
3. Rapidly iterate, test, and debug microservices
4. A few clicks to a full CI/CD pipeline and a pre-configured deployment strategy for the production environment
5. Built-in monitoring and logging to get full visibility of container health and app telemetry

API-driven development with Kubernetes: overview
Putting the API at the center of the development process to clearly separate app accessibility and app logic

The API defines how the internal world communicates with the outside world:
• External interface to the world
• Formalizes parameters for internal and external user access
• Allows definition and enforcement of policies, like security and usage
• Provides abstraction of the underlying details
• Enables decoupling of interface development from logic development
• Acts as proxy for app logic

Kubernetes provides app orchestration and scalability:
• Simplifies migration and modernization
• Enables developers to focus on app logic
• Provides orchestration and scalability across apps and services

Layers: Accessibility (API with security, governance, identity; consumers such as a cloud app, website, mobile app, or B2B partner environment) > Logic (Kubernetes platform) > Infrastructure (infrastructure automation).

API-driven development with Kubernetes: architecture
Putting the API at the center of the development process to clearly separate app accessibility and app logic

1. The API is defined by API developers and published via the API Management portal.
2. Application developers define the microservices and associated logic and deploy them to Kubernetes.
3. API users (internal and/or external) use the API developer portal to learn about the API and use it in their applications.
4. Applications access APIs via the API Gateway.
5. The API Gateway, after ensuring the API request meets security and other policies (e.g., throttling), forwards the request to the service running in Kubernetes.
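Step 5 is where the "accessibility" layer earns its keep: the service in Kubernetes never sees a request that has not been authenticated and throttled. The following added example (not code from the slide deck or from Azure API Management) shows that policy pipeline in working form. The subscription keys, routes, limits and the stub backend are assumptions; the subscription-key header name is the default one Azure API Management uses.

```python
"""API gateway policy checks in front of services running in Kubernetes.

Added example, not code from the slide deck or from Azure API Management.
The gateway authenticates the caller's subscription key, checks that the
operation is published, applies a per-subscription rate limit, and only
then forwards the request to the backend. Keys, routes, limits and the
stub backend are assumptions; the header name is API Management's default.
"""
import time

SUBSCRIPTION_HEADER = "Ocp-Apim-Subscription-Key"

# Assumed subscriptions issued through the developer portal.
SUBSCRIPTIONS = {
    "key-mobile-app": {"product": "mobile", "rate_per_minute": 3},
    "key-b2b-partner": {"product": "partner", "rate_per_minute": 600},
}

# Assumed published operations -> backend service name in Kubernetes.
ROUTES = {
    ("GET", "/accounts"): "account-service",
    ("GET", "/statistics"): "statistics-service",
}


class TokenBucket:
    """Token bucket: rate_per_minute tokens refilled continuously, bursts up to the same amount."""

    def __init__(self, rate_per_minute, now):
        self.capacity = rate_per_minute
        self.tokens = float(rate_per_minute)
        self.refill_per_sec = rate_per_minute / 60.0
        self.last = now

    def take(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Gateway:
    def __init__(self, backend):
        self.backend = backend
        self.buckets = {}

    def handle(self, method, path, headers, now=None):
        """Return (status, body). Policies run in order; the backend is reached only if all pass."""
        now = time.monotonic() if now is None else now
        key = headers.get(SUBSCRIPTION_HEADER)
        sub = SUBSCRIPTIONS.get(key)
        if sub is None:
            # Security policy: unauthenticated callers never reach the backend.
            return 401, {"error": "missing or invalid subscription key"}
        backend_name = ROUTES.get((method, path))
        if backend_name is None:
            # Only operations published through the portal are reachable through the gateway.
            return 404, {"error": "operation not published"}
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(sub["rate_per_minute"], now)
        if not bucket.take(now):
            # Usage policy: throttle per subscription, not per IP, so one tenant cannot starve another.
            return 429, {"error": "rate limit exceeded", "retry-after": 60 // sub["rate_per_minute"]}
        # All policies passed: strip the client credential and forward the caller's product instead.
        forwarded = {k: v for k, v in headers.items() if k != SUBSCRIPTION_HEADER}
        forwarded["X-Api-Product"] = sub["product"]
        return self.backend(backend_name, method, path, forwarded)


def stub_backend(service, method, path, headers):
    """Stand-in for the service in Kubernetes; echoes what the gateway forwarded."""
    return 200, {"service": service, "method": method, "path": path,
                 "product": headers.get("X-Api-Product"),
                 "leaked_key": SUBSCRIPTION_HEADER in headers}


if __name__ == "__main__":
    gw = Gateway(stub_backend)
    mobile = {SUBSCRIPTION_HEADER: "key-mobile-app"}
    print(gw.handle("GET", "/accounts", {}))        # 401: no credential
    print(gw.handle("GET", "/admin", mobile))       # 404: not published
    for _ in range(4):
        print(gw.handle("GET", "/accounts", mobile))  # 200, 200, 200, then 429
```

Two details are deliberate: the subscription key is removed before the request is forwarded, so a compromised backend cannot replay callers' credentials, and the rate limit is keyed on the subscription rather than the source IP, which is what lets a gateway protect a shared backend from one noisy tenant.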

API-driven development with Kubernetes: benefits
Putting the API at the center of the development process to clearly separate app accessibility and app logic

Benefits of using API Management with Azure Kubernetes Service
• Create an API gateway and developer portal in minutes
• Publish APIs easily for internal or external use
• Manage, secure, and optimize all your APIs in one place
• Connect to back-end services anywhere (on-prem, cloud, or hybrid)

Enabling technologies
• Broad support for technologies to fit your migration, modernization, transformation, and API needs
• Extensive infrastructure and services to simplify security, compliance, and standardization
• Refined management plane to ease the task of development and management
• Support for multi-cloud and hybrid*

*Map illustration represents existing and future availability for Azure. Map is not all-inclusive.

Java on Azure
Java Matters

© Microsoft Corporation

Customer Footprint

Support Your Architecture
Monolith > Containerized monolith > Monolith + new microservices > Parts of monolith extracted > Microservices or serverless application

Abundance of Choice
• Virtual Machines
• Containers
• Managed Services
• Serverless

Virtual Machines
Azure Marketplace Portfolio: Java SE, Java EE, Data, Messaging, DevOps
Multi-Cloud Platforms

Containers
Azure Kubernetes Service, Azure Container Instances, Azure Container Registry

Managed Services
Azure App Service
Azure Services Portfolio: App Service, Cosmos DB, Azure Monitor, Azure DevOps, Blob Storage, Key Vault, Active Directory, Service Bus, Event Hub, Event Grid

Serverless
Azure Functions, Logic Apps

Azure Spring Cloud
• Jointly developed, operated, and supported (Microsoft and Pivotal)
• Managed service
• Out-of-the-box monitoring and tracing
• Zero code changes

Spring on Azure

Spring Data: SQL Database, MySQL, PostgreSQL, Maria DB, Cosmos DB (SQL, MongoDB, Cassandra, Gremlin)
Spring Data R2DBC: SQL Database, PostgreSQL
Spring Resource: Storage
Spring Cache: Redis Cache
Spring Messaging: Service Bus

Spring Boot: Virtual Machines, Containers in Azure Kubernetes Service (AKS), App Service on Linux, PCF on Azure, Functions
Spring Cloud: App Configuration, Event Hubs, Service Bus, Storage, Redis
Spring Security: Azure Active Directory (AAD), AAD B2C, Microsoft 365, Microsoft Account
Micrometer: Azure Monitor (includes Log Analytics)

http://cloud.spring.io/spring-cloud-azure/

Zulu on Azure

DevOps Tools Integration
Azure Pipelines, Azure DevOps, Azure SDK

IDE Support

Java on Azure: Solution Samples

Sample Solution I
Azure Load Balancer

Sample Solution II
Traffic Manager, Active Directory, Azure DevOps, Container Registry, Azure Monitor, Kubernetes Service, Key Vault, Cosmos DB

Sample Solution III
Traffic Manager, Active Directory, App Service, Key Vault, Service Bus

Sample Solution IV
Functions, Cosmos DB, Web App, Blob Storage, Logic Apps, Service Bus

https://github.com/m-reza-rahman/azure-cafe

Resources
https://azure.microsoft.com/en-us/develop/java/
https://docs.microsoft.com/en-us/java/azure/
https://azure.microsoft.com/en-us/documentation/samples/?term=java

Spring on Azure
Spring framework

Share of Java application development frameworks (Snyk JVM Ecosystem Report 2018):
Spring Boot 40%
Spring MVC 36%
JSF 19%
Struts 9%
GWT 6%
Vaadin 5%
Play 3%
Grails 3%
JHipster 3%
DropWizard 3%
Wicket 2%
Other 8%
None 21%

Spring Boot has the largest share among Java application development frameworks.

https://snyk.io/blog/jvm-ecosystem-report-2018-platform-application/

Spring-based microservices development

Spring Boot: build anything. Designed to get you up and running as quickly as possible, with minimal upfront configuration of Spring.
Spring Cloud: coordinate anything. Provides a set of tools that makes communication between microservices easier.

Common challenges
A typical deployment: consumers (IoT, mobile, browser) > API gateway > Spring Boot microservices, surrounded by Spring Cloud components (circuit breaker dashboard, service registry, config, distributed tracing, microservices dashboard) and cloud services (message brokers, databases).
• High effort required to manage cloud infrastructure for Spring Boot applications
• Application lifecycle is difficult to manage
• Painful to troubleshoot application issues

Azure Spring Cloud
A fully managed service for Spring Boot microservices

More choices and full integration into Azure's ecosystem and services
• Fully managed infrastructure
• Built-in app lifecycle management
• Ease of monitoring
• Enterprise ready

Simplify your cloud infrastructure for Spring Boot applications

DIY with Spring Boot: the user hosts the Spring apps on clusters they build and manage on Azure Kubernetes Service, and wires up Azure DNS, a public IP, Azure Active Directory, Azure Monitor, CI/CD, databases (Database for MySQL, Cosmos DB), Azure Cache for Redis, and the Spring Cloud middleware (Config Server, Service Discovery) themselves.

Azure Spring Cloud: the user keeps the public IP, the Git repository holding the configuration, and the applications (App 1 ... App N); the service provides the Azure Spring Cloud service runtime (Config Server, Service Discovery), core services, service binding to the same Azure data services, Pivotal Build Service, and agent managers.

Responsibilities compared (DIY with Spring Boot vs Azure Spring Cloud): application iteration and debugging; build and manage clusters; monitoring and logging; scaling; patching; support. On the original slide each responsibility is colour-coded by owner: Customer, Pivotal, or Microsoft.

Built-in application lifecycle management

Simple app lifecycle management
• Easily deploy source code or build artifacts
• Automatically wire your app with Spring Cloud infrastructure
• Integrated CI/CD pipeline for deployment

Ease of monitoring
Gain insights with Azure Monitor
• Aggregate metrics
• Identify reliability issues
• Deploy and visualize
• Set up diagnostics
• Troubleshoot: how can I know which app instance is misbehaving?
• Monitor performance

Azure Spring Cloud benefits

Simplify infrastructure management
• Run your Spring Boot apps and Spring Cloud components
• Scalable global infrastructure
• Reduce downtime and deployment risk

Built-in application lifecycle management
• Deploy source code or build artifacts
• Automatically wire your app with Spring Cloud infrastructure

Easily monitor your apps
• Easily identify performance bottlenecks
• Gain insight into app dependencies using Azure Monitor
• Aggregate metrics

Get started with Azure Spring Cloud service

• Try out Azure Spring Cloud using the Azure portal
• Check out these resources
• Learn how to launch a Spring Boot app

Demo

Deploy a Spring Cloud app (Piggymetrics) to Azure without worrying about:
• Infrastructure and scaling
• Spring Cloud middleware: config, registry, tracing and gateway
• Monitoring

Architecture: Client > API Gateway > REST APIs of the Account Service, Statistics Service and Notification Service (each with its own database: Account DB, Statistics DB, Notification DB); Auth Service; Config Service; Service Discovery.

Create the service

  $ az spring-cloud create -n piggymetrics -g demogroup -l westeurope
  $ az configure --defaults group=demogroup name=piggymetrics

Create the apps

  # By default, 1 CPU, 1 GB and 1 microservice instance are assigned.
  $ az spring-cloud app create --name account-service \
      --cpu 2 \
      --memory 4 \
      --instance-count 3
  $ az spring-cloud app create --name auth-service
  $ az spring-cloud app create --name gateway

Configure Spring Cloud Config Server

  $ az spring-cloud config-server set --config-file application.yml

  # application.yml
  spring:
    cloud:
      config:
        server:
          git:
            uri: https://github.com/xscript/piggymetrics-config.git
            pattern: prod*

Everything in the config repository is served to every app bound to the Config Server, so keep secrets such as database passwords in Key Vault rather than in this repo, especially when the repo is public as in this demo.

Deploy the app

  $ cd piggymetrics
  # Use Pivotal Build Service to compile the source code, containerize account-service,
  # deploy it to the Azure Spring Cloud app named "account-service" and get it running.
  $ az spring-cloud app deploy --name account-service \
      --target-module account-service

Status after deployment: account-service Up(3); auth-service Up(2); gateway Up(1), Down(1)

Thank You!

© Copyright Microsoft Corporation. All rights reserved.

[email protected]
0032 497 219577
@kvaes