Protect container traffic to Azure AKS with BIG-IP

Summary

In an earlier article, I shared a demo to deploy AWS EKS, deploy an app, and then deploy a BIG-IP to expose that application securely to the internet.

This article will do similar but for Azure's AKS service.

What this demo will deploy:


GitHub repo:

This demo is hosted in the GitHub repo that is cloned in the next step, and its README carries the full instructions too. Otherwise you can continue below:


Pre-requisites:

  1. You will need a Terraform client.
  2. I personally use an Ubuntu 18.04 machine and for this demo I used Terraform version 0.12.23.
  3. You need the details of a Service Principal in Azure.
  4. In this demo your Azure account will be accessed by Terraform using a Service Principal. You can set up a Service Principal by following these instructions. In my example, I use a Service Principal and client secret, but you can also authenticate with a client certificate or Managed Service Identity. The SP should have Contributor access on the subscription: the demo creates its own resource group, so a role scoped to an existing resource group is not enough, but Owner is more than it needs. Treat the client secret like any other credential and keep it out of the repo.


Run git clone to copy the Terraform files we need locally


git clone https://github.com/mikeoleary/azure-aks-bigip.git


We now need to update the file called variables.tf in the infra directory (the root module for the infrastructure) to reflect your own Service Principal details:


cd azure-aks-bigip/infra
vi variables.tf


You want your variables.tf file to include the block below. Replace my xxx placeholders with your SP details, and set your own prefix value (it needs to be unique, as the placeholder suggests) and Azure location if you wish. Two cautions: client_secret and upassword are credentials, and a default written into variables.tf lands in git the moment you commit, so for anything beyond a throwaway demo leave those two defaults out and pass the values in through the TF_VAR_client_secret and TF_VAR_upassword environment variables or a terraform.tfvars file listed in .gitignore; and in production use a better BIG-IP password than the one below.


#Azure SP cred details
variable "client_id" {default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}
variable "client_secret" {default = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}
variable "subscription_id" {default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}
variable "tenant_id" {default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}
#BIG-IP variables
variable "prefix" {default = "someuniquevalue"}
variable "uname" {default = "azureuser"}
variable "upassword" {default = "Default12345"}
variable "location" {default = "East US 2"}
#Network variables
variable "network_cidr" {default = "10.0.0.0/16"}
variable "mgmt_subnet_prefix" {default = "10.0.1.0/24"}
variable "external_subnet_prefix" {default = "10.0.2.0/24"}
variable "internal_subnet_prefix" {default = "10.0.3.0/24"}


Now let's run Terraform! You will need to type "yes" at the last prompt, and you will be billed for the resources deployed for as long as they exist.


terraform init
terraform plan
terraform apply 
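The steps above work, but they put the two real secrets (the SP client secret and the BIG-IP admin password) into a file that is easy to commit by accident, and they apply whatever plan Terraform computes at apply time rather than the plan you reviewed. The script below is an added example, not code from the azure-aks-bigip repo: it expects those two values in TF_VAR_client_secret and TF_VAR_upassword (Terraform maps TF_VAR_<name> onto the input variable <name>), refuses to run while variables.tf still carries a default for either, rejects a password that fails a policy of this script's own choosing, and applies the saved plan. The password policy, the function names and the deploy.sh file name are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example, not code from the azure-aks-bigip repo: run the infra
# deployment with the SP client secret and the BIG-IP admin password taken
# from the environment instead of from defaults in variables.tf, and refuse
# to run if the file still carries such a default.
#
# Relies on Terraform mapping an environment variable TF_VAR_<name> onto the
# input variable <name>. The password policy below (12+ characters, all four
# character classes, not the article's demo value) is this script's own.
set -eu

# Return 0 if $1 is acceptable under this script's password policy.
check_bigip_password() {
  local pw="$1"
  [ "${#pw}" -ge 12 ] || return 1
  case "$pw" in *[a-z]*) ;; *) return 1 ;; esac          # a lower-case letter
  case "$pw" in *[A-Z]*) ;; *) return 1 ;; esac          # an upper-case letter
  case "$pw" in *[0-9]*) ;; *) return 1 ;; esac          # a digit
  case "$pw" in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac   # a symbol
  [ "$pw" != "Default12345" ] || return 1                # the article's demo value
}

# Return 0 if the Terraform file $1 declares variable $2 with a default.
# Matches the one-line form used in this article's variables.tf:
#   variable "client_secret" {default = "..."}
secret_var_has_default() {
  grep -Eq "variable \"$2\"[[:space:]]*\\{[^}]*default" "$1"
}

# Fail early: secrets must come from the environment, never from the file.
preflight() {
  local file="$1" name
  : "${TF_VAR_client_secret:?export TF_VAR_client_secret first}"
  : "${TF_VAR_upassword:?export TF_VAR_upassword first}"
  for name in client_secret upassword; do
    if secret_var_has_default "$file" "$name"; then
      echo "refusing to run: $file still has a default for $name" >&2
      return 1
    fi
  done
  if ! check_bigip_password "$TF_VAR_upassword"; then
    echo "refusing to run: TF_VAR_upassword fails the password policy" >&2
    return 1
  fi
}

# Save the plan, then apply exactly the plan that was reviewed.
deploy() {
  preflight variables.tf
  terraform init
  terraform plan -out=tfplan
  terraform apply tfplan
}

# Usage (from azure-aks-bigip/infra): ./deploy.sh deploy
if [ "${1:-}" = "deploy" ]; then deploy; fi
```

To use it, delete the `default = ...` part from the client_secret and upassword lines in variables.tf (so they read `variable "client_secret" {}` and `variable "upassword" {}`), export TF_VAR_client_secret and TF_VAR_upassword from wherever you keep secrets rather than typing them into a shell that records history, and run the script from the infra directory. The other variables can keep their defaults; only the two credentials are checked.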


Now let's change into the apps directory and run Terraform again to deploy the application:

cd ../apps/

You will need to type "yes" at the last prompt.

terraform init
terraform plan
terraform apply 


Once this is complete, you should see an output called appUrl. Visit this URL and you should see a simple demo app (the Azure vote demo app). This demo app is a good example because it involves two services within Kubernetes (a front-end service with multiple pods, and a back-end service with one pod). Here is the command to print this output on the screen:


cd ../infra/ 
terraform output appUrl


The output of this command is a URL for you to visit. The demo is successful when you see the voting app at that URL. This microservices app is two-tier, running in AKS, and exposed to the internet via the F5 BIG-IP. Now you can apply firewall rules, iRules, SSL termination, or any other F5 app services at your BIG-IP, and still get the benefit of running in AKS.



Finally, don't forget to delete your resources! Again, you'll need to type "yes" when prompted. Delete the resources from the "apps" directory first and then from the "infra" directory, since the apps depend on the infrastructure.

cd ../apps
terraform destroy

And now back to the /infra directory and destroy those resources too.

cd ../infra
terraform destroy

Once in a while, Azure deletes these resources without honouring their dependencies and terraform destroy reports an error part-way through. If this happens, just run the destroy again with the command above, or delete the whole Azure Resource Group via the Azure portal.
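Because the teardown is two ordered destroys and one of them may fail on Azure's deletion ordering, it is worth scripting the "destroy again" advice. The script below is an added example, not code from the azure-aks-bigip repo: it destroys apps before infra, retries each destroy a few times before giving up, and points at the resource-group fallback on failure. The retry count, the function names and the teardown.sh file name are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example, not code from the azure-aks-bigip repo: tear down apps, then
# infra, retrying a destroy that fails on Azure's deletion ordering before
# giving up. The retry count and the fallback message are this script's own.
set -eu

# Run a command up to $1 times until it succeeds; return 1 if it never does.
retry() {
  local attempts="$1" i=1
  shift
  until "$@"; do
    [ "$i" -lt "$attempts" ] || return 1
    i=$((i + 1))
    echo "attempt $i of $attempts: $*" >&2
  done
}

# Destroy one Terraform directory in place, without the interactive prompt.
destroy_dir() {
  ( cd "$1" && terraform destroy -auto-approve )
}

# Order matters: the apps depend on the infra, so they go first.
teardown() {
  local root="${1:-.}"
  retry 3 destroy_dir "$root/apps" || return 1
  if ! retry 3 destroy_dir "$root/infra"; then
    echo "infra destroy kept failing; delete the demo's resource group in the portal" >&2
    return 1
  fi
}

# Usage (from the azure-aks-bigip checkout): ./teardown.sh teardown .
if [ "${1:-}" = "teardown" ]; then teardown "${2:-.}"; fi
```

The -auto-approve flag removes the "yes" prompt, so read the plan output once before trusting the script on an account that holds anything other than this demo.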


Thanks for reading, and please share your experiences and thoughts!


Published Apr 06, 2020
Version 1.0
  • Thanks for reading, and please reach out if you have questions or issues. I will maintain these demo instructions on the GitHub repo's ReadMe file also.