Azure Insights: Kubernetes API access; Firewall updates; Certifications; Cloud native and serverless

Source: msdynamicsworld.com

Microsoft Azure pros share their thoughts on securing Kubernetes API access, Firewall updates in February, changes to certifications, and the impact of cloud-native, serverless and containerized tech.

Securing Kubernetes API access
Richard Hooper, writing on Pixel Robots, explained how to secure access to the Kubernetes API on an Azure Kubernetes Service (AKS) cluster. By default, the API is internet accessible over HTTPS. Initially, Hooper cleared up any confusion for readers of his recent blogs pertaining to role-based access control and Azure Active Directory. Although these services provide valuable security and "lock down" of the system, for some organizations they may not be enough. In fact, Azure Security Center even warns users if it detects that security recommendations aren't being met.

Fortunately, it's easy to update access control with the Azure CLI. Working through the environment, Hooper selected an AKS cluster, defined the allowed IP addresses, and confirmed access with a kubectl command. Users have to be careful to also allow the Azure DevOps IP ranges if they use that service, or builds may break. He wrote:

It's a bit of a pain, but as I am sure you are aware Security always is. I for one will be using this for all of my AKS clusters going forward and would advise you do too. Just remember, if your pipeline fails due to it being unable to connect to the AKS cluster, update the IP whitelist.
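As an added illustration of the step Hooper describes (this is not code from his post), the script below validates an allowlist of CIDRs, includes the CI agent ranges the post warns about, and composes the `az aks update --api-server-authorized-ip-ranges` call; the resource group, cluster name and all IP ranges are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example: restrict AKS API server access to an IP allowlist with the Azure CLI.
# Resource group "rg-aks-demo", cluster "aks-demo" and every CIDR here are placeholders.

# Validate one IPv4 CIDR (a.b.c.d/nn); returns 0 only if it is well-formed.
valid_cidr() {
  local cidr="$1" ip bits a b c d o
  ip="${cidr%/*}"; bits="${cidr#*/}"
  [ "$ip" != "$cidr" ] || return 1                 # a /prefix is mandatory
  case "$bits" in ''|*[!0-9]*) return 1;; esac
  [ "$bits" -le 32 ] || return 1
  IFS=. read -r a b c d <<<"$ip" || return 1
  for o in "$a" "$b" "$c" "$d"; do
    case "$o" in ''|*[!0-9]*) return 1;; esac     # exactly four numeric octets
    [ "$o" -le 255 ] || return 1
  done
}

# Join the caller's CIDRs into the comma-separated list the CLI flag expects.
# Remember to pass the Azure DevOps agent ranges too, or the pipeline's kubectl
# calls will be blocked along with everyone else.
build_allowlist() {
  local out="" c
  for c in "$@"; do
    valid_cidr "$c" || { echo "invalid CIDR: $c" >&2; return 1; }
    out="${out:+$out,}$c"
  done
  printf '%s\n' "$out"
}

# Apply the allowlist; with DRY_RUN set, only print the command that would run.
apply_allowlist() {
  local rg="$1" name="$2" ranges="$3"
  if [ -n "${DRY_RUN:-}" ]; then
    printf 'az aks update --resource-group %s --name %s --api-server-authorized-ip-ranges %s\n' \
      "$rg" "$name" "$ranges"
  else
    az aks update --resource-group "$rg" --name "$name" --api-server-authorized-ip-ranges "$ranges"
  fi
}

# Office NAT address plus one constructed CI agent range (placeholders).
DRY_RUN=1 apply_allowlist rg-aks-demo aks-demo \
  "$(build_allowlist 203.0.113.10/32 198.51.100.0/24)"
# Afterwards, `kubectl get nodes` should succeed from an allowed address and
# time out from any other, which is the check Hooper performed.
```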

February Firewall updates
Aidan Finn looked over the Azure Firewall updates released in February and what they mean for users. He tested out the preview of Firewall Manager through the Azure portal GUI. It helps to set firewall policy and centrally manage firewall resources in one or more regions. For customers with multiple identical deployments in different parts of the world, admins can generate parent policies and set up child policies for each instance. For site-to-site network connection management, IP Groups offer a way to abstract network rules, while TCP/UDP 64000 constrains rules up to the normal maximum port size.

In Finn’s view, forced IP tunneling from the outside internet back on-prem is probably only useful for governments and a few very security conscious organizations. By contrast, using PowerShell and JSON to configure public IP ranges to allow public IP addresses in private networks allows greater flexibility.

Certifications set to be retired
On Build5Nines, Chris Pietschmann examined Microsoft’s upcoming retirement of the MCSE, MCSD and MCSA certifications in favor of role-based certifications. This means that 15 certifications, totaling 42 exams will be retired on June 30. The move is part of a long-term shift in Microsoft credentialing first signaled in September, 2018. Among the subsets of exams set to disappear are MCSA installments for BI Reporting and SQL Server, MCSD for App Builder, and MCSE for Business Applications, Core Infrastructure, Productivity, Data Management and Analytics. He wrote:

If you are on your path to earning these certifications, then you have until June 30, 2020 to pass the required exams to earn the certifications. After that date they will no longer be available to be earned. Once retired, these certifications will remain on your official Microsoft certification transcript. In fact, they will remain on your transcript for 2 years from the June 30, 2020 date; after which they will be moved to the "inactive" section of your transcript. With the new role-based exams being active for a period of 2 years once earned, this change makes sense for the MCSE, MCSD, and MCSA certifications to be in line with that two year expiration / renewal cycle.

The new exam system doesn’t come with exact equivalents, but according to Pietschmann Microsoft is working to define new training paths. For example, those certified for MCSE Core Infrastructure could go for any combination of Azure Administrator Associate, Security Engineer Associate or Solutions Architect Expert.

Thinking about “cloud native”
Karim Vaes kicked off February by sharing his experiences migrating VMchooser to a more serverless, container-based architecture. In his latest round of blogging, he did a "brain dump" to explain a few key points about the experience. Vaes came to like containerization around 2015 for the portability and repeatability it provides. For him, containers are a form of configuration management that could also often be achieved with tools like Ansible or Puppet.

Kubernetes is also an important part of the picture, for its cross-platform capabilities and support for hybrid cloud scenarios. After experimenting with serverless architectures, Vaes wondered why fellow users didn't simply skip containers and go directly to serverless, which is less infrastructure-oriented than Kubernetes and containers, as well as easier to cost-optimize. Users looking to adopt these new approaches can think about using a managed certified Kubernetes service, or potentially skipping an orchestrator in favor of Azure App Service or Container Instances.
