Service EPG Configuration Examples

For more information on service EPGs, see:

The following sections provide configuration examples for service EPGs.

Azure Kubernetes Services (AKS) Service EPG Configuration Example

This section provides procedures for configuring an example service EPG with the following settings:

  • Service Type: Azure Kubernetes Services (AKS)

  • Deployment type: Cloud Native Managed. In this type of deployment, the service is instantiated in your VNet or subnet (created through the Cisco Cloud APIC). For example, an Azure Kubernetes Services (AKS) service could be deployed in a subnet that is managed by the Cisco Cloud APIC.

  • Access type: Private

The procedures to configure this example service EPG for AKS are provided in the following sections.

Creating a Subnet in the Cloud Context Profile

These procedures describe how to create a subnet in a cloud context profile to be used by the Azure Kubernetes Services (AKS) service EPG. You will be making configurations through the Cisco Cloud APIC GUI in these procedures.

Before you begin

  • In one browser window, log into your Cisco Cloud APIC GUI.

  • In another browser window, log into your Azure account for the Cisco Cloud APIC infra tenant and go to the Azure management portal:

    https://portal.azure.com/#home

Procedure

Step 1

In the Cisco Cloud APIC GUI, click the Intent icon.

The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appear in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create Cloud Context Profile.

The Create Cloud Context Profile window appears.

Step 4

Enter the following information in the Create Cloud Context Profile window.

  • Name: Enter the name of the cloud context profile. For example, ct_ctxprofile_eastus.

  • Tenant: Click Select Tenant, choose a tenant for the cloud context profile for this use case, then click Select.

  • Region: Click Select Region, choose the region (for example, eastus), then click Select.

  • VRF: Click Select VRF, select the appropriate VRF, then click Select.

  • Add CIDR: Enter the CIDR information.

    1. Click Add CIDR.

    2. Enter the address in the CIDR Block Range field.

      For example, 30.1.0.0/16.

    3. Uncheck (disable) the Primary check box.

    4. Click Add Subnet and enter the subnet address in the Address field.

      For example, 30.1.0.0/17. Note that AKS cluster requires 338 addresses.

    5. Click Add.

  • VNet Gateway Router: Leave the box unchecked (unselected) for this field.

  • VNet Peering: Check this box to enable VNet peering.

Step 5

Click Save when finished.

What to do next

Go to Creating the Cloud Service EPG for AKS.

Creating the Cloud Service EPG for AKS

These procedures describe how to create the cloud service EPG with the Azure Kubernetes Services (AKS) service type. You will be making configurations through the Cisco Cloud APIC GUI in these procedures.

Before you begin

Complete the procedures in Creating a Subnet in the Cloud Context Profile before proceeding with these procedures.

Procedure

Step 1

In the Cisco Cloud APIC GUI, click the Intent icon.

The Intent menu appears.

Step 2

Click the drop-down arrow below the Intent search box and choose Application Management.

A list of Application Management options appear in the Intent menu.

Step 3

From the Application Management list in the Intent menu, click Create EPG.

The Create EPG window appears.

Step 4

Enter the following information in the Create EPG window.

  • Name: Enter the name of the cloud service EPG. For example, svc-Hub-AzureAKS.

  • Tenant: Click Select Tenant, choose a tenant for the cloud service EPG for this use case, then click Select.

  • Application Profile: Click Select Application Profile, choose the application profile, then click Select.

  • Type: Choose Service as the EPG type.

  • VRF: Click Select VRF, select the appropriate VRF, then click Select.

  • Service Type : Choose the Azure Kubernetes Services (AKS) service type.

  • Deployment Type: Choose the Cloud Native Managed deployment type.

  • Access Type: Choose the Private access type.

Step 5

Click Add Endpoint Selector.

The Add Endpoint Selector window appears.

For this use case, we will be creating an endpoint selector where the IP address matches the subnet information configured in the previous step, 30.1.0.0/17. Having the IP address in the endpoint selector match the subnet in the previous step allows the Cisco Cloud APIC to program the NSG to allow all of the required rules for this service type.

Step 6

In the Add Endpoint Selector window, enter a name in the Name field.

Step 7

Click the Key drop-down list to choose a key.

At this time, IP is the only option available as a key for this access type.

Step 8

Click the Operator drop-down list and choose equals.

Step 9

In the Value field, enter 30.1.0.0/17, then click the check mark to validate the entry.

Step 10

Click Add.

Step 11

Click Save when finished.

What to do next

Go to Verifying the Outbound Security Rules.

Verifying the Outbound Security Rules

These procedures describe how to verify that the necessary outbound security rules are getting configured correctly. The Cisco Cloud APIC configures all of the outbound security rules in Azure that are needed for AKS to be deployed in the Azure portal.

Before you begin

Complete the procedures in Creating the Cloud Service EPG for AKS before proceeding with these procedures.

Procedure

Step 1

In the Azure portal, navigate to the network security group for the subnet that was automatically created:

  1. Navigate to appropriate resource group.

  2. Select the subnet that was used for the AKS service EPG.

  3. Locate the necessary outbound security group.
Step 2

Locate the Outbound security rules area in the page and verify that the outbound security rules for the NSG are configured correctly.

For more information on the outbound security rules, see:

https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic

What to do next

Go to Creating a Kubernetes Service.

Creating a Kubernetes Service

These procedures describes how to create a Kubernetes service. You will be making configurations through the Azure portal in these procedures.


Note

The following procedure describes how to create a Kubernetes service through the Azure portal. An alternative method for creating a Kubernetes service is also provided in the Using Azure Kubernetes Service with Cisco Cloud APIC document.

Before you begin

Complete the procedures in Verifying the Outbound Security Rules before proceeding with these procedures.

Procedure

Step 1

In the Azure portal, search for the term Kubernetes Service by Microsoft and click on the search result.

The Kubernetes Service page appears.

Step 2

Click Create in the Kubernetes Service page.

The Create Kubernetes cluster page appears.

Step 3

In the Basics tab, configure the following areas:

  • Subscription: Select the appropriate subscription.

  • Resource Group: Select the appropriate resource group.

  • Kubernetes cluster name: Enter a unique name for this Kubernetes cluster.

  • Region: Select the appropriate region.

  • Kubernetes version: Leave the default selection as-is.

  • Node size: Leave the default selection as-is.

  • Node count: Verify that the scroll bar is all the way to the left so that the entry for this field is 1.

Step 4

Click Next: Node pools. Leave the default entries as-is and click Next: Authentication to advance to the Authentication tab.

Step 5

In the Authentication tab, configure the following areas:

  • Authentication method: Choose Service principal.

    The Service principal field appears.

  • Service principal: Click Configure service principal.

    In the Configure service principal window, configure the following areas:

    • Service principal: Choose either Create new or Use existing.

      If you choose Use existing, enter the following information for the existing service principal:

      • Service principal client ID

      • Service principal client secret

    Note 

    Make a note of the entries that you enter in these two fields. You will be using the entries in these fields later in these procedures.

    Click OK to return to the Authentication tab in the Create Kubernetes cluster window.

  • Role-based acces control (RBAC): Choose Enabled.

  • AKS-managed Azure Active Directory: Choose Disabled.

  • Encryption type: Leave the default selection as-is.

Step 6

Click Next: Networking to advance to the Networking tab.

Step 7

In the Networking tab, configure the following areas:

  • Network configuration: Choose Azure CNI.

  • Virtual network: Choose the corresponding virtual network.

  • Cluster subnet: Choose the Cisco Cloud APIC-managed subnet.

  • Kubernetes service address range: Leave the default selection as-is, or change the entry, if necessary.

  • Kubernetes DNS service IP address: Leave the default selection as-is, or change the entry, if necessary.

  • Docker Bridge address: Leave the default selection as-is, or change the entry, if necessary.

  • DNS name prefix: Leave the default selection as-is, or change the entry, if necessary.

  • Load balancer: Standard

  • Enable HTTP application routing: Leave the default selection as-is (not enabled), or change the entry, if necessary.

  • Enable Private cluster: Leave the default selection as-is (not enabled), or change the entry, if necessary.

Step 8

Click Next: Integration, then Next: Tags, to advance through those screens without changing any of the default entries, then click Next: Review+Create.

Step 9

In the Review+Create window, click Create, then click Create again after the validations pass to create the Kubernetes cluster.

You will see the message Deployment is in progress and the Overview screen for the Kubernetes service will appear.

Wait until the Kubernetes service is deployed successfully before proceeding (the amount of time it takes to deploy varies). Once this process is completed, the main AKS service will be in your original resource group. Azure will also create an additional resource group specifically for the Kubernetes service, with all of the agentpools VM scales set.

What to do next

Go to Verifying the New Kubernetes Service.

Verifying the New Kubernetes Service

These procedures describe how to verify that the new Kubernetes service is in the resource group that was created specifically for the Kubernetes service.

Before you begin

Complete the procedures in Creating a Kubernetes Service before proceeding with these procedures.

Procedure

Step 1

In the Azure portal, click on Resource groups in the left nav bar to navigate to the resource groups page.

Step 2

In the Resource groups page, locate the resource group that was created specifically for the Kubernetes service and click the link for that resource group.

The resource group created specifically for the Kubernetes service will have the following format:

MC_resourcegroupname_clustername_region

Where:

For example:

MC_aks_acme-aks-cluster_centralus

The Overview page for the Kubernetes service resource group appears.
Step 3

Locate the line for the Virtual machine scale set and click on that link.

This is where the AKS agent is running.
Step 4

In the left nav bar, click on Instances to display the virtual machine instances for this Kubernetes service resource group.

Step 5

Click on any of the three instances in this window, then verify that the IP address shown in the Private IP address field matches your hub subnet IP address.

All three instances shown in this window should have an IP address from the subnet that you selected in Step 7 in Creating a Kubernetes Service.

Step 6

Navigate back to the Overview page for the Kubernetes service resource group, then locate the kubernetes entry, shown with Load balancer as the Type, and click that link.

The Overview page for the Kubernetes load balancer appears.
Step 7

In the left nav bar, click Backend pools to view the AKS agents.

Step 8

If a virtual machine was created as part of the process of configuring the contract (for example, if a virtual machine was created for the consumer), and if you have AKS as the provider, verify that the rules were configured correctly.

  1. In the Azure portal, navigate back to the infra resource group.

  2. Choose Group by type for the records shown in the Overview page for the infra resource group.

  3. Scroll down until you see the Virtual machine area and click on the virtual machine for the consumer in your contract.

    The Overview window for that virtual machine appears.

  4. In the left nav bar, under Settings, click Networking.

    The Networking window for that virtual machine appears, with information on the inbound and outbound port rules.

  5. Click on the Outbound port rules tab, then click on one of the outbound port rules listed in the table.

    A window slides in from the right, displaying additional information on these outbound port rules. For example, the entry in the Destination IP addresses/CIDR ranges area provides information on the addresses that are associated with the AKS cluster.

What to do next

Go to Installing the Azure and AKS CLI.

Installing the Azure and AKS CLI

These procedures describe how to install the Azure and AKS CLI.

Before you begin

Complete the procedures in Verifying the New Kubernetes Service before proceeding with these procedures.

Procedure

Step 1

On the consumer VM that has internet access, install the Azure CLI.

For more information, see:

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-linux

For example, to install the Azure CLI in an Ubuntu Linux VM in Azure:

# curl -sL https://aka.ms/InstallAzureCliDeb | sudo bash
Step 2

Download and install kubectl, the Kubernetes command-line tool, and kubelogin, a client-go credential (exec) plugin implementing azure authentication: 

# az aks install-cli
Step 3

Log in with the service principle information that you entered in Step 5 in Creating a Kubernetes Service in these procedures: 


# az login --service-principal --username <service_principal_client_id> 
--password '<service_principal_client_secret>' --tenant <tenant_ID>

Where:

For example:

# az login --service-principal --username 12a3b456-7c89-1234-5de6-7f89012gh3i4 
--password 'secretkey12341234!' --tenant 98765zy4-xwv-3ut2-1uts-rq0pon98m765
Step 4

Set a subscription to be the current active subscription.

# az account set --subscription <AKS_rg_subscription_ID>

Where <AKS_rg_subscription_ID> is the subscription ID of the resource group that Azure created for the Kubernetes service in Verifying the New Kubernetes Service.

For example:

# az account set --subscription 56klm789n-o0p1-234q-5r6s-7t890123u4v5
Step 5

From the consumer VM, enter the following to log in and connect to AKS.

root@hub-vm:/home/capic# az aks get-credentials --resource-group <resource_group> --name <AKS_cluster_name> --admin

Where:

For example:

root@hub-vm:/home/capic# az aks get-credentials --resource-group capic_infra_westus --name azureaksclus --admin

A message similar to the following appears:

Merged "azureaksclus-admin" as current context in /root/.kube/config
Step 6

Check the internal IP addresses of each of the nodes.

root@hub-vm:/home/capic# kubectl get nodes -o wide

Output similar to the following appears:

The IP addresses listed in the INTERNAL-IP column are in your hub subnet.

Note 

In the example output above, the entries in the EXTERNAL-IP column are shown as <none> because the Access Type was set to Private in Step 4 in Creating the Cloud Service EPG for AKS. IP addresses would be displayed in the EXTERNAL-IP column if the Access Type is set to Public and Private.

Step 7

(Optional) Assign an admin role to a new user, if necessary.

  1. In the Azure portal, navigate back to the infra resource group.

  2. In the records area in the page, scroll down until you find the Kubernetes service entries.

  3. Click on the Kubernetes service that you configured.

    The Overview page for that Kubernetes service is displayed.

  4. In the left nav bar, click on Access Control (IAM).

    The Access Control (IAM) for that Kubernetes service is displayed.

  5. Click + Add, then select Add role assignment from the drop-down menu.

  6. In the Add role assignment page, make the following selections:

    • In the Role field, select Azure Kubernetes Service Cluster Admin Role from the drop-down menu.

    • In the Assign access to field, select User, group, or service principal.

    • Select the appropriate key.

  7. Click Save at the bottom of the screen.