Pierre Malarme b2a5ebbcaa Add front door subnet. Update README to fix the order of the modules and the sample app. Fix the sample deployment script to ensure that if the project already exists it is set and not created. This led to an error. Add the disable of private link service for the Front Door subnet. Update the version of ARO to latest version of 4.12. Fix description in Front Door bicep 2024-09-22 18:12:48 +00:00
Apps/RatingsApp
bicep
bicepWithAVM
terraform
README.md
script.ps1
script.sh

README.md

ARO Secure Baseline

A deployment of ARO-hosted workloads typically requires a separation of duties and lifecycle management in different areas, such as prerequisites, the host network, the cluster infrastructure, the shared services and finally the workload itself. This reference implementation is no different. Also, be aware that our primary purpose is to illustrate the topology and decisions involved in the deployment of an ARO cluster. We feel a "step-by-step" flow will help you learn the pieces of the solution and will give you insight into the relationship between them. Ultimately, lifecycle/SDLC management of your cluster and its dependencies will depend on your situation (organizational structures, standards, processes and tools), and will be implemented as appropriate for your needs.

There are various ways to secure your ARO cluster. From a network security perspective, these can be classified into securing the control plane and securing the workload.

By the end of this scenario, you will have deployed a secure ARO cluster that complies with ARO landing zone accelerator guidance and best practices. We will also deploy a workload known as the Ratings app, which is also featured in the Azure Kubernetes Services Workshop.

For this scenario, you can choose from several IaC technologies as well as an Azure CLI option, depending on your preference.

Deployment

The deployment of this solution can be done through various means. Walking through the Azure CLI option will ensure that your ARO environment is not only configured but that you control every aspect of the deployment. Alternatively, you can deploy the environment using one of the IaC methods. The available options are listed below:

Below is the architecture of this scenario (figure: architectural diagram for the secure baseline scenario).

The architecture is very similar to the AKS secure baseline private cluster architecture with minor tweaks to optimize it for ARO. The main differences are as follows:

  1. The use of Azure Front Door instead of Application Gateway, to take advantage of more of the ARO features such as its ingress controller
  2. The use of Azure Arc-enabled Kubernetes, to take advantage of native monitoring of the cluster
  3. The use of Azure Cosmos DB instead of a database running as a pod in the cluster

For more information about the architecture, please check out the ARO Landing Zone Accelerator documentation on Microsoft Docs.

Next Steps to implement ARO Landing Zone Accelerator

Pick one of the options below:

▶️ Bicep with AVM

▶️ Terraform