Securing Windows workloads on Azure Kubernetes Service with Calico

This article is contributed. See the original author and article here.

This blog post has been co-authored by Microsoft and Dhiraj Sehgal and Reza Ramezanpur from Tigera.

Container orchestration pushes the boundaries of containerized applications by preparing the necessary foundation to run containers at scale. Today, customers can run Linux and Windows containerized applications in a container orchestration solution, such as Azure Kubernetes Service (AKS).

This blog post will examine how to set up a Windows-based Kubernetes environment to run Windows workloads and secure them using Calico Open Source. By the end of this post, you will see how simple it is to apply your current Kubernetes skills and knowledge to manage a hybrid environment.

Container orchestration at scale with AKS

After creating a container image, you will need a container orchestrator to deploy it at scale. Kubernetes is a modular container orchestration software that will manage the mundane parts of running such workloads, and AKS abstracts the infrastructure on which Kubernetes runs, so you can focus on deploying and running your workloads.

In this blog post, we will share all the commands required to set up a mixed Kubernetes cluster (Windows and Linux nodes) in AKS – you can open up your Azure Cloud Shell window from the Azure Portal and run the commands if you want to follow along.

If you don’t have an Azure account with a paid subscription, don’t worry—you can sign up for a free Azure account to complete the following steps.

Resource group

To run a Kubernetes cluster in Azure, you must create multiple resources that share the same lifespan and assign them to a resource group. A resource group is a way to group related resources in Azure for easier management and accessibility. Keep in mind that each resource group must have a unique name.

The following command creates a resource group named calico-win-container in the australiaeast location. Feel free to adjust the location to a different Azure region.

az group create --name calico-win-container --location australiaeast

Cluster deployment

Note: Azure free accounts cannot create any resources in busy locations. Feel free to adjust your location if you face this problem.

A Linux control plane is necessary to run the Kubernetes system workloads, and Windows nodes can only join a cluster as participating worker nodes.

az aks create --resource-group calico-win-container --name CalicoAKSCluster --node-count 1 --node-vm-size Standard_B2s --network-plugin azure --network-policy calico --generate-ssh-keys --windows-admin-username 

Windows node pool

Now that we have a running control plane, it is time to add a Windows node pool to our AKS cluster.

Note: Use `windows` as the value for the `--os-type` argument.

az aks nodepool add --resource-group calico-win-container --cluster-name CalicoAKSCluster --os-type Windows --name calico --node-vm-size Standard_B2s --node-count 1

Calico for Windows

Calico for Windows is officially integrated into the Azure platform. Every time you add a Windows node in AKS, it will come with a preinstalled version of Calico. To check this, use the following command to ensure EnableAKSWindowsCalico is in a Registered state:

az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnableAKSWindowsCalico')].{Name:name,State:properties.state}"

Expected output:

Name                                               State
-------------------------------------------------  ----------
Microsoft.ContainerService/EnableAKSWindowsCalico  Registered

If your query returns a Not Registered state or no items, use the following command to enable AKS Calico integration for your account:

az feature register --namespace "Microsoft.ContainerService" --name "EnableAKSWindowsCalico"

After EnableAKSWindowsCalico becomes registered, you can use the following command to add the Calico integration to your subscription:

az provider register --namespace Microsoft.ContainerService

Exporting the cluster key

Kubernetes implements an API Server that provides a REST interface to maintain and manage cluster resources. Usually, to authenticate with the API server, you must present a certificate, username, and password. The Azure command-line interface (Azure CLI) can export these cluster credentials for an AKS deployment.

Use the following command to export the credentials:

az aks get-credentials --resource-group calico-win-container --name CalicoAKSCluster

After exporting the credential file, we can use the kubectl binary to manage and maintain cluster resources. For example, we can check which operating system is running on our nodes by using the OS labels.

kubectl get nodes -L kubernetes.io/os

You should see a similar result to:

NAME                                STATUS   ROLES   AGE     VERSION   OS
aks-nodepool1-64517604-vmss000000   Ready    agent   6h8m    v1.22.6   linux
akscalico000000                     Ready    agent   5h57m   v1.22.6   windows

Windows workloads

If you recall, the Kubernetes API server is the interface we use to manage and maintain our workloads.

We can use the same syntax to create a deployment, pod, service, or any other Kubernetes resource for our new Windows nodes. For example, the deployment uses the same kubernetes.io/os label we listed above as a node selector, which ensures Windows and Linux workloads are scheduled onto their respective nodes:

kubectl apply -f https://raw.githubusercontent.com/frozenprocess/wincontainer/main/Manifests/00_deployment.yaml

Since our workload is a .NET-based web server, the deployment YAML file also includes a LoadBalancer service that exposes the HTTP port to the Internet.

Use the following command to verify that the load balancer successfully acquired an external IP address:

kubectl get svc win-container-service -n win-web-demo

You should see a similar result:

NAME                    TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)        AGE
win-container-service   LoadBalancer   10.0.203.176   20.200.73.50   80:32442/TCP   141m

Open the “EXTERNAL-IP” value in a browser, and you should see the demo page with a message confirming that the web server can reach the Internet.

[Picture1.png: the demo page’s message]

Perfect! Our pod can communicate with the Internet.

Securing Windows workloads with Calico

By default, when no Kubernetes NetworkPolicy selects a pod, all traffic to and from that pod is permitted. While this is convenient for a lab environment, in a real-world scenario it can severely impact your cluster’s security.

First, use the following manifest to enable the Calico API server, which lets kubectl manage Calico policy resources:

kubectl apply -f https://raw.githubusercontent.com/frozenprocess/wincontainer/main/Manifests/01_apiserver.yaml

Use the following command to get the API Server deployment status:

kubectl get tigerastatus

You should see a similar result to:

NAME        AVAILABLE   PROGRESSING   DEGRADED   SINCE
apiserver   True        False         False      10h
calico      True        False         False      10h

Calico offers two security policy resources (namespaced and global) that together can cover every corner of your cluster. We will implement a global policy, since it can block Internet destinations without the daunting procedure of explicitly writing every IP/CIDR into a policy.

kubectl apply -f https://raw.githubusercontent.com/frozenprocess/wincontainer/main/Manifests/02_default-deny.yaml
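
To make the global policy concrete, here is an added example of a Calico GlobalNetworkPolicy written for this post; it is not the contents of the 02_default-deny.yaml manifest above and not Tigera’s own code. It assumes a default AKS cluster: the excluded system namespaces (kube-system, calico-system, calico-apiserver) and the k8s-app == "kube-dns" label on the CoreDNS pods are assumptions to verify against your cluster.

```yaml
# Added example (illustrative, not the post's 02_default-deny.yaml).
# A cluster-wide policy in the projectcalico.org/v3 API, which is why the
# Calico API server had to be enabled first. It selects every pod outside
# the listed system namespaces and denies all egress except DNS, so every
# Internet address is blocked without enumerating a single IP or CIDR.
# Ingress is deliberately left out of `types`, so the LoadBalancer can
# still reach the web server on port 80 while the pod cannot call out.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny-egress
spec:
  # Calico evaluates policies in ascending order. A high number lets more
  # specific, lower-ordered policies (for example a per-namespace allow
  # list for a known external API) take precedence over this baseline.
  order: 1000
  # `has(projectcalico.org/name)` restricts the policy to namespaced
  # workload endpoints, so host endpoints on the nodes are never selected.
  # The excluded namespaces are assumed for a default AKS cluster with the
  # Calico API server installed; compare with `kubectl get ns` on yours.
  namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "calico-apiserver"}
  types:
    - Egress
  egress:
    # Name resolution must keep working: allow UDP and TCP 53 to CoreDNS.
    # The k8s-app=kube-dns label is assumed; verify it with
    # `kubectl get pods -n kube-system -l k8s-app=kube-dns`.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == "kube-system"
        selector: k8s-app == "kube-dns"
        ports: [53]
    - action: Allow
      protocol: TCP
      destination:
        namespaceSelector: projectcalico.org/name == "kube-system"
        selector: k8s-app == "kube-dns"
        ports: [53]
    # Anything not matched above, including every Internet destination,
    # is dropped. Calico is stateful, so replies to inbound connections
    # that were accepted on ingress are still allowed through.
    - action: Deny
```

Apply it with kubectl apply -f once `kubectl get tigerastatus` shows the apiserver as available, and list it with `kubectl get globalnetworkpolicies`.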

If you go back to your browser and click the Try again button, you will see that the container is now isolated and cannot initiate connections to the Internet.

Note: The source code for the workload is available here.

Clean up

If you have been following this blog post and did the lab section in Azure, please make sure that you delete the resources, as cloud providers will charge you based on usage.

Use the following command to delete the resource group:

Conclusion

While network policy may not matter in lab scenarios, production workloads have stricter security requirements to meet. Calico offers a simple and integrated way to apply network policies to Windows workloads on Azure Kubernetes Service. In this blog post, we covered the basics of applying a network policy to a simple web server. You can find more information on how Calico works with Windows on AKS on our documentation page.

Security baseline for Microsoft Edge version 113

We are pleased to announce the security review for Microsoft Edge, version 113!

We have reviewed the new settings in Microsoft Edge version 113 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 112 security baseline continues to be our recommended configuration, which can be downloaded from the Microsoft Security Compliance Toolkit.

Microsoft Edge version 113 introduced 3 new computer settings and 3 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them.

As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.

Please continue to give us feedback through the Security Baselines Discussion site or this post.

How to Build an End-to-End Power BI Project with DAX Suggestion

DAX is now your friend

Learning and understanding DAX in Power BI can be challenging, especially for beginners. What if you could write DAX in plain natural language? Isn’t that awesome?

Yes, DAX is now your friend.

Let’s analyze the magic happening in the image below.

1. Write what you want to achieve in natural language, and the AI automatically generates the DAX function to achieve it.

2. Notice that I intentionally misspelt “Total” as “Toal”, yet it still understood what I was trying to do.

Now imagine what you will learn going through this live session with us.

This session focuses on helping you to improve your DAX knowledge and skill.

We will do this by working on a full Power BI report project, using the new AI capabilities in DAX to get it done.

About the Session

Are you ready to witness the latest and greatest capabilities of Power BI’s DAX language, now infused with Artificial Intelligence? In this session, we will take you through an exhilarating journey of building a complete Power BI report project, utilizing the powerful DAX language and its new AI capabilities.

Our expert presenters will showcase how to leverage the DAX suggestions feature to optimize your data model and make your report building process faster and more efficient. You will learn how to use DAX to create custom calculations and measure your data, while also harnessing the power of AI to enhance the accuracy and intelligence of your reports.

Throughout the session, you will get an inside look at how DAX suggestions can simplify and streamline your data analysis process, allowing you to focus on creating valuable insights and visualizations for your audience.

Whether you are a seasoned Power BI user or just starting out, this live session will provide you with valuable insights and practical tips to help you master the art of building end-to-end Power BI projects with DAX suggestions.

Join us for an exciting and informative Power BI live session that is sure to leave you inspired and equipped with the latest tools and techniques to take your data analysis and reporting to the next level.

Register

Event Date: May 18th, 2023

Time: 2PM (GMT+1)

To register, use this link: https://aka.ms/PowerBIDAXSuggestion

Additional Resources

Start Learning About DAX Suggestion Here

Seeking Feedback for new Data Mapper

Azure Logic Apps recently announced the public preview release of the new Data Mapper extension. If you haven’t had a chance to learn about this exciting new tool, check out our announcement. Already had the opportunity to test out Data Mapper? Consider meeting with the team as we are looking for feedback on this new extension.

Call for Feedback

We want to hear from you about your experiences thus far with the new Data Mapper extension. Your time and thoughts are appreciated and important to us in ensuring the best future for our product. We’re focused on hearing from developers and including your feedback in our upcoming release.

If you are interested in providing your insight to our team, please fill out this form so we can schedule a time to meet with you.

What’s new in Azure SQL – May 2023

Today Data Exposed went live at 9AM PT for a special Ask Me Anything and news update. If you missed the episode, you can find all episodes at https://aka.ms/AzureSQLYT. This month we’ll recap all the updates in April. This was a special May the Fourth [be with you] episode, and we had great guests (and fun) with the product group and our MVP community.

By the way, if you want to see a summary of all the updates in 2022, check out the blog https://aka.ms/NewsUpdate2022. If you want a summary of all the updates in 2023’s first quarter, check out the blog https://aka.ms/newsupdate2023q1.

You can read this blog to get all the updates and references mentioned in the show. Here’s the May 2023 update:

Let’s start with Azure SQL Managed Instance, which had several general availability (GA) announcements in April. First, the Link feature for Azure SQL Managed Instance reached GA for SQL Server 2016 and 2019. This capability lets you set up near real-time replication between a SQL Server instance and SQL MI, and you can use the link for scale, migration, read-only workloads, etc. To learn more, review the announcement blog. The team also announced the GA of CETAS, which stands for Create External Table As Select: you can create an external table while, in parallel, exporting the results of a SELECT statement into it. This has been a frequent customer ask, and you can learn how to take advantage of it here.

For Azure SQL Database, a couple of things landed in the security space related to auditing and TDE. Auditing can be connected to a storage account using an access key, but now you can also use a managed identity! For more information, refer to the announcement blog. For transparent data encryption (TDE), using customer-managed keys (CMK) is something we’ve been working on. In public preview, we announced support for database-level as well as cross-tenant TDE with CMK for Azure SQL Database. Prior to this, TDE with CMK was always set at the server level and inherited by all encrypted databases associated with that server. The database-level feature allows setting the TDE protector as a customer-managed key individually for each database within the server. The cross-tenant feature allows you to use TDE with CMK without requiring the Azure SQL logical server to be in the same Azure Active Directory (Azure AD) tenant as the Azure Key Vault that stores the customer-managed key used to protect the server. In a limited preview, we recently announced DOP Feedback for Azure SQL Database; learn more about the preview here.

SQL Server on Azure Virtual Machines is powered by the SQL IaaS Agent extension, which brings many benefits for managing your SQL Server Azure VMs with ease. There are a couple of announcements in this space, including that we are retiring modes (no more selecting Lightweight or Full; you simply choose whether to enable the features or not!). We also announced the GA of AAD authentication for SQL Server on Azure VMs. This is available starting with SQL Server 2022, and we have made it easy for you to enable and configure in Azure. Finally, we are always updating and enhancing the SQL IaaS extension, and now we have an auto-upgrade setting! It is on by default for new instances, but you can also opt in. More information.

For Hybrid, we announced the new centrally managed Azure Hybrid Benefit for SQL Server. This is a new Azure portal feature that helps you improve SQL Server license management at multiple levels, including at account and subscription levels. More information.

On the tooling and developer front, Azure Data Studio 1.43 went GA, including GA of the SQL Database Projects extension, connectivity improvements, and other ‘odds and ends’, as Erin Stellato says. Get the details in the release blog. I also want to highlight her awesome (and viral) blog called “April Tools Day” (released on April 1), where she debunks some myths about Azure Data Studio, SSMS, drivers, and more. I don’t want to summarize it further, because you really should just go read it. We also open-sourced ScriptDOM, a powerful .NET library for parsing T-SQL code into an abstract syntax tree (AST) that can be leveraged to apply code formatting, detect antipatterns, and more.

Videos

We continued to release new and exciting episodes this month. Here is the list, or you can just see the playlist we created with all the episodes!

  • Use Microsoft Purview DevOps policies to control access and limit insider threats
  • [MVP Edition] Bring your SQL expertise to the Data Lake with Serverless SQL Pools
  • Don’t let change pass you by! Get started with Change Tracking in your SQL Database
  • SQL Insider Series: Get Started with Azure Cognitive Search for Azure SQL
  • Registering SQL Server on Azure Virtual Machines with New IaaS Agent Extension Benefits (Ep. 12)
  • SQL Server 2022: T-SQL Enhancements [Ep. 6]
  • [MVP Edition] Capturing Query Metrics in Azure SQL Database

We’ve also had some great Data Exposed Live sessions this year. Subscribe to our YouTube channel to see them all and get notified when we stream.

Events

If you are looking to attend some in-person and virtual events this month, the Azure Data team has you covered. We’ll be at the following events and are looking forward to seeing you there!

May 6: SQLSaturday Jacksonville
– May 5: The SQL Server 2022 Workshop, Bob Ward
– May 6: SQL Server 2022 and the Wheel of Power, Bob Ward

May 12: New Stars of Data, Virtual
– From your Couch to the Cloud: When and Why to use the Azure Portal, Makena Barickman

May 15-17: Techorama, Belgium
– Confidential computing with Always Encrypted using enclaves, Pieter Vanhove

May 22-25: Dell Technologies World, Las Vegas
– Microsoft & Dell: Evolve your data strategy with SQL Server and Azure Arc, Bob Ward
– Take control of your data using Microsoft Azure Hybrid, Bob Ward

May 23: Red Hat Summit, Boston
– Enterprise data management foundations: The benefit of Red Hat platforms for enterprise workloads, Bob Ward

May 23-25: Microsoft Build, Seattle & Online
– Increase developer velocity with Azure SQL Database, from data to API
– Modernize your applications on Azure SQL Managed Instance Q&A
– Do more on Azure SQL Database Hyperscale Q&A
– Protect your data from tampering with ledger in Azure Managed Instance
– Further, Faster, with Azure Functions and Azure SQL Integration



Blogs to follow


There are a lot of blogs that I follow to stay up to date. If you want more details than I give here, I recommend checking out:

Anna’s Pick of the Month

You’ve been hearing a lot about OpenAI and ChatGPT. My pick of the month comes from Valentina Alto, who wrote a fascinating blog that details how you can use Azure OpenAI and Azure SQL Database to query your SQL tables. You don’t want to miss it!

Until next time…

That’s it for now! Be sure to check back next month for the latest updates. We also release new episodes of Data Exposed on Thursdays at 9AM PT and new #MVPTuesday episodes on the last Tuesday of every month at 9AM PT at aka.ms/DataExposedyt.

Having trouble keeping up? Be sure to follow us on Twitter to get the latest updates on everything: @AzureSQL.

We hope to see you next time, on Data Exposed :)

–Anna and Marisa