As I play around with Azure virtual machines and Azure Kubernetes Service almost every day, I thought the administration tasks for VMSS would not be that different. I was wrong. VMSS is indeed a service on its own and, unfortunately, the official documentation is not that thorough.

The reasons for implementing VMSS instead of VM.

The differences can be reviewed here, but in short, the management overhead is different.


Image Source: Virtual Machine Scale Set (VMSS) — MyKloud

The simplified architecture is pretty…

AKS requires an identity with sufficient permissions to perform actions such as creating additional load balancers, public IP addresses and managed disks on the Azure platform. By default, AKS takes care of all of this by creating system-assigned managed identities (MI). However, there are situations in which administrators would rather use either a user-assigned MI or a plain Azure Active Directory (AAD) service principal (SP).

An MI lets the Azure platform control its lifecycle. A system-assigned MI's lifecycle is tied to the service itself, whereas a user-assigned MI does not have that trait, as it is a separately created identity object…

If you have not read through part 1 of this series, please check it from here.

Create Sample Data in Source PostgreSQL Server

If everything is set up correctly in Part 1, the PostgreSQL server can be accessed without issues. Follow this article to create a new PostgreSQL database inside the server and insert sample data. The output should be similar to the one below. This PostgreSQL server is without CMK data encryption.

# log in to the PostgreSQL server (the original nested the quotes around the cert path, which breaks the shell; quoted once here)
psql "sslmode=verify-full sslrootcert=./BaltimoreCyberTrustRoot.crt port=5432 dbname=postgres user=jonw@jonwpostgresqlsrv2 password=xxxx"
# show all databases in the server
\l
# change to the right database
\c <database name>
# show all…

Since AKS can be integrated with more and more services on Azure, Pods having an identity that AAD can authenticate becomes a must. AAD Pod Identity (AAD Pod ID) is designed for this purpose.

Before going through the step-by-step setup instructions, let's take a look at how everything works behind the scenes.

Image Source: Block Diagram and Design | Azure Active Directory Pod Identity for Kubernetes

In the image above, whenever a Pod tries to access an Azure service and does not carry the “aks” label, MIC looks up the Azure Identity Binding information and assigns the EMSI to the Node hosting that Pod. …

I started to play around with this service because a request came in about migrating data from a normal PostgreSQL server to a PostgreSQL server with customer-managed key (CMK) data encryption. Before we can even start testing the migration, we would need to


When performing the steps mentioned here, Azure takes care of adding the PostgreSQL server's managed identity (MI) to AKV's Access Control List (ACL) with Get, Wrap and Unwrap permissions. So, that is the small discrepancy between documentation and practice. …

If you have not yet checked out AKS Network Deep Dive Part 1 and Part 2, please click on the links above to go through the content.

In this article, we focus on how Azure CNI operates inside AKS.

What is CNI?

Abbreviation for Container Networking Interface. It is a specification where all the networking implementation is done by plugins. It was developed to have a simple contract between the container runtime and the networking implementation for containers.

— Quoted from here

This article introduces the monitoring solutions administrators can use to visually observe AKS metrics. Specifically, we talk about Prometheus and Azure Monitor (Log Analytics Workspace) as metrics-monitoring services and Grafana as the dashboard service.


Firstly, we need to install Prometheus on the AKS cluster to collect the scraped information from each resource. This article already provides detailed step-by-step guidance. As the installation process requires HELM v3, please follow the official site or this site to complete the HELM v3 installation.

# check HELM version
helm version
# check whether the namespace for Prometheus is created
kubectl…

This actually should not be a part 2, as it is not related to part 1 but is a different way of setting up AKS to get AKV's resources. I name it part 2 because I would like people to go through either method.

Step-by-Step Guidance

# get the AKS associated service principal
az aks show -g <resource group name> -n <AKS name> | grep identityProfile -A 5
# note down the object ID of the service principal

Pod and Service Communication

To understand how an external client gets to access the services provided by Pods, we need to create a simple NGINX Deployment with 3 replicas, then expose it with a native LoadBalancer Service.

# create an NGINX Deployment with 2 replicas
kubectl create deployment my-nginx --image=nginx --replicas=2
# check Pods to see each Pod's IP address and the Node it is scheduled on
kubectl get pods -o wide
# expose the Deployment with a LoadBalancer Service
kubectl expose deployment my-nginx --type=LoadBalancer --port=80 --name=my-nginx-service

If you are like me, with not much foundation in Docker and having learned everything cloud native after K8s was introduced, you might have the same urge to figure out how networking works within the cluster.

In this series, I would try to touch on

There are always new concepts and solutions coming out in K8s development every year, but I believe these should cover most of K8s networking for now.

For the majority of this series, the environment would…


Learning new things about Kubernetes every day. Hopefully, the learning notes could help people on the same journey!
