{"id":398,"date":"2026-04-13T22:20:37","date_gmt":"2026-04-13T22:20:37","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/azure-kubernetes-service-aks-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-compute\/"},"modified":"2026-04-13T22:20:37","modified_gmt":"2026-04-13T22:20:37","slug":"azure-kubernetes-service-aks-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-compute","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/azure-kubernetes-service-aks-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-compute\/","title":{"rendered":"Azure Kubernetes Service (AKS) Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Compute"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Compute<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Azure Kubernetes Service (AKS) is Microsoft Azure\u2019s managed Kubernetes offering in the <strong>Compute<\/strong> category. It lets you run containerized applications on Kubernetes without having to build and operate a Kubernetes control plane yourself.<\/p>\n\n\n\n<p>In simple terms: <strong>AKS runs your containers on a cluster of Azure virtual machines, and Azure manages the Kubernetes \u201cbrains\u201d (the control plane)<\/strong>. You focus on deploying apps, scaling them, and operating workloads; Azure handles much of the underlying Kubernetes management.<\/p>\n\n\n\n<p>In technical terms: AKS provides a managed Kubernetes API server and related control plane components, integrates with Azure networking (VNets, load balancers, private endpoints), identity (Microsoft Entra ID), security (Azure Policy, Microsoft Defender for Cloud), and observability (Azure Monitor\/Log Analytics). You supply and pay for worker nodes (VMs) and associated resources, and you manage Kubernetes objects (Deployments, Services, Ingress, etc.) 
using standard Kubernetes tooling.<\/p>\n\n\n\n<p>AKS solves a common problem: teams want Kubernetes\u2019 portability and ecosystem (Helm, GitOps, Operators, service mesh) without the operational burden of standing up, upgrading, and hardening Kubernetes control planes and core integrations on raw infrastructure.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Azure Kubernetes Service (AKS)?<\/h2>\n\n\n\n<p><strong>Official purpose:<\/strong> Azure Kubernetes Service (AKS) is a managed service for running Kubernetes clusters on Azure. It aims to reduce the complexity and operational overhead of managing Kubernetes by offloading control plane management and providing deep integration with Azure services.<\/p>\n\n\n\n<p><strong>Core capabilities<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Provision and manage Kubernetes clusters with managed control plane components.<\/li>\n<li>Run container workloads on scalable node pools (backed by Azure Virtual Machines \/ VM Scale Sets).<\/li>\n<li>Integrate with Azure identity, networking, storage, and monitoring services.<\/li>\n<li>Support rolling upgrades, node image updates, and operational add-ons (monitoring, policy, etc.).<\/li>\n<li>Provide features for production readiness: autoscaling, multi-node-pool design, private networking options, and governance controls.<\/li>\n<\/ul>\n\n\n\n<p><strong>Major components<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Managed control plane<\/strong> (Kubernetes API server and control plane services managed by Azure).<\/li>\n<li><strong>Node pools<\/strong>: groups of worker nodes (VMs) that run your pods; typically a <strong>system node pool<\/strong> plus one or more <strong>user node pools<\/strong>.<\/li>\n<li><strong>Cluster networking<\/strong>: integrates with Azure Virtual Network (VNet) through supported CNI models.<\/li>\n<li><strong>Ingress and load balancing<\/strong>: integration with Azure Load Balancer and optional ingress controllers.<\/li>\n<li><strong>Storage<\/strong>: CSI drivers integrating with Azure Disks, Azure Files, and other storage offerings.<\/li>\n<li><strong>Identity &amp; access<\/strong>: Kubernetes RBAC plus Azure integration (Microsoft Entra ID).<\/li>\n<li><strong>Observability &amp; governance<\/strong>: Azure Monitor (Container insights), Log Analytics, Azure Policy for AKS, Defender for Containers.<\/li>\n<\/ul>\n\n\n\n<p><strong>Service type:<\/strong> Managed Kubernetes (container orchestration) in Azure <strong>Compute<\/strong>.<\/p>\n\n\n\n<p><strong>Scope and availability model<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AKS clusters are <strong>regional resources<\/strong> (created in a specific Azure region).<\/li>\n<li>Worker nodes live in your Azure subscription and are deployed into a resource group and VNet\/subnets you control (depending on configuration).<\/li>\n<li>The control plane is managed by Azure; networking and resource dependencies depend on cluster mode (public\/private API server, chosen network plugin, etc.).<\/li>\n<li>Some features can be zone-aware (for regions supporting Availability Zones). Verify region-specific availability in official docs.<\/li>\n<\/ul>\n\n\n\n<p><strong>How it fits into the Azure ecosystem<\/strong><\/p>\n\n\n\n<p>AKS is often the Kubernetes runtime layer in Azure platform architectures:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CI\/CD and GitOps<\/strong>: Azure DevOps, GitHub Actions, Flux\/Argo CD.<\/li>\n<li><strong>Container images<\/strong>: Azure Container Registry (ACR).<\/li>\n<li><strong>Secrets<\/strong>: Azure Key Vault (often via CSI drivers).<\/li>\n<li><strong>Networking<\/strong>: Azure VNet, Azure Load Balancer, Application Gateway, Azure Firewall, Private Link, DNS.<\/li>\n<li><strong>Security posture<\/strong>: Microsoft Defender for Cloud, Azure Policy, Azure RBAC\/Entra ID.<\/li>\n<li><strong>Observability<\/strong>: Azure Monitor, Log Analytics, Managed Grafana (verify current integration options in docs).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use Azure Kubernetes Service (AKS)?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster time to production<\/strong>: Kubernetes is complex; AKS reduces undifferentiated heavy lifting.<\/li>\n<li><strong>Standardization<\/strong>: Kubernetes is a common platform across clouds\/on-prem, easing portability and hiring.<\/li>\n<li><strong>Ecosystem leverage<\/strong>: Helm charts, Operators, and CNCF tooling reduce custom platform work.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Managed control plane<\/strong>: Azure handles critical control plane components, patching, and availability options (see pricing\/SLA details in official docs).<\/li>\n<li><strong>Flexible workload placement<\/strong>: multiple node pools, VM sizes, and scheduling rules.<\/li>\n<li><strong>Kubernetes-native<\/strong>: upstream APIs, kubectl, Helm, standard YAML manifests.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Upgrades and maintenance workflows<\/strong>: supported upgrade paths and node image updates (exact mechanisms can evolve; verify in official docs).<\/li>\n<li><strong>Autoscaling<\/strong>: scale nodes and pods (capabilities depend on add-ons and configuration).<\/li>\n<li><strong>Observability integration<\/strong>: Container insights\/Log Analytics and Azure Monitor.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Identity integration<\/strong>: Microsoft Entra ID-backed authentication for cluster access.<\/li>\n<li><strong>Policy and governance<\/strong>: Azure Policy for AKS can enforce guardrails.<\/li>\n<li><strong>Network isolation<\/strong>: private clusters and VNet integration options.<\/li>\n<li><strong>Supply chain controls<\/strong>: integrate 
with ACR, image scanning\/signing workflows (capabilities vary; verify current offerings).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Horizontal scale<\/strong>: add nodes, add node pools, scale replicas.<\/li>\n<li><strong>High availability design patterns<\/strong>: multi-zone node pools in supported regions; node pool separation for system\/user workloads.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<p>Choose AKS when you need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Kubernetes compatibility and extensibility (service mesh, custom controllers, CRDs).<\/li>\n<li>Multi-team platform hosting multiple services.<\/li>\n<li>Advanced scheduling needs (GPU, memory-intensive workloads).<\/li>\n<li>A production-grade container orchestration layer integrated with Azure networking and security.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<p>AKS may be the wrong fit when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need a <strong>simpler PaaS<\/strong>: consider Azure Container Apps or Azure App Service for containers.<\/li>\n<li>Your workload is small and static: a single container or small set may be cheaper\/easier on simpler services.<\/li>\n<li>You cannot staff Kubernetes operations: despite being managed, AKS still requires Kubernetes skills (networking, upgrades, security, troubleshooting).<\/li>\n<li>You require strict, specialized compliance where a curated alternative (for example Azure Red Hat OpenShift) better matches certification\/support requirements.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Azure Kubernetes Service (AKS) used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SaaS and software companies running multi-service platforms.<\/li>\n<li>Financial services and insurance needing controlled networking and policy enforcement.<\/li>\n<li>Retail and e-commerce with traffic spikes and microservices.<\/li>\n<li>Healthcare and public sector with governance and audit requirements.<\/li>\n<li>Media and gaming with bursty compute and global user bases (often with multi-region patterns).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering teams building internal developer platforms.<\/li>\n<li>DevOps and SRE teams operating microservices.<\/li>\n<li>Data\/ML engineering teams running batch\/stream workloads in containers (verify best-fit; some ML patterns may prefer specialized services).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Microservices APIs (REST\/gRPC).<\/li>\n<li>Background workers and event-driven consumers.<\/li>\n<li>Stateful services (with careful storage design).<\/li>\n<li>CI\/CD runners (with security boundaries).<\/li>\n<li>Ingress-heavy web applications.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hub-spoke VNets with centralized security.<\/li>\n<li>Private clusters with controlled egress via firewall.<\/li>\n<li>GitOps-managed multi-namespace multi-team clusters.<\/li>\n<li>Blue\/green or canary deployment patterns (via ingress controllers\/service mesh).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production<\/strong>: multi-node-pool, autoscaling, private API server, policy, monitoring, and robust ingress.<\/li>\n<li><strong>Dev\/Test<\/strong>: smaller clusters, fewer 
node pools, possibly public API server for simplicity, lower-cost VM sizes.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Azure Kubernetes Service (AKS) is commonly used.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Microservices platform for customer-facing APIs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Many small services need independent deploy\/scale and consistent routing.<\/li>\n<li><strong>Why AKS fits:<\/strong> Kubernetes-native service discovery, rolling updates, and ingress support.<\/li>\n<li><strong>Example:<\/strong> An e-commerce API layer with separate services for catalog, cart, checkout, and pricing.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Modernizing a monolith into modular services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A monolithic app needs gradual decomposition without rewriting everything at once.<\/li>\n<li><strong>Why AKS fits:<\/strong> You can run the monolith and new services side-by-side and migrate traffic incrementally.<\/li>\n<li><strong>Example:<\/strong> A legacy .NET application is containerized and deployed alongside new Go services.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Multi-tenant internal platform for multiple teams<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Many teams need a standardized runtime with guardrails.<\/li>\n<li><strong>Why AKS fits:<\/strong> Namespaces, RBAC, quotas, network policies, and policy enforcement.<\/li>\n<li><strong>Example:<\/strong> A platform team provides namespaces and CI\/CD templates to 30 product teams.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Event-driven background processing<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Workers must scale with queue depth and be isolated from front-end traffic.<\/li>\n<li><strong>Why AKS 
fits:<\/strong> Separate node pools for workers, standard deployment patterns, autoscaling options.<\/li>\n<li><strong>Example:<\/strong> Thumbnail generation workers consuming from a messaging service (e.g., Azure Service Bus).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Hybrid connectivity to enterprise networks<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Apps must reach on-prem databases and services securely.<\/li>\n<li><strong>Why AKS fits:<\/strong> VNet integration, private endpoints, and enterprise network patterns.<\/li>\n<li><strong>Example:<\/strong> A customer support portal calls an on-prem SAP service via VPN\/ExpressRoute.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) API gateway + ingress consolidation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Many services require consistent TLS, routing, and WAF policies.<\/li>\n<li><strong>Why AKS fits:<\/strong> Integrates with Azure load balancing and supports ingress controllers.<\/li>\n<li><strong>Example:<\/strong> Central ingress routes to 50 internal services with managed certificates.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Batch jobs and scheduled workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Batch workloads need container packaging and scheduling control.<\/li>\n<li><strong>Why AKS fits:<\/strong> Kubernetes Jobs\/CronJobs with node pool tuning.<\/li>\n<li><strong>Example:<\/strong> Nightly ETL tasks run as CronJobs and publish results to a data store.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) GPU-accelerated inference endpoints (select workloads)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Inference services need GPU nodes and scalable endpoints.<\/li>\n<li><strong>Why AKS fits:<\/strong> Node pools can use GPU VM sizes; Kubernetes scheduling supports GPU resources.<\/li>\n<li><strong>Example:<\/strong> An image classification 
API runs on a GPU node pool and scales replicas.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Secure, private-by-default application hosting<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Compliance requires avoiding public exposure of internal services.<\/li>\n<li><strong>Why AKS fits:<\/strong> Private cluster patterns, internal load balancers, and controlled egress.<\/li>\n<li><strong>Example:<\/strong> Internal HR and finance services are only reachable from corporate networks.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Shared CI tooling or build farm (with tight controls)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Build jobs need elastic compute and container isolation.<\/li>\n<li><strong>Why AKS fits:<\/strong> Kubernetes scheduling, separate node pools, and namespace isolation.<\/li>\n<li><strong>Example:<\/strong> Self-hosted runners spin up on-demand to run builds and tests.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Running a service mesh (advanced)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Need mTLS, traffic shaping, retries, circuit breaking, and observability.<\/li>\n<li><strong>Why AKS fits:<\/strong> Kubernetes is the common substrate for service mesh solutions.<\/li>\n<li><strong>Example:<\/strong> Canary releases using traffic splitting and mTLS between services. (Verify recommended mesh options for AKS in official docs.)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Multi-environment deployment standardization<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Dev\/stage\/prod drift causes outages.<\/li>\n<li><strong>Why AKS fits:<\/strong> Declarative manifests and GitOps reduce configuration drift.<\/li>\n<li><strong>Example:<\/strong> Same Helm chart promoted across environments with parameterization.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">6. 
Core Features<\/h2>\n\n\n\n<p>This section focuses on important, currently relevant AKS capabilities. Availability can vary by region, Kubernetes version, and cluster configuration\u2014<strong>verify in official docs<\/strong> for your target environment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Managed Kubernetes control plane<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Azure manages Kubernetes control plane components (API server and related services).<\/li>\n<li><strong>Why it matters:<\/strong> Reduces operational burden and risk around control plane patching\/availability.<\/li>\n<li><strong>Practical benefit:<\/strong> Faster provisioning and standardized upgrades.<\/li>\n<li><strong>Caveats:<\/strong> You still manage workloads, node pools, network policies, and day-2 operations (deployments, troubleshooting, security hardening).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Node pools (system and user)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Separates cluster nodes into pools with different VM sizes, scaling rules, and taints\/labels.<\/li>\n<li><strong>Why it matters:<\/strong> Lets you isolate system components and tailor compute to workload needs.<\/li>\n<li><strong>Practical benefit:<\/strong> Run ingress on dedicated nodes, GPU workloads on GPU nodes, and system pods on the system pool.<\/li>\n<li><strong>Caveats:<\/strong> More node pools increase operational complexity and cost.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Autoscaling (cluster and workload scaling)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Scale node count (cluster autoscaler) and pod replicas (Horizontal Pod Autoscaler) where configured.<\/li>\n<li><strong>Why it matters:<\/strong> Controls cost and maintains performance under variable load.<\/li>\n<li><strong>Practical benefit:<\/strong> Automatically add nodes during traffic 
spikes.<\/li>\n<li><strong>Caveats:<\/strong> Requires correct requests\/limits, scheduling constraints, and capacity planning. HPA needs metrics; ensure metrics pipeline is configured.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Kubernetes version upgrades and node image updates<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Supports Kubernetes version upgrades and updating node images.<\/li>\n<li><strong>Why it matters:<\/strong> Security patches and feature updates require regular maintenance.<\/li>\n<li><strong>Practical benefit:<\/strong> Safer, guided upgrade workflows compared to self-managed clusters.<\/li>\n<li><strong>Caveats:<\/strong> Upgrades can cause disruption if PodDisruptionBudgets, readiness probes, and surge settings are not configured properly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Azure networking integration (VNet)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Integrates pods\/services with Azure networking.<\/li>\n<li><strong>Why it matters:<\/strong> Enterprise environments need IP planning, routing, NSGs, and private connectivity.<\/li>\n<li><strong>Practical benefit:<\/strong> Connect to private resources, control egress, and integrate with hub-spoke networks.<\/li>\n<li><strong>Caveats:<\/strong> Networking mode selection affects IP consumption, routing, and troubleshooting complexity.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Load balancing and service exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Kubernetes Services of type <code>LoadBalancer<\/code> can integrate with Azure Load Balancer; ingress controllers provide HTTP routing.<\/li>\n<li><strong>Why it matters:<\/strong> Most production apps require stable inbound routing with TLS.<\/li>\n<li><strong>Practical benefit:<\/strong> Standard pattern: <code>Ingress<\/code> + controller for L7 routing.<\/li>\n<li><strong>Caveats:<\/strong> Public load 
balancers create public endpoints; for private-only services use internal load balancers and private ingress patterns.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Storage via CSI drivers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Supports persistent volumes using Azure storage backends (commonly Azure Disks and Azure Files) via CSI.<\/li>\n<li><strong>Why it matters:<\/strong> Stateful workloads need durable storage and reliable attach\/mount behavior.<\/li>\n<li><strong>Practical benefit:<\/strong> Use <code>PersistentVolumeClaim<\/code> objects and standard Kubernetes patterns.<\/li>\n<li><strong>Caveats:<\/strong> Storage performance\/availability depends on the selected Azure storage SKU and zone\/region design.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Identity integration (Microsoft Entra ID) and RBAC<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Uses Entra ID for authentication to the cluster; Kubernetes RBAC for authorization.<\/li>\n<li><strong>Why it matters:<\/strong> Centralized identity, auditability, and least privilege.<\/li>\n<li><strong>Practical benefit:<\/strong> Grant engineers access using groups, avoid shared kubeconfigs.<\/li>\n<li><strong>Caveats:<\/strong> Plan role bindings carefully; avoid cluster-admin for day-to-day use.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Private cluster options (API server access control)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Restricts Kubernetes API server access (private endpoint\/private networking patterns).<\/li>\n<li><strong>Why it matters:<\/strong> Reduces attack surface for control plane access.<\/li>\n<li><strong>Practical benefit:<\/strong> Only allow API access from approved networks.<\/li>\n<li><strong>Caveats:<\/strong> Requires private DNS and connectivity planning; developer access may require VPN\/bastion\/jump host.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Policy and governance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Enforce guardrails such as \u201conly allow approved registries\u201d or \u201crequire resource limits\u201d using Azure Policy for AKS.<\/li>\n<li><strong>Why it matters:<\/strong> Prevent insecure or non-compliant deployments.<\/li>\n<li><strong>Practical benefit:<\/strong> Standardize across teams and clusters.<\/li>\n<li><strong>Caveats:<\/strong> Policy misconfiguration can block deployments; roll out gradually with audit mode first.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring and logging (Azure Monitor \/ Container insights)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Collects logs and metrics for nodes, pods, and cluster components.<\/li>\n<li><strong>Why it matters:<\/strong> Kubernetes troubleshooting is observability-heavy.<\/li>\n<li><strong>Practical benefit:<\/strong> Faster incident response with centralized logs\/metrics.<\/li>\n<li><strong>Caveats:<\/strong> Log Analytics ingestion can be a meaningful cost driver; define retention and collection scope carefully.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Container image integration (ACR)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Integrates AKS with Azure Container Registry for pulling images.<\/li>\n<li><strong>Why it matters:<\/strong> Secure, private image hosting with Azure identity integrations.<\/li>\n<li><strong>Practical benefit:<\/strong> Avoid public registries for proprietary images.<\/li>\n<li><strong>Caveats:<\/strong> Ensure correct permissions and network access (private endpoints\/firewall rules).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">7. 
Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>AKS uses a managed control plane and customer-managed worker nodes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <strong>control plane<\/strong> exposes the Kubernetes API endpoint.<\/li>\n<li><strong>Worker nodes<\/strong> (VMs) run kubelet and your pods.<\/li>\n<li>Kubernetes objects (Deployments, Services, Ingress) define desired state.<\/li>\n<li>Azure integrations supply networking, load balancing, identity, and monitoring.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow (typical web app)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>A client makes an HTTP request to a public endpoint (often a load balancer or application gateway fronting an ingress controller).<\/li>\n<li>The request is routed to an ingress controller in the cluster.<\/li>\n<li>Ingress routes traffic to a Kubernetes Service.<\/li>\n<li>The Service load-balances to healthy pods.<\/li>\n<li>Pods may access Azure services (databases, caches, storage) via private endpoints or public endpoints with controlled egress.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related Azure services<\/h3>\n\n\n\n<p>Common dependencies in production:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Azure Virtual Network (VNet)<\/strong>: network isolation and IP address planning.<\/li>\n<li><strong>Azure Load Balancer \/ Application Gateway<\/strong>: inbound traffic management.<\/li>\n<li><strong>Azure Container Registry (ACR)<\/strong>: private image registry.<\/li>\n<li><strong>Azure Key Vault<\/strong>: secret management patterns (often via CSI).<\/li>\n<li><strong>Azure Monitor + Log Analytics<\/strong>: metrics\/log collection.<\/li>\n<li><strong>Microsoft Defender for Cloud<\/strong>: threat protection and security posture.<\/li>\n<li><strong>Azure Policy<\/strong>: governance and compliance guardrails.<\/li>\n<li><strong>Azure DNS \/ Private DNS<\/strong>: name resolution for private clusters and private endpoints.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model (cluster access)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Authentication typically uses <strong>Microsoft Entra ID<\/strong>.<\/li>\n<li>Authorization uses <strong>Kubernetes RBAC<\/strong> (Role\/ClusterRole and bindings).<\/li>\n<li>Workload identity patterns can be used to access Azure resources without long-lived secrets (implementation options evolve; verify current AKS guidance).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model (overview)<\/h3>\n\n\n\n<p>AKS supports different networking approaches (names and specifics can change over time):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Common options include <strong>Azure CNI<\/strong> and <strong>kubenet<\/strong> (legacy\/alternative in some scenarios). <strong>Verify current recommendations and support status<\/strong> in official docs for your region and Kubernetes version.<\/li>\n<li>Inbound traffic commonly uses:\n<ul>\n<li><code>Service type LoadBalancer<\/code> (L4)<\/li>\n<li>Ingress controllers (L7) + load balancer\/application gateway<\/li>\n<\/ul>\n<\/li>\n<li>Egress can be controlled via:\n<ul>\n<li>User-defined routes (UDR) to Azure Firewall\/NVA<\/li>\n<li>NAT Gateway patterns (where applicable)<\/li>\n<li>Network policies (Kubernetes or Azure-integrated options)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable cluster and workload logging early; define retention and filtering to manage cost.<\/li>\n<li>Use structured logs in apps; add correlation IDs.<\/li>\n<li>Apply governance:\n<ul>\n<li>namespaces per team\/environment<\/li>\n<li>RBAC for least privilege<\/li>\n<li>policy guardrails (audit-first)<\/li>\n<li>standardized labels\/annotations for cost allocation<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  U[User] --&gt;|HTTPS| 
LB[Azure Load Balancer Public IP]\n  LB --&gt; ING[Ingress Controller Service]\n  ING --&gt; SVC[Kubernetes Service]\n  SVC --&gt; PODS[\"Pods (Deployment)\"]\n  PODS --&gt; DB[(Data Store)]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  Dev[Developer \/ CI] --&gt;|kubectl\/Helm\/GitOps| API[\"Kubernetes API Server\\n(Managed Control Plane)\"]\n  subgraph Azure_Region[\"Azure Region\"]\n    subgraph HubVNet[\"Hub VNet\"]\n      FW[Azure Firewall \/ NVA]\n      DNSP[Private DNS Zones]\n      Mon[Azure Monitor + Log Analytics]\n      KV[Azure Key Vault]\n      ACR[Azure Container Registry]\n    end\n\n    subgraph SpokeVNet[\"Spoke VNet (AKS)\"]\n      subgraph AKS[\"AKS Cluster\"]\n        NPsys[System Node Pool]\n        NPuser[\"User Node Pool(s)\"]\n        Ingress[Ingress Controller]\n        Svc[Services]\n        Pods[Workload Pods]\n      end\n      ILB[Internal Load Balancer]\n    end\n\n    Internet[(Internet)] --&gt;|HTTPS| WAF[\"App Gateway \/ WAF\\n(optional pattern)\"]\n    WAF --&gt; ILB\n    ILB --&gt; Ingress\n    Pods --&gt;|pull images| ACR\n    Pods --&gt;|secrets| KV\n    Pods --&gt;|logs\/metrics| Mon\n    Pods --&gt;|egress| FW\n    API --&gt; DNSP\n  end\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">8. 
Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Azure account and subscription<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active <strong>Azure subscription<\/strong> with billing enabled.<\/li>\n<li>Permission to create:\n<ul>\n<li>Resource groups<\/li>\n<li>Virtual networks\/subnets (if using custom networking)<\/li>\n<li>AKS clusters and related managed resources<\/li>\n<li>Public IP\/load balancer resources (for public services)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<p>Minimum permissions depend on your organization, but commonly you need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Owner<\/strong> or <strong>Contributor<\/strong> on the target subscription\/resource group, plus permissions to assign managed identities\/roles as required.<\/li>\n<li>If using ACR integration or role assignments, permission to grant <code>AcrPull<\/code> to the cluster identity.<\/li>\n<\/ul>\n\n\n\n<p>For cluster access control: Microsoft Entra ID users\/groups for Kubernetes authentication (recommended in most enterprises).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AKS itself may have a management fee depending on features\/tiers (for example, uptime\/SLA options). 
<strong>Verify current pricing model<\/strong>.<\/li>\n<li>You pay for underlying resources: VMs, disks, load balancers, public IPs, log ingestion, etc.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools<\/h3>\n\n\n\n<p>Install locally:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Azure CLI<\/strong>: https:\/\/learn.microsoft.com\/cli\/azure\/install-azure-cli<\/li>\n<li><strong>kubectl<\/strong>: often installed via <code>az aks install-cli<\/code> (verify your OS-specific steps).<\/li>\n<li>Optional:\n<ul>\n<li><strong>Helm<\/strong> (for charts): https:\/\/helm.sh\/docs\/intro\/install\/<\/li>\n<li><strong>Git<\/strong> for GitOps workflows<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AKS is available in many regions, but:\n<ul>\n<li>Kubernetes version availability varies by region.<\/li>\n<li>Availability Zones support varies by region.<\/li>\n<li>Some add-ons\/features are region-limited.<\/li>\n<\/ul>\n<\/li>\n<li>Always validate in the official AKS documentation for your region.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure resource quotas for:\n<ul>\n<li>vCPU limits in a region<\/li>\n<li>Public IP addresses<\/li>\n<li>Load balancers<\/li>\n<li>Managed disks<\/li>\n<\/ul>\n<\/li>\n<li>AKS has limits such as node count and pod density per node (depends on networking mode and VM sizes). <strong>Verify in official docs<\/strong> for current limits.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services (commonly used)<\/h3>\n\n\n\n<p>For the lab in this tutorial, you\u2019ll use:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure Resource Group<\/li>\n<li>AKS<\/li>\n<li>Azure Load Balancer (created automatically for Service type LoadBalancer)<\/li>\n<\/ul>\n\n\n\n<p>Optional (recommended for real environments):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure Container Registry<\/li>\n<li>Azure Monitor \/ Log Analytics workspace<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">9. 
Pricing \/ Cost<\/h2>\n\n\n\n<p>AKS costs are best understood as <strong>AKS management cost + underlying Azure infrastructure cost<\/strong>. Exact numbers vary by region, VM SKU, discounts (Reservations\/Savings Plans), and negotiated agreements\u2014so avoid relying on static estimates.<\/p>\n\n\n\n<p><strong>Official pricing page:<\/strong> https:\/\/azure.microsoft.com\/pricing\/details\/kubernetes-service\/<br\/>\n<strong>Azure Pricing Calculator:<\/strong> https:\/\/azure.microsoft.com\/pricing\/calculator\/<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (what you pay for)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Cluster management \/ control plane<\/strong><\/p>\n<ul>\n<li>In many common configurations, AKS control plane management is offered without a separate hourly fee.<\/li>\n<li>Certain features\/tiers (for example, uptime\/SLA options) may introduce a per-cluster charge.<\/li>\n<li><strong>Verify the current model and your cluster tier<\/strong> on the official pricing page.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Worker nodes (VMs)<\/strong><\/p>\n<ul>\n<li>You pay for node VMs (often VM Scale Sets under the hood).<\/li>\n<li>Cost depends on:\n<ul>\n<li>VM size (vCPU\/RAM)<\/li>\n<li>OS type (Linux\/Windows)<\/li>\n<li>On-demand vs Spot<\/li>\n<li>Reserved Instances \/ Savings Plans<\/li>\n<li>Region<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Storage<\/strong><\/p>\n<ul>\n<li>Managed disks for node OS and persistent volumes.<\/li>\n<li>Azure Files or other storage services if used.<\/li>\n<li>Snapshots\/backups if configured.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Networking<\/strong><\/p>\n<ul>\n<li>Load balancers, public IPs, NAT gateways, firewalls, and data egress.<\/li>\n<li>Inter-zone and outbound data transfer charges may apply depending on design.<\/li>\n<li>Private Link\/private endpoints for dependent services can add cost.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Observability<\/strong><\/p>\n<ul>\n<li>Log Analytics ingestion and retention can be substantial.<\/li>\n<li>Metrics and managed dashboards may have separate costs (verify current Azure Monitor pricing).<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Container registry<\/strong><\/p>\n<ul>\n<li>ACR SKU and storage\/egress for pulling images.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier (if applicable)<\/h3>\n\n\n\n<p>AKS often has no separate \u201cper cluster\u201d charge for basic management, but the definition of \u201cfree\u201d changes depending on SLAs and optional features. Treat \u201cfree tier\u201d claims carefully and <strong>confirm on the official pricing page<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Key cost drivers (most impactful)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Node VM size and count<\/strong> (largest lever).<\/li>\n<li><strong>Autoscaling behavior<\/strong> (peak capacity vs average utilization).<\/li>\n<li><strong>Log Analytics ingestion\/retention<\/strong> (especially in noisy clusters).<\/li>\n<li><strong>Egress traffic<\/strong> to the public internet and cross-zone\/cross-region transfers.<\/li>\n<li><strong>Load balancer + public IP footprints<\/strong> (one per service can add up if you expose many services directly).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden\/indirect costs to plan for<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Multiple environments<\/strong>: dev\/stage\/prod clusters multiply node and monitoring costs.<\/li>\n<li><strong>Overprovisioning<\/strong>: too many nodes due to conservative requests\/limits.<\/li>\n<li><strong>Idle clusters<\/strong>: clusters left running for dev\/test 24&#215;7.<\/li>\n<li><strong>DNS, TLS, WAF<\/strong>: production-grade ingress often requires additional services.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost (practical checklist)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Right-size node pools; use smaller VMs for dev\/test.<\/li>\n<li>Use the <strong>cluster autoscaler<\/strong> for variable load patterns.<\/li>\n<li>Use separate node pools for bursty workloads; consider <strong>Spot<\/strong> for fault-tolerant jobs (with eviction-aware design).<\/li>\n<li>Limit log collection:\n<ul>\n<li>reduce verbosity<\/li>\n<li>tune retention<\/li>\n<li>collect only required namespaces\/workloads when possible (capabilities depend on tooling).<\/li>\n<\/ul>\n<\/li>\n<li>Consolidate ingress paths rather than creating many public LoadBalancer services.<\/li>\n<li>Use reservations\/savings plans for steady baseline capacity.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (conceptual)<\/h3>\n\n\n\n<p>A minimal learning setup commonly includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1 small system node pool with 1\u20132 nodes<\/li>\n<li>1 public LoadBalancer service for a demo app<\/li>\n<li>Minimal logging<\/li>\n<\/ul>\n\n\n\n<p>Your monthly spend will mainly be:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VM runtime hours<\/li>\n<li>Managed disk storage<\/li>\n<li>Load balancer\/public IP<\/li>\n<li>Any log ingestion<\/li>\n<\/ul>\n\n\n\n<p>Because VM SKUs and prices vary by region, use the <strong>Azure Pricing Calculator<\/strong> and choose a small VM size available in your region.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>In a production design, costs often come from:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multiple node pools across zones (higher node count)<\/li>\n<li>ACR (private images), firewall\/NAT, private endpoints<\/li>\n<li>Observability at scale (logs\/metrics)<\/li>\n<li>WAF\/application gateway (if used)<\/li>\n<li>Higher availability patterns (extra replicas, surge capacity during upgrades)<\/li>\n<\/ul>\n\n\n\n<p>A common cost governance approach is to tag resource groups and standardize cluster naming to allocate spend per environment\/team.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">10. 
Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Deploy a small containerized web app to <strong>Azure Kubernetes Service (AKS)<\/strong>, expose it publicly using a Kubernetes <code>Service<\/code> of type <code>LoadBalancer<\/code>, verify functionality, and clean up resources safely.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create a resource group.<\/li>\n<li>Create an AKS cluster (small, cost-aware configuration).<\/li>\n<li>Connect to the cluster using <code>kubectl<\/code>.<\/li>\n<li>Deploy a sample app.<\/li>\n<li>Expose it via a public endpoint.<\/li>\n<li>Validate and troubleshoot.<\/li>\n<li>Clean up all resources.<\/li>\n<\/ol>\n\n\n\n<p>This lab uses only standard Kubernetes resources and the Azure CLI. It avoids advanced add-ons to keep it beginner-friendly and low-cost.<\/p>\n\n\n\n<blockquote>\n<p>Notes:<\/p>\n<ul>\n<li>Some flags and defaults change across AKS versions. If a command fails due to a CLI\/API change, use <code>az aks create -h<\/code> and <strong>verify in official docs<\/strong>.<\/li>\n<li>Costs will accrue while resources exist.<\/li>\n<\/ul>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Set variables and sign in<\/h3>\n\n\n\n<p>1) Open a terminal and sign in:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az login\n<\/code><\/pre>\n\n\n\n<p>2) Select the subscription (if you have more than one):<\/p>\n\n\n\n<pre><code class=\"language-bash\">az account list -o table\naz account set --subscription \"&lt;SUBSCRIPTION_ID_OR_NAME&gt;\"\n<\/code><\/pre>\n\n\n\n<p>3) Set variables:<\/p>\n\n\n\n<pre><code class=\"language-bash\">RG=\"rg-aks-lab\"\nLOCATION=\"eastus\"          # choose a region close to you\nAKS_NAME=\"aks-lab-001\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> You are authenticated and have a target subscription selected.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create a resource group<\/h3>\n\n\n\n<pre><code class=\"language-bash\">az group create --name 
\"$RG\" --location \"$LOCATION\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> A new resource group exists.<\/p>\n\n\n\n<p>Verify:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az group show --name \"$RG\" -o table\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create an AKS cluster (small and beginner-friendly)<\/h3>\n\n\n\n<p>Create a small cluster. This example uses a single node pool and enables a managed identity. VM size and node count must be available in your region.<\/p>\n\n\n\n<pre><code class=\"language-bash\">az aks create \\\n  --resource-group \"$RG\" \\\n  --name \"$AKS_NAME\" \\\n  --location \"$LOCATION\" \\\n  --node-count 1 \\\n  --generate-ssh-keys\n<\/code><\/pre>\n\n\n\n<p>Optional (recommended for many environments): choose a specific VM size:<\/p>\n\n\n\n<pre><code class=\"language-bash\"># Example only. Verify available sizes in your region.\naz aks create \\\n  --resource-group \"$RG\" \\\n  --name \"$AKS_NAME\" \\\n  --location \"$LOCATION\" \\\n  --node-count 1 \\\n  --node-vm-size \"Standard_DS2_v2\" \\\n  --generate-ssh-keys\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> AKS cluster is created successfully. 
This can take several minutes.<\/p>\n\n\n\n<p>Verify:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az aks show --resource-group \"$RG\" --name \"$AKS_NAME\" -o table\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Install kubectl (if needed) and get cluster credentials<\/h3>\n\n\n\n<p>Install kubectl via Azure CLI (if you don\u2019t have it):<\/p>\n\n\n\n<pre><code class=\"language-bash\">az aks install-cli\n<\/code><\/pre>\n\n\n\n<p>Get kubeconfig credentials:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az aks get-credentials --resource-group \"$RG\" --name \"$AKS_NAME\"\n<\/code><\/pre>\n\n\n\n<p>Check cluster connectivity:<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl get nodes\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> You see one (or more) nodes in <code>Ready<\/code> state.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Deploy a sample app (Deployment)<\/h3>\n\n\n\n<p>Create a namespace:<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl create namespace demo\n<\/code><\/pre>\n\n\n\n<p>Deploy a simple web app (NGINX is commonly used for demos):<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl -n demo create deployment web --image=nginx:stable\n<\/code><\/pre>\n\n\n\n<p>Check pods:<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl -n demo get pods -o wide\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> A pod is running (<code>Running<\/code> status). 
If it\u2019s <code>ContainerCreating<\/code>, wait and re-check.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Expose the app publicly (Service type LoadBalancer)<\/h3>\n\n\n\n<p>Expose the Deployment:<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl -n demo expose deployment web --port 80 --type LoadBalancer\n<\/code><\/pre>\n\n\n\n<p>Check the service:<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl -n demo get svc web -o wide\n<\/code><\/pre>\n\n\n\n<p>Wait for <code>EXTERNAL-IP<\/code> to appear (can take a few minutes). You can watch it:<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl -n demo get svc web -w\n<\/code><\/pre>\n\n\n\n<p>Once you have an external IP, test it:<\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -I http:\/\/&lt;EXTERNAL-IP&gt;\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> You receive an HTTP response (e.g., <code>HTTP\/1.1 200 OK<\/code> or <code>301\/302<\/code> depending on the image and headers).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Scale the app (simple scaling)<\/h3>\n\n\n\n<p>Scale to 3 replicas:<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl -n demo scale deployment web --replicas=3\nkubectl -n demo get pods -o wide\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> Three pods are running. Requests to the service are load-balanced across pods.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: Inspect cluster resources (what AKS created)<\/h3>\n\n\n\n<p>List resources in your resource group:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az resource list --resource-group \"$RG\" -o table\n<\/code><\/pre>\n\n\n\n<p>Also note that AKS typically creates a separate <strong>managed resource group<\/strong> for node resources (name often starts with <code>MC_...<\/code>). 
You can find it:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az aks show --resource-group \"$RG\" --name \"$AKS_NAME\" --query nodeResourceGroup -o tsv\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> You identify the node resource group where VMSS, NICs, and load balancer resources are created.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Run the following checks:<\/p>\n\n\n\n<p>1) Cluster health:<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl get nodes\nkubectl -n kube-system get pods\n<\/code><\/pre>\n\n\n\n<p>2) App health:<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl -n demo get deploy,po,svc -o wide\ncurl -I http:\/\/&lt;EXTERNAL-IP&gt;\n<\/code><\/pre>\n\n\n\n<p>3) Confirm load balancer provisioning events (if needed):<\/p>\n\n\n\n<pre><code class=\"language-bash\">kubectl -n demo describe svc web\n<\/code><\/pre>\n\n\n\n<p>You should see events indicating the Azure load balancer was provisioned and bound to the service.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p>Common issues and fixes:<\/p>\n\n\n\n<p>1) <strong><code>EXTERNAL-IP<\/code> stays <code>&lt;pending&gt;<\/code><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cause: load balancer provisioning issues, quota limits, or policy restrictions.<\/li>\n<li>Fix:\n<ul>\n<li>Check service events:\n<pre><code class=\"language-bash\">kubectl -n demo describe svc web\n<\/code><\/pre>\n<\/li>\n<li>Check Azure quotas (Public IPs\/Load Balancers) in your region.<\/li>\n<li>Confirm your subscription allows public IP allocation.<\/li>\n<li>If your organization blocks public endpoints, use an internal load balancer pattern (requires extra annotations and subnet planning\u2014verify in official docs).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>2) <strong>Pods stuck in <code>ImagePullBackOff<\/code><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cause: image pull errors, DNS failures, or outbound restrictions.<\/li>\n<li>Fix:\n<ul>\n<li>Inspect the pod events:\n<pre><code class=\"language-bash\">kubectl -n demo describe pod &lt;POD_NAME&gt;\n<\/code><\/pre>\n<\/li>\n<li>If egress is restricted (firewall\/UDR), allow access to the required registries or use a private ACR with proper permissions.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>3) <strong><code>kubectl get nodes<\/code> fails after <code>az aks get-credentials<\/code><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cause: context mismatch or authentication issues.<\/li>\n<li>Fix:\n<ul>\n<li>Check which context is active and switch if needed:\n<pre><code class=\"language-bash\">kubectl config get-contexts\nkubectl config use-context &lt;CONTEXT_NAME&gt;\n<\/code><\/pre>\n<\/li>\n<li>If using Entra ID integration, ensure you can authenticate per your org\u2019s flow (device code, browser auth, etc.).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>4) <strong><code>curl<\/code> to the external IP times out<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cause: NSGs, a corporate firewall, or load balancer rules not ready yet.<\/li>\n<li>Fix:\n<ul>\n<li>Wait a few minutes and retry.<\/li>\n<li>Confirm the service has endpoints (no endpoints means no ready pods behind it):\n<pre><code class=\"language-bash\">kubectl -n demo get endpoints web\n<\/code><\/pre>\n<\/li>\n<li>Ensure your network allows outbound HTTP to the IP.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing charges, delete the resource group (this removes the cluster and associated resources):<\/p>\n\n\n\n<pre><code class=\"language-bash\">az group delete --name \"$RG\" --yes --no-wait\n<\/code><\/pre>\n\n\n\n<p>Verify deletion:<\/p>\n\n\n\n<pre><code class=\"language-bash\">az group exists --name \"$RG\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> The resource group is deleted (may take several minutes). Costs stop accruing once resources are removed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>multiple node pools<\/strong> for:\n<ul>\n<li>system components (system node pool)<\/li>\n<li>user workloads (user node pool)<\/li>\n<li>specialized workloads (GPU, memory optimized)<\/li>\n<\/ul>\n<\/li>\n<li>Design for failure:\n<ul>\n<li>multiple replicas across nodes<\/li>\n<li>PodDisruptionBudgets<\/li>\n<li>readiness\/liveness probes<\/li>\n<\/ul>\n<\/li>\n<li>Prefer <strong>private connectivity<\/strong> for dependencies (databases, registries) using private endpoints where feasible.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>Microsoft Entra ID<\/strong> for authentication and Kubernetes RBAC for authorization.<\/li>\n<li>Avoid persistent admin kubeconfigs; prefer just-in-time access.<\/li>\n<li>Implement least privilege:\n<ul>\n<li>namespace-scoped Roles for app teams<\/li>\n<li>restrict <code>cluster-admin<\/code> to a small platform group<\/li>\n<\/ul>\n<\/li>\n<li>Separate duties:\n<ul>\n<li>platform admins manage cluster-wide resources<\/li>\n<li>app teams manage only their namespaces<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use autoscaling thoughtfully; set min\/max bounds.<\/li>\n<li>Right-size requests\/limits; avoid over-requesting CPU\/memory.<\/li>\n<li>Keep dev\/test clusters small; stop\/delete them when not in use.<\/li>\n<li>Control observability costs:\n<ul>\n<li>reduce noisy logs<\/li>\n<li>set retention appropriately<\/li>\n<li>only collect what you use<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use node labels\/taints to place latency-sensitive workloads appropriately.<\/li>\n<li>Prefer fewer, well-managed ingress endpoints instead of many load balancers.<\/li>\n<li>Use appropriate storage SKUs for stateful apps; test IOPS\/latency.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Plan upgrades:\n<ul>\n<li>test upgrades in a staging cluster<\/li>\n<li>use maintenance windows<\/li>\n<li>validate critical add-ons for Kubernetes version compatibility<\/li>\n<\/ul>\n<\/li>\n<li>Use multiple availability zones when the region supports it (and your SLA requires it).<\/li>\n<li>Keep core add-ons and controllers updated, but avoid unplanned changes in production.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Standardize:\n<ul>\n<li>cluster naming<\/li>\n<li>resource groups by environment<\/li>\n<li>labels\/annotations (<code>app<\/code>, <code>team<\/code>, <code>env<\/code>, <code>costCenter<\/code>)<\/li>\n<\/ul>\n<\/li>\n<li>Implement runbooks:\n<ul>\n<li>node not ready<\/li>\n<li>image pull failure<\/li>\n<li>DNS issues<\/li>\n<li>ingress 502\/504 troubleshooting<\/li>\n<\/ul>\n<\/li>\n<li>Monitor:\n<ul>\n<li>node CPU\/memory\/disk<\/li>\n<li>pod restarts<\/li>\n<li>error rates and latency at ingress<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resource group naming: <code>rg-&lt;app\/platform&gt;-&lt;env&gt;-&lt;region&gt;<\/code><\/li>\n<li>AKS cluster naming: <code>aks-&lt;platform&gt;-&lt;env&gt;-&lt;region&gt;-&lt;nnn&gt;<\/code><\/li>\n<li>Tags: <code>Environment<\/code>, <code>Owner<\/code>, <code>CostCenter<\/code>, <code>Application<\/code>, <code>DataClassification<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Humans\/operators<\/strong>:\n<ul>\n<li>Authenticate with Microsoft Entra ID<\/li>\n<li>Authorize with Kubernetes RBAC<\/li>\n<\/ul>\n<\/li>\n<li><strong>Workloads<\/strong>:\n<ul>\n<li>Prefer identity-based access to Azure services (workload identity patterns) rather than embedding secrets.<\/li>\n<li>If you must use secrets, scope them to namespaces and restrict access.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data at rest:\n<ul>\n<li>Node OS disks and managed disks support encryption capabilities in Azure; confirm your encryption requirements and SKUs.<\/li>\n<\/ul>\n<\/li>\n<li>Data in transit:\n<ul>\n<li>Use TLS at ingress.<\/li>\n<li>Consider mTLS between services where required (service mesh or app-level TLS).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Minimize public endpoints:\n<ul>\n<li>Use private clusters for the API server where required.<\/li>\n<li>Use internal load balancers for internal services.<\/li>\n<\/ul>\n<\/li>\n<li>Control egress:\n<ul>\n<li>Route outbound traffic through a firewall\/NVA for inspection and allowlisting when needed.<\/li>\n<\/ul>\n<\/li>\n<li>Apply network policies to restrict pod-to-pod communication (verify supported implementations for your networking mode).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid storing secrets in plain YAML.<\/li>\n<li>Use Kubernetes Secrets cautiously; base64 encoding is not encryption.<\/li>\n<li>Prefer integration with Azure Key Vault for sensitive material (exact driver\/add-on approach depends on current AKS guidance\u2014verify in official docs).<\/li>\n<li>Rotate secrets and credentials regularly.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable audit trails:\n<ul>\n<li>Azure activity logs for resource changes<\/li>\n<li>Kubernetes audit\/logging per your compliance needs (implementation details vary\u2014verify in official docs)<\/li>\n<\/ul>\n<\/li>\n<li>Centralize logs; restrict access to logs containing sensitive data.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Map controls to requirements (PCI, HIPAA, SOC, ISO).<\/li>\n<li>Use policy-as-code for guardrails.<\/li>\n<li>Implement image provenance controls:\n<ul>\n<li>restrict registries<\/li>\n<li>scan images<\/li>\n<li>enforce signed images if your toolchain supports it (verify your chosen approach)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Granting <code>cluster-admin<\/code> broadly.<\/li>\n<li>Exposing the Kubernetes API publicly without access controls.<\/li>\n<li>Allowing unrestricted outbound internet access from all namespaces.<\/li>\n<li>Running privileged containers unnecessarily.<\/li>\n<li>Not setting resource requests\/limits, leading to noisy-neighbor and DoS risks.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use a private ACR and restrict image sources.<\/li>\n<li>Enforce:\n<ul>\n<li>non-root containers where possible<\/li>\n<li>read-only root filesystem when feasible<\/li>\n<li>drop Linux capabilities unless required<\/li>\n<\/ul>\n<\/li>\n<li>Use Pod Security controls (current Kubernetes mechanisms evolve; verify the recommended approach for AKS and your Kubernetes version).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">13. 
Limitations and Gotchas<\/h2>\n\n\n\n<p>AKS is mature, but there are important realities to plan for.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitations \/ constraints (examples)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Kubernetes complexity remains<\/strong>: AKS manages the control plane, but you still own workload reliability, manifests, and incident response.<\/li>\n<li><strong>Region and version variance<\/strong>: not all Kubernetes versions and features are available in every region at the same time.<\/li>\n<li><strong>Networking choices affect scale<\/strong>:\n<ul>\n<li>Some networking modes consume more IPs.<\/li>\n<li>Pod density per node can be constrained by IP planning and CNI behavior.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Stateful workloads require care<\/strong>:\n<ul>\n<li>Storage performance and zonal behavior must match your HA design.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Windows node pools<\/strong>:\n<ul>\n<li>If you run Windows containers, verify feature parity, networking constraints, and image requirements in official docs.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Subscription vCPU quotas can block scaling unexpectedly.<\/li>\n<li>Public IP and load balancer quotas can impact service exposure patterns.<\/li>\n<li>Kubernetes object and node scaling limits exist\u2014<strong>verify current AKS limits<\/strong> in official documentation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Regional constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Availability Zones support differs per region.<\/li>\n<li>Private cluster and add-on availability varies\u2014validate before committing to an architecture.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Log Analytics ingestion and retention costs.<\/li>\n<li>Egress bandwidth charges for internet-facing or data-heavy workloads.<\/li>\n<li>Multiple load balancers\/public IPs from many <code>LoadBalancer<\/code> services.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compatibility issues<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Helm charts and controllers may not support your Kubernetes version immediately.<\/li>\n<li>Upgrades can remove deprecated APIs that your manifests still use; run API deprecation checks before upgrading.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ingress is not \u201cset and forget\u201d; certificates, routes, and controller upgrades need lifecycle management.<\/li>\n<li>Cluster upgrades require planning for disruption budgets and surge capacity.<\/li>\n<li>Mis-sized requests\/limits can cause:\n<ul>\n<li>poor bin packing (higher cost)<\/li>\n<li>evictions and instability<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Moving from self-managed Kubernetes to AKS can require:\n<ul>\n<li>networking redesign (IP ranges, ingress)<\/li>\n<li>identity redesign (Entra ID)<\/li>\n<li>storage class differences<\/li>\n<\/ul>\n<\/li>\n<li>Moving from AKS to another Kubernetes platform requires careful handling of:\n<ul>\n<li>load balancer\/ingress specifics<\/li>\n<li>managed identity integrations<\/li>\n<li>CSI driver behavior<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">14. 
Comparison with Alternatives<\/h2>\n\n\n\n<p>Below is a practical comparison of AKS with nearby options.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Azure Kubernetes Service (AKS)<\/strong><\/td>\n<td>Teams needing full Kubernetes<\/td>\n<td>Kubernetes-native APIs, strong Azure integration, flexible node pools<\/td>\n<td>Requires Kubernetes expertise; ops burden remains<\/td>\n<td>Standard choice for Kubernetes on Azure<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure Container Apps<\/strong><\/td>\n<td>Simpler microservices and event-driven apps<\/td>\n<td>Less infrastructure management, easier scaling model (service-focused)<\/td>\n<td>Less control than Kubernetes; platform constraints<\/td>\n<td>When you want PaaS simplicity over Kubernetes control<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure App Service (Containers)<\/strong><\/td>\n<td>Web apps\/APIs with minimal orchestration needs<\/td>\n<td>Strong PaaS experience, built-in scaling patterns<\/td>\n<td>Not Kubernetes; less suited for complex multi-service platform patterns<\/td>\n<td>When the workload is primarily web hosting and you want managed platform ops<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure Red Hat OpenShift (ARO)<\/strong><\/td>\n<td>Enterprises needing OpenShift and Red Hat support<\/td>\n<td>OpenShift ecosystem, enterprise support model<\/td>\n<td>Different operational model and cost profile<\/td>\n<td>When OpenShift-specific tooling\/compliance\/support is required<\/td>\n<\/tr>\n<tr>\n<td><strong>Self-managed Kubernetes on Azure VMs<\/strong><\/td>\n<td>Highly customized control plane or niche requirements<\/td>\n<td>Maximum control<\/td>\n<td>Highest ops burden, patching and HA complexity<\/td>\n<td>Only when AKS constraints prevent your requirements<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS EKS<\/strong><\/td>\n<td>Kubernetes on 
AWS<\/td>\n<td>Strong AWS ecosystem<\/td>\n<td>Different networking\/identity model<\/td>\n<td>Choose if your org is AWS-first<\/td>\n<\/tr>\n<tr>\n<td><strong>Google GKE<\/strong><\/td>\n<td>Kubernetes on Google Cloud<\/td>\n<td>Mature Kubernetes platform, strong autopilot options<\/td>\n<td>Different cloud dependencies<\/td>\n<td>Choose if your org is GCP-first<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: regulated internal platform for multiple teams<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A financial services company needs a standardized container platform for 20+ internal apps with strict network controls and auditability.<\/li>\n<li><strong>Proposed architecture:<\/strong>\n<ul>\n<li>AKS in a spoke VNet, integrated into a hub-spoke network<\/li>\n<li>Private cluster API endpoint with private DNS<\/li>\n<li>Egress routed through Azure Firewall with allowlists<\/li>\n<li>Private endpoints for ACR and Key Vault<\/li>\n<li>Centralized logging to Log Analytics with defined retention<\/li>\n<li>Azure Policy for AKS enforcing baseline controls (no privileged pods, resource limits required, allowed registries)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why AKS was chosen:<\/strong>\n<ul>\n<li>Kubernetes standardization across teams<\/li>\n<li>Azure-native identity and networking integration<\/li>\n<li>Ability to implement strong governance without building a platform from scratch<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected outcomes:<\/strong>\n<ul>\n<li>Faster onboarding of new services with reusable templates<\/li>\n<li>Improved audit posture and reduced risk of misconfiguration<\/li>\n<li>Better cost visibility through standardized tagging and capacity controls<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: SaaS API with predictable growth<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A startup has 8 microservices and expects traffic growth; they want a scalable platform but must control spend.<\/li>\n<li><strong>Proposed architecture:<\/strong>\n<ul>\n<li>Single AKS cluster with two node pools (system + user)<\/li>\n<li>ACR for private images<\/li>\n<li>One ingress controller for all services<\/li>\n<li>Autoscaling for the user node pool with conservative limits<\/li>\n<li>Basic monitoring with carefully set log retention<\/li>\n<\/ul>\n<\/li>\n<li><strong>Why AKS was chosen:<\/strong>\n<ul>\n<li>Supports microservices growth and standard Kubernetes tooling<\/li>\n<li>Consolidates services onto a shared runtime<\/li>\n<li>Avoids rewriting deployment tooling later when scale increases<\/li>\n<\/ul>\n<\/li>\n<li><strong>Expected outcomes:<\/strong>\n<ul>\n<li>Controlled costs with autoscaling and right-sizing<\/li>\n<li>Faster release cycles with standardized deployments<\/li>\n<li>Clear path to production hardening as the company grows<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1) Is Azure Kubernetes Service (AKS) the same as Kubernetes?<\/h3>\n\n\n\n<p>No. AKS is a managed Azure service that runs Kubernetes clusters. Kubernetes is the open-source platform; AKS provides a managed way to operate it on Azure.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2) Do I still need Kubernetes expertise with AKS?<\/h3>\n\n\n\n<p>Yes. Azure manages the control plane, but you still manage workloads, manifests, upgrade planning, networking behaviors, troubleshooting, and security posture.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3) What do I pay for with AKS?<\/h3>\n\n\n\n<p>You pay for worker nodes (VMs) and related resources (storage, networking, logging). 
AKS control plane pricing depends on tier\/features\u2014check the official AKS pricing page for the current model.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4) How do I expose an application publicly on AKS?<\/h3>\n\n\n\n<p>Commonly via:\n&#8211; A Kubernetes <code>Service<\/code> of type <code>LoadBalancer<\/code> (simple)\n&#8211; An ingress controller (recommended for multiple HTTP services)\nProduction often uses a single ingress front end with TLS and routing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5) Can AKS run stateful workloads?<\/h3>\n\n\n\n<p>Yes, using Persistent Volumes via CSI drivers (e.g., Azure Disks\/Azure Files). You must design for storage performance, backups, and availability-zone behavior.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6) Can I make my AKS cluster private?<\/h3>\n\n\n\n<p>AKS supports private cluster patterns where the Kubernetes API endpoint is not publicly accessible. This requires network and DNS planning (private DNS, VPN\/ExpressRoute, etc.). Verify current setup steps in official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7) How do I control who can access the cluster?<\/h3>\n\n\n\n<p>Use Microsoft Entra ID for authentication and Kubernetes RBAC for authorization. Grant access via groups and least-privilege roles.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">8) What is a node pool?<\/h3>\n\n\n\n<p>A node pool is a group of nodes (VMs) with the same configuration. 
You typically use multiple node pools to isolate system components and tailor compute to different workloads.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9) What\u2019s the difference between a Deployment and a Service?<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Deployment<\/strong> manages pods (replicas, rolling updates).<\/li>\n<li><strong>Service<\/strong> provides stable networking and load balancing to pods.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) How do I update applications safely?<\/h3>\n\n\n\n<p>Use rolling updates with Deployments, define readiness probes, set PodDisruptionBudgets, and use progressive delivery patterns (blue\/green\/canary) where needed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">11) Does AKS support Windows containers?<\/h3>\n\n\n\n<p>AKS can support Windows node pools for Windows container workloads. Feature parity and constraints can differ; verify in official docs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">12) How do I connect AKS to Azure Container Registry (ACR)?<\/h3>\n\n\n\n<p>Commonly by granting the cluster identity permissions (e.g., <code>AcrPull<\/code>) on the registry and configuring network access. Exact steps vary; follow official guidance.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">13) How should I monitor AKS?<\/h3>\n\n\n\n<p>Use Azure Monitor\/Container insights for cluster logs and metrics, plus application-level telemetry (OpenTelemetry\/Prometheus patterns depending on your stack). 
Manage retention to control cost.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">14) What are common reasons pods can\u2019t pull images?<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Missing registry permissions<\/li>\n<li>Network egress restrictions<\/li>\n<li>DNS issues<\/li>\n<li>Incorrect image reference\/tag<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">15) Can I run multiple environments in one AKS cluster?<\/h3>\n\n\n\n<p>Yes, via namespaces and policy\/RBAC isolation, but many teams prefer separate clusters for production vs non-production to reduce blast radius and simplify access controls.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">16) What\u2019s a good first production hardening step after a basic cluster works?<\/h3>\n\n\n\n<p>Implement:\n&#8211; Entra ID + RBAC (if not already)\n&#8211; private registry (ACR) and restrict allowed registries\n&#8211; centralized monitoring with defined retention\n&#8211; least-privilege network exposure (ingress consolidation; internal services private)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">17) How often should I upgrade AKS?<\/h3>\n\n\n\n<p>Regularly\u2014Kubernetes versions have support windows and deprecations. Use a predictable cadence (for example, quarterly) and test in staging first. Verify the current AKS Kubernetes version support policy in official docs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">17. 
Top Online Resources to Learn Azure Kubernetes Service (AKS)<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>AKS documentation (Learn) \u2013 https:\/\/learn.microsoft.com\/azure\/aks\/<\/td>\n<td>Primary source for AKS concepts, how-to guides, and feature documentation<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>AKS pricing \u2013 https:\/\/azure.microsoft.com\/pricing\/details\/kubernetes-service\/<\/td>\n<td>Current pricing model and cost dimensions<\/td>\n<\/tr>\n<tr>\n<td>Pricing calculator<\/td>\n<td>Azure Pricing Calculator \u2013 https:\/\/azure.microsoft.com\/pricing\/calculator\/<\/td>\n<td>Build region-specific cost estimates for VMs, storage, and monitoring<\/td>\n<\/tr>\n<tr>\n<td>Getting started<\/td>\n<td>Create an AKS cluster (official tutorial) \u2013 https:\/\/learn.microsoft.com\/azure\/aks\/tutorial-kubernetes-deploy-cluster<\/td>\n<td>Step-by-step official onboarding for AKS<\/td>\n<\/tr>\n<tr>\n<td>Architecture center<\/td>\n<td>Azure Architecture Center (AKS baseline\/reference architectures) \u2013 https:\/\/learn.microsoft.com\/azure\/architecture\/<\/td>\n<td>Production patterns and reference designs; search for AKS baseline architectures<\/td>\n<\/tr>\n<tr>\n<td>Security<\/td>\n<td>AKS security guidance \u2013 https:\/\/learn.microsoft.com\/azure\/aks\/security-baseline<\/td>\n<td>Security recommendations and baseline controls<\/td>\n<\/tr>\n<tr>\n<td>Networking<\/td>\n<td>AKS networking concepts \u2013 https:\/\/learn.microsoft.com\/azure\/aks\/concepts-network<\/td>\n<td>Understand network plugins, IP planning, and traffic flow<\/td>\n<\/tr>\n<tr>\n<td>Observability<\/td>\n<td>Monitor AKS (Container insights) \u2013 https:\/\/learn.microsoft.com\/azure\/azure-monitor\/containers\/container-insights-overview<\/td>\n<td>Practical monitoring\/logging setup and 
operational guidance<\/td>\n<\/tr>\n<tr>\n<td>CLI reference<\/td>\n<td><code>az aks<\/code> CLI reference \u2013 https:\/\/learn.microsoft.com\/cli\/azure\/aks<\/td>\n<td>Accurate CLI syntax and up-to-date parameters<\/td>\n<\/tr>\n<tr>\n<td>Kubernetes upstream<\/td>\n<td>Kubernetes docs \u2013 https:\/\/kubernetes.io\/docs\/home\/<\/td>\n<td>Authoritative Kubernetes object and behavior documentation<\/td>\n<\/tr>\n<tr>\n<td>Samples (official)<\/td>\n<td>Azure Samples on GitHub \u2013 https:\/\/github.com\/Azure-Samples<\/td>\n<td>Many AKS-related examples and deployment patterns (validate repo relevance)<\/td>\n<\/tr>\n<tr>\n<td>Videos (official)<\/td>\n<td>Microsoft Azure YouTube \u2013 https:\/\/www.youtube.com\/@MicrosoftAzure<\/td>\n<td>Product updates, walkthroughs, and architecture content (search for AKS topics)<\/td>\n<\/tr>\n<tr>\n<td>Community learning<\/td>\n<td>CNCF landscape \u2013 https:\/\/landscape.cncf.io\/<\/td>\n<td>Map the Kubernetes ecosystem and commonly used tools<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<p>The following providers are listed as neutral training resources. 
Confirm course outlines, schedules, and accreditation details directly on their websites.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, platform teams, beginners<\/td>\n<td>DevOps + Kubernetes + cloud operational practices<\/td>\n<td>check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>DevOps learners, CI\/CD practitioners<\/td>\n<td>SCM, DevOps tooling, automation fundamentals<\/td>\n<td>check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud engineers, operations teams<\/td>\n<td>Cloud operations and DevOps practices (verify AKS-specific offerings)<\/td>\n<td>check website<\/td>\n<td>https:\/\/cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, reliability engineers, platform teams<\/td>\n<td>SRE practices: SLOs, incident response, observability<\/td>\n<td>check website<\/td>\n<td>https:\/\/sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops teams, monitoring\/automation engineers<\/td>\n<td>AIOps concepts, monitoring automation (verify AKS relevance)<\/td>\n<td>check website<\/td>\n<td>https:\/\/aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<p>These are listed as trainer-related sites\/platforms. 
Verify specific AKS course availability and trainer profiles directly.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/Kubernetes training content (verify exact scope)<\/td>\n<td>Beginners to intermediate engineers<\/td>\n<td>https:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps and Kubernetes training (verify AKS modules)<\/td>\n<td>DevOps engineers, students<\/td>\n<td>https:\/\/devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps consulting\/training listings (verify offerings)<\/td>\n<td>Teams seeking short-term help<\/td>\n<td>https:\/\/devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and training resources (verify AKS coverage)<\/td>\n<td>Ops\/DevOps teams needing practical support<\/td>\n<td>https:\/\/devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">20. Top Consulting Companies<\/h2>\n\n\n\n<p>These organizations are listed neutrally. 
Validate service catalogs, case studies, and references directly on their websites.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company Name<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify AKS specialization)<\/td>\n<td>Platform setup, CI\/CD, cloud migrations<\/td>\n<td>AKS cluster landing zone design; CI\/CD standardization; observability rollout<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps consulting and training<\/td>\n<td>DevOps transformation, Kubernetes adoption<\/td>\n<td>AKS onboarding; GitOps pipeline implementation; best-practice hardening workshops<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify offerings)<\/td>\n<td>Automation, container platforms, operations<\/td>\n<td>AKS cost review; security baseline implementation; incident response runbooks<\/td>\n<td>https:\/\/devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before AKS<\/h3>\n\n\n\n<p>To succeed with Azure Kubernetes Service (AKS), build fundamentals in:\n&#8211; <strong>Linux basics<\/strong>: processes, networking, DNS, filesystems\n&#8211; <strong>Containers<\/strong>: Docker fundamentals, images, registries, runtime concepts\n&#8211; <strong>Kubernetes fundamentals<\/strong>:\n  &#8211; Pods, Deployments, Services, Ingress\n  &#8211; ConfigMaps and Secrets\n  &#8211; namespaces, RBAC basics\n  &#8211; requests\/limits, probes, rolling updates\n&#8211; <strong>Azure fundamentals<\/strong>:\n  &#8211; resource groups, VNets\/subnets, NSGs\n  &#8211; identities (managed identities, Entra ID basics)\n  &#8211; load balancers and private networking<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after AKS<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production networking<\/strong>:<\/li>\n<li>ingress controllers, TLS automation, internal vs external exposure<\/li>\n<li>egress control and hub-spoke design<\/li>\n<li><strong>Observability<\/strong>:<\/li>\n<li>logging pipelines, metrics, tracing (OpenTelemetry)<\/li>\n<li>SLOs\/SLIs and alerting strategy<\/li>\n<li><strong>Security hardening<\/strong>:<\/li>\n<li>policy guardrails, image supply chain, secret management<\/li>\n<li>workload identity patterns and least privilege<\/li>\n<li><strong>Platform engineering<\/strong>:<\/li>\n<li>GitOps (Flux\/Argo CD)<\/li>\n<li>service catalogs, templates, golden paths<\/li>\n<li><strong>Reliability engineering<\/strong>:<\/li>\n<li>disaster recovery planning<\/li>\n<li>chaos testing approaches<\/li>\n<li>capacity management<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use AKS<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Engineer (Azure)<\/li>\n<li>DevOps Engineer<\/li>\n<li>Site Reliability Engineer (SRE)<\/li>\n<li>Platform Engineer<\/li>\n<li>Kubernetes Administrator \/ Kubernetes Platform 
Owner<\/li>\n<li>Security Engineer (cloud\/container security)<\/li>\n<li>Solutions Architect<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (Azure and Kubernetes)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure fundamentals and architect paths (Azure certifications evolve; verify current options on Microsoft Learn).<\/li>\n<li>Kubernetes certifications:<\/li>\n<li>CKA\/CKAD\/CKS from CNCF\/Linux Foundation (useful for Kubernetes skills; not Azure-specific).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Build a multi-service app (API + worker + frontend) with Helm.<\/li>\n<li>Implement GitOps deployments to AKS.<\/li>\n<li>Create a private cluster pattern in a hub-spoke VNet (in a sandbox subscription).<\/li>\n<li>Add policy guardrails (require resource limits; restrict registries).<\/li>\n<li>Implement structured logging + dashboards and alerts with an error budget approach.<\/li>\n<li>Run a controlled upgrade simulation and document a runbook.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AKS<\/strong>: Azure Kubernetes Service, Azure\u2019s managed Kubernetes offering.<\/li>\n<li><strong>Kubernetes<\/strong>: Open-source platform for container orchestration.<\/li>\n<li><strong>Cluster<\/strong>: A Kubernetes deployment consisting of control plane and worker nodes.<\/li>\n<li><strong>Control plane<\/strong>: Kubernetes components that manage the cluster (API server, scheduling, controllers). 
Managed by Azure in AKS.<\/li>\n<li><strong>Node<\/strong>: A worker machine (VM) that runs Kubernetes pods.<\/li>\n<li><strong>Node pool<\/strong>: A group of nodes with the same configuration (VM size, OS, scaling settings).<\/li>\n<li><strong>Pod<\/strong>: The smallest deployable unit in Kubernetes; one or more containers sharing network\/storage context.<\/li>\n<li><strong>Deployment<\/strong>: Kubernetes object that manages stateless app replicas and rolling updates.<\/li>\n<li><strong>Service<\/strong>: Stable endpoint for accessing a set of pods; can be internal or external.<\/li>\n<li><strong>Ingress<\/strong>: L7 HTTP\/HTTPS routing rules to services, implemented by an ingress controller.<\/li>\n<li><strong>Namespace<\/strong>: Logical partition in a cluster for isolation and organization.<\/li>\n<li><strong>RBAC<\/strong>: Role-Based Access Control; controls who can do what in Kubernetes.<\/li>\n<li><strong>CNI<\/strong>: Container Network Interface; defines how pods get network connectivity.<\/li>\n<li><strong>CSI<\/strong>: Container Storage Interface; defines how storage is provisioned\/attached for Kubernetes.<\/li>\n<li><strong>HPA<\/strong>: Horizontal Pod Autoscaler; scales pod replicas based on metrics.<\/li>\n<li><strong>Cluster autoscaler<\/strong>: Scales node count based on pending pods and capacity.<\/li>\n<li><strong>ACR<\/strong>: Azure Container Registry, private registry for container images.<\/li>\n<li><strong>Log Analytics<\/strong>: Azure log store and query engine commonly used with Azure Monitor.<\/li>\n<li><strong>Azure Policy for AKS<\/strong>: Governance controls to audit\/enforce cluster configuration and workload constraints.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Azure Kubernetes Service (AKS) is Azure\u2019s managed Kubernetes platform in the <strong>Compute<\/strong> category. 
It provides a managed control plane and integrates deeply with Azure identity, networking, storage, and monitoring so you can run Kubernetes workloads without operating the control plane yourself.<\/p>\n\n\n\n<p>AKS matters because Kubernetes is a powerful standard for container orchestration, but it brings operational complexity. AKS reduces that complexity while still giving you Kubernetes-native flexibility for microservices, internal platforms, and regulated enterprise workloads.<\/p>\n\n\n\n<p>Cost is primarily driven by worker nodes (VMs), networking resources, storage, and observability ingestion\/retention. Security success depends on Entra ID + RBAC, minimizing public exposure, controlling egress, using strong secret management patterns, and enforcing governance with policy.<\/p>\n\n\n\n<p>Use AKS when you need Kubernetes compatibility and a flexible platform. Prefer simpler Azure container PaaS options when Kubernetes control is unnecessary. Next, build hands-on confidence by extending the lab: add a private registry (ACR), an ingress controller with TLS, and a baseline set of policies and monitoring tuned for 
production.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Compute<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40,26,27],"tags":[],"class_list":["post-398","post","type-post","status-publish","format-standard","hentry","category-azure","category-compute","category-containers"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/398","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=398"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/398\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=398"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=398"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=398"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}