Running Kubernetes well is hard: it takes skilled people inside the organization to assemble and maintain the integrations that make a cluster production-ready. To address this, two technology giants, Microsoft and Red Hat, have joined forces to co-develop, jointly operate and support an enterprise, managed version of the OpenShift Kubernetes platform on Azure.
What is ARO?
ARO, short for “Azure Red Hat OpenShift”, is an enterprise-grade platform built on open-source OpenShift for running container-based workloads. It comes with unified sign-up, service management and technical support from both vendors, offers fully managed clusters, covers several regulatory compliance standards and integrates with other Azure services.
Looking at the bigger picture
Let’s look at ARO’s architecture in a bit more detail, and at what it provides to end users.
An overview of ARO’s architecture
ARO is provisioned with two Azure load balancers: a “Master Load Balancer” in front of the console and the API, and a separate “Wildcard App Zone Load Balancer” that exposes the applications running as pods on the worker nodes.
The Azure resources and OpenShift nodes that make up the cluster, including the master, infra and worker nodes, are exposed to the customer in read-only mode: you can inspect them but not modify them. Microsoft enforces this so it can back the service with an SLA. At the time of writing, ARO had a guaranteed monthly SLA of 99.9%.
Provisioning & Integration
ARO is provisioned with a single, simplified command.
The following Azure CLI command creates a cluster from scratch with minimal effort. Some prerequisites apply, among them creating a service principal for the cluster, and the Azure AD integration described below has to be decided on at this point as well.
az openshift create -n AROCluster -g AROResourceGroup
Once provisioning is done, you can check the cluster details as follows:
az openshift show -n AROCluster -g AROResourceGroup
VNET peering with an existing VNET has to be requested when the cluster is deployed (at the time of writing, the `--vnet-peer` option of `az openshift create`), as it cannot be added or changed afterwards.
Looking to destroy the cluster?
az openshift delete -n AROCluster -g AROResourceGroup
Solution availability and pricing
For an updated regional availability of the solution please check this link.
The pricing of an ARO cluster is computed on the resources used by the whole cluster, which includes the master, infra and compute nodes, as described in this link. For a pay-as-you-go cluster this adds up to more than 43k euro a year. The price does not include any data transfer or storage fees.
Compliance & Security
For access control, ARO integrates with a proven identity provider, Azure AD, and uses Kubernetes RBAC (Role-Based Access Control) to decide what an authenticated user may do inside the cluster.
Azure AD supports Multi-Factor Authentication (MFA) and Single Sign-On. When ARO is linked to Azure AD, logins to the console and the API go through Azure AD, so MFA is enforced for cluster access whenever Azure AD requires it for those users (for example through a Conditional Access policy). Authentication alone does not grant any rights in the cluster; authorization is still defined by RBAC bindings per project.
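What such an RBAC binding looks like, as an added example that is not from the original article or from ARO’s own documentation: two RoleBindings in one project, one granting the built-in `edit` ClusterRole to a developer and one granting the built-in `view` ClusterRole to an auditor, both identified by their Azure AD login. The project name `payments` and the user names are assumptions; the exact user name OpenShift records after an Azure AD login should be checked with `oc whoami`.

```yaml
# Added example: least-privilege, per-project bindings for Azure AD users.
# Assumed project "payments" and assumed user names (UPN-style).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-developer-edit
  namespace: payments
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit            # built-in: manage workloads, cannot change RBAC or quotas
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: alice@contoso.example   # assumed Azure AD user
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-auditor-view
  namespace: payments
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view            # built-in: read-only, no Secrets
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: bob@contoso.example     # assumed Azure AD user
```

Apply with `oc apply -f rolebindings.yaml` and verify the effect before handing the project over, for example `oc auth can-i create deployments -n payments --as alice@contoso.example` (expected `yes`) and `oc auth can-i delete deployments -n payments --as bob@contoso.example` (expected `no`). Binding to a ClusterRole inside a RoleBinding scopes the role to that project only; using a ClusterRoleBinding instead would grant the same rights cluster-wide.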
Microsoft Azure holds many certifications covering various compliance regimes, such as ISO 27001, SOC, HIPAA, HITRUST and more. The full set of Azure compliance offerings is listed in this link.
The ARO cluster runs in an Azure Virtual Network (VNET). The ARO VNET can be connected to an existing VNET via VNET peering and carries an additional layer of network security, including network security groups.
Inside the cluster, ARO can also enforce more segregated networking, with policies that restrict or allow cross-project communication. This is done with Kubernetes NetworkPolicy objects, enforced by the OpenShift SDN network plugin at the Open vSwitch layer. As in upstream Kubernetes, pods that no NetworkPolicy selects accept all traffic, so a default-deny policy in each project is the starting point.
An API gateway in front of the exposed applications is recommended for finer control at the application layer.
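The project isolation described above, as an added example that is not from the original article or from ARO’s own configuration: three NetworkPolicy objects for one project that deny all inbound traffic by default, re-allow traffic between pods of the same project, and open a single port of one application to the OpenShift router. The project name `payments`, the pod label `app: payments-api`, the port 8080 and the `name: default` label on the router’s project (added with `oc label namespace default name=default`, as the OpenShift 3.11 documentation suggests) are assumptions.

```yaml
# Added example: per-project isolation with Kubernetes NetworkPolicy.
# Assumed project "payments"; assumed router namespace label "name=default".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}        # selects every pod in the project
  policyTypes:
  - Ingress              # no ingress rules listed => all inbound traffic denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-project
  namespace: payments
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}    # empty podSelector without namespaceSelector => same project only
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-router-to-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-api  # assumed label of the pods exposed through a Route
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: default  # assumed: project where the OpenShift router runs
    ports:
    - protocol: TCP
      port: 8080         # assumed container port
```

Apply with `oc apply -f networkpolicy.yaml` and test from a pod in another project, for example `oc run curl-test -n other-project --rm -it --image=curlimages/curl -- curl -m 5 http://payments-api.payments.svc:8080`, which should time out once the policies are in place, while the same request from a pod inside `payments` should still succeed. These policies only restrict inbound traffic; outbound traffic from the project is not limited by them.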
Honest return on experience
Enjoy my next Article: “Azure Red Hat Openshift — An honest Return-on-Experience”
Keep in mind that this is only a quick overview of Azure Red Hat OpenShift. Many other factors go into selecting the most suitable solution for your customer, depending on project size and needs: cost, performance, features, regional availability and, above all, compliance and IT security.
A solution is never an equally good solution for all.