- Published on
Azure AKS Enterprise Platform: Skalierbare Anwendungen für Konzerne
- Authors
- Name
- Phillip Pham
- @ddppham
Warum Azure AKS für Enterprise-Umgebungen?
Azure Kubernetes Service (AKS) ist die führende Managed Kubernetes-Plattform für Enterprise-Umgebungen. Im Gegensatz zu On-Premise Kubernetes bietet AKS:
- Managed Control Plane - Microsoft übernimmt die Kubernetes-Verwaltung
- Enterprise-Grade Security - Azure AD Integration, RBAC, Network Policies
- Automatische Skalierung - Cluster und Pod Auto-Scaling
- Multi-Region Deployment - Globale Verfügbarkeit
- Cost Optimization - Spot Instances, Reserved Instances
- Compliance - ISO 27001, SOC 2, DSGVO-konform
Enterprise AKS Architektur
# Enterprise AKS Architecture
azure-aks-enterprise:
infrastructure:
aks-clusters:
- production-cluster:
region: 'West Europe'
node-count: 10-50
vm-size: 'Standard_D8s_v3'
os-disk-size: 128GB
- staging-cluster:
region: 'West Europe'
node-count: 5-20
vm-size: 'Standard_D4s_v3'
os-disk-size: 64GB
- development-cluster:
region: 'West Europe'
node-count: 3-10
vm-size: 'Standard_D2s_v3'
os-disk-size: 32GB
networking:
vnet: Custom VNet mit Subnetzen
network-policy: Azure Network Policy
load-balancer: Azure Load Balancer
ingress: NGINX Ingress Controller
security:
identity: Azure AD + Azure RBAC
secrets: Azure Key Vault
compliance: Azure Policy
monitoring:
logging: Azure Monitor + Log Analytics
metrics: Azure Monitor + Prometheus
alerting: Azure Monitor Alerts
Phase 1: AKS Cluster Setup
1.1 Azure CLI & Tools Setup
# Azure CLI installieren
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
# Azure CLI login
az login
# AKS CLI Tools installieren
az aks install-cli
# Subscription setzen
az account set --subscription "your-subscription-id"
1.2 Resource Group & VNet Setup
# Resource Group erstellen
az group create \
--name "rg-aks-enterprise" \
--location "West Europe"
# VNet erstellen
az network vnet create \
--resource-group "rg-aks-enterprise" \
--name "vnet-aks" \
--address-prefix "10.0.0.0/16" \
--subnet-name "subnet-aks" \
--subnet-prefix "10.0.1.0/24"
# Subnet für Application Gateway (optional)
az network vnet subnet create \
--resource-group "rg-aks-enterprise" \
--vnet-name "vnet-aks" \
--name "subnet-appgw" \
--address-prefix "10.0.2.0/24"
1.3 AKS Cluster erstellen
# Production AKS Cluster
az aks create \
--resource-group "rg-aks-enterprise" \
--name "aks-production" \
--node-count 3 \
--node-vm-size "Standard_D8s_v3" \
--network-plugin "azure" \
--network-policy "azure" \
--vnet-subnet-id "/subscriptions/.../subnets/subnet-aks" \
--enable-managed-identity \
--enable-aad \
--enable-azure-rbac \
--enable-cluster-autoscaler \
--min-count 3 \
--max-count 50 \
--enable-addons monitoring \
--workspace-resource-id "/subscriptions/.../workspaces/loganalytics-workspace" \
--generate-ssh-keys
# Staging AKS Cluster
az aks create \
--resource-group "rg-aks-enterprise" \
--name "aks-staging" \
--node-count 2 \
--node-vm-size "Standard_D4s_v3" \
--network-plugin "azure" \
--network-policy "azure" \
--vnet-subnet-id "/subscriptions/.../subnets/subnet-aks" \
--enable-managed-identity \
--enable-aad \
--enable-azure-rbac \
--enable-cluster-autoscaler \
--min-count 2 \
--max-count 20 \
--enable-addons monitoring \
--workspace-resource-id "/subscriptions/.../workspaces/loganalytics-workspace"
Phase 2: Enterprise Security Setup
2.1 Azure AD Integration
# azure-ad-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: azure-ad-cluster-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: 'azure-ad-group-id' # Azure AD Group ID
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: developer-role
namespace: default
rules:
- apiGroups: ['']
resources: ['pods', 'services', 'configmaps']
verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
- apiGroups: ['apps']
resources: ['deployments', 'replicasets']
verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
2.2 Azure Key Vault Integration
# key-vault-csi-driver.yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: azure-kvname
namespace: default
spec:
provider: azure
parameters:
usePodIdentity: 'false'
useVMManagedIdentity: 'true'
userAssignedIdentityID: 'managed-identity-client-id'
keyvaultName: 'your-key-vault-name'
objects: |
array:
- |
objectName: "database-password"
objectType: "secret"
objectVersion: ""
- |
objectName: "api-key"
objectType: "secret"
objectVersion: ""
secretObjects:
- data:
- key: password
objectName: database-password
- key: api-key
objectName: api-key
secretName: app-secrets
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: app-with-secrets
spec:
replicas: 3
selector:
matchLabels:
app: app-with-secrets
template:
metadata:
labels:
app: app-with-secrets
spec:
containers:
- name: app
image: your-app:latest
volumeMounts:
- name: secrets-store-inline
mountPath: '/mnt/secrets-store'
readOnly: true
volumes:
- name: secrets-store-inline
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: 'azure-kvname'
Phase 3: Monitoring & Observability
3.1 Azure Monitor Integration
# azure-monitor-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: azure-monitor-config
namespace: monitoring
data:
prometheus-config.yaml: |
global:
scrape_interval: 30s
evaluation_interval: 30s
scrape_configs:
- job_name: 'kubernetes-pods'
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: kubernetes_namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: kubernetes_pod_name
3.2 Grafana Dashboards für AKS
# aks-grafana-dashboard.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: aks-cluster-dashboard
namespace: monitoring
labels:
grafana_dashboard: '1'
data:
aks-cluster-dashboard.json: |
{
"dashboard": {
"id": null,
"title": "AKS Cluster Overview",
"tags": ["azure", "aks", "kubernetes"],
"panels": [
{
"id": 1,
"title": "Node CPU Usage",
"type": "graph",
"targets": [
{
"expr": "100 - (avg by (instance) (irate(node_cpu_seconds_total{mode=\"idle\"}[5m])) * 100)",
"legendFormat": "{{instance}}"
}
]
},
{
"id": 2,
"title": "Node Memory Usage",
"type": "graph",
"targets": [
{
"expr": "(node_memory_MemTotal_bytes - node_memory_MemAvailable_bytes) / node_memory_MemTotal_bytes * 100",
"legendFormat": "{{instance}}"
}
]
},
{
"id": 3,
"title": "Pod Status by Namespace",
"type": "piechart",
"targets": [
{
"expr": "sum(kube_pod_status_phase) by (phase, namespace)",
"legendFormat": "{{namespace}} - {{phase}}"
}
]
},
{
"id": 4,
"title": "Azure Load Balancer Health",
"type": "stat",
"targets": [
{
"expr": "azure_loadbalancer_health_probe_status",
"legendFormat": "{{probe_name}}"
}
]
}
]
}
}
Phase 4: Microservices Migration
4.1 Monolith zu Microservices Migration
# migration-strategy.yaml
migration-phases:
phase-1-strangler-fig:
description: 'Strangler Fig Pattern - Schrittweise Migration'
steps:
- 'API Gateway vor Monolith platzieren'
- 'Neue Features als Microservices entwickeln'
- 'Alte Features schrittweise migrieren'
- 'Traffic graduell umleiten'
phase-2-database-migration:
description: 'Database Migration Strategy'
steps:
- 'Shared Database Pattern'
- 'Database per Service Pattern'
- 'Event Sourcing für Datenkonsistenz'
phase-3-deployment-strategy:
description: 'Blue-Green Deployment'
steps:
- 'Neue Version parallel deployen'
- 'Traffic schrittweise umleiten'
- 'Alte Version nach Validierung entfernen'
4.2 Service Mesh mit Istio
# istio-service-mesh.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: monolith-vs
spec:
hosts:
- 'api.company.com'
gateways:
- company-gateway
http:
- match:
- uri:
prefix: '/api/v1'
route:
- destination:
host: monolith-service
port:
number: 8080
weight: 70
- destination:
host: microservice-v1
port:
number: 8080
weight: 30
- match:
- uri:
prefix: '/api/v2'
route:
- destination:
host: microservice-v2
port:
number: 8080
weight: 100
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: monolith-destination
spec:
host: monolith-service
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
connectionPool:
tcp:
maxConnections: 100
http:
http1MaxPendingRequests: 1024
maxRequestsPerConnection: 10
outlierDetection:
consecutive5xxErrors: 5
interval: 30s
baseEjectionTime: 30s
Phase 5: Multi-Cloud Management mit Crossplane
5.1 Crossplane Setup für AKS
# crossplane-aks-provider.yaml
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-azure
spec:
package: crossplane/provider-azure:v0.19.0
---
apiVersion: azure.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
name: azure-provider-config
spec:
credentials:
source: Secret
secretRef:
namespace: crossplane-system
name: azure-secret
key: credentials
---
apiVersion: containerservice.azure.crossplane.io/v1beta1
kind: AKSCluster
metadata:
name: aks-crossplane
spec:
forProvider:
location: 'West Europe'
resourceGroupName: 'rg-aks-enterprise'
kubernetesVersion: '1.28.0'
dnsPrefix: 'aks-crossplane'
defaultNodePool:
name: 'default'
count: 3
vmSize: 'Standard_D8s_v3'
osDiskSizeGB: 128
enableAutoScaling: true
minCount: 3
maxCount: 50
networkProfile:
networkPlugin: 'azure'
networkPolicy: 'azure'
serviceCidr: '10.0.0.0/16'
dnsServiceIP: '10.0.0.10'
dockerBridgeCidr: '172.17.0.1/16'
providerConfigRef:
name: azure-provider-config
5.2 Multi-Cloud Resource Management
# multi-cloud-resources.yaml
apiVersion: database.example.org/v1alpha1
kind: PostgreSQLInstance
metadata:
name: production-db
spec:
forProvider:
region: 'West Europe'
version: '13'
size: 'Standard_D8s_v3'
storageGB: 100
backupRetentionDays: 30
providerConfigRef:
name: azure-provider-config
---
apiVersion: cache.example.org/v1alpha1
kind: RedisInstance
metadata:
name: production-cache
spec:
forProvider:
region: 'West Europe'
size: 'Standard_C4'
sku: 'Standard'
capacity: 2
providerConfigRef:
name: azure-provider-config
---
apiVersion: storage.example.org/v1alpha1
kind: BlobStorage
metadata:
name: app-storage
spec:
forProvider:
region: 'West Europe'
accountTier: 'Standard'
accountReplicationType: 'GRS'
accessTier: 'Hot'
providerConfigRef:
name: azure-provider-config
Phase 6: Developer Platform (IDP)
6.1 Internal Developer Platform Setup
# idp-platform.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: idp-config
namespace: platform
data:
platform-config.yaml: |
apiVersion: platform.company.com/v1
kind: PlatformConfig
spec:
environments:
- name: development
cluster: "aks-development"
namespace: "dev"
resourceQuota:
cpu: "4"
memory: "8Gi"
- name: staging
cluster: "aks-staging"
namespace: "staging"
resourceQuota:
cpu: "8"
memory: "16Gi"
- name: production
cluster: "aks-production"
namespace: "prod"
resourceQuota:
cpu: "16"
memory: "32Gi"
services:
- name: "web-api"
type: "REST API"
language: "Node.js"
framework: "Express"
database: "PostgreSQL"
cache: "Redis"
monitoring: "Prometheus"
logging: "ELK Stack"
templates:
- name: "microservice-template"
source: "https://github.com/company/microservice-template"
variables:
- name: "SERVICE_NAME"
- name: "DATABASE_NAME"
- name: "API_VERSION"
6.2 Self-Service Portal
# self-service-portal.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: idp-portal
namespace: platform
spec:
replicas: 2
selector:
matchLabels:
app: idp-portal
template:
metadata:
labels:
app: idp-portal
spec:
containers:
- name: portal
image: company/idp-portal:latest
env:
- name: AZURE_CLIENT_ID
valueFrom:
secretKeyRef:
name: azure-credentials
key: client-id
- name: AZURE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: azure-credentials
key: client-secret
- name: AZURE_TENANT_ID
valueFrom:
secretKeyRef:
name: azure-credentials
key: tenant-id
ports:
- containerPort: 8080
resources:
requests:
memory: '256Mi'
cpu: '250m'
limits:
memory: '512Mi'
cpu: '500m'
---
apiVersion: v1
kind: Service
metadata:
name: idp-portal-service
namespace: platform
spec:
selector:
app: idp-portal
ports:
- port: 80
targetPort: 8080
type: ClusterIP
Cost Optimization
7.1 AKS Cost Management
# cost-optimization.yaml
cost-strategies:
node-pool-optimization:
- 'Spot Instances für Development/Staging'
- 'Reserved Instances für Production'
- 'Auto-Scaling basierend auf Workload'
resource-optimization:
- 'Resource Requests/Limits optimieren'
- 'Pod Disruption Budgets verwenden'
- 'Horizontal Pod Autoscaler konfigurieren'
storage-optimization:
- 'Managed Disks mit Premium Tier'
- 'Azure Files für Shared Storage'
- 'Azure Blob Storage für Backups'
7.2 Resource Quotas & Limits
# resource-quotas.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
name: production-quota
namespace: production
spec:
hard:
requests.cpu: '16'
requests.memory: 32Gi
limits.cpu: '32'
limits.memory: 64Gi
persistentvolumeclaims: '20'
services.loadbalancers: '10'
services.nodeports: '20'
---
apiVersion: v1
kind: LimitRange
metadata:
name: production-limits
namespace: production
spec:
limits:
- default:
cpu: 1000m
memory: 2Gi
defaultRequest:
cpu: 500m
memory: 1Gi
type: Container
Troubleshooting
Common AKS Issues
1. Node Pool Scaling Issues
# Node Pool Status prüfen
az aks show --resource-group rg-aks-enterprise --name aks-production --query agentPoolProfiles
# Node Pool manuell skalieren
az aks scale --resource-group rg-aks-enterprise --name aks-production --node-count 5
# Auto-Scaling Status prüfen
az aks show --resource-group rg-aks-enterprise --name aks-production --query agentPoolProfiles[0].enableAutoScaling
2. Network Connectivity Issues
# VNet Integration prüfen
az aks show --resource-group rg-aks-enterprise --name aks-production --query networkProfile
# Network Policies prüfen
kubectl get networkpolicies --all-namespaces
# Service Endpoints prüfen
az network vnet subnet show --resource-group rg-aks-enterprise --vnet-name vnet-aks --name subnet-aks --query serviceEndpoints
3. Azure AD Integration Issues
# Azure AD Integration Status
az aks show --resource-group rg-aks-enterprise --name aks-production --query aadProfile
# RBAC Status prüfen
az aks show --resource-group rg-aks-enterprise --name aks-production --query enableAzureRbac
# Cluster Admin Credentials abrufen
az aks get-credentials --resource-group rg-aks-enterprise --name aks-production --admin
Fazit
Azure AKS als Enterprise-Plattform bietet enorme Vorteile:
- Managed Kubernetes - Microsoft übernimmt die Control Plane
- Enterprise Security - Azure AD, RBAC, Network Policies
- Multi-Cloud Ready - Crossplane für Multi-Cloud Management
- Developer Experience - Self-Service Platform (IDP)
- Cost Optimization - Spot Instances, Auto-Scaling
- Compliance - Enterprise-Grade Compliance
Nächste Schritte:
- AKS Cluster nach diesem Guide aufsetzen
- Azure AD Integration konfigurieren
- Monitoring und Observability implementieren
- Microservices Migration planen
- Developer Platform (IDP) aufbauen
Mit diesem Setup haben Sie eine enterprise-ready AKS-Plattform, die den Anforderungen von Konzernen entspricht und skalierbare Anwendungen ermöglicht.
📖 Verwandte Artikel
Weitere interessante Beiträge zu ähnlichen Themen
azureaks
AKS GPU Workloads Kostenrechner: Azure Kubernetes Service für ML/AI in Deutschland 2025
🚀 Kompletter Guide für GPU-basierte Workloads auf Azure AKS mit interaktivem Kostenrechner. ML/AI-Projekte in Deutschland optimal planen und budgetieren. Inkl. Tesla V100/T4 Vergleich!
azureaks
Azure Kubernetes Services Anfänger | Jetzt implementieren
Azure Kubernetes Services Anfänger: Kompletter Guide für AKS-Einsteiger. Jetzt implementieren und erste Anwendung deployen!
migrationmicroservices
Kubernetes Migration: Legacy-Anwendungen erfolgreich migrieren
Wie deutsche Unternehmen Legacy-Anwendungen erfolgreich auf Kubernetes migrieren – von Monolith zu Microservices bis hin zu Cloud-Native Architekturen.