I recently added a new playground to cloud-playground-infra: a fully automated KAITO-on-AKS environment.

By the way, you should also check out my other blog post on what cloud-playground-infra helps us do.

What is KAITO?

KAITO (Kubernetes AI Toolchain Operator) is an operator that automates AI/ML model inference and tuning workloads in Kubernetes. Microsoft has enabled KAITO on AKS. KAITO simplifies running AI/ML inference by:

• Automatic node provisioning - Spins up GPU/CPU nodes based on model requirements
• Model lifecycle management - Downloads weights, manages inference server lifecycle
• Preset models - Built-in support for popular models (Llama, Mistral, Falcon, Phi, etc.)
• Custom models - Deploy your own models from HuggingFace, Azure Blob Storage, Azure Files, or Azure ML Model Registry
• OpenAI-compatible API - Provides a standard interface for inference calls

KAITO on AKS vs. Microsoft Foundry

You might wonder: why use KAITO on AKS, when Microsoft Foundry offers thousands of models for inference? Well both approaches solve different problems. Some teams benefit from having both available, while others should choose carefully depending on which industry they serve. Microsoft Foundry is an excellent PaaS product. It gives customers a fully managed, secure, and production-ready platform for running LLMs without touching GPU infrastructure. So, how do we go about understanding when a Kubernetes-native approach like KAITO on AKS makes sense?

Side-by-Side Overview

When KAITO on AKS Makes Sense

Use KAITO on AKS when you need data to remain in your environment, want consistent compute-based costs, have strict compliance requirements, or need deep customization of how models run.

When Microsoft Foundry Makes Sense

Use Foundry when you want a fully managed experience, access to proprietary models like GPT‑4 or Claude, consumption-based pricing, and no GPU or cluster management.

Architecture

KAITO follows the classic Kubernetes CRD/controller pattern. Its major components are:

• Workspace controller - Reconciles the Workspace custom resource, triggers node provisioning via NodeClaim CRDs, and creates inference/tuning workloads based on model preset configurations
• Node provisioner controller (gpu-provisioner) - Uses Karpenter-core NodeClaim CRD to integrate with Azure Resource Manager APIs, automatically adding GPU nodes to AKS clusters

Source: Project KAITO

Preset Models

AKS has enabled support for several open-source models that can be deployed with minimal configuration using KAITO. Instead of defining a custom inference template, you simply specify the preset name in your workspace manifest.

See the full list: KAITO Supported Models

Note: Preset models require GPU-enabled node pools. The current minimum requirement is Standard_NC24ads_A100_v4. Ensure your Azure subscription has sufficient GPU quota. This POC uses a custom model on CPU instead, as GPU quota was not available.

An example preset manifest is available at assets/kubernetes/kaito_preset_model.yaml.

apiVersion: kaito.sh/v1beta1
kind: Workspace
metadata:
  name: ${name}
  namespace: ${namespace}
  # annotations:
  #   kaito.sh/enablelb: "True"  # Creates LoadBalancer service automatically (testing only, not for production)

resource:
  instanceType: ${instanceType} # Must be GPU-enabled instance type.  Ensure your subscription has quota.
  labelSelector:
    matchLabels:
      apps: ${appLabel}

inference:
  preset:
    name: ${presetName}

Custom Models

For more advanced deployments, see the example manifests in assets/kubernetes/:

The custom manifests are much more complex and involved than the preset ones. I encourage you to take a look inside my repo in assets/kubernetes/.

Testing the Model

Infrastructure Overview

The Terraform configuration (terraform/main.tf) provisions:

• AKS Cluster - Kubernetes 1.34.2 with KAITO enabled
• Kubernetes Namespace - kaito-custom-cpu-inference for isolating KAITO workloads
• KAITO Workspace - Custom model deployment (bigscience/bloomz-560m) with kaito.sh/enablelb: "True" annotation for automatic LoadBalancer creation

Note: The kaito.sh/enablelb annotation automatically creates a LoadBalancer service with a public IP. This is for testing only and is NOT recommended for production. For production, use an Ingress Controller to safely expose the service.

POC Model Details

This POC uses bigscience/bloomz-560m, a small multilingual instruction-tuned model (~2.2GB) from Hugging Face. It runs on CPU for simplicity (no GPU quota required). By the way, Hugging Face is basically the open-source registry for modern AI models. Think of it as the GitHub for models that developers can download, fine‑tune, and run anywhere — including on AKS.

Configure kubectl

After deployment, configure kubectl to connect to your AKS cluster:

kaito@aks:~$ az aks get-credentials --resource-group <resource-group> --name <cluster-name>
Merged "aks-********" as current context in ****\.kube\config

Verify that AKS cluster was configured correctly:

kaito@aks:~$ kubectl config get-contexts
CURRENT   NAME                      CLUSTER                   AUTHINFO                                 NAMESPACE
*         aks-********              aks-********              clusterUser_*********_aks-********

kaito@aks:~$ kubectl get namespaces
NAME                         STATUS   AGE
default                      Active   13m
kaito-custom-cpu-inference   Active   11m
kube-node-lease              Active   13m
kube-public                  Active   13m
kube-system                  Active   13m

kaito@aks:~$ kubectl get workspaces -n kaito-custom-cpu-inference
NAME                    INSTANCE           RESOURCEREADY   INFERENCEREADY   JOBSTARTED   WORKSPACESUCCEEDED   AGE
bloomz-560m-workspace   Standard_D16s_v5   True            True                          True                 12m

kaito@aks:~$ kubectl get pods -n kaito-custom-cpu-inference
NAME                                     READY   STATUS    RESTARTS   AGE
bloomz-560m-workspace-78f597c8b8-q5m86   1/1     Running   0          11m

Testing with LoadBalancer

When the kaito.sh/enablelb: "True" annotation is enabled, you can test the inference endpoint directly from your machine using curl:

1. Set the external IP:

# Get the external IP (service name matches workspace name)
kaito@aks:~$ KAITO_IP=$(kubectl get svc bloomz-560m-workspace -n kaito-custom-cpu-inference -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

kaito@aks:~$ echo "KAITO endpoint: http://$KAITO_IP"
KAITO endpoint: http://**.***.***.***

2. Check health:

kaito@aks:~$ curl http://$KAITO_IP/health
{
  "status":"Healthy"
}

3. Sample prompts:

# Question answering
kaito@aks:~$ curl --max-time 60 -X POST http://$KAITO_IP/chat \
  -H "Content-Type: application/json" \
  -d '{
    "prompt": "Is pineapple on a pizza acceptable?",
    "return_full_text": false,
    "generate_kwargs": {
      "max_new_tokens": 256,
      "do_sample": false
    }
  }'
{
  "Result":" no"
}

kaito@aks:~$ curl --max-time 60 -X POST http://$KAITO_IP/chat \
  -H "Content-Type: application/json" \
  -d '{
    "prompt": "Is a tomato a fruit or a vegetable?",
    "return_full_text": false,
    "generate_kwargs": {
      "max_new_tokens": 256,
      "do_sample": false
    }
  }'
{
  "Result":" vegetable"
}

kaito@aks:~$ curl --max-time 60 -X POST http://$KAITO_IP/chat \
  -H "Content-Type: application/json" \
  -d '{
    "prompt": "Answer briefly: What is cloud computing?",
    "return_full_text": false,
    "generate_kwargs": {
      "max_new_tokens": 256,
      "do_sample": false
    }
  }'
{
  "Result":" Cloud computing is a service that allows users to access data and services from a central location."
}

Final Thoughts

So now you’re asking - which should I use: KAITO on AKS or Microsoft Foundry? The answer - it depends.

KAITO on AKS isn’t meant to replace Microsoft Foundry, and it shouldn’t. Foundry is the right tool when you want a fully managed platform, access to premium proprietary models like GPT‑5 or Claude, simple pay‑as‑you‑go pricing, and zero responsibility for GPUs, cluster operations or infrastructure overhead.

KAITO on AKS, on the other hand, is ideal for when your data must stay inside your own environment, when you prefer predictable compute-only costs, when compliance is non‑negotiable, or when you need full control over how your models are configured and executed.

One of the things I always tell people who are learning cloud is this: you need a safe space to experiment. Practice, practice, practice. Somewhere you can break stuff, try new patterns, rebuild quickly.

That’s why I built this: cloud-playground-infra.

Why I Put This Together

I’ve been in plenty of conversations with peers and customers who want to “get hands-on” but aren’t sure how to do it without risk. My answer has always been: build a playground.

But instead of manually clicking around in the Azure portal, I wanted a repeatable, codified setup. Besides, clicking around the portal may be good conceptually but it is definitely not representative of real world scenarios. So I created something modular enough where I can spin up only the pieces I need, swap parts in and out, and still have a consistent foundation. And something that shows the differences between tools like Terraform and Bicep while making it dead simple to use either one in practice.

What’s Inside

The repo is structured to be modular and language-agnostic. Pick your favorite IaC language (Bicep or Terraform) and follow directions in the README within the cloud-playground-infra repo.

This is where it gets powerful. The repo already includes two CI/CD pipelines: terraform-deploy.yml for Terraform deployments and bicep-deploy.yml for Bicep deployments.

You don’t need to wire up your own automation — just call the workflow for the language you prefer, and the pipeline handles the provisioning end to end. To emphasize again, this assumes you’ve followed instructions in the README within the cloud-playground-infra repo.

The idea is simple: cloud playgrounds. You can work in Terraform or Bicep and run the corresponding pipeline. The GitHub Actions Workflows abstract the heavy lifting — you just choose your IaC language and run the pipeline.

Every cloud-native solution starts with a foundation. In this case, it’s a C# console application — intentionally simple, but architecturally aligned with the broader goal: building a full-stack, AI-enabled assistant powered by Azure OpenAI and deployed to Azure Kubernetes Service (AKS).

This console app simulates GPT-style prompts and responses. But more importantly, it sets the tone for the rest of the system — clean architecture, async-first design, and modular components that scale from local dev to production-grade cloud.

🔗 View the code on GitHub

Why Start with a Console App?

Before deploying to AKS or wiring up Azure OpenAI, I wanted to isolate the core logic: prompt handling, response simulation, and structured logging. This CLI tool provides a focused environment to build and test that logic — without distractions.

It’s not a prototype. It’s a foundational component.

What It Does

The copilot-console-simulator:

• Accepts user input from the terminal
• Simulates a GPT-4 Turbo-style response
• Logs prompt/response pairs to an in-memory list or JSON file
• Uses interfaces and dependency injection for clean separation of concerns
• Is structured to plug directly into the backend API layer

Built with the Right Tools

This project was developed entirely in Visual Studio Code, using:

• .NET 9
• ILogger<T> for structured logging
• async/await for non-blocking I/O
• Clean architecture patterns (interfaces, DI, separation of concerns)

To accelerate development and stay in flow, I used GitHub Copilot Chat and Agent Mode. This combination allowed me to:

• Scaffold services and interfaces quickly
• Ask contextual questions directly in the IDE
• Stay focused on architecture and flow, not boilerplate

Strategic Fit

This app is the first of several purpose-built repositories that make up the full solution:

• gpt-api-backend: ASP.NET Core Web API that connects to Azure OpenAI and SQL Server
• gpt-web-client: Razor/Blazor frontend for chat interaction
• gpt-db-schema: SQL schema + EF Core scaffolding
• iac-terraform and iac-bicep: Infrastructure-as-code for AKS, ACR, Key Vault, and more

Each repo is modular, version-controlled, and aligned with cloud-native best practices.

Example Interaction

Welcome to the Copilot Console Simulator!
Session ID: abc123de
Type your questions or commands. Type 'exit' to quit.
Special commands: 'history' to view conversation history, 'clear' to clear history
----------------------------------------------------------------------

You: Hello, how are you?
Copilot: Great question! I think the key thing to consider is: When it comes to coding, I always recommend following best practices and writing clean, maintainable code.

You: Can you help me with a programming problem?
Copilot: I'm here to help! That's an interesting question! Let me think about that for a moment. Feel free to ask me anything you'd like assistance with.

You: history
--- Conversation History (Session: abc123de) ---
[14:30:15] You: Hello, how are you?
[14:30:16] Copilot: Great question! I think the key thing to consider is: When it comes to coding, I always recommend following best practices and writing clean, maintainable code.

[14:30:45] You: Can you help me with a programming problem?
[14:30:46] Copilot: I'm here to help! That's an interesting question! Let me think about that for a moment. Feel free to ask me anything you'd like assistance with.
--- End of History ---

You: exit
Thank you for using the Copilot Console Simulator!

What’s Next

With the simulator complete, the next step is designing the database schema and scaffolding EF Core models. From there, I’ll move into the API layer, frontend, containerization, and infrastructure deployment.

This is a journey — and this console app is the first real checkpoint.

TL;DR

📁 Repo: copilot-console-simulator

🧠 Built with: GitHub Copilot Chat + Agent Mode

🛠️ Editor: Visual Studio Code

🧱 Runtime: .NET 9

Let’s keep building.

Azure Kubernetes Service (AKS) is a powerful tool for managing containerized applications at scale. However, as organizations adopt AKS, the question of multi-tenancy often arises: how do you design an architecture that balances reliability, cost, and security when serving multiple tenants? For smaller companies with limited funding, where cost-optimization is paramount, this question is particularly crucial.

Having worked at a large Fortune 50 organization, where cloud cost was not always a critical strategic decider, I witnessed firsthand how cloud costs, initially seen as manageable, ballooned over time and became a significant issue. Cloud costs became such a significant issue, that they contributed to cost-cutting across IT, including layoffs (or RIFs as they are colloquially known). Now, working for a smaller organization, I’ve come to appreciate the “magic triangle” of cloud cost (directly related to funding), reliability and security. These three elements must work hand in hand to build a sustainable, scalable, secure and cost-conscious infrastructure. What does this mean in the context of Azure and Kubernetes?

The answer lies in identifying the “sweet spot” for multi-tenancy. While the Azure Architecture Center outlines several approaches with pros and cons, there is a sweet spot for startups and smaller organizations. This post explores that sweet spot: using namespaces as tenant separators to separate transactional workloads, combined with strict security measures to maintain isolation and control.

Why Namespace-Based Multi-Tenancy?

Namespaces in Kubernetes provide logical separation within a cluster, making them an ideal candidate for multi-tenancy in cost-conscious environments. Here are a few reasons why namespace-based separation is appealing:

1. Cost Efficiency: Running separate clusters for each tenant can be prohibitively expensive. By sharing a single AKS cluster, you reduce the operational and financial overhead associated with maintaining multiple clusters.

2. Resource Management: Kubernetes namespaces allow you to apply resource quotas, limits, and policies at the namespace level. This enables you to allocate resources fairly and prevent tenants from over-consuming cluster resources.

3. Scalability: A namespace-based approach is well-suited to scaling tenant workloads within a single cluster, allowing smaller companies to start lean and expand gradually.

Achieving Secure Namespace Separation

Security is a common concern when sharing a cluster across multiple tenants. To address this, it is critical to implement robust measures that prevent cross-tenant interference.

Kubernetes’ built-in network policies can enforce strict traffic isolation. For example, you can configure network policies to:

• Block communication between namespaces.
• Allow traffic only from trusted ingress controllers.
• Restrict egress traffic to specific external endpoints.

To limit network traffic for pods within a namespace so that they can only communicate with other pods in the same namespace, you can define a Kubernetes NetworkPolicy as follows:

   apiVersion: networking.k8s.io/v1
   kind: NetworkPolicy
   metadata:
     name: <restrict-to-namespace>
     namespace: <your-namespace-name>
   spec:
     podSelector: {}
     policyTypes:
     - Ingress
     - Egress
     ingress:
     - from:
       - podSelector: {}
     egress:
     - to:
       - podSelector: {}

There you have it! Pretty simple and straightforward. We can use NetworkPolicy to balance security and optimize cost using a single Kubernetes cluster. For more information and more complex scenarios, take a look at the official Kubernetes Network Policies documentation.

Separate Resource Groups

However, here I must caution you against using namespaces for anything but purely transactional workloads that do not store data. While technically possible, I find it more challenging. While namespaces handle separation within a cluster for transaction based processing through pods, other Azure resources that store data (such as Storage Accounts, Databases, Key Vaults, etc.) should reside in tenant-specific Resource Groups (RGs). Data needs to be strictly separated to maintain compliance and security. Azure Platform as a Service (PaaS) offerings separated in tenant-specific RGs offload operational burden for organizations with limited staff and funding.

Final Thoughts

For startups and smaller companies, namespace-based multi-tenancy offers a pragmatic balance between cost and control. By leveraging namespaces for separation and implementing strict security measures, you can create a multi-tenant architecture that scales with your business.

Introduction

Nowdays there are many ways to host your web app ranging from containerization for portability to full-fledged IaaS (Infrastructure as a Service) deployments. However, these two options come with significant management overhead, which can be quite challenging. Another solution is choosing a platform, which manages this for you; this is often referred to as Platform as a Service (PaaS). Two popular choices represent Azure and Heroku. However, the choice between these two depends on individual application as well as business requirements. Let’s assume this scenario: a team is using Azure currently, but wants to consider Heroku. Let’s take a look at how this shakes out!

Requirements

In Scope

How would you begin analyzing a showdown between Azure and Heroku? Obviously, we’ll need to settle on some requirements. For this, let’s consider two important benchmarks: security and performance. This is a business critical application so performance is paramount. We’ll also need to make sure to host our database in Azure. Sensitive data will be flowing, so we’ll need to take that into account.

Additional Assumptions

Let’s assume this Ruby on Rails application requires pretty significant up-time. As a result, this business critical application requires High Availability (HA). Additionally, usually it is best practice for companies to advertise one IP address to the world. Multiple IP addresses can present challenges and unnecessary security risks. This analysis also assumes that SNAT (Source Network Address Translation) is required, so that only one IP address is advertised. This will avoid exposing additional attack vectors. Finally, one last assumption: this is a standard 3-tier app with a web front-end, an API middle tier, and a back-end database tier.

Out of Scope

For this analysis I have ommitted focusing on DevOps and CI/CD and how that could affect the outcome. Both platforms offer support for Git and should offer support for popular code repositories like GitHub. However, this adds an aditional layer of complexity and takes away from the main concerns of analyzing the impact on performance and security. DevOps and CI/CD practices wouldn’t necessarily change this analysis focused on security and performance.

Similarly, I have ommitted disaster recovery (DR), as this, again, introduces an additional layer of complexity and would require global load balancers (like Traffic Manager). This takes away from the main two requirements of analyzing security and performance. This would not change the analysis on performance and security.

Finally, I have also ommitted showing a Content Delivery Network (CDN) for cashing, which, for a critical application should probably be part of the architecture.

Option 1: Azure

Architecture Option 1

First, we’ll require a Hub-and-Spoke architecture. Most LOB (line of business) applications should be separated into their own subscriptions and as a result their own virtual networks (VNets). This creates an additional layer of security as it makes a blast radius of an attack smaller. Take a look at the Azure’s Cloud Adoption Framework Landing Zones for a more detailed deep dive on this. The only public endpoint will be a public IP attached to an Application Gateway (Azure’s Layer 7 load balancer), which will use the WAFv2 SKU to protect incoming web traffic. For application hosting, we should utilize an isolated Internal Load Balancer (ILB) Application Serivce Environment (ASE). This will ensure private traffic for security. App Services, Azure’s PaaS option, in an isolated environment can host a Ruby on Rails application either as a Linux web app or inside a Docker container. ASEs are great for workloads that require

• High scale
• Isolation and secure network access
• High memory utilization
• High requests per second (RPS). You can create multiple App Service Environments in a single Azure region or across multiple Azure regions. This flexibility makes an App Service Environment ideal for horizontally scaling stateless applications with a high RPS requirement.

Additionally, to further keep traffic private, we’ll utilize Private Endpoints to connect to an Azure SQL database. This combination offers full control of traffic flow, and is completely isolated over private network connections within a single LOB VNet with private IPs. This demonstrates network enclaving and offers protection and reduces the blast radius should an attack by a malicious actor occur.

Finally, in order to satisfy our HA requirement for this business-critical application, we’ll utilize zone-redundant deployments for all of our resources.

Pros

• Team is familiar with and currently uses Azure
• Network enclaving increases security and reduces risk
• Fine-grained security control
• Better performance, especially when both application and database are hosted on Azure
• Integration with Microsoft Ecosystem

Cons

• App Service support for Ruby has ended, requiring containerization
• Infrastructure complexity
• Management overhead

Architecture Option 2

Another similar option to ASEs represents Azure Container Apps (ACA). Ever wanted to deploy your containers to Kubernetes but found all the plumbing too complicated? This is where ACA comes in as a managed Kubernetes platform. Whereas Azure Kubernetes Service (AKS) only abstracts away the Kubernetes control plane, ACA takes it a step further and also abstracts away everything else. ACA represents a fully managed Kubernetes PaaS. Most of the architecture will be similar to our ASE architecture above, but now instead of App Services, we are using ACA containers. The architecture appears simpler, cleaner. We maintain security through enclaving and deploying the ACA into an existing VNet with existing security controls. For more information on this see Azure Container Apps Environment Security.

Pros

• Team is familiar with and currently uses Azure
• Network enclaving increases security and reduces risk
• Fine-grained security control
• Better performance, especially when both application and database are hosted on Azure
• Integration with Microsoft Ecosystem
• Includes functionality for auto-scaling and versioning

Cons

• Kubernetes-specific knowledge still required to reap most benefits
• Infrastructure complexity
• Management overhead

Option 2: Heroku

Architecture Option 1

The combination of Heroku application hosting and Azure database hosting creates additional complexity. For security, right out of the gate we want to use Heroku Shield Spaces. This will offer isolation and security similar to Azure Application Service Environments (ASEs) or Azure Container App (ACA) Environments for isolated hosting. Here are the major selling points for Heroku Shield:

• Dedicated environment for high compliance apps
• Ability to sign BAAs for HIPAA compliance
• PCI compliance
• Keystroke logging
• Space level log drains
• Strict TLS enforcement

However, we still need to ensure network enclaving for Azure and individual VNets for LOB applications. Additionally, we’ll need to secure traffic in transit between our Ruby on Rails application hosted in Heroku and our database hosted in Azure. For this, we’ll use a Site-to-Site VPN at a minimum. Heroku offers this very capability with Shield Space VPN Connections. This VPN tunnel offers redundancy and IPSec encryption. (Another option would be to use HTTPS/TLS encrypted traffic, but this would not only introduce additional latency, it would also let our sensitive data flow accross the internet. This is the least desirable option and I would not recommend this.)

Finally, we’ll also need to still utilize the same Site-to-Site VPN tunnel for egress traffic from Heroku through our Azure VNet in order to only expose one public business IP address using SNAT.

Pros

• Heroku Shield is offered for high compliance applications
• Ruby applications can run natively and do not require containerization
• Managed infrastructure offers simplicity
• Applications can be up and running fast

Cons

• Limited control due to managed infrastructure
• Complicated network routing with additional hops and points of failure between Heroku and Azure
• Degraded performance due to additional Site-to-Site VPN hops, which introduce additional latency
• Increased security risk because traffic flows over open internet, even though it is encrypted over a VPN tunnel
• Team has not worked with Heroku
• Potential for vendor lock-in

Architecture Option 2

But what would our Heroku architecture look like if both our web app and database were hosted in Heroku? As can be seen in the diagram below, this represents a massive simplification of the architecture. Not only do we drop the need to containerize our Ruby on Rails application as is the case with Azure PaaS services, but now we can also utilize Heroku Postgres for Shield Spaces. Our entire architecture can now be hosted in Heroku, inside an isolated, secure environment built specifically for high compliance applications.

Pros

• Heroku Shield is offered for high compliance applications
• Ruby applications can run natively and do not require containerization
• Managed infrastructure offers simplicity
• Applications can be up and running fast
• Heroku Postgres for Shield Spaces addition massively simplifies architecture

Cons

• Limited control due to managed infrastructure
• Team has not worked with Heroku
• Potential for vendor lock-in

Recommendation

The choice between Azure and Heroku application hosting for Ruby on Rails depends on project size, complexity, priorities, level of needed control and business direction. Azure offers ASEs and ACAs as PaaS options for performance and high scale through isolation. This is ideal for larger, complex applications requiring flexibility, scalability and fine-grained control. Similarly, a team’s familiarity and built-out processes currently existing with Azure should not be discounted, because migrating those to Heroku could introduce additional cost and risk.

However, Heroku could offer faster application deployments for tasks such as prototyping and proof of concepts. Heroku is great for simplicity and fast deployment, because it does not require containerization for Ruby on Rails applications. In addition, if we drop the requirement to keep data on Azure, Heroku offers a clear choice - it massively simplifies the cloud architecture and maintainability. However, if there is a hard requirement to keep data within Azure, this creates additional complexity and really handicaps Heroku as a choice, because a Site-to-Site VPN would degrade performance and decrease security.

In the end, if a team currently uses containers to deploy a Ruby on Rails application, and absolutely must maintain data within Azure, I would stick to either Azure PaaS offering for web app hosting - Azure Application Service Environments or Azure Container Appps. The added overhead of setting up and maintaining a Site-to-Site VPN between Heroku and Azure really opens up security risks and decreases performance. However, without the data in Azure requirement, Heroku would present a clear winner and a much better choice for developer experience, decreased management overhead and deployment simplicity. The choice depends on data hosting preference, future business direction and a more detailed price comparison.

TL;DR

If you wanna jump straight into it, check out my GitHub repository for this project here. This includes a step-by-step guide, including prerequisites, configuration and deployment of AKS using OIDC, Terraform, GitHub Actions. The goal of this project is to demonstrate the three (3) main points below:

1. Use of OIDC for Microsoft Entra and GitHub Actions authentication,
2. Use of Azure Storage Account as Terraform Backend for state storage, and
3. Deployment of minimum viable product (MVP) Azure Kubernetes Service (AKS).
   

Flexibility, Portability and Security with Kubernetes, Terraform, GitHub, and OpenID Connect (OIDC)

Let’s talk about something that sounds complicated but is actually not as bad as it might seem: deploying Azure Kubernetes Service (AKS) using Terraform, orchestrated through GitHub Actions. And the cherry on top? Let’s make this entire process seamless and more secure by integrating OpenID Connect (OIDC) for authentication. This will give your developer experience a major upgrade!

Keeping It Simple with Trunk-Based Development

For this project, I kept is simple with a Trunk-Based Development strategy. Simply put, it honestly makes the most sense for a single person, or a very small highly skilled team working on a project. For a complete overview of all the different ways you can structure your repositories and workflow strategies, see my blog post on Branching Strategies.

Goodbye Passwords, Hello OIDC

Imagine deploying infrastructure without worrying about safeguarding a pile of secrets or passwords. From an engineer’s or software developer’s lense, this presents a host of challenges. How do you store, manage and rotate those secrets and passwords? Thanks to OIDC, that daunting endeavor is a thing of the past! OIDC simplifies authenticating with Azure, meaning less time fretting over security and more time doing what you love: crafting great code. It’s a smarter, streamlined way to work, and honestly, who doesn’t want that? For more information on how OIDC works with Entra, Azure, GitHub and Azure DevOps, see my blog post titled Authenticating GitHub and Azure DevOps using OpenID Connect. This project uses OIDC. It just makes sense.

Flexibility and Portability

Kubernetes

Why make a big deal about Kubernetes, or K8s as the cool kids call it? Simply put, it gives you the flexibility to manage your applications with ease, regardless of where you choose to run them. The major Cloud Service Providers (CSPs) have all jumped on board - Microsoft with Azure Kubernetes Service (AKS), AWS with Elastic Kubernetes Service (EKS), and Google Cloud Platform (GCP) with Google Kubernetes Service (GKS). Think of K8s as your cloud Swiss Army knife, ready to adapt to whatever your project needs. K8s represents a cloud-agnostic service, pitting the major CSPs against each other to earn your business. Competition is a good thing for the consumer (i.e. you and me!).

Terraform

Finally, what’s all the Terraform fuss about? Some might say - can’t I just use Azure Resource Manager (ARM) Templates? Well, technically, yes. But when you learn Terraform, a cross-CSP Infrastructure as Code (IaC) declarative deployment tool, it enables flexibility for IaC just like K8s does for application hosting. A CSP decides to raise prices for infrastrucuture? Don’t fret, take your Terraform and Kubernetes knowledge to another vendor! Once again, competition is the name of the game. Let’ the CSPs compete for your business!

Why This All Matters

Let’s make sure we hit the point of this post home. In the grand scheme of things, embracing tools such as OIDC, Kubernetes, Terraform and GitHub is about remaining flexible and secure in a technology landscape that is evolving at a rapid pace. It’s about ensuring that as developers, architects, or managers, we’re not just keeping pace but setting the pace, ready to adapt and thrive no matter what comes our way.

So, here’s to making deployment a smoother, more secure part of our development journey. Ready to take the next step? Let’s dive in and see just how much easier and more enjoyable your work can become. Check out the entire repo here!

Introduction

One common misconception is that highly-available, resilient and elastic cloud architectures represent a silver bullet. This is not necessarily the case. Cloud architecture is tightly coupled to healthy programming techniques - a healthy cloud architecture and healthy code hosted on those architectues are two sides of the same coin. This fundamental concept often gets lost. Consider having the most resilient, multi-AZ (Availability Zone), multi-Region cloud architecture that unscrupulously autoscales additional nodes horizontally to handle additional load caused by sudden spikes of REST API calls. Now also consider that these additional calls are caused by unhealthy code. This is not only inefficient and can crash a REST API, but it can also crash an entire cloud infrastructure and cause runaway costs incurred by additional horizontal scaling. In this post, let’s examine healthy programming techniques such as reusing HTTP connections and building thread-safe code with a coffee shop metaphor.

In the world of software development, optimizing cloud application performance, especially REST APIs, is similar to managing a highly efficient coffee shop. Just as a coffee shop tries to serve as many customers as efficiently as possible, cloud applications try to handle requests and tasks effectively. What can coffee shops teach us about reusing HTTP connections, thread-safe programming, avoiding deadlocks, and employing the singleton pattern for better performance and resource management? Let’s dive in!

Reusing HTTP Connections: The Art of Efficient Service

Imagine as soon as you walk into your favorite coffee shop, the barista immediately serves your favorite coffee from a large coffee pot. I’d call that efficient service.

Creating a new connection for each HTTP request (similar to grinding new coffee beans for every cup) can put additional load on your web servers, aka cloud compute nodes. This can quickly overwhelm a node in a cloud architecture, causing autoscaling to kick in. Modern HTTP client libraries use connection pooling, similar to a coffee shop having a large pot of coffee ready to serve multiple customers quickly. This approach minimizes the overhead of establishing new connections for every request, similar to avoiding the time-consuming process of grinding beans and brewing coffee for every single cup of coffee.

Singleton Pattern: One Coffee Machine to Serve Them All

The singleton pattern in software development is like having a single, highly efficient coffee machine in a shop that all baristas share. This pattern ensures that only one instance of a resource (e.g., an HttpClient in .NET) is created and reused across the application, optimizing resource cloud hosting cost and avoiding runaway autoscaling of cloud compute nodes.

Dependency Injection (DI)

Use dependency injection to implement the singleton pattern - it is like a coffee shop where the manager ensures that all baristas use the same coffee machine, maintaining efficiency and consistency. It allows for flexible configuration and easy sharing of the coffee machine (or HttpClient) across different parts of the application.

In a .NET Core or .NET 5/6/7/8 application, you can use the built-in DI container to manage HttpClient instances efficiently. This approach ensures that HttpClient instances are reused properly, which is crucial for managing connections and resources effectively.

Step 1: Define Typed Client

First, create a class that will serve as your typed client. This class will encapsulate all logic for making HTTP requests to a specific external service.

using System.Net.Http;
using System.Threading.Tasks;

public class CoffeeServiceClient
{
    private readonly HttpClient _httpClient;

    public CoffeeServiceClient(HttpClient httpClient)
    {
        _httpClient = httpClient;
        // Assuming the external service requires an API key in the header
        _httpClient.DefaultRequestHeaders.Add("ApiKey", "YourApiKeyHere");
	// Other configuration goes here
    }

    public async Task<string> GetCoffeeAsync(string typeOfRoast)
    {
        var response = await _httpClient.GetAsync($"coffee/{typeOfRoast}");
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}

Step 2: Configure the Typed Client in Program.cs:

In your Program.cs, register the typed client with the dependency injection (DI) container using AddHttpClient. This method allows you to configure the HttpClient that will be injected into your typed client.

using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// Register the typed client with HttpClient configured
builder.Services.AddHttpClient<CoffeeServiceClient>(client =>
{
    client.BaseAddress = new Uri("https://api.coffeeapi.com/v1/");
    // Set other default configurations here
});

var app = builder.Build();

// Map controllers and run app (assuming you're using controllers)
app.MapControllers();

app.Run();

Step 3: Use the Typed Client in a Controller

Inject the typed client into your controllers or services where you need to make HTTP requests.

using Microsoft.AspNetCore.Mvc;
using System.Threading.Tasks;

[ApiController]
[Route("[controller]")]
public class CoffeeController : ControllerBase
{
    private readonly CoffeeServiceClient _coffeeServiceClient;

    public CoffeeController(CoffeeServiceClient coffeeServiceClient)
    {
        _coffeeServiceClient = coffeeServiceClient;
    }

    [HttpGet("{typeOfRoast}")]
    public async Task<IActionResult> Get(string typeOfRoast)
    {
        try
        {
            var data = await _coffeeServiceClient.GetCoffeeAsync(typeOfRoast);
            return Ok(data);
        }
        catch (HttpRequestException e)
        {
            return StatusCode(500, e.Message);
        }
    }
}

Thread-Safe Programming: The Coordination of Multiple Baristas

In a busy coffee shop, multiple baristas (threads) work in parallel to serve customers efficiently. However, without proper coordination, they might bump into each other or duplicate efforts, leading to wasted resources and time. Similarly, in software applications, thread-safe programming ensures that multiple threads access shared resources (like a shared coffee machine) in a manner that prevents conflicts and ensures consistency.

Key Concepts

First, some key concepts, simplified:

• Synchronization Context: Imagine the coffee shop has a rule: When your coffee is ready, it must be handed to you personally, and you must receive it where you placed the order. This “personal handover” rule is like the synchronization context in programming, ensuring some tasks are completed in a specific “place” or thread.
• Asynchronous Task (async/await): An asynchronous task is like ordering a coffee at a busy coffee shop. You place your order (async) and then wait (await) for your name to be called when the coffee is ready. While waiting, you can do other things instead of standing still and blocking the line of other people wanting to order.
• Blocking Calls (.Result or .Wait()): This is like insisting on standing at the counter, staring at the barista uncomfortably until your coffee is ready, not doing anything else, and not letting anyone else order.

Deadlock Scenario: The Uncomfortable Stare

This example demonstrates how using .Result or .Wait() in a context where the synchronization context is captured can lead to a deadlock:

[HttpGet("{typeOfRoast}")]
public IActionResult Get(string typeOfRoast)
{
    try
    {
        // Incorrectly using .Result can lead to a deadlock
        var data = _coffeeServiceClient.GetCoffeeAsync(typeOfRoast).Result;
        return Ok(data);
    }
    catch (HttpRequestException e)
    {
        return StatusCode(500, e.Message);
    }
}

1. Placing the Order (Calling the Async Method): You go to the coffee shop and order a coffee (call an asynchronous method, GetCoffeeAsync). The coffee shop is busy (the system is doing work), so you’re told to wait for your name to be called (the async operation will complete in the future).

2. Waiting for the Coffee (Awaiting the Async Task): Instead of waiting normally, you decide to stand at the counter, not move and stare at the barista uncomfortably until you get your coffee (using .Result or .Wait()), effectively blocking anyone else from ordering (blocking the main thread).

3. The Coffee Shop Rule (Synchronization Context): The coffee shop has a rule: Coffee must be handed to you personally at the counter (the continuation after an await must happen on the original synchronization context, or thread). But, because you’re blocking the counter (the main thread), the barista can’t serve anyone else, nor can they complete your order, because they need you to step aside to finish it (the async operation needs the blocked thread to continue).

4. The Deadlock: You’re waiting for your coffee to be ready before you move (waiting for the async operation to complete), but the coffee shop can’t finish making your coffee until you stop blocking the counter and stop making the barista uncomfortable with your stare (the system can’t complete the async operation because it’s waiting for the blocked thread to become available). As a result, everything stops. You’re not moving. The barista can’t serve your coffee. No one else can order. This standstill is the deadlock.

Avoiding Deadlocks

To avoid the deadlock, you can ensure that the asynchronous method is allowed to complete without blocking the main thread. Here’s how you can do it:

[HttpGet("{typeOfRoast}")]
public async Task<IActionResult> Get(string typeOfRoast)
{
    try
    {
        // Properly awaiting the asynchronous operation
        var data = await _coffeeServiceClient.GetCoffeeAsync(typeOfRoast);
        return Ok(data);
    }
    catch (HttpRequestException e)
    {
        return StatusCode(500, e.Message);
    }
}

Just like in the coffee shop, where you could wait for your coffee without blocking the counter (maybe sit down or step aside), programming has a way to avoid deadlocks.

1. Use await properly: This is like waiting for your coffee without blocking the counter. You allow other customers to order, and the barista to serve other orders while yours is being prepared.
2. ConfigureAwait(false): This tells the system, “I don’t need to receive my coffee exactly at the counter where I ordered. You can call my name, and I’ll pick it up wherever I am.” This means the continuation of your task doesn’t need to be on the original thread, avoiding the need for you to block any “place” or thread.

Conclusion

Just as the goal of a coffee shop is to serve its customers efficiently and effectively, the goal of software development is to create applications that handle tasks and requests with optimal performance. By drawing lessons from the operation of a coffee shop—reusing resources like HTTP connections, ensuring thread-safe programming, avoiding deadlocks, and efficiently managing shared resources through the singleton pattern—we can brew applications that stand out for their performance and reliability, much like a cup of finely crafted coffee.

What if I told you, we could improve developer exprience and security with DevOps pipelines? Enter OpenID Connect (OIDC) to the rescue! Read on for more info!

Traditional Secrets Management

Traditionally teams have used Entra ID (formerly Azure AD, RIP) service principals to allow Azure DevOps and GitHub Workflows to deploy resources using Azure Resource Manager to Azure. This included setting up App Registrations, which are service principals with appropriate role-based access controls (RBAC). This is still documented in Microsoft’s documentation here.

The problem with this approach is that now we are creating a client secret, basically a password, which has to be stored, managed and secured somewhere, just like any other password. This could be Azure KeyVault or HashiCorp Vault. This creates a security risk, in case this client secret (password) gets exposed. This also presents a developer experience that is not ideal.

A Better Approach with OIDC

A solution that is becoming increasingly popular involves using token exchange with OpenID Connect (OIDC). Microsoft even recommends this in their latest and greatest documentation:

However, using hardcoded secrets requires you to create credentials in the cloud provider and then duplicate them in GitHub as a secret. With OpenID Connect (OIDC), you can take a different approach by configuring your workflow to request a short-lived access token directly from the cloud provider. Your cloud provider also needs to support OIDC on their end, and you must configure a trust relationship that controls which workflows are able to request the access tokens. Providers that currently support OIDC include Amazon Web Services, Azure, Google Cloud Platform, and HashiCorp Vault, among others.

A step-by-step guide to configure OIDC using Workload Identity Federation can be found here.

Azure DevOps, Entra ID OIDC Authentication

A picture is worth a thousand words. I’ve laid out the authentication flow in the diagram below for Azue DevOps. No more secrets management!

Azure DevOps, Entra ID, Azure Flow

Microsoft’s John Savill Explains

Microsoft’s John Savill explains OIDC authentication with Workload Identity Federation in his awesome YouTube videos that I have linked below.

GitHub, Entra ID OIDC Authentication

How does this flow look for GitHub and GitHub Actions Workflows? Well pretty similar to Azure DevOps and Azure Pipelines. Check it out, gone are secrets!

GitHub, Entra ID, Azure Flow

Microsoft’s John Savill Explains

Once again, also check out how John Savill explains this OIDC flow for GitHub.

Overview

This project demonstrates the deployment of an Azure Function App using Terraform, Terraform Cloud and GitHub Actions for CI/CD. The full code can be found in my GitHub repo here.

Prerequisites

Before you begin, you’ll need to have the following:

• An Azure subscription.
• A GitHub account.
• A Terraform Cloud account, with a workspace configured and mapped to this repository.
• Azure CLI installed locally (for development and testing).
• Your favorite IDE - I prefer Visual Studio Code with the below extensions installed
  • GitHub Actions
  • HashiCorp HCL
  • HashiCorp Terraform

Configuration

Azure Subscription

1. Azure Service Principal: Create a service principal with Contributor access and configure it as a variable in Terraform Cloud. You can accomplish this in Azure Portal or via Azure CLI. There are many guides out there for this. A Contributor access is only appropriate for this tutorial. You will want to adhere to the Principle of Least Privilege and only assign the necessary role-based access controls (RBAC) to deploy code to the appropriate scope.

Terraform Cloud

1. Workspace Setup: Ensure your Terraform Cloud workspace is set up and linked to your GitHub repository containing the Terraform configuration.
2. Variables: Configure the necessary environment variables and Terraform variables in your Terraform Cloud workspace. This includes Azure credentials, resource naming, and any other configurations specific to your deployment.
3. State Storage: Terraform Cloud will automatically manage the state of your infrastructure, providing a secure and collaborative environment for your team.

GitHub Actions

1. Workflow Configuration: The .github/workflows directory contains the YAML files for GitHub Actions. These define the CI/CD pipeline. Changes are currently configured to only be manually deployed. This is accomplished with a workflow_dispatch trigger in the GitHub actions workflows plan-apply.yml and destroy.yml.
2. Secrets: Set up the required secrets in your GitHub repository variable and secrets settings. This should include access tokens for Terraform Cloud TF_API_TOKEN.

Continuous Integration (CI) involves developers merging their tested code into a common branch. Depending on the branching strategy used, this can be as often as multiple times a day, or a few times a week. The next phase is Continuous Delivery (CD). Here, we need to make sure to package the code in an artifact and store it somewhere - this is our release artifact. Finally, there is Continuous Deployment (CD). This takes Continuous Delivery (CD) a step further by sending our finished release artifact out into the real world for people to use. It’s all about making things smoother and faster!