Storage account connectivity method for AKS

1/22/2020

I'm setting up a Storage Account so I can dynamically create and use a persistent volume with Azure Files in Azure Kubernetes Service (AKS). I'm doing this to:

  1. Have a PV and PVC for the database
  2. A place to store the application files

AKS does create a storage account in the MC_<resource-group>_<aks-name>_<region> resource group that is automatically created. However, that storage account is destroyed if the node size/VM is changed (not node count), so it shouldn't be used since you'll lose your files and database if you need a node size/VM with more resources.

Neither this documentation, nor any other I've really come across, says what the best practice is for the Connectivity method:

  • Public endpoint (all networks)
  • Public endpoint (selected networks)
  • Private endpoint

The first option sounds like a bad idea.

The second option allows me to select a virtual network, and there are two choices:

  1. MC_<resource-group>_<aks-name>_<region>... again, this doesn't seem like a good idea, because if the node size/VM is changed, the connection will be broken.
  2. aks-vnet-<number>... not sure what this is, but it looks like it is part of the previous resource group, so it will also be destroyed in the previously mentioned scenario.

The third option contains a number of options, some of which are included in the second option.

So how should I securely set this up for AKS to share files with the application and persist database files?

EDIT

Looking at both the "Firewalls and virtual networks" and "Private endpoint connections" for the storage account that comes with the AKS node, it looks like it is just set up for "All networks"... so maybe having that be where my actual PV and PVC will be stored isn't such an issue...? Could use some clarity on the topic.

-- eox.dev
azure
azure-aks
azure-kubernetes
azure-storage

1 Answer

1/23/2020

Not sure where the problem lies. All the assets generated by AKS are tied to the AKS lifecycle. If you delete AKS it will delete the MC_* resource group (and that is 100% right). Not sure what you mean about the storage account being destroyed; it wouldn't get destroyed unless you remove the PVC and set the reclaim policy to delete.

Reading: https://docs.microsoft.com/en-us/azure/aks/azure-files-dynamic-pv

As for the networking part, "selected networks" with the AKS nodes' network selected should be the way to go. You can figure that network out by looking at the AKS nodes or the AKS agent pool definition(s). I don't think this is configurable using only Kubernetes primitives, so that would be a manual/scripted action after the storage account is created.

-- 4c74356b41
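The "manual/scripted action" the answer refers to, as an added example that is not part of the question or the answer: it resolves the MC_* node resource group and node subnet from the cluster itself (assuming a VMSS-backed node pool and a logged-in `az` CLI), then restricts a separately created storage account to that subnet. The resource group, cluster and storage account names are placeholders.

```bash
#!/usr/bin/env bash
# Added example: lock a storage account created outside the MC_* group down
# to the AKS node subnet ("selected networks"). Names are placeholders;
# assumes the az CLI is logged in and the node pool is a VM scale set.
set -eu

# Ask the cluster for its node resource group rather than hard-coding the
# MC_<rg>_<aks>_<region> name.
node_resource_group() {
  az aks show -g "$1" -n "$2" --query nodeResourceGroup -o tsv
}

# Subnet ID used by the first node pool scale set's NIC configuration.
node_subnet_id() {
  mc_rg="$1"
  vmss=$(az vmss list -g "$mc_rg" --query '[0].name' -o tsv)
  az vmss show -g "$mc_rg" -n "$vmss" -o tsv \
    --query 'virtualMachineProfile.networkProfile.networkInterfaceConfigurations[0].ipConfigurations[0].subnet.id'
}

# Enable the Microsoft.Storage service endpoint on that subnet, allow it on
# the storage account, then deny all other networks by default.
restrict_storage_to_subnet() {
  sa_rg="$1"; sa_name="$2"; subnet_id="$3"
  # Subnet ID layout:
  # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>
  vnet_rg=$(printf '%s' "$subnet_id" | awk -F/ '{print $5}')
  vnet=$(printf '%s' "$subnet_id" | awk -F/ '{print $9}')
  subnet=$(printf '%s' "$subnet_id" | awk -F/ '{print $11}')
  az network vnet subnet update -g "$vnet_rg" --vnet-name "$vnet" -n "$subnet" \
    --service-endpoints Microsoft.Storage
  az storage account network-rule add -g "$sa_rg" --account-name "$sa_name" \
    --subnet "$subnet_id"
  az storage account update -g "$sa_rg" -n "$sa_name" --default-action Deny
}

# Usage (placeholder names):
#   mc=$(node_resource_group my-rg my-aks)
#   restrict_storage_to_subnet my-rg mystorageacct "$(node_subnet_id "$mc")"
```

Point the azure-file StorageClass at this account with its `storageAccount` and `resourceGroup` parameters so dynamically provisioned PVCs land outside the MC_* group.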
Source: StackOverflow