# HIE Migration to AKS

---

## Goals

- [ ] migrate HIE infrastructure for FMC from ACI to AKS
- [ ] integrate the new infrastructure with the current CI/CD process
- [ ] work estimation and delivery date
- [ ] involve other relevant parties at the required capacity
- [ ] prepare a presentation with the plan to solve the problem

---

## Implementation Phases

1. Create AKS cluster with IaC
2. Installation of additional tools
3. Cluster configuration and hardening
4. In parallel:
   - create K8s manifest files for existing services
   - update pipelines to deploy to AKS instead of ACI
5. Define and implement operations processes and procedures

---

## Infrastructure as Code

- use Terraform Cloud
- create K8s manifest files for existing components, consider resource limits
- integrate with existing VNETs from DTI, NetCare, PH (one tunnel for prod, one for non-prod)
- check whether the preferred peering method can be used with the existing VNETs
- preference would be a hub-and-spoke architecture

----

### Guidelines

- use the [AKS baseline cluster guidelines](https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks#deploy-ingress-resources)
- [base repo to use as a starter pack](https://dev.azure.com/GRD-EMEA/Cloud%20Native%20Platform/_git/iac-aks-exp)

----

#### AKS setup

- AKS as a Terraform module
  - networking
  - identity management
  - security
  - compute
- after the cluster is up we want to install and configure additional components
- use [Artifact Hub](https://artifacthub.io/packages/search?page=1) to deploy well-known components

----

#### Modules

```plantuml
skinparam LineType ortho
rectangle "AKS" as aks {
  component "Networking Module" as net
  component "AAD Module" as aad
}
actor "DevOps" as devops
devops --> aks : build
```

---

## Performance

- define performance metrics for HIE
- include performance capabilities (resource requests and limits) in pod manifests

---

### Traffic

---

#### Ingress

- from outside to FHIR server (HTTPS)
- terminated on the gateway
- another service, @Oldrich to confirm
- use a load balancer instead of an ingress controller

---

#### Egress

- DTI MS SQL server via VPN (TCP)
- push results to server 2, also DTI (TCP)

---

#### Workloads Networking

- HTTP, HTTPS terminated on the load balancer
- pods need to use Key Vault for configuration and secrets management
- pods communicate with the ActiveMQ server running on a VM

---

## CI/CD Applications Pipelines

- make sure that services follow the 12-factor app model
- create K8s manifest files for existing components, consider resource limits
- HIE uses ActiveMQ; for the first pass we will not move it to AKS
- HIE containers are stateless
- images are already stored in ACR per env (dev, qa, val, prod)
- use `kubectl` in the pipeline

---

## Roles and Access

- use Azure RBAC integrated with K8s roles to manage access to the cluster
- access to the cluster via roles/etc.

---

## Security

- enable [Azure Defender for AKS](https://docs.microsoft.com/en-us/azure/security-center/defender-for-kubernetes-introduction)
- use [Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction) for security monitoring
- use Azure identities mapped to K8s service accounts to manage access for workloads
- use [AAD pod identity](https://github.com/Azure/aad-pod-identity), *this might not be needed*
- ask about OPA Gatekeeper / Azure Policy implementation for OPA

---

## Scalability

- HPA is enough for now
- cluster autoscaler is needed for now

---

## Observability

- use Azure native tools (Azure Monitor)
- need to involve L2 support and others to define observability requirements

----

### Logging

- enable VM logging
- Log Analytics workspace

----

### Distributed Tracing

- enable VM tracing
- no need for distributed tracing for workloads

----

### Monitoring

- use Azure native tools (Azure Monitor)

---

## Disaster Recovery

- ability to recreate the cluster
- could check Velero (cluster backup/snapshot tool)

---

## Cost Management

- VM-level cost management from Azure
- check out [Kubecost](https://github.com/kubecost)
- use spot instances (spot node pools) for DEV
- use reserved instances for PROD

---

## Operations

- GitOps maybe, probably not
- need to involve L2 support and others to define operations requirements

---

### Questions?
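The following manifest is an added example for the CI/CD, Performance, Traffic and Scalability slides above; it is not code from the `iac-aks-exp` repo or the HIE code base. It shows what "K8s manifest files with resource limits" for a stateless HIE container look like in practice: a Deployment with requests/limits and a hardened pod spec, an HPA scaling on the CPU request, and a Service exposed through an internal Azure load balancer rather than an ingress controller. The namespace `hie`, the image name and registry, port `8080`, the `/healthz` path, the ConfigMap name and the sizing numbers are all assumptions; TLS is assumed to terminate on the gateway in front, as the Ingress slide says.

```yaml
# Added example (not from the iac-aks-exp repo or the HIE code base) for the
# CI/CD, Performance, Traffic and Scalability slides: a stateless HIE service
# with requests/limits, a hardened pod spec, an HPA and an internal load
# balancer. Namespace, image names, ports, paths and sizes are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fhir-server
  namespace: hie
spec:
  replicas: 2
  selector:
    matchLabels:
      app: fhir-server
  template:
    metadata:
      labels:
        app: fhir-server
    spec:
      automountServiceAccountToken: false   # the app never calls the K8s API
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: fhir-server
          # registry and tag per env (dev, qa, val, prod) are set by the pipeline
          image: acrhiedev.azurecr.io/hie/fhir-server:1.0.0
          ports:
            - name: http
              containerPort: 8080
          envFrom:                          # 12-factor: config from the environment
            - configMapRef:
                name: fhir-server-config
          resources:                        # requests drive scheduling and the HPA,
            requests:                       # limits cap a runaway pod
              cpu: 500m
              memory: 1Gi
            limits:
              cpu: "2"
              memory: 2Gi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          readinessProbe:                   # the LB only sends traffic to ready pods
            httpGet: { path: /healthz, port: http }
            periodSeconds: 10
          livenessProbe:
            httpGet: { path: /healthz, port: http }
            initialDelaySeconds: 30
            periodSeconds: 20
          volumeMounts:
            - name: tmp
              mountPath: /tmp               # stateless: only scratch space is writable
      volumes:
        - name: tmp
          emptyDir: {}
---
apiVersion: autoscaling/v2                  # Kubernetes 1.23+; use v2beta2 on older clusters
kind: HorizontalPodAutoscaler
metadata:
  name: fhir-server
  namespace: hie
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: fhir-server
  minReplicas: 2
  maxReplicas: 6
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70            # percent of the CPU request above
---
apiVersion: v1
kind: Service
metadata:
  name: fhir-server
  namespace: hie
  annotations:
    # internal Standard LB inside the AKS VNET; HTTPS terminates on the gateway in front
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:
    app: fhir-server
  ports:
    - name: http
      port: 80
      targetPort: http
```

In the pipeline, `kubectl apply -f hie.yaml --dry-run=server -n hie` validates the manifests against the cluster's admission controllers (including Azure Policy/Gatekeeper once enabled) before the real apply, and `kubectl get svc fhir-server -n hie` shows the private IP the load balancer received. Without the `requests` block the HPA has nothing to compute utilization against and stays in an unknown state, so requests are not optional here.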
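The Workloads Networking and Security slides call for pods to read configuration and secrets from Key Vault. The manifest below is an added example (not from the `iac-aks-exp` repo) of doing that with the Secrets Store CSI driver and its Azure Key Vault provider, which must already be installed on the cluster. It uses the node pool's user-assigned managed identity, so aad-pod-identity is not required, matching the "might not be needed" note above. The vault name, tenant id, identity client id, secret names, namespace and image are placeholders.

```yaml
# Added example (not from the iac-aks-exp repo or the HIE code base): Key Vault
# secrets mounted into a pod through the Secrets Store CSI driver. Vault name,
# tenant id, identity client id, secret names, namespace and image are placeholders.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: hie-keyvault
  namespace: hie
spec:
  provider: azure
  parameters:
    # authenticate with the node pool's user-assigned identity; no aad-pod-identity needed
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "00000000-0000-0000-0000-000000000000"   # client id, placeholder
    keyvaultName: "kv-hie-dev"                                        # placeholder
    tenantId: "00000000-0000-0000-0000-000000000000"                  # placeholder
    objects: |
      array:
        - |
          objectName: sql-connection-string
          objectType: secret
        - |
          objectName: activemq-password
          objectType: secret
  # optional: mirror the mounted files into a K8s Secret so they can be injected as env vars
  secretObjects:
    - secretName: hie-worker-secrets
      type: Opaque
      data:
        - objectName: sql-connection-string
          key: SQL_CONNECTION_STRING
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hie-worker
  namespace: hie
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hie-worker
  template:
    metadata:
      labels:
        app: hie-worker
    spec:
      containers:
        - name: hie-worker
          image: acrhiedev.azurecr.io/hie/worker:1.0.0   # placeholder
          env:
            - name: SQL_CONNECTION_STRING             # synced from the mounted secret
              valueFrom:
                secretKeyRef:
                  name: hie-worker-secrets
                  key: SQL_CONNECTION_STRING
          volumeMounts:
            - name: keyvault
              mountPath: /mnt/secrets                 # one file per Key Vault object
              readOnly: true
      volumes:
        - name: keyvault
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: hie-keyvault
```

Two caveats worth keeping in mind. The synced `hie-worker-secrets` Secret only exists while a pod mounts the volume, so a pod that references it via `secretKeyRef` must also mount the CSI volume, as above. And because the node pool's identity does the Key Vault access, every pod scheduled on that pool can reference the same vault; the identity's access policy should therefore be scoped to the objects the HIE workloads need, and the `hie` namespace should be the only place a `SecretProviderClass` for this vault is allowed (an OPA Gatekeeper/Azure Policy constraint, per the Security slide, can enforce that).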
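For the Roles and Access slide, the manifest below is an added example (not from the `iac-aks-exp` repo) of Azure AD integrated RBAC expressed as a namespaced Kubernetes Role: the binding subject is an Azure AD group object id, so membership is managed in Azure AD while the permissions stay in the manifests repo. It gives L2 support read access to workloads and logs in the `hie` namespace but deliberately not to Secrets. The namespace and the group object id are placeholders.

```yaml
# Added example (not from the iac-aks-exp repo): read-only access for L2 support
# in the hie namespace, bound to an Azure AD group. Group object id is a placeholder.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: hie-l2-readonly
  namespace: hie
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps", "events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["get", "list", "watch"]
  # no "secrets" and no "exec": L2 can see config and logs, not credentials
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: hie-l2-readonly
  namespace: hie
subjects:
  - kind: Group
    name: "11111111-1111-1111-1111-111111111111"   # Azure AD group object id, placeholder
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: hie-l2-readonly
  apiGroup: rbac.authorization.k8s.io
```

Check the binding with impersonation before handing it over: `kubectl auth can-i get pods/log -n hie --as=l2-user --as-group=11111111-1111-1111-1111-111111111111` should answer `yes`, and the same command with `get secrets` should answer `no`. If the cluster is created with Azure RBAC for Kubernetes authorization enabled, the equivalent can also be granted as an Azure role assignment (the built-in "Azure Kubernetes Service RBAC Reader" role scoped to the namespace) instead of a RoleBinding; either way, keep the cluster-admin group separate from the application groups and disable local accounts so the cluster has no non-AAD credential.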