Preparing the Azure Kubernetes Service

Preparation of the Azure Kubernetes Service (AKS) consists of the sub-steps explained in the following sections.


Creating the Service Principal ID for Kubernetes

Required permissions: create service principal

To create the service principal ID:

In the Azure Cloud Shell, run the command:

# az ad sp create-for-rbac -n "PRINCIPAL ID NAME" --skip-assignment

For example:
# az ad sp create-for-rbac -n srgdemo-service-principal --skip-assignment

Example results:

{
   "appId":"52f25b66-2700-474d-a2a0-016f0b149e22",
   "displayName":"srgdemo-service-principal",
   "name":"http://srgdemo-service-principal",
   "password":"bf47aa85-9578-4d61-a8e9-ffafe5a1e22b",
   "tenant":"6002e264-31f7-43d3-a51e-9ed1ba9ca689"
}

Note the values for password and appId. These values are used later, when creating the AKS. The password is the service principal's client secret; it is shown only at creation time and cannot be retrieved afterwards, so store it securely.


Preparing the Virtual Network and AKS Subnet

Now you can prepare a virtual network with custom address ranges and a subnet for AKS. If you already have a virtual network with a subnet for AKS, you can skip this procedure.

All the created resources must be placed in the same virtual network to prevent performance issues caused by network latency; these resources include the resource group, the AKS cluster, the jump host, and Azure NetApp Files (NFS).

To create the virtual network:

Run the following command:

# az network vnet create \
-g <RESOURCE_GROUP> \
-n <VNET_NAME> \
--address-prefix <VNET_CIDR> \
--subnet-name <SUBNET_NAME> \
--subnet-prefix <SUBNET_CIDR>

Parameters:

<RESOURCE_GROUP>: The name of the resource group already created.

<VNET_NAME>: The name assigned to this virtual network.

<VNET_CIDR>: The CIDR notation for this virtual network. For example, 10.1.0.0/16.

<SUBNET_NAME>: The name of the subnet for AKS.

<SUBNET_CIDR>: The CIDR notation for this subnet. For example, 10.1.1.0/24.

For example, the following command creates a virtual network demo-vnet in resource group srg-demo, with range 10.1.0.0/16 and a subnet aks-subnet with range 10.1.1.0/24:

# az network vnet create \
-g srg-demo \
-n demo-vnet \
--address-prefix 10.1.0.0/16 \
--subnet-name aks-subnet \
--subnet-prefix 10.1.1.0/24


Creating the Azure Kubernetes Service (AKS)

Required permissions: create Azure Kubernetes Service; the user must be the OWNER of the resource group.

To create the AKS:

  1. Get the ID of the subnet you want to use for AKS and store it in an environment variable:
    # SUBNET_ID=$(az network vnet subnet show \
    --resource-group <RESOURCE_GROUP> \
    --vnet-name <VNET_NAME> \
    --name <SUBNET_NAME> \
    --query id -o tsv)

    For example, to use the virtual network demo-vnet from the resource group srg-demo and subnet aks-subnet, you would run the following command:

    # SUBNET_ID=$(az network vnet subnet show --resource-group srg-demo --vnet-name demo-vnet --name aks-subnet --query id -o tsv)

  2. Create the AKS in this subnet by running the command:
    # az aks create \
    -g <RESOURCE GROUP> \
    -n <AKS NAME> \
    -c <NUMBER OF NODES> \
    --kubernetes-version <KUBERNETES VERSION> \
    --generate-ssh-keys \
    --node-vm-size <VM SIZE> \
    --vm-set-type VirtualMachineScaleSets \
    --service-principal "<SP APP ID>" \
    --client-secret "<SP PASSWORD>" \
    --load-balancer-sku basic \
    --vnet-subnet-id $SUBNET_ID

    where:

    <RESOURCE GROUP> is your main resource group

    <AKS NAME> is your AKS resource name

    <NUMBER OF NODES> is the number of worker nodes

    <KUBERNETES VERSION> is the version of the Kubernetes cluster to create; it must be supported by your OMT version. You must have the OWNER role (at least on the resource group) to assign the virtual network to the AKS.

    To determine the Kubernetes version to use when deploying the ArcSight Platform to Azure, check the Hybrid Cloud Support page of the Technical Requirements for ArcSight Platform.

    <VM SIZE> for example, Standard_D4s_v3.

    For a production cluster, do not use a VM size smaller than Standard_D8s_v3 or one with less than 32 GB of RAM.

    For a list of possible VMs, run the command:

    # az vm list-sizes -l <LOCATION> | jq ".[] | .name"

    <SP APP ID> and <SP PASSWORD> are the appId and password returned when the service principal ID was created.

    Example command:

    # az aks create \
    -g "srg-demo" \
    -n "srg-demo-aks" \
    -c "3" \
    --kubernetes-version 1.22 \
    --generate-ssh-keys \
    --node-vm-size "Standard_D4s_v3" \
    --vm-set-type VirtualMachineScaleSets \
    --service-principal "52f25b66-2700-474d-a2a0-016f0b149e22" \
    --client-secret "bf47aa85-9578-4d61-a8e9-ffafe5a1e22b" \
    --load-balancer-sku basic \
    --vnet-subnet-id $SUBNET_ID

    With --generate-ssh-keys, the az aks create command generates an SSH key pair (id_rsa and id_rsa.pub) in the ~/.ssh directory if none exists there. Download the private key id_rsa to a secure location. Later, it is uploaded to the jump host and used to connect to the AKS nodes from the jump host.
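The following script is an added example and not part of the original documentation. It strings the three sub-steps of this section together in one place: it reads the service principal appId and password into shell variables (so the secret is never typed as a literal on the command line, where it would be recorded in shell history), verifies that the AKS subnet CIDR lies inside the virtual network CIDR before anything is created, and then runs the same az commands as above. The resource names are the page's own examples; the az calls are executed only when RUN_AZ=1 is set, so the checks can be exercised without an Azure subscription.

```shell
#!/bin/sh
# Added example (not from the original documentation): wrapper around the az
# commands of this section. Resource names default to the page's examples and
# can be overridden through the environment. The az calls run only when
# RUN_AZ=1 is set; the helper functions below work offline.
set -eu

RESOURCE_GROUP=${RESOURCE_GROUP:-srg-demo}
VNET_NAME=${VNET_NAME:-demo-vnet}
VNET_CIDR=${VNET_CIDR:-10.1.0.0/16}
SUBNET_NAME=${SUBNET_NAME:-aks-subnet}
SUBNET_CIDR=${SUBNET_CIDR:-10.1.1.0/24}
AKS_NAME=${AKS_NAME:-srg-demo-aks}
SP_NAME=${SP_NAME:-srgdemo-service-principal}
K8S_VERSION=${K8S_VERSION:-1.22}        # must be a version supported by your OMT release
NODE_COUNT=${NODE_COUNT:-3}
VM_SIZE=${VM_SIZE:-Standard_D4s_v3}      # production: Standard_D8s_v3 or larger

# ip_to_int 10.1.1.0 -> 167837952 (dotted quad to a 32-bit integer)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains OUTER INNER: succeeds when every address of INNER lies in OUTER
cidr_contains() {
    outer_ip=${1%/*}; outer_len=${1#*/}
    inner_ip=${2%/*}; inner_len=${2#*/}
    # a larger block can never fit inside a smaller one
    [ "$inner_len" -ge "$outer_len" ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - outer_len)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$outer_ip") & mask )) -eq $(( $(ip_to_int "$inner_ip") & mask )) ]
}

# json_field KEY: print the string value of KEY from a flat, one-key-per-line
# JSON object on stdin, such as the output of az ad sp create-for-rbac
json_field() {
    sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

provision() {
    cidr_contains "$VNET_CIDR" "$SUBNET_CIDR" ||
        { echo "subnet $SUBNET_CIDR is not inside vnet $VNET_CIDR" >&2; return 1; }

    # Create the service principal once and parse its credentials from the JSON
    # output; the secret stays in a variable instead of the shell history.
    SP_JSON=$(az ad sp create-for-rbac -n "$SP_NAME" --skip-assignment -o json)
    SP_APP_ID=$(printf '%s\n' "$SP_JSON" | json_field appId)
    SP_PASSWORD=$(printf '%s\n' "$SP_JSON" | json_field password)
    [ -n "$SP_APP_ID" ] && [ -n "$SP_PASSWORD" ] ||
        { echo "could not read service principal credentials" >&2; return 1; }

    az network vnet create -g "$RESOURCE_GROUP" -n "$VNET_NAME" \
        --address-prefix "$VNET_CIDR" \
        --subnet-name "$SUBNET_NAME" --subnet-prefix "$SUBNET_CIDR"

    SUBNET_ID=$(az network vnet subnet show --resource-group "$RESOURCE_GROUP" \
        --vnet-name "$VNET_NAME" --name "$SUBNET_NAME" --query id -o tsv)

    az aks create -g "$RESOURCE_GROUP" -n "$AKS_NAME" -c "$NODE_COUNT" \
        --kubernetes-version "$K8S_VERSION" --generate-ssh-keys \
        --node-vm-size "$VM_SIZE" --vm-set-type VirtualMachineScaleSets \
        --service-principal "$SP_APP_ID" --client-secret "$SP_PASSWORD" \
        --load-balancer-sku basic --vnet-subnet-id "$SUBNET_ID"
}

if [ "${RUN_AZ:-0}" = "1" ]; then
    provision
fi
```

Run it as RUN_AZ=1 sh prepare-aks.sh from the Azure Cloud Shell after logging in. The CIDR check catches the most common cause of a failed az aks create in a custom network (a subnet prefix outside the virtual network's range) before any resource is billed; the client secret still appears in the arguments of the az process while it runs, so treat the Cloud Shell session itself as sensitive.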

Next Step: Preparing the Subnet for the NFS Server and Jump Host