You are designing a microservices architecture that will be hosted in an Azure Kubernetes Service (AKS) cluster. Apps that will consume the microservices will be hosted on Azure virtual machines. The virtual machines and the AKS cluster will reside on the same virtual network.
You need to design a solution to expose the microservices to the consumer apps. The solution must meet the following requirements:
-> Ingress access to the microservices must be restricted to a single private IP address and protected by using mutual TLS authentication.
-> The number of incoming microservice calls must be rate-limited.
-> Costs must be minimized.
What should you include in the solution?
Click on the arrows to vote for the correct answer
A. B. C. D.D
One option is to deploy APIM (API Management) inside the cluster VNet.
The AKS cluster and the applications that consume the microservices might reside within the same VNet, hence there is no reason to expose the cluster publicly as all API traffic will remain within the VNet. For these scenarios, you can deploy API Management into the cluster VNet. API Management Premium tier supports
VNet deployment.
https://docs.microsoft.com/en-us/azure/api-management/api-management-kubernetesTo meet the requirements of restricting ingress access to the microservices to a single private IP address, using mutual TLS authentication, and rate-limiting incoming microservice calls, you can use Azure API Management (APIM) and configure it to integrate with the AKS cluster.
Azure API Management provides a managed solution for publishing APIs to external and internal consumers. It allows you to control access to APIs, rate-limit requests, and apply policies to APIs. APIM can be used to expose microservices hosted in an AKS cluster to external consumers securely.
Therefore, the best option to include in the solution would be option B, Azure API Management Standard tier with a service endpoint.
Explanation of options: A. Azure App Gateway with Azure Web Application Firewall (WAF) - Azure App Gateway provides layer 7 load balancing for web applications. However, it is not the best fit for exposing microservices. Moreover, the WAF cannot restrict ingress access to a single private IP address or perform mutual TLS authentication. C. Azure Front Door with Azure Web Application Firewall (WAF) - Azure Front Door is a global load balancer that can be used to route traffic to backend services. However, it is not designed to expose microservices. Moreover, the WAF cannot restrict ingress access to a single private IP address or perform mutual TLS authentication. D. Azure API Management Premium tier with virtual network connection - The Premium tier of Azure API Management allows for a virtual network connection, which provides private access to the APIM instance. However, it is a more expensive option compared to the Standard tier, which meets the requirements of the solution. Additionally, the virtual network connection does not provide rate-limiting capabilities, which is a requirement of the solution.