Is it a must that I have to use aad Pod Identity to connect from AKS to Cosmos db ?

Here is my situation:

React SPA --calls-- Azure APIM --calls-- AKS --calling-- Cosmos DB.

My React SPA calls a .NET Core microservice (through APIM, which validates the token against Azure AD), and the microservice needs to talk to Cosmos DB.

I have created an AKS cluster, which created the virtual network by default.
I have created a subnet in the above VNet to map my Cosmos DB.

In Cosmos DB I have created a private endpoint and mapped it to the subnet of the AKS VNet.

The question is: if I have this set up, will I be able to retrieve data from the database? Or do I still need to have AAD Pod Identity set up to access PaaS resources like Cosmos DB or Azure Key Vault?

Appreciate your response.

Thanks!
-Mathew

azure-kubernetes-service

1 Answer

singhh-msft answered (edited)

@MathewJames-8093, thank you for reaching out to us. Happy to help. Pod Identity is generally used when one wants to avoid using connection strings and keys in k8s secrets, etc. (additionally, note that PI is a stable feature). If that is not the case for you, you need not use it. Also note that it might be expected in GA by the end of this year (though it is not confirmed).

Alternatively, you can go ahead and use ASO (Azure Service Operator) as it is currently in GA. Let me know if this answer helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
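To make the distinction in the answer concrete: a private endpoint only gives the pod a network path to Cosmos DB; the request still has to authenticate, and Pod Identity is what lets the pod do that with a managed identity instead of an account key kept in a Kubernetes Secret. The manifests below are an added illustration (not from the answer or the AAD Pod Identity project); the identity name, resource group, subscription and client ID are placeholders to replace with your own.

```yaml
# AAD Pod Identity (v1 CRDs): map a user-assigned managed identity to pods
# by label. The network path (private endpoint) is configured separately;
# these objects only supply the credential the app uses to authenticate.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: cosmos-reader-identity
  namespace: default
spec:
  type: 0            # 0 = user-assigned managed identity
  # Placeholder resource ID and client ID of the managed identity.
  resourceID: /subscriptions/<SUBSCRIPTION_ID>/resourcegroups/<RG_NAME>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cosmos-reader-identity
  clientID: <CLIENT_ID_GUID>
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: cosmos-reader-binding
  namespace: default
spec:
  azureIdentity: cosmos-reader-identity
  selector: cosmos-reader   # pods carrying this label value get the identity
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders-api
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: orders-api
  template:
    metadata:
      labels:
        app: orders-api
        aadpodidbinding: cosmos-reader   # must match the binding's selector
    spec:
      containers:
        - name: orders-api
          image: <REGISTRY>/orders-api:<TAG>   # placeholder image
          env:
            # Only the endpoint is configured; no account key in a Secret.
            - name: COSMOS_ENDPOINT
              value: https://<ACCOUNT_NAME>.documents.azure.com:443/
```

With this in place the .NET service can build its Cosmos client with a token credential (for example `DefaultAzureCredential` from Azure.Identity, which picks up the pod-bound identity) rather than a key; the managed identity must still be granted the appropriate Cosmos DB data-plane role, which is assumed here and not shown.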




Thank you Harshita for the prompt response.

I remember seeing that video a while back. I believe OSBA is slightly older, right? Are people still using it? I saw a post from PramodValavala

here - https://docs.microsoft.com/en-us/answers/questions/238530/how-to-connect-azure-service-bus-to-pods-in-aks.html

where he talks about Azure Service Operator (alternative to Azure OSBA).

Not sure why Microsoft does not have a simple solution to connect Azure AKS to other Azure PaaS services?

I believe the current best option is to use AAD Pod Identity (which is again not in GA and cannot be recommended to a client, as we cannot go to production with it).

Any other comments and thoughts anyone ?

Thanks in Advance!
-Mathew


@MathewJames-8093, please check out my updated comment above.


Thanks a lot, Harshitha, for the reply. That makes sense now.

Thanks for confirming that Azure Service Operator is in GA.

I will look into Azure Service Operator first and then, as a second step, into PI.

Thanks!
-Mathew


@MathewJames-8093, just checking in to see if you got a chance to look at my previous response.


Yes, Harshita.

Thanks


Thanks a lot, Harshita, for the prompt response. I will look into ASO soon and also into Pod Identity. Once again, thanks a ton for all the help.

Regards
-Mathew