Networking
AKS
Uses an Azure virtual network together with Kubernetes networking (Services, Ingress, NetworkPolicy).
The cluster needs just one subnet for node ingress and egress traffic. Workloads are exposed inside the VNet through Kubernetes Services backed by an internal load balancer, so no Private Links or Private Endpoints are needed to reach them. This keeps the virtual network topology and configuration simple and reduces the effort required from the NetOps team.
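As an added example (not code from the original article), the manifests below show the two pieces that make this work on AKS: a Service backed by an Azure internal load balancer, which receives a private IP from the AKS subnet, and a NetworkPolicy that limits which sources may reach the pods, because a namespace by itself is not a network boundary. The namespace "shop", the label "app: orders", the container port 8080 and the VNet range 10.0.0.0/16 are assumptions for illustration.

```yaml
# Added example, not from the original article. Assumed: namespace "shop",
# pods labelled app=orders listening on 8080, VNet address space 10.0.0.0/16.
apiVersion: v1
kind: Service
metadata:
  name: orders
  namespace: shop
  annotations:
    # Ask AKS for an Azure internal load balancer. The Service gets a private
    # IP from the AKS subnet, so clients in the VNet (or peered / VPN networks)
    # reach it without any Private Endpoint.
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:
    app: orders
  ports:
    - name: http
      port: 80
      targetPort: 8080
---
# Namespaces only separate objects; traffic isolation needs a NetworkPolicy.
# Traffic through the internal LB arrives either with the VNet client's IP or,
# when kube-proxy forwards it to a pod on another node, SNAT'd to the node IP.
# Both are inside the VNet range, so allowing that range covers both cases
# while still blocking pods from other namespaces that are not in it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-vnet-only
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: orders
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 10.0.0.0/16   # assumed VNet address space
      ports:
        - protocol: TCP
          port: 8080
```

The NetworkPolicy is only enforced when the cluster was created with a policy engine (az aks create ... --network-policy azure or calico); on a cluster without one it is accepted but has no effect, which is an easy thing to miss in a review.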
Azure App Services
App Services complicate the virtual network topology and configuration. Outbound VNet integration needs a dedicated, delegated subnet per App Service Plan, and private inbound access needs a Private Endpoint per app, so the VNet has to be sliced manually into separate address spaces for each plan.
The resulting constant dependency on the NetOps team can negatively impact development team productivity.
Azure App Service Environment
Offers full VNet integration: the environment is deployed into its own subnet with dedicated IP addresses, which isolates the network and improves security.
Deployed as an internal (ILB) ASE, it is a private environment reachable only from inside the VNet or over VPN or ExpressRoute gateways.
Deployment and Administrations
AKS
Deployment on AKS is encapsulated yet distributed: all workloads stay inside the cluster, and Namespaces give fine-grained logical separation between teams and environments.
Separate environments can be distinct namespaces in the same cluster or separate clusters. Creating a namespace is trivial, so spinning up a new environment is straightforward, and separate node pools add workload isolation at the compute level. Note that a namespace is a logical boundary only: network isolation between namespaces needs NetworkPolicy and access control needs RBAC.
AKS supports zero-downtime deployment through rolling updates combined with readiness and liveness probes.
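The following manifest is an added example, not code from the original article: a namespace-scoped Deployment pinned to a user node pool, with a rolling-update strategy and readiness and liveness probes so that a rollout never removes a serving pod before its replacement is ready. The namespace "shop", the image name, the node pool name "apps" and the /ready and /healthz endpoints are assumed.

```yaml
# Added example, not from the original article. Assumed: namespace "shop",
# a user node pool named "apps", an image in an ACR registry, and an app that
# serves /ready and /healthz on port 8080.
apiVersion: v1
kind: Namespace
metadata:
  name: shop
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders
  namespace: shop
spec:
  replicas: 3
  selector:
    matchLabels:
      app: orders
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0   # never go below the desired replica count
      maxSurge: 1         # start one new pod at a time
  template:
    metadata:
      labels:
        app: orders
    spec:
      # AKS labels every node with agentpool=<pool name>; pinning to a user
      # pool keeps application pods off the system pool.
      nodeSelector:
        agentpool: apps
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: orders
          image: myregistry.azurecr.io/orders:1.2.3   # assumed image
          ports:
            - containerPort: 8080
          resources:
            requests:
              cpu: 250m
              memory: 256Mi
            limits:
              memory: 512Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # Readiness gates traffic: a Service routes only to pods that pass,
          # so a new pod takes no requests until it reports ready.
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
          # Liveness restarts a pod that is stuck. Keep it looser than
          # readiness so a slow dependency does not trigger restart storms.
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 10
            failureThreshold: 3
```

With maxUnavailable set to 0, kubectl rollout status waits for each new pod's readiness probe before the old one is terminated; the resource requests are also what the horizontal pod autoscaler measures utilisation against.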
Azure App Services
App Services run on an App Service Plan, which is a set of VM instances.
Creating separate environments in App Service requires multiple App Service Plans. Compute cannot be shared between plans because each plan runs on its own instances; apps placed in the same plan do share its compute.
Azure App Service Environment
The Azure App Service Environment (ASE) provides a dedicated instance of Azure App Services within a customer’s Azure Virtual Network (VNet). To deploy an ASE, you must create and configure the ASE instance, define the VNet and subnet configuration, and establish connectivity with the customer’s network. You can deploy web applications to the ASE just like Azure App Services.
ASE administration involves managing the dedicated environment's underlying infrastructure. This includes provisioning and maintaining the ASE instances, controlling the ASE scale settings, configuring network security, and monitoring the environment's health. ASE administration requires advanced knowledge of networking and infrastructure concepts.
Scalability
AKS
Kubernetes scales on three axes: the horizontal pod autoscaler increases or decreases the number of pod replicas based on CPU and memory utilisation, the cluster autoscaler adds or removes cluster nodes when pods cannot be scheduled, and the vertical pod autoscaler adjusts the CPU and memory requests of individual pods.
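As an added example (not from the original article), the manifests below put two of those autoscalers on one Deployment: an HPA that scales replicas on CPU utilisation, and a VPA in recommendation-only mode restricted to memory, so the two never fight over the same metric. The Deployment name "orders" in namespace "shop" and the container name are assumptions.

```yaml
# Added example, not from the original article. Assumed: a Deployment "orders"
# in namespace "shop" whose container "orders" declares CPU and memory requests.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: orders
  namespace: shop
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: orders
  minReplicas: 2       # keep two replicas for availability during upgrades
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70   # percent of the pod's CPU request
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300   # avoid flapping after a burst
---
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: orders
  namespace: shop
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: orders
  updatePolicy:
    updateMode: "Off"   # publish recommendations only; never evict pods to resize
  resourcePolicy:
    containerPolicies:
      - containerName: orders
        controlledResources: ["memory"]   # HPA owns CPU; keep VPA off it
```

The HPA needs CPU requests on the pods (utilisation is a percentage of the request) and the metrics server that AKS ships by default; the VPA object needs the cluster's VPA add-on. Node capacity is handled separately by enabling the cluster autoscaler on the node pool, for example az aks nodepool update --enable-cluster-autoscaler --min-count 1 --max-count 5 on the "apps" pool, so that new replicas that do not fit trigger a new node rather than staying Pending.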
Azure App Services
Scale out: add VM instances to the App Service Plan.
Scale up: move the plan to a higher pricing tier.
If several applications share one App Service Plan, they compete for the same instances, so one noisy app can degrade the others' performance.
Azure App Service Environment
Scaling is built into the service: App Service Plans inside the ASE scale out and up as in regular App Service, without additional network configuration.
Maintainability
AKS
The cluster is configured once; new applications are onboarded by adding namespaces and manifests, with no additional NetOps complexity.
Cloud-to-cloud migration is easier with AKS because Kubernetes manifests are portable, although Azure-specific pieces (load balancer annotations, storage classes, identity integration) still need rework on another provider.
Azure App Services
Moving between environments and onboarding new applications requires NetOps effort each time (new delegated subnets and Private Endpoints).
Azure App Service Environment
It can be configured once, allowing quick onboarding of new applications without additional NetOps complexity.
Cost
The costs below are preliminary and based on a simplified infrastructure setup. Prices may have changed since the analysis was done, and the calculations are approximate only.
[Cost estimate screenshots not reproduced in text]
Examples / Reference diagrams
In this section, I’ve outlined a possible infrastructure setup that could serve as a reference architecture.
App Services
Key Highlights:
- Inbound traffic should pass through a single controlled ingress rather than the public App Service endpoint.
- Each application should reside in its own delegated subnet for isolation. To connect to or from an App Service privately, Private Endpoints must be created.
[Diagram: App Services reference architecture]
App Service Environment
Key Highlights:
- One common subnet serves all App Services in the environment.
- Applications can be deployed within a single service plan and operated independently.
[Diagram: App Service Environment reference architecture]
AKS
Key Highlights:
- A single subnet is provisioned alongside the AKS cluster.
- The control plane is fully managed, but Kubernetes version and node image upgrades remain the team's responsibility to schedule.
[Diagram: AKS reference architecture]
NOTE: This analysis was conducted without proof of concepts and relied on documentation, publicly available information, my colleagues' experience, and collective knowledge.
Azure Kubernetes Service (AKS) requires managing Kubernetes clusters and dynamic container workloads as the runtime for application components (SPAs and web apps, REST APIs, Azure Functions, workers, etc.). Azure App Service Plans provide a PaaS runtime that needs less effort for the underlying VM infrastructure but more effort and maintenance overhead for VNet integration and the required level of security isolation. Azure App Service Environment (ASE) delivers a dedicated, isolated PaaS environment that simplifies per-application networking at the cost of more advanced administrative tasks for the environment itself.