SB Saurabh Bhargav
← Back to projects
Featured

AKS Security Modernization & Platform Engineering

Transformed a traditionally deployed application into a secure, observable, cloud-native AKS platform — private networking, Istio service mesh, Key Vault secret auto-rotation, GitOps with ArgoCD, and centralized observability.

Role
Cloud Security / Platform Engineer (Lead)
Duration
May 26 – Jun 26
AzureAKSKubernetesAzure Front DoorAzure WAFAzure Key VaultWorkload IdentitySecrets Store CSI DriverIstioArgoCDACRPrometheusGrafanaAlertmanagerApplication InsightsLog Analytics
AKS Security Modernization & Platform Engineering cover

Key highlights

  • Led the security & platform modernization of a production AKS app into a secure, observable, cloud-native platform.
  • Eliminated manual secret handling with Key Vault, AKS Workload Identity, and the Secrets Store CSI Driver — automatic rotation, no redeployments.
  • Designed a private networking model behind Azure Front Door Premium + WAF, removing direct workload exposure.
  • Introduced an Istio service mesh for centralized traffic control, secure service-to-service communication, and routing flexibility.
  • Standardized delivery with GitOps (ArgoCD) across Dev, QA, and Prod, making Git the single source of truth and reducing configuration drift.
  • Built centralized observability (Prometheus, Grafana, Alertmanager, Application Insights, Log Analytics) with proactive alerting.

Overview

Led the security and platform modernization of a production application running on Azure Kubernetes Service (AKS), transforming a traditionally deployed application into a secure, observable, and scalable Kubernetes-based platform.

The project focused on strengthening security controls, standardizing application deployment, improving operational visibility, and implementing GitOps-based delivery practices while ensuring the platform remained scalable and maintainable for future growth.

The resulting architecture introduced service mesh capabilities, automated secret management, centralized monitoring, GitOps deployments, and a secure private networking model aligned with modern cloud-native best practices.

Business challenge

As the application and engineering team grew, several operational and security challenges emerged:

  • Inconsistent deployment processes across environments.
  • Limited visibility into application and infrastructure health.
  • Manual secret management and credential rotation.
  • Increasing complexity of service-to-service communication.
  • Lack of standardized deployment practices.
  • Growing operational overhead managing Kubernetes workloads.
  • Security controls that did not scale with platform growth.

The objective was to create a secure and repeatable platform capable of supporting multiple services while improving deployment reliability, operational visibility, and security posture.

Architecture

Azure AKS platform: Front Door Premium + WAF at the edge, an internal load balancer into an Istio service mesh on a private AKS cluster organized into frontend/business/platform service domains, Key Vault secret auto-rotation via the Secrets Store CSI Driver, GitOps delivery with ArgoCD, and a Prometheus/Grafana/Alertmanager observability stack.
Private AKS fronted by Front Door Premium + WAF, with Istio managing traffic, Key Vault driving zero-touch secret rotation, ArgoCD reconciling deployments from Git, and full-stack observability.

Designed a private AKS-based architecture fronted by Azure Front Door Premium and Azure WAF to provide secure ingress and global traffic management. The platform was built around Kubernetes-native principles, with workloads deployed inside a private virtual network and traffic managed through an Istio service mesh.

Application workloads were organized into distinct service domains — frontend, business, and platform services — allowing for better scalability, isolation, and operational management. GitOps practices were introduced using ArgoCD, enabling declarative deployments and environment standardization across development, QA, and production.

Security improvements

Secrets management & auto-rotation

One of the primary security initiatives involved eliminating traditional secret management practices. Implemented Azure Key Vault integration, AKS Workload Identity, the Secrets Store CSI Driver, and automated secret rotation. Applications retrieve secrets dynamically from Key Vault without requiring application redeployment or manual intervention — significantly reducing operational overhead while improving credential security and compliance readiness.

Network security

Designed a private networking architecture using an Azure Virtual Network (VNet), internal load balancers, private AKS networking, Azure Front Door Premium, and Azure WAF protection. This reduced direct exposure of workloads while ensuring secure ingress into the platform.

Service-to-service security

Implemented the Istio service mesh to improve traffic management and service communication — centralized traffic control, secure service communication, improved routing flexibility, enhanced operational visibility, and better platform standardization. The mesh also provided a foundation for future security enhancements and advanced traffic-management patterns.

Platform engineering

GitOps deployment model

Implemented GitOps workflows using ArgoCD to standardize deployments across environments:

Git Repository → ArgoCD → AKS

This delivered declarative infrastructure management, consistent deployments, environment standardization, improved deployment traceability, and reduced configuration drift. Git became the single source of truth for platform configuration and application deployment.

CI/CD automation

Built automated application delivery pipelines responsible for source validation, application build processes, container image generation, and image publication to Azure Container Registry (ACR) — reducing manual deployment effort while improving release consistency and reliability.

Observability & monitoring

A major objective was improving platform visibility and operational awareness. Implemented a centralized observability stack of Prometheus, Grafana, Alertmanager, Azure Application Insights, and Azure Log Analytics, providing visibility into Kubernetes cluster health, application performance, infrastructure metrics, service availability, traffic patterns, error rates, and platform alerts — significantly improving incident detection and troubleshooting efficiency.

Alerting & operational visibility

Implemented proactive monitoring and alerting workflows so operational issues were identified before impacting end users. Dashboards provided real-time visibility into cluster utilization, service performance, application health, platform reliability, and alert status — improving both operational response times and platform reliability.

What I led

  • Platform architecture — AKS application architecture, networking and ingress patterns, environment standardization.
  • Security engineering — Key Vault-based secret management, automated secret rotation, stronger network controls, improved workload authentication.
  • Kubernetes platform operations — Istio service mesh, standardized deployment workflows, improved scalability and maintainability.
  • GitOps & automation — ArgoCD deployment workflows, automated application delivery, reduced manual operational tasks.
  • Observability — monitoring, logging, and alerting solutions, operational dashboards, improved incident response.

Outcome

Delivered a secure, scalable, and operationally mature AKS platform capable of supporting modern cloud-native workloads. Key outcomes:

  • Automated secret management and rotation through Azure Key Vault.
  • Standardized GitOps-based deployments using ArgoCD.
  • Improved platform security through private networking and workload identities.
  • Enhanced service communication and traffic management through Istio.
  • Centralized monitoring and alerting across applications and infrastructure.
  • Reduced deployment complexity and configuration drift.
  • Improved operational visibility and troubleshooting capabilities.
  • A scalable Kubernetes platform capable of supporting future application growth and modernization.

The project transformed the environment from a traditionally managed application platform into a secure, observable, and cloud-native Kubernetes ecosystem built around automation, security, and operational excellence.

← Back to all projects