Akuity Platform for Multi-Cloud and On-Premise Hybrid Environments

So, you want to run Kubernetes clusters across multiple cloud providers (e.g. AWS, Azure, GCP) and possibly even on-premise to create a hybrid environment that allows you to run your applications both on your own infrastructure and across multiple cloud providers for reliability, regulatory compliance, optimal placement based on costs and SLAs, or what have you.

Plus, for this hybrid environment, you want to have a single Argo CD instance that can deploy applications to all of these clusters and act as an observability tool to interact with and monitor the state of your Kubernetes resources.

Of course, running Argo CD in each cluster is a possibility and can reduce the complexity required in multi-cloud and hybrid-cloud environments, but it comes at a cost. For the sake of this post, I’ll assume you are sold on a central Argo CD instance for its benefits. However, if you want a breakdown of the different architectures, check out our blog post How Many Do You Need?.

Traditionally, with open-source Argo CD, you need to have direct access from the Argo CD control plane to the Kubernetes API server of the clusters it will manage. This becomes exceptionally difficult when you're dealing with Argo CD hosted by one cloud provider, and you need direct access from that provider to your other cloud environments and your on-premise environment.

Open-Source Argo CD connecting to multiple environments.

This requires maintaining multiple VPN connections, VPC peerings, or costly direct connections between the cloud providers. You could also use port-forwarding to the cluster API server, which will cause the destination clusters to be exposed publicly, likely with an IP allow list to allow traffic only from the central Argo CD control plane.

All these solutions are cumbersome, require regular maintenance, and frankly, they're fragile. If the external IP address of the central Argo CD instance changes, or if the VPN tunnel goes down, or if you can no longer justify the costs of a direct connection between Cloud providers, you will need to find an alternative.

This is where the Akuity platform comes in. Thanks to the unique agent-based architecture of the Akuity Platform, you can host a central Argo CD instance that operates outside of any of your cloud accounts or on-premise environments. Once the Akuity Agent is deployed to your Kubernetes clusters, it will connect back to that central Argo CD instance using only an outbound connection. So, thanks to the agent-based design, the various clusters running your applications only need outbound internet access, removing any need to maintain and pay for sophisticated networking and firewall solutions.

Akuity Platform and Agent connecting to multiple environments.

Once all of the agents are deployed, the pods come up healthy and establish their outbound connection to the Argo CD instance hosted on the Akuity platform, you are left with a central interface that can be used by your platform engineers and your application developers to visualize and interact with the state of their Kubernetes resources across all of your cloud provider and on-premise environments. Without the additional cost and complexity of maintaining network connectivity between your cloud and on-premise environments.

In addition to the simplified networking requirements, the agent-based approach provides a significantly improved security model. In the open-source Argo CD, for each cluster that it manages, there will be a secret on the central Kubernetes cluster with cluster-admin access. With admin credentials and direct access to every other cluster managed by Argo CD, this central cluster creates a significant security risk. If it becomes compromised, all other clusters will also be compromised.

Open-Source Argo CD compromising connected cluster.

With the agent-based approach of the Akuity Platform, the components run locally on each cluster and connect to the Kubernetes API server from within the local cluster network. This means that the central control plane does not contain admin credentials for all of the clusters, and the only connection is outbound from the agent. Threat actors will not have credentials and direct access to your clusters if the control plane is compromised.

Akuity Platform protecting connected cluster.

Try it Out

To try the Akuity Platform, start your free trial today and have a fully managed instance of Argo CD in minutes without any concern for the underlying infrastructure.

If you want to learn how to manage the deployment of the Helm charts in a declarative fashion using Argo CD and Github, take a look at our hands-on tutorial.

Help and Support

If you want any insights on where to start with Akuity or Argo CD, please reach out to me (Nicholas Morey) on the the CNCF Slack. You can find me on the #argo-* channels, and don't hesitate to send me a direct message.

You can also schedule a technical demo with our team or go through the “Getting started” manual on the Akuity Documentation website.