In this video, we take a look at the Azure Application Gateway Ingress Controller, and learn how to use it to securely publish AKS Services.

Here is the script I’ve used to create the Application Gateway:

# creating the resource group
az group create -n <resourcegroupname> -l <location>
# create public IP
az network public-ip create -n <publicipname> -g <resourcegroupname> --allocation-method Static --sku Standard
# create application gateway with WAF enabled.
az network application-gateway create -n <appgwname> -l <location> -g <resourcegroupname> --sku WAF_v2 --public-ip-address <publicipname> --subnet /subscriptions/<subscriptionid>/resourceGroups/<aksvnetresourcegroupname>/providers/Microsoft.Network/virtualNetworks/<vnetname>/Subnets/<subnetname>

Note: The Subnet ID must point to an empty subnet within a vnet which has access (either by being the same vnet or via VPN or Peering) to the AKS Subnet.
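As an added example (not part of the original post or of AGIC itself), the shell functions below check the --subnet value before the gateway is created: the ID is well-formed with no unreplaced placeholder, it is in the same vnet as the AKS subnet (otherwise peering or a VPN is needed), and nothing is attached to it. The function names and the sample ID are constructed for illustration, and subnet_is_empty assumes a logged-in az CLI.

```shell
#!/bin/sh
# Added example, not from the original post: checks on the --subnet ID
# to run before `az network application-gateway create`.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print "<subscription> <resource-group> <vnet> <subnet>" for a subnet
# resource ID; fail on a malformed ID or an unreplaced <placeholder>.
parse_subnet_id() (
  IFS=/; set -f; set -- $1          # split on "/"; field 1 is empty
  [ $# -eq 11 ] || return 1
  shape=$(lower "$2/$4/$6/$7/$8/${10}")
  [ "$shape" = "subscriptions/resourcegroups/providers/microsoft.network/virtualnetworks/subnets" ] || return 1
  for v in "$3" "$5" "$9" "${11}"; do
    case $v in ''|*'<'*|*'>'*) return 1 ;; esac
  done
  printf '%s %s %s %s\n' "$3" "$5" "$9" "${11}"
)

# Succeeds if both subnet IDs belong to the same virtual network;
# if they do not, the two vnets need peering or a VPN between them.
same_vnet() {
  a=$(parse_subnet_id "$1") && b=$(parse_subnet_id "$2") || return 2
  [ "$(lower "${a% *}")" = "$(lower "${b% *}")" ]
}

# Succeeds if no IP configurations are attached to the subnet (a partial
# emptiness check). Assumes az is installed and logged in.
subnet_is_empty() {
  n=$(az network vnet subnet show --ids "$1" \
        --query 'length(ipConfigurations || `[]`)' -o tsv) || return 2
  [ "$n" = "0" ]
}

# Constructed sample ID, written with the post's "Subnets" casing.
SAMPLE=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-aks/Subnets/snet-appgw
parse_subnet_id "$SAMPLE"
```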

Then we enable the addon:

# enable AGIC on an existing AKS cluster
appgwId=$(az network application-gateway show -n <appgwname> -g <resourcegroupname> -o tsv --query "id")
az aks enable-addons -n <aksclustername> -g <aksresourcegroupname> -a ingress-appgw --appgw-id "$appgwId"

For reference, this was a brownfield deployment of AGIC. There is also a greenfield deployment, where enabling the addon at cluster creation should deploy everything for you automatically, including the application gateway itself. The official docs can be found here.

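Here is the YAML file used for the ingress. It uses the v1beta1 Ingress schema (serviceName/servicePort), which Kubernetes 1.22 and later no longer serve: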

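apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  tls:
    - secretName: nginx-cert
  rules:
  - host: <hostname>
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          serviceName: nginx-service
          servicePort: 80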

You can learn more about configuring AGIC through annotations from this documentation.

Enjoy :)