In this video, we take a look at the Azure Application Gateway Ingress Controller, and learn how to use it to securely publish AKS Services.
Here is the script I’ve used to create the Application Gateway:
```bash
# create the resource group
az group create -n <resourcegroupname> -l <location>

# create the public IP
az network public-ip create -n <publicipname> -g <resourcegroupname> --allocation-method Static --sku Standard

# create the application gateway with WAF enabled
az network application-gateway create -n <appgwname> -l <location> -g <resourcegroupname> \
  --sku WAF_v2 --public-ip-address <publicipname> \
  --subnet /subscriptions/<subscriptionid>/resourceGroups/<aksvnetresourcegroupname>/providers/Microsoft.Network/virtualNetworks/<vnetname>/Subnets/<subnetname>
```
Note: The Subnet ID must point to an empty subnet within a vnet which has access (either by being the same vnet or via VPN or Peering) to the AKS Subnet.
Then we enable the addon:
```bash
# enable AGIC on an existing AKS cluster
appgwId=$(az network application-gateway show -n <appgwname> -g <resourcegroupname> -o tsv --query "id")
# quote the variable so the resource ID is passed as a single argument
az aks enable-addons -n <aksclustername> -g <aksresourcegroupname> -a ingress-appgw --appgw-id "$appgwId"
```
For reference, this was a brownfield deployment of AGIC. There is also a greenfield deployment, where enabling the addon at cluster creation should deploy everything for you automatically, including the application gateway itself. The official docs can be found here.
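Here is the YAML file used for the ingress:
```yaml
# networking.k8s.io/v1beta1 was removed in Kubernetes 1.22; on newer clusters use
# networking.k8s.io/v1, where the backend is written as service.name / service.port.number.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    # hand this Ingress to the Application Gateway Ingress Controller
    kubernetes.io/ingress.class: azure/application-gateway
    # redirect HTTP requests to HTTPS
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
    # Kubernetes TLS secret holding the certificate for the host below
    - secretName: nginx-cert
      hosts:
        - sampleapp.com
  rules:
    - host: sampleapp.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              serviceName: nginx-service
              servicePort: 80
```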
You can learn more about configuring AGIC properly through annotations in this documentation.
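A pre-deployment check for the TLS settings in the manifest above, written as an added example (not code from the video or from the AGIC project). It takes the Ingress as JSON, such as `kubectl get ingress nginx-ingress -o json` returns, and reports a wrong ingress class, a missing `ssl-redirect` annotation, and any rule host not covered by a `tls` entry with a secret. The `audit_ingress` name and the sample object are assumptions; hosts are compared by exact match only, so wildcard certificates are out of scope.

```python
import json

AGIC_CLASS = "azure/application-gateway"

# Constructed sample: the page's Ingress in JSON form, trimmed to the fields checked.
SAMPLE = json.loads("""
{
  "metadata": {
    "name": "nginx-ingress",
    "annotations": {
      "kubernetes.io/ingress.class": "azure/application-gateway",
      "appgw.ingress.kubernetes.io/ssl-redirect": "true"
    }
  },
  "spec": {
    "tls": [{"secretName": "nginx-cert", "hosts": ["sampleapp.com"]}],
    "rules": [{"host": "sampleapp.com"}]
  }
}
""")

def audit_ingress(ing):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    ann = ing.get("metadata", {}).get("annotations") or {}
    spec = ing.get("spec", {})
    if ann.get("kubernetes.io/ingress.class") != AGIC_CLASS:
        findings.append("ingress class is not " + AGIC_CLASS)
    if ann.get("appgw.ingress.kubernetes.io/ssl-redirect") != "true":
        findings.append("ssl-redirect annotation is not set to true")
    covered = set()  # hosts that have a tls entry with a secret behind it
    for entry in spec.get("tls") or []:
        if entry.get("secretName"):
            covered.update(h.lower() for h in entry.get("hosts") or [])
        else:
            findings.append("tls entry without secretName")
    for rule in spec.get("rules") or []:
        host = (rule.get("host") or "").lower()
        if not host:
            findings.append("rule without host matches any hostname")
        elif host not in covered:
            findings.append(f"host {host} has no tls entry with a secret")
    return findings

if __name__ == "__main__":
    for line in audit_ingress(SAMPLE) or ["ok"]:
        print(line)
```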
Enjoy :)