The integration of AGIC with AKS simplifies the management of ingress traffic and enhances security and performance. By following the steps outlined in the tutorial, users can efficiently deploy and manage a robust ingress solution that leverages the full capabilities of Azure Application Gateway within their AKS clusters.
This setup is particularly beneficial for applications requiring advanced routing, SSL termination, and security features like WAF.
This post provides a clear and concise pathway for users to secure their AKS clusters using AGIC, making it an essential read for those looking to implement a secure and scalable cloud-native application infrastructure.
Overview:
In this post, we will create an AKS cluster with the AGIC add-on enabled. Creating the cluster will automatically create an Azure application gateway instance to use. You’ll then deploy a sample application that will use the add-on to expose the application through application gateway.
The add-on provides a much faster way to deploy AGIC for your AKS cluster than previously through Helm. It also offers a fully managed experience.
What is App Gateway Ingress Controller?
What is Azure Application Gateway Ingress Controller? | Microsoft Learn
The Application Gateway Ingress Controller (AGIC) is a Kubernetes application, which makes it possible for Azure Kubernetes Service (AKS) customers to leverage Azure’s native Application Gateway L7 load-balancer to expose cloud software to the Internet. AGIC monitors the Kubernetes cluster it’s hosted on and continuously updates an Application Gateway, so that selected services are exposed to the Internet.
The Ingress Controller runs in its own pod on the customer’s AKS. AGIC monitors a subset of Kubernetes Resources for changes.
Why do we need AGIC?
AGIC helps eliminate the need to have another load balancer/public IP address in front of the AKS cluster and avoids multiple hops in your datapath before requests reach the AKS cluster.
Application Gateway talks to pods using their private IP address directly and doesn’t require NodePort or KubeProxy services. This capability also brings better performance to your deployments.
AGIC is configured via the Kubernetes Ingress resource, along with Service and Deployments/Pods. It provides many features, using Azure’s native Application Gateway L7 load balancer. To name a few:
- URL routing
- Cookie-based affinity
- TLS termination
- End-to-end TLS
- Support for public, private, and hybrid web sites
- Integrated web application firewall
Architecture:

Difference between Helm deployment and AKS Add-On
There are two ways to deploy AGIC for your AKS cluster. The first way is through Helm; the second is through AKS as an add-on. The primary benefit of deploying AGIC as an AKS add-on is that it’s simpler than deploying through Helm. For a new setup, you can deploy a new Application Gateway and a new AKS cluster with AGIC enabled as an add-on in one line in Azure CLI. The add-on is also a fully managed service, which provides added benefits such as automatic updates and increased support. Both ways of deploying AGIC (Helm and AKS add-on) are fully supported by Microsoft. Additionally, the add-on allows for better integration with AKS as a first class add-on.
The AGIC add-on is still deployed as a pod in the customer’s AKS cluster, however, there are a few differences between the Helm deployment version and the add-on version of AGIC. The following is a list of differences between the two versions:
- Helm deployment values can’t be modified on the AKS add-on:
  - verbosityLevel is set to 5 by default
  - usePrivateIp is set to false by default; this setting can be overwritten by the use-private-ip annotation
  - shared isn’t supported on the add-on
  - reconcilePeriodSeconds isn’t supported on the add-on
  - armAuth.type isn’t supported on the add-on
- AGIC deployed via Helm supports ProhibitedTargets, which means AGIC can configure the Application Gateway specifically for AKS clusters without affecting other existing backends. AGIC add-on doesn’t currently support this capability.
- Since AGIC add-on is a managed service, customers are automatically updated to the latest version of AGIC add-on, unlike AGIC deployed through Helm where the customer must manually update AGIC.
AKS Add-On Greenfield Deployment:
Below are the deployment options available for AGIC:
- AKS Add-On Greenfield Deployment: Instructions on installing AGIC add-on, AKS, and Application Gateway on blank-slate infrastructure.
- AKS Add-On Brownfield Deployment: Install AGIC add-on on an AKS cluster with an existing Application Gateway.
- Helm Greenfield Deployment: Install AGIC through Helm, new AKS cluster, and new Application Gateway on blank-slate infrastructure.
- Helm Brownfield Deployment: Deploy AGIC through Helm on an existing AKS cluster and Application Gateway.
Instructions on installing AGIC add-on, AKS, and Application Gateway on blank-slate infrastructure.
Steps (Summary)
- Create a Resource Group: A resource group is a collection of resources sharing the same lifecycle, permissions, and policies.
- Create AKS Cluster: Deploy a new AKS cluster within the resource group using Azure CLI or the Azure portal.
- Deploy Application Gateway: Set up a new Application Gateway in the same resource group as the AKS cluster.
- Enable AGIC Add-on: Activate the AGIC add-on in the AKS cluster to allow the Application Gateway to manage ingress traffic.
- Configure Networking: Ensure proper networking setup, including subnet configurations and DNS settings for the Application Gateway and AKS cluster.
- Deploy Sample Application: Deploy a sample application to the AKS cluster to test the ingress configuration.
- Validate Deployment: Confirm that the sample application is accessible through the Application Gateway using the AGIC add-on.
Demo (step-by-step)
1. Create a resource group.
az group create --name myResourceGroup --location eastus
2. Create a new AKS cluster with the AGIC add-on enabled.
az aks create -n myCluster -g myResourceGroup --network-plugin azure --enable-managed-identity -a ingress-appgw --appgw-name myApplicationGateway --appgw-subnet-cidr "10.225.0.0/16" --generate-ssh-keys
The following resources were provisioned:

3. Deploy a sample application by using AGIC for ingress on the AKS cluster.
az aks get-credentials -n myCluster -g myResourceGroup
kubectl apply -f https://raw.githubusercontent.com/Azure/application-gateway-kubernetes-ingress/master/docs/examples/aspnetapp.yaml
4. Check that the application is reachable through application gateway.
kubectl get ingress
Check that the sample application that you created is running by either:
- Visiting the IP address of the application gateway instance that you got from running the preceding command.
- Using curl.
Application gateway might take a minute to get the update. If application gateway is still in an Updating state on the portal, let it finish before you try to reach the IP address.
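The sample manifest above lets AGIC expose the app over plain HTTP. As an added example that is not part of this post or of the Azure sample, the Ingress below exercises several of the features listed earlier (URL routing, cookie-based affinity, TLS termination with an HTTP-to-HTTPS redirect, and the use-private-ip setting) purely through AGIC annotations; it assumes a Service named `aspnetapp` on port 80 and a TLS Secret named `aspnetapp-tls` that you created beforehand in the same namespace, and `app.example.com` is a placeholder host.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: aspnetapp-tls            # hypothetical name for this added example
  annotations:
    # Hand this Ingress to AGIC rather than any other controller in the cluster
    kubernetes.io/ingress.class: azure/application-gateway
    # Terminate TLS on the Application Gateway listener and redirect HTTP to HTTPS
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    # Cookie-based affinity so a client keeps hitting the same backend pod
    appgw.ingress.kubernetes.io/cookie-based-affinity: "true"
    # Public frontend; "true" would bind the listener to the gateway's private IP
    appgw.ingress.kubernetes.io/use-private-ip: "false"
spec:
  tls:
  - hosts:
    - app.example.com            # placeholder host name (assumption)
    secretName: aspnetapp-tls    # TLS Secret you created beforehand (assumption)
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /                  # URL routing: everything under / goes to the sample app
        pathType: Prefix
        backend:
          service:
            name: aspnetapp      # Service assumed to exist on port 80
            port:
              number: 80
```

After `kubectl apply -f` on this file, `kubectl get ingress` shows the gateway address once Application Gateway leaves the Updating state, and an HTTP request to that address should be redirected to HTTPS rather than served in the clear.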

Clean up resources
When you no longer need them, delete all resources created in this tutorial by deleting myResourceGroup and MC_myResourceGroup_myCluster_eastus resource groups:
az group delete --name myResourceGroup
az group delete --name MC_myResourceGroup_myCluster_eastus
Conclusion
Integrating AGIC with AKS is a crucial step in securing and optimizing your cloud-native application infrastructure. By following the steps outlined in this tutorial, users can benefit from advanced routing, SSL termination, security features, and simplified management.
Whether you are developing applications that require advanced routing, SSL termination, or enhanced security, AGIC and AKS are the perfect combination. Don’t miss out on this opportunity to secure your AKS clusters and leverage the full power of Azure Application Gateway. Happy coding!
References:
https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-overview
https://learn.microsoft.com/en-us/azure/application-gateway/tutorial-ingress-controller-add-on-new
