Azure Application Gateway Ingress Controller (AGIC) and Cloudflare
- Published: 14 Oct 2024
- In this video, I take a look at the configuration of Application Gateway, Application Gateway Ingress Controller and Cloudflare, to publish applications running on Azure Kubernetes Service (AKS).
Link to Kubernetes YAML used in the video: gist.github.co...
Related blog post: blog.baeke.inf...
If I could like this video 100 times I would. Thanks for the excellent walkthrough
Thank you! Very nice to read that and glad you liked it.
This is what I am looking for. Very useful and well explained. Thank you very much.
Thanks a lot for explaining in detail.
This was fantastic!
Nicely explained with examples.
Thanks, nice explanation.
Does AGIC support HPA scaling for pods? Most of the examples I see use single pods, and even there AGIC sends traffic directly to the individual pod.
There is a way to scale with an HPA based on the request count in App Gateway. We did that in the past with github.com/Azure/azure-k8s-metrics-adapter but that project has been archived in favor of KEDA. I am not sure KEDA has a scaler for AG however. With AGIC, traffic always goes directly to the pod or pods. When pods are scaled with an HPA, AGIC notifies AG of the new IPs and adds them to the "back-end".
@GeertBaeke How quickly does AGIC update App Gateway about the HPA? Within a minute?
Thank you for sharing this!
Hi Geert, awesome video! How would that work in a hub and spoke model. Meaning I don't want the AKS to bypass the hub where the firewalls are deployed. Would something like this work hub (public IP -> Azure App Gateway --> Palo Alto) spoke (internal Azure LB -> ingress --> AKS subnet)? Plus AKS in userDefinedRouting mode so that egress is routed via hub as well.
For full egress control with Azure Firewall or your own, via UDR is indeed the way to go. In general, we tend to avoid it and use a load balancer or managed gateway (preferred) for egress + Network Policy.
For ingress, we tend to use AG or Front Door (or a combination) directly, without a central firewall in between. That being said, in theory, what you state above would work although I find there are too many moving bits and pieces.
I understand that, in an enterprise context, it is often difficult to convince traditional networking/security teams of excluding their solutions.
@GeertBaeke Thank you for taking the time to reply! Indeed, an Azure Policy enforcement prohibiting public IPs in spokes doesn't simplify this either.
@edemfromeden5432 Indeed. The thing is that even some very large organizations I know do not use that policy. They allow AG in product team subscriptions, with strong governance at other levels.
What if I want to use “traefik ingress controller”? I could not find any documentation for that. There is something called “traefik gateway api” but i am not sure if it even works. Can you help with this?
You are on your own in that case. It needs to be installed on AKS and linked to either an internal or external load balancer depending on your use case. I have some posts on blog.baeke.info but they are quite old already.
Is it possible to deploy with Let's Encrypt for certificates? In a scenario with a k8s cluster with many projects, domains and certificates.
This is supported... take a look at docs.microsoft.com/en-us/azure/application-gateway/ingress-controller-letsencrypt-certificate-application-gateway
@GeertBaeke Thanks.
Sorry for one more question, but do you know if it is a good idea to use one AGIC in front of many AKS clusters? Of course, if it is possible at all.
@madbpt I would think that would work as long as they are in the same vnet.
hi
Thanks for sharing the video. it is very useful.
I tried to replicate it in my lab. For some reason the pod's IP address is not added to the default backendAddressPool. It does create the rest of the config on App Gateway.
Are you using kubenet or Azure CNI? Did you create a service with a selector that adds the pod IP addresses to the endpoint object? To be sure, run kubectl get ep. You should see an endpoint with the same name as the service and the IP addresses of the pods. If the IP addresses are not listed, there is something wrong with the selector in the service. Also check that your ingress is using the service and that the ingress object is properly annotated for AGIC. You probably did that but just to be sure...
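The checks in the reply above (Service selector versus pod labels, the Endpoints object, the Ingress pointing at the Service and carrying the AGIC annotation) and the earlier point that pods added by an HPA only reach the App Gateway back-end pool through that same Endpoints object can be run as a static lint before touching the cluster. The block below is an added example, not code from the video, the linked gist or the AGIC project. It models a Deployment, Service, Ingress and HPA as Python dicts with the same shape as the Kubernetes YAML; the object names, the pod IPs and the default IngressClass name `azure-application-gateway` (for AGIC 1.7+) are assumptions for the example.

```python
"""Static wiring check for a workload published through AGIC (added example).

check_wiring() verifies the links AGIC relies on:
  * Service selector must match the pod template labels, otherwise Endpoints
    stays empty and no pod IP is added to the App Gateway backend pool;
  * Ingress must reference an existing Service and port and be tagged for AGIC
    (kubernetes.io/ingress.class: azure/application-gateway, or an
    ingressClassName of azure-application-gateway, which is an assumption here);
  * an HPA must target the Deployment the Service selects, so the pods it adds
    land in Endpoints and AGIC pushes their IPs to the backend pool.
endpoint_ips() mirrors what `kubectl get ep <service>` would list for a set of pods.
"""
import copy

AGIC_ANNOTATION = "kubernetes.io/ingress.class"
AGIC_ANNOTATION_VALUE = "azure/application-gateway"
AGIC_INGRESS_CLASS_NAME = "azure-application-gateway"  # assumed default IngressClass name

# Constructed manifests; "demo-app" and the ports are invented for the example.
DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "demo-app"},
              "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "demo-app"}},
                       "template": {"metadata": {"labels": {"app": "demo-app"}},
                                    "spec": {"containers": [{"name": "web", "image": "nginx",
                                                             "ports": [{"containerPort": 80}]}]}}}}
SERVICE = {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "demo-app"},
           "spec": {"selector": {"app": "demo-app"},
                    "ports": [{"name": "http", "port": 80, "targetPort": 80}]}}
INGRESS = {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
           "metadata": {"name": "demo-app", "annotations": {AGIC_ANNOTATION: AGIC_ANNOTATION_VALUE}},
           "spec": {"rules": [{"http": {"paths": [{"path": "/", "pathType": "Prefix",
                    "backend": {"service": {"name": "demo-app", "port": {"number": 80}}}}]}}]}}
HPA = {"apiVersion": "autoscaling/v2", "kind": "HorizontalPodAutoscaler", "metadata": {"name": "demo-app"},
       "spec": {"scaleTargetRef": {"apiVersion": "apps/v1", "kind": "Deployment", "name": "demo-app"},
                "minReplicas": 1, "maxReplicas": 5}}

# Constructed pods, as if the HPA had scaled to three replicas; the last pod belongs to another app.
SAMPLE_PODS = [
    {"metadata": {"labels": {"app": "demo-app"}}, "status": {"podIP": "10.224.0.11"}},
    {"metadata": {"labels": {"app": "demo-app"}}, "status": {"podIP": "10.224.0.12"}},
    {"metadata": {"labels": {"app": "demo-app"}}, "status": {"podIP": "10.224.0.13"}},
    {"metadata": {"labels": {"app": "other"}}, "status": {"podIP": "10.224.0.20"}},
]

# Same Service with a typo in the selector: the classic cause of an empty backend pool.
BROKEN_SERVICE = copy.deepcopy(SERVICE)
BROKEN_SERVICE["spec"]["selector"] = {"app": "demo"}


def selector_matches(selector, labels):
    """True when every selector key/value is present in labels (equality selectors only)."""
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())


def endpoint_ips(pods, selector):
    """Pod IPs that would appear in the Endpoints object of a Service with this selector."""
    return [p["status"]["podIP"] for p in pods
            if selector_matches(selector, p["metadata"].get("labels", {}))]


def check_wiring(deployment, service, ingress, hpa=None):
    """Return 'CODE: detail' findings; an empty list means the Ingress -> Service -> pod chain is intact."""
    findings = []
    pod_labels = deployment["spec"]["template"]["metadata"].get("labels", {})
    selector = service["spec"].get("selector", {})
    if not selector_matches(selector, pod_labels):
        findings.append(f"SELECTOR_MISMATCH: selector {selector} does not match pod labels "
                        f"{pod_labels}; Endpoints will be empty and the backend pool too")

    svc_name = service["metadata"]["name"]
    port_numbers = {p["port"] for p in service["spec"]["ports"]}
    port_names = {p["name"] for p in service["spec"]["ports"] if "name" in p}
    for rule in ingress["spec"].get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            backend = path["backend"]["service"]
            if backend["name"] != svc_name:
                findings.append(f"UNKNOWN_BACKEND: path {path['path']} targets service "
                                f"{backend['name']}, expected {svc_name}")
            elif (backend["port"].get("number") not in port_numbers
                  and backend["port"].get("name") not in port_names):
                findings.append(f"UNKNOWN_PORT: path {path['path']} uses port {backend['port']} "
                                f"which service {svc_name} does not expose")

    annotations = ingress["metadata"].get("annotations", {})
    if (annotations.get(AGIC_ANNOTATION) != AGIC_ANNOTATION_VALUE
            and ingress["spec"].get("ingressClassName") != AGIC_INGRESS_CLASS_NAME):
        findings.append("NO_AGIC_CLASS: ingress is not tagged for AGIC and will be ignored by it")

    if hpa is not None:
        ref = hpa["spec"]["scaleTargetRef"]
        if ref.get("kind") != "Deployment" or ref.get("name") != deployment["metadata"]["name"]:
            findings.append(f"HPA_TARGET: HPA scales {ref.get('kind')}/{ref.get('name')}, "
                            f"not Deployment/{deployment['metadata']['name']}")
    return findings


if __name__ == "__main__":
    print("intact:", check_wiring(DEPLOYMENT, SERVICE, INGRESS, HPA))
    print("broken selector:", check_wiring(DEPLOYMENT, BROKEN_SERVICE, INGRESS, HPA))
    print("endpoint IPs:", endpoint_ips(SAMPLE_PODS, SERVICE["spec"]["selector"]))
```

Run it against the manifests you are about to apply (load them with a YAML parser into the same dict shape); if the only finding is SELECTOR_MISMATCH, an empty `kubectl get ep` and an empty backendAddressPool are the expected symptoms, and fixing the selector is enough for AGIC to add the pod IPs, including the ones an HPA adds later.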
How does this work when you have APIM in between AGW and AKS?
In that case, we usually do AGW --> APIM --> Open Source Ingress (nginx, ...); we want the AGW dedicated to APIM mostly; we could use a second AGW for internal ingress of course