Expose an AKS service over HTTP or HTTPS using Application Gateway
These tutorials help illustrate the usage of Kubernetes Ingress Resources to expose an example Kubernetes service through the Azure Application Gateway over HTTP or HTTPS.
Prerequisites
- Installed ingress-azure helm chart.
  - Greenfield Deployment: If you're starting from scratch, refer to these installation instructions, which outline the steps to deploy an AKS cluster with Application Gateway and install the Application Gateway Ingress Controller on the AKS cluster.
  - Brownfield Deployment: If you have an existing AKS cluster and Application Gateway, refer to these instructions to install the Application Gateway Ingress Controller on the AKS cluster.
- If you want to use HTTPS on this application, you need an x509 certificate and its private key.
Deploy guestbook application
The guestbook application is a canonical Kubernetes application that consists of a Web UI frontend, a backend and a Redis database. By default, guestbook exposes its application through a service with name frontend on port 80. Without a Kubernetes Ingress Resource, the service isn't accessible from outside the AKS cluster. We use the application and set up Ingress Resources to access the application through HTTP and HTTPS.
Use the following instructions to deploy the guestbook application.
- Download guestbook-all-in-one.yaml from here
- Deploy guestbook-all-in-one.yaml into your AKS cluster by running
  kubectl apply -f guestbook-all-in-one.yaml
Now, the guestbook application has been deployed.
Expose services over HTTP
To expose the guestbook application, use the following ingress resource:
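# networking.k8s.io/v1 schema: pathType is required and the backend is
# given as service.name / service.port.number.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guestbook
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
  - http:
      paths:
      - pathType: ImplementationSpecific
        backend:
          service:
            name: frontend
            port:
              number: 80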
This ingress exposes the frontend service of the guestbook-all-in-one deployment as a default backend of the Application Gateway.
Save the above ingress resource as ing-guestbook.yaml.
Deploy ing-guestbook.yaml by running:
kubectl apply -f ing-guestbook.yaml
Check the log of the ingress controller for deployment status.
Now the guestbook application should be available. You can check availability by visiting the public address of the Application Gateway.
Expose services over HTTPS
Without specified hostname
Without a specified hostname, the guestbook service is available on all the hostnames pointing to the application gateway.
Before deploying the ingress, you need to create a Kubernetes secret to hold the certificate and private key. You can create a Kubernetes secret by running
kubectl create secret tls <guestbook-secret-name> --key <path-to-key> --cert <path-to-cert>
Define the following ingress. In the ingress, specify the name of the secret in the secretName section.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guestbook
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  tls:
  - secretName: <guestbook-secret-name>
  rules:
  - http:
      paths:
      - pathType: ImplementationSpecific
        backend:
          service:
            name: frontend
            port:
              number: 80
Note
Replace <guestbook-secret-name> in the above Ingress Resource with the name of your secret. Store the above Ingress Resource in a file named ing-guestbook-tls.yaml.
Deploy ing-guestbook-tls.yaml by running
kubectl apply -f ing-guestbook-tls.yaml
Check the log of the ingress controller for deployment status.
Now the guestbook application is available on both HTTP and HTTPS.
With specified hostname
You can also specify the hostname on the ingress in order to multiplex TLS configurations and services. By specifying hostname, the guestbook service is only available on the specified host.
Define the following ingress. In the ingress, specify the name of the secret in the secretName section and replace the hostname in the hosts section accordingly.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guestbook
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  tls:
  - hosts:
    - <guestbook.contoso.com>
    secretName: <guestbook-secret-name>
  rules:
  - host: <guestbook.contoso.com>
    http:
      paths:
      - pathType: ImplementationSpecific
        backend:
          service:
            name: frontend
            port:
              number: 80
Deploy ing-guestbook-tls-sni.yaml by running
kubectl apply -f ing-guestbook-tls-sni.yaml
Check the log of the ingress controller for deployment status.
Now the guestbook application is available on both HTTP and HTTPS only on the specified host (<guestbook.contoso.com> in this example).
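The difference between the HTTP ingress and the two HTTPS ingresses above can be checked mechanically. The following Python script is an added example, not part of the original tutorial or of the ingress controller project: it audits Ingress objects in the JSON shape found under "items" in the output of kubectl get ingress -o json. The sample objects, the finding codes, the secret name and the admin.contoso.com host are constructed for illustration; host comparison is exact, so wildcard hosts are not handled.

```python
# Constructed sample objects (not from a real cluster); guestbook-tls is a
# placeholder secret name and admin.contoso.com a hypothetical extra host.
BACKEND = {"service": {"name": "frontend", "port": {"number": 80}}}
HTTP = {"paths": [{"pathType": "ImplementationSpecific", "backend": BACKEND}]}
SAMPLE = [
    {"metadata": {"name": "guestbook-http"}, "spec": {"rules": [{"http": HTTP}]}},
    {"metadata": {"name": "guestbook-https"},
     "spec": {"tls": [{"secretName": "guestbook-tls"}], "rules": [{"http": HTTP}]}},
    {"metadata": {"name": "guestbook-sni"},
     "spec": {"tls": [{"hosts": ["guestbook.contoso.com"], "secretName": "guestbook-tls"}],
              "rules": [{"host": "guestbook.contoso.com", "http": HTTP},
                        {"host": "admin.contoso.com", "http": HTTP}]}},
]


def audit_ingress(ing):
    """Return sorted finding codes for one Ingress object (parsed JSON)."""
    spec = ing.get("spec") or {}
    tls = spec.get("tls") or []
    findings = set()
    if not tls:
        findings.add("no-tls")  # plain HTTP only
    tls_hosts = {h for entry in tls for h in entry.get("hosts") or []}
    catch_all = any(not entry.get("hosts") for entry in tls)
    if catch_all:
        findings.add("tls-any-host")  # certificate answers on every hostname
    if any(not entry.get("secretName") for entry in tls):
        findings.add("tls-without-secret")
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if not host:
            findings.add("rule-any-host")  # reachable under any hostname
        elif tls and not catch_all and host not in tls_hosts:
            findings.add("host-not-in-tls:" + host)  # no TLS entry names it
        for path in (rule.get("http") or {}).get("paths") or []:
            if "serviceName" in (path.get("backend") or {}):
                findings.add("legacy-backend")  # v1beta1 fields under v1
            if not path.get("pathType"):
                findings.add("missing-pathType")  # required by v1
    return sorted(findings)


def audit(items):
    """Map each Ingress name to its findings."""
    return {i["metadata"]["name"]: audit_ingress(i) for i in items}


if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(name, ", ".join(found) or "ok")
```
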
Integrate with other services
The following ingress allows you to add other paths into this ingress and redirect those paths to other services:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guestbook
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
  - http:
      paths:
      - path: </other/*>
        pathType: ImplementationSpecific
        backend:
          service:
            name: <other-service>
            port:
              number: 80
      - pathType: ImplementationSpecific
        backend:
          service:
            name: frontend
            port:
              number: 80