You can use a private IP address for internal routing to expose an ingress endpoint within a cluster to the rest of a virtual network.
There are two ways to configure a controller to use a private IP for ingress: assigning the private IP to a particular ingress or assigning it globally.
To complete the tasks in this article, you need Azure Application Gateway with a private IP configuration.
To expose a particular ingress over private IP, use the annotation appgw.ingress.kubernetes.io/use-private-ip in the ingress:
appgw.ingress.kubernetes.io/use-private-ip: "true"
For Application Gateway deployments without a private IP, ingresses annotated with appgw.ingress.kubernetes.io/use-private-ip: "true" are ignored. The ingress event and the Application Gateway Ingress Controller (AGIC) pod log indicate this problem:
Here's the error as indicated in the ingress event:
Events:
  Type     Reason       Age               From                                                           Message
  ----     ------       ----              ----                                                           -------
  Warning  NoPrivateIP  2m (x17 over 2m)  azure/application-gateway, prod-ingress-azure-5c9b6fcd4-bctcb  Ingress default/hello-world-ingress requires Application Gateway applicationgateway3026 has a private IP address
Here's the error as indicated in AGIC logs:
E0730 18:57:37.914749 1 prune.go:65] Ingress default/hello-world-ingress requires Application Gateway applicationgateway3026 has a private IP address
If you need to restrict all ingresses to be exposed over private IP, use appgw.usePrivateIP: true in the Helm configuration:
appgw:
  subscriptionId: <subscriptionId>
  resourceGroup: <resourceGroupName>
  name: <applicationGatewayName>
  usePrivateIP: true
This setting makes the ingress controller filter the IP address configurations for a private IP when it's configuring the frontend listeners on the Application Gateway deployment. AGIC can stop working if the value of usePrivateIP is true and no private IP is assigned.
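The following audit sketch is an added example, not code from AGIC or from this article. It combines the per-ingress annotation and the global usePrivateIP setting to report which ingresses end up private, public, or ignored. The function name, the sample ingresses, and the assumption that an ingress with neither setting lands on the gateway's public frontend are illustrative; the input is assumed to be already limited to ingresses that AGIC handles.

```python
import json

PRIVATE_IP_ANNOTATION = "appgw.ingress.kubernetes.io/use-private-ip"

def audit(ingress_list, global_use_private_ip, gateway_has_private_ip):
    """Map 'namespace/name' to 'private', 'public' or 'ignored'.

    ingress_list: parsed output of `kubectl get ingress -A -o json`.
    global_use_private_ip: value of appgw.usePrivateIP in the Helm values.
    gateway_has_private_ip: whether the gateway has a private frontend IP.
    """
    if global_use_private_ip and not gateway_has_private_ip:
        # The state in which the article says AGIC can stop working.
        raise ValueError("usePrivateIP is true but the gateway has no private IP")
    result = {}
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        # Only the documented literal "true" counts; any other value is
        # reported as public so that a typo gets reviewed rather than trusted.
        wants_private = (global_use_private_ip
                         or annotations.get(PRIVATE_IP_ANNOTATION) == "true")
        if not wants_private:
            exposure = "public"   # assumption: served on the public frontend
        elif gateway_has_private_ip:
            exposure = "private"
        else:
            exposure = "ignored"  # AGIC skips it and emits a NoPrivateIP event
        key = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        result[key] = exposure
    return result

# Constructed sample input, trimmed to the fields the audit reads.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "hello-world-ingress", "namespace": "default",
                "annotations": {"appgw.ingress.kubernetes.io/use-private-ip": "true"}}},
  {"metadata": {"name": "billing", "namespace": "internal",
                "annotations": {"appgw.ingress.kubernetes.io/use-private-ip": "yes"}}},
  {"metadata": {"name": "storefront", "namespace": "web"}}
]}
""")

if __name__ == "__main__":
    for name, exposure in audit(SAMPLE, False, True).items():
        print(f"{exposure:8} {name}")
```

Ingresses reported as public or ignored are the ones to review when the intent is to keep all traffic inside the virtual network.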
Note
Application Gateway v2 requires a public IP. If you require Application Gateway to be private, attach a network security group to the Application Gateway deployment's subnet to restrict traffic.