What is Application Gateway Ingress Controller?

The Application Gateway Ingress Controller (AGIC) is a Kubernetes application that makes it possible for Azure Kubernetes Service (AKS) customers to use Azure's native Application Gateway L7 load balancer to expose cloud software to the Internet. AGIC monitors the Kubernetes cluster it is hosted on and continuously updates an Application Gateway, so that selected services are exposed to the Internet.

The Ingress Controller runs in its own pod on the customer's AKS cluster. AGIC monitors a subset of Kubernetes resources for changes. The state of the AKS cluster is translated into Application Gateway-specific configuration and applied through Azure Resource Manager (ARM).

Benefits of Application Gateway Ingress Controller

AGIC eliminates the need for another load balancer/public IP in front of the AKS cluster and avoids multiple hops in your data path before requests reach the AKS cluster. Application Gateway talks to pods directly using their private IPs and does not require NodePort or kube-proxy services. This also brings better performance to your deployments.

The Ingress Controller is supported exclusively on the Standard_v2 and WAF_v2 SKUs, which also gives you autoscaling benefits. Application Gateway can react to an increase or decrease in traffic load and scale accordingly, without consuming any resources from your AKS cluster.

Using Application Gateway in addition to AGIC also helps protect your AKS cluster by providing TLS policy and Web Application Firewall (WAF) functionality.

Figure: Azure Application Gateway + AKS

AGIC is configured via the Kubernetes Ingress resource, along with Services and Deployments/Pods. It provides a number of features, leveraging Azure's native Application Gateway L7 load balancer. To name a few:

  • URL routing
  • Cookie-based affinity
  • TLS termination
  • End-to-end TLS
  • Support for public, private, and hybrid web sites
  • Integrated web application firewall
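As an added example (it is not part of this page and not taken from the AGIC project's own documentation), here is a Kubernetes Ingress resource of the kind AGIC reads and translates into Application Gateway configuration. It exercises several of the features listed above: URL routing, TLS termination with an HTTP-to-HTTPS redirect, end-to-end TLS to the pods, cookie-based affinity, and a private (internal-only) site. Only the use-private-ip annotation is named on this page; the other annotation names are assumed from AGIC's published annotation set, and every hostname, namespace, service and secret name is constructed for illustration.

```yaml
# Added example: an Ingress that AGIC would turn into Application Gateway
# listeners, rules and backend pools. The use-private-ip annotation is the one
# this page mentions; the remaining annotation names are assumed from AGIC's
# published annotation set, and all names/hosts below are constructed.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-frontend              # constructed name
  namespace: shop                  # constructed namespace
  annotations:
    # Hand this Ingress to AGIC rather than to any other ingress controller
    kubernetes.io/ingress.class: azure/application-gateway
    # Expose the site on the gateway's private frontend IP only: it stays
    # reachable inside the VNet / over hybrid connectivity, not from the Internet
    appgw.ingress.kubernetes.io/use-private-ip: "true"
    # TLS termination at the gateway, with plain HTTP redirected to HTTPS
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    # Re-encrypt from the gateway to the pods (end-to-end TLS), so the hop
    # across the VNet is protected as well
    appgw.ingress.kubernetes.io/backend-protocol: "https"
    # Gateway-managed affinity cookie so one client sticks to one pod
    appgw.ingress.kubernetes.io/cookie-based-affinity: "true"
spec:
  tls:
    - hosts:
        - shop.internal.example   # constructed hostname
      secretName: shop-tls        # constructed: a kubernetes.io/tls Secret in this namespace
  rules:
    - host: shop.internal.example
      http:
        paths:
          # URL routing: /api/* is sent to the API service, everything else
          # to the web front end
          - path: /api/*
            pathType: ImplementationSpecific
            backend:
              service:
                name: shop-api    # constructed Service, serving TLS on 443
                port:
                  number: 443
          - path: /
            pathType: Prefix
            backend:
              service:
                name: shop-web    # constructed Service, serving TLS on 443
                port:
                  number: 443
```

Because AGIC addresses pods by their private IPs (as described above), the Services referenced here need no NodePort; ClusterIP Services are sufficient. With use-private-ip set, the Application Gateway must have a private frontend IP configured, otherwise AGIC has nothing to bind the listener to.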

Difference between Helm deployment and AKS add-on

There are two ways to deploy AGIC for your AKS cluster. The first is through Helm; the second is through AKS as an add-on. The primary benefit of deploying AGIC as an AKS add-on is that it's much simpler than deploying through Helm. For a new setup, you can deploy a new Application Gateway and a new AKS cluster with AGIC enabled as an add-on in one line in the Azure CLI. The add-on is also a fully managed service, which provides added benefits such as automatic updates and increased support. AGIC deployed through Helm is not supported by AKS; AGIC deployed as an AKS add-on is.

The AGIC add-on is still deployed as a pod in the customer's AKS cluster; however, there are a few differences between the Helm deployment version and the add-on version of AGIC. Below is a list of differences between the two versions:

  • Helm deployment values cannot be modified on the AKS add-on:
    • verbosityLevel is set to 5 by default
    • usePrivateIp is set to false by default; this can be overridden per Ingress with the use-private-ip annotation
    • shared is not supported on the add-on
    • reconcilePeriodSeconds is not supported on the add-on
    • armAuth.type is not supported on the add-on
  • AGIC deployed via Helm supports ProhibitedTargets, which means AGIC can configure the Application Gateway specifically for AKS clusters without affecting other existing backends. The AGIC add-on doesn't currently support this.
  • Since the AGIC add-on is a managed service, customers are automatically updated to the latest version of the AGIC add-on, unlike AGIC deployed through Helm, where the customer must manually update AGIC.

Note

The AGIC AKS add-on method of deployment is currently in preview. We don't recommend running production workloads on features still in preview, so if you want to try it out, we recommend setting up a new cluster to test it with.

The following tables show which scenarios are currently supported with the Helm deployment version and the AKS add-on version of AGIC.

AKS add-on AGIC (single AKS cluster)

             1 Application Gateway               2+ Application Gateways
1 AGIC       Yes, this is supported              No, this is in our backlog
2+ AGICs     No, only 1 AGIC supported/cluster   No, only 1 AGIC supported/cluster

Helm-deployed AGIC (single AKS cluster)

             1 Application Gateway                                  2+ Application Gateways
1 AGIC       Yes, this is supported                                 No, this is in our backlog
2+ AGICs     Must use shared ProhibitedTarget functionality         Yes, this is supported
             and watch separate namespaces

Helm-deployed AGIC (2+ AKS clusters)

             1 Application Gateway                                  2+ Application Gateways
1 AGIC       N/A                                                    N/A
2+ AGICs     Must use shared ProhibitedTarget functionality         N/A
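The "shared ProhibitedTarget" cells in the two Helm tables above refer to AGIC's prohibited-target custom resource, which is what lets several controllers (or a controller plus hand-configured backends) coexist on one Application Gateway without one of them deleting the others' listeners and backend pools. The following is an added example, not from this page and not the AGIC project's own code: the custom resource kind and its spec fields are assumed from AGIC's Helm chart as I know it, and the hostname and paths are constructed.

```yaml
# Added example: fence off a backend on a shared Application Gateway so that
# this AGIC instance (deployed via Helm with the chart's `shared` value
# enabled, as the page's table requires) leaves it untouched. The CRD kind
# and spec fields are assumed from AGIC's Helm chart; host and paths are
# constructed for illustration.
apiVersion: appgw.ingress.k8s.io/v1
kind: AzureIngressProhibitedTarget
metadata:
  name: legacy-billing-backend     # constructed name
spec:
  # Gateway configuration for this host and these paths belongs to someone
  # else (another AGIC in a second cluster, or a manually configured backend
  # pool). AGIC will neither create, modify nor remove listeners, rules or
  # pools that match this target, so a reconcile from this cluster cannot
  # take the other backend offline.
  hostname: billing.example.internal
  paths:
    - /legacy/*
```

Each AGIC instance that shares the gateway needs its own prohibited-target resources covering everything it does not own, and, as the single-cluster table notes, each instance should watch its own namespace so that two controllers never reconcile the same Ingress objects.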

Next steps