Use private IP for internal routing for an Ingress endpoint
This feature allows exposing the ingress endpoint within the Virtual Network using a private IP.
Pre-requisites
Application Gateway with a Private IP configuration
There are two ways to configure the controller to use a Private IP for ingress:
Assign to a particular ingress
To expose a particular ingress over Private IP, use the annotation appgw.ingress.kubernetes.io/use-private-ip in the Ingress.
Usage
appgw.ingress.kubernetes.io/use-private-ip: "true"
For Application Gateways without a Private IP, Ingresses annotated with appgw.ingress.kubernetes.io/use-private-ip: "true" will be ignored. This will be indicated in the ingress event and the AGIC pod log.
Error as indicated in the Ingress Event
Events:
  Type     Reason       Age               From                                                           Message
  ----     ------       ----              ----                                                           -------
  Warning  NoPrivateIP  2m (x17 over 2m)  azure/application-gateway, prod-ingress-azure-5c9b6fcd4-bctcb  Ingress default/hello-world-ingress requires Application Gateway applicationgateway3026 has a private IP address
Error as indicated in AGIC Logs
E0730 18:57:37.914749 1 prune.go:65] Ingress default/hello-world-ingress requires Application Gateway applicationgateway3026 has a private IP address
Assign Globally
If the requirement is to restrict all Ingresses to be exposed over Private IP, use appgw.usePrivateIP: true in the helm config.
Usage
appgw:
  subscriptionId: <subscriptionId>
  resourceGroup: <resourceGroupName>
  name: <applicationGatewayName>
  usePrivateIP: true
This will make the ingress controller filter the IP address configurations for a Private IP when configuring the frontend listeners on the Application Gateway.
AGIC will panic and crash if usePrivateIP: true is set and no Private IP is assigned.
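A pre-deployment check that models the two behaviours described above (an annotated Ingress being ignored with a NoPrivateIP event, and the global usePrivateIP setting causing a panic) when the gateway has no private frontend IP. This is an added example, not AGIC's own code or part of the original page; the frontend IP configurations and the Ingress object are constructed sample data shaped like the Azure and Kubernetes resources, with placeholder resource ids.

```python
# Constructed example: models AGIC's documented behaviour so that manifests
# and gateway frontend configuration can be sanity-checked before deploy.
USE_PRIVATE_IP = "appgw.ingress.kubernetes.io/use-private-ip"


def gateway_has_private_ip(frontend_ip_configs):
    """True if any frontend IP configuration carries a private address."""
    return any(cfg.get("privateIPAddress") for cfg in frontend_ip_configs)


def wants_private_ip(ingress):
    """True if the Ingress carries use-private-ip: "true" (a string, as in YAML)."""
    annotations = ingress.get("metadata", {}).get("annotations", {}) or {}
    return str(annotations.get(USE_PRIVATE_IP, "")).lower() == "true"


def check(ingresses, frontend_ip_configs, helm_use_private_ip=False):
    """Return (severity, message) findings for the two failure modes:
    global appgw.usePrivateIP with no private IP (AGIC panics), and an
    annotated Ingress with no private IP (ignored, event NoPrivateIP)."""
    findings = []
    has_private = gateway_has_private_ip(frontend_ip_configs)
    if helm_use_private_ip and not has_private:
        findings.append(("fatal", "appgw.usePrivateIP: true but the gateway "
                         "has no private IP; AGIC will panic and crash"))
    for ingress in ingresses:
        meta = ingress.get("metadata", {})
        name = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        if wants_private_ip(ingress) and not has_private:
            findings.append(("warning", f"Ingress {name} requires a private "
                             "IP on the gateway; it will be ignored (NoPrivateIP)"))
    return findings


# Constructed sample data (placeholder ids, not real resources).
FRONTENDS_PUBLIC_ONLY = [
    {"name": "appGwPublicFrontendIp",
     "publicIPAddress": {"id": "<publicIPAddressResourceId>"}},
]
FRONTENDS_WITH_PRIVATE = FRONTENDS_PUBLIC_ONLY + [
    {"name": "appGwPrivateFrontendIp", "privateIPAddress": "10.0.0.10"},
]
SAMPLE_INGRESS = {
    "metadata": {"name": "hello-world-ingress", "namespace": "default",
                 "annotations": {USE_PRIVATE_IP: "true"}},
}

if __name__ == "__main__":
    for severity, message in check([SAMPLE_INGRESS], FRONTENDS_PUBLIC_ONLY,
                                   helm_use_private_ip=True):
        print(f"[{severity}] {message}")
```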
Note
Application Gateway v2 SKU requires a Public IP. Should you require Application Gateway to be private, attach a Network Security Group to the Application Gateway's subnet to restrict traffic.