使用入口终结点的专用 IP 进行内部路由Use private IP for internal routing for an Ingress endpoint

此功能允许使用专用 IP 在 Virtual Network 中公开入口终结点。This feature allows to expose the ingress endpoint within the Virtual Network using a private IP.

先决条件Pre-requisites

使用专用 IP 配置的应用程序网关Application Gateway with a Private IP configuration

可通过两种方法配置控制器以使用入口专用 IPThere are two ways to configure the controller to use Private IP for ingress,

分配到特定入口Assign to a particular ingress

若要通过专用 IP 公开特定的入口,请在入口中使用注释 appgw.ingress.kubernetes.io/use-private-ipTo expose a particular ingress over Private IP, use annotation appgw.ingress.kubernetes.io/use-private-ip in Ingress.

使用情况Usage

appgw.ingress.kubernetes.io/use-private-ip: "true"

对于没有专用 IP 的应用程序网关,将忽略使用 appgw.ingress.kubernetes.io/use-private-ip: "true" 进行注释的入口。For Application Gateways without a Private IP, Ingresses annotated with appgw.ingress.kubernetes.io/use-private-ip: "true" will be ignored. 这会在入口事件和 AGIC Pod 日志中指示。This will be indicated in the ingress event and AGIC pod log.

  • 错误,如入口事件中指示的那样Error as indicated in the Ingress Event

    Events:
Type     Reason       Age               From                                                                     Message
----     ------       ----              ----                                                                     -------
Warning  NoPrivateIP  2m (x17 over 2m)  azure/application-gateway, prod-ingress-azure-5c9b6fcd4-bctcb  Ingress default/hello-world-ingress requires Application Gateway 
applicationgateway3026 has a private IP address

  • 错误,如 AGIC 日志中指示的那样Error as indicated in AGIC Logs

    E0730 18:57:37.914749       1 prune.go:65] Ingress default/hello-world-ingress requires Application Gateway applicationgateway3026 has a private IP address

全局分配Assign Globally

如果要求是限制所有入口通过专用 IP 进行公开,请在 helm 配置中使用 appgw.usePrivateIP: trueIn case, requirement is to restrict all Ingresses to be exposed over Private IP, use appgw.usePrivateIP: true in helm config.

使用情况Usage

appgw:
    subscriptionId: <subscriptionId>
    resourceGroup: <resourceGroupName>
    name: <applicationGatewayName>
    usePrivateIP: true

在应用程序网关上配置前端侦听器时,这会使得入口控制器筛选专用 IP 的 IP 地址配置。This will make the ingress controller filter the IP address configurations for a Private IP when configuring the frontend listeners on the Application Gateway. 如果 usePrivateIP: true 且没有分配任何专用 IP,则 AGIC 会死机并崩溃。AGIC will panic and crash if usePrivateIP: true and no Private IP is assigned.

备注

应用程序网关 v2 SKU 要求公共 IP。Application Gateway v2 SKU requires a Public IP. 如果要求应用程序网关专用,请附加一个 Network Security Group 到应用程序网关的子网来限制流量。Should you require Application Gateway to be private, Attach a Network Security Group to the Application Gateway's subnet to restrict traffic.