
Comprehensive Guide to Kubernetes Ingress Controllers in Azure: Detailed Setup, Best Practices, and Practical Examples

Kubernetes Ingress Controllers are a fundamental component for managing external access to services in a Kubernetes cluster. When running Kubernetes on Azure, leveraging Azure Application Gateway as an Ingress Controller provides robust, scalable, and secure traffic management capabilities.

In this comprehensive guide, we’ll explore how to deploy and configure Kubernetes Ingress Controllers in Azure, using Azure Application Gateway, with practical examples and best practices. This post targets intermediate to advanced Kubernetes users who want to deepen their knowledge of ingress management on Azure Kubernetes Service (AKS).


Understanding Kubernetes Ingress and Azure Application Gateway

What is Kubernetes Ingress?

Kubernetes Ingress is an API object that manages external access to services in a cluster, typically HTTP/HTTPS routes. It defines rules for routing traffic to backend services based on hostnames and paths.

An Ingress Controller implements these rules by provisioning a load balancer or proxy to handle traffic. Popular controllers include NGINX, Traefik, and cloud-specific solutions like Azure Application Gateway Ingress Controller.

Azure Application Gateway as an Ingress Controller

Azure Application Gateway (AGW) is a Layer 7 load balancer that supports SSL termination, URL-based routing, and WAF capabilities. The Azure Application Gateway Ingress Controller (AGIC) integrates AGW with AKS, allowing Kubernetes Ingress resources to configure AGW dynamically.

This integration offers:

  • Native Azure load balancing and security features
  • Seamless SSL/TLS termination
  • Path-based routing and host-based routing
  • Automated provisioning and updates

Note: Azure has introduced Application Gateway for Containers, which offers enhanced performance and features. For new deployments, consider using it.


Prerequisites and Setup

Before proceeding, ensure the following:

  • An AKS cluster is deployed and accessible.
  • The Azure Application Gateway is provisioned and associated with the AKS cluster.
  • The Azure Application Gateway Ingress Controller (AGIC) is installed in your AKS cluster. This can be done via Helm charts or Azure CLI.

Refer to the AGIC installation guide for detailed instructions.

If you plan to expose services over HTTPS, prepare your X.509 TLS certificate and private key files (PEM-encoded).


Deploying the Guestbook Application on AKS

To illustrate ingress concepts, we’ll deploy the classic Kubernetes “guestbook” sample application. This app consists of a frontend web UI, a backend, and a Redis database.

Steps:

  1. Download the guestbook manifest:
curl -O https://raw.githubusercontent.com/kubernetes/examples/master/guestbook/all-in-one/guestbook-all-in-one.yaml
  2. Deploy the application to your AKS cluster:
kubectl apply -f guestbook-all-in-one.yaml
  3. Confirm all pods are running:
kubectl get pods

By default, the frontend service exposes port 80 but is not accessible externally without an ingress.


Exposing Services Over HTTP Using Ingress

To expose the frontend service through the Application Gateway, define a Kubernetes Ingress resource that AGIC will interpret.

Sample Ingress YAML (ing-guestbook.yaml):

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guestbook
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: frontend
            port:
              number: 80

Deploy the Ingress:

kubectl apply -f ing-guestbook.yaml

Validate:

  • Check the AGIC logs for any errors:
kubectl logs -l app=ingress-azure -n kube-system
  • Retrieve the public IP of the Application Gateway and access it via browser:
az network public-ip show --resource-group <resource-group> --name <public-ip-name> --query ipAddress -o tsv

This should bring up the guestbook frontend UI.


Securing Services with HTTPS

Enabling HTTPS ensures encrypted communication and improved security for your applications.

Step 1: Create Kubernetes TLS Secret

Upload your TLS certificate and key as a Kubernetes secret:

kubectl create secret tls guestbook-tls-secret --cert=path/to/cert.pem --key=path/to/key.pem

Option 1: HTTPS Without Specified Hostname

Because no host is specified, this configuration serves the certificate from guestbook-tls-secret for every hostname that resolves to your Application Gateway.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guestbook
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/ssl-redirect: "true" # Redirect HTTP to HTTPS
spec:
  tls:
  - secretName: guestbook-tls-secret
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: frontend
            port:
              number: 80

Save this as ing-guestbook-tls.yaml and apply:

kubectl apply -f ing-guestbook-tls.yaml

The annotation appgw.ingress.kubernetes.io/ssl-redirect: "true" configures Application Gateway to redirect HTTP traffic to HTTPS.

Option 2: HTTPS With Specified Hostname (SNI)

When hosting multiple domains on the same Application Gateway, specify hostnames to route traffic appropriately.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guestbook
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  tls:
  - hosts:
    - guestbook.yourdomain.com
    secretName: guestbook-tls-secret
  rules:
  - host: guestbook.yourdomain.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: frontend
            port:
              number: 80

Save as ing-guestbook-tls-sni.yaml and deploy:

kubectl apply -f ing-guestbook-tls-sni.yaml

Traffic for guestbook.yourdomain.com is now matched by SNI and TLS is terminated at the Application Gateway using the certificate from guestbook-tls-secret; requests for other hostnames do not match this rule.
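As an added example (not code from the original post or from the AGIC project), the following Python script applies the checks a reviewer would make on the plain-HTTP Ingress from the previous section and on Option 1 and Option 2 above before they reach a cluster: the AGIC class annotation is present, spec.tls is set with a secretName, the ssl-redirect annotation is "true", and, when SNI hosts are listed, every rule host has a matching spec.tls hosts entry. It works on manifests already parsed into dictionaries (what yaml.safe_load returns), so it needs no cluster. The four sample manifests are constructed here: three mirror the post's manifests, and one assumes an extra host api.yourdomain.com that is deliberately missing from spec.tls. Because Option 2 as written does not set ssl-redirect, the script reports that on it.

```python
"""Offline policy checks for AGIC Ingress manifests (added example, not part
of the original post or the AGIC project). Manifests are plain dictionaries,
i.e. the output of yaml.safe_load on the YAML shown in the post."""
from typing import Any, Dict, List

AGIC_CLASS = "azure/application-gateway"
CLASS_ANNOTATION = "kubernetes.io/ingress.class"
SSL_REDIRECT = "appgw.ingress.kubernetes.io/ssl-redirect"
VALID_PATH_TYPES = ("Prefix", "Exact", "ImplementationSpecific")


def check_ingress(manifest: Dict[str, Any]) -> List[str]:
    """Return policy findings for one parsed Ingress; [] means it passes."""
    if manifest.get("kind") != "Ingress":
        return ["not an Ingress resource"]
    annotations = manifest.get("metadata", {}).get("annotations") or {}
    spec = manifest.get("spec") or {}
    findings: List[str] = []

    # The class annotation is what hands the resource to AGIC; without it
    # no Application Gateway listener is configured for this Ingress.
    if annotations.get(CLASS_ANNOTATION) != AGIC_CLASS:
        findings.append(f"{CLASS_ANNOTATION} is not {AGIC_CLASS}")

    # No spec.tls means the gateway listens on port 80 only.
    tls_entries = spec.get("tls") or []
    if not tls_entries:
        findings.append("no spec.tls: service is exposed over plain HTTP")
    for i, entry in enumerate(tls_entries):
        if not entry.get("secretName"):
            findings.append(f"tls[{i}] has no secretName")

    # Even with TLS configured, port 80 stays reachable unless redirected.
    if annotations.get(SSL_REDIRECT) != "true":
        findings.append(f'{SSL_REDIRECT} is not "true": HTTP is not redirected to HTTPS')

    # With SNI (hosts listed under spec.tls) every rule host must be covered,
    # otherwise the gateway has no certificate to present for that name.
    tls_hosts = {h for e in tls_entries for h in (e.get("hosts") or [])}
    for i, rule in enumerate(spec.get("rules") or []):
        host = rule.get("host")
        if host and tls_hosts and host not in tls_hosts:
            findings.append(f"rules[{i}] host {host} has no matching spec.tls hosts entry")
        for j, path in enumerate((rule.get("http") or {}).get("paths") or []):
            if path.get("pathType") not in VALID_PATH_TYPES:
                findings.append(f"rules[{i}].paths[{j}] has an invalid pathType")
            service = (path.get("backend") or {}).get("service") or {}
            if not service.get("name") or not (service.get("port") or {}).get("number"):
                findings.append(f"rules[{i}].paths[{j}] backend has no service name/port")
    return findings


def ingress(annotations, tls, rules):
    """Build a minimal networking.k8s.io/v1 Ingress dict (sample scaffolding)."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": "guestbook", "annotations": annotations},
        "spec": {"tls": tls, "rules": rules},
    }


def frontend_rule(host=None):
    """One Prefix rule to the guestbook frontend on port 80, as in the post."""
    rule = {"http": {"paths": [{"pathType": "Prefix", "path": "/",
            "backend": {"service": {"name": "frontend", "port": {"number": 80}}}}]}}
    if host:
        rule["host"] = host
    return rule


# Constructed samples: the first three mirror the post's manifests.
PLAIN_HTTP = ingress({CLASS_ANNOTATION: AGIC_CLASS}, [], [frontend_rule()])
OPTION_1_HTTPS = ingress(
    {CLASS_ANNOTATION: AGIC_CLASS, SSL_REDIRECT: "true"},
    [{"secretName": "guestbook-tls-secret"}],
    [frontend_rule()],
)
OPTION_2_SNI = ingress(
    {CLASS_ANNOTATION: AGIC_CLASS},
    [{"hosts": ["guestbook.yourdomain.com"], "secretName": "guestbook-tls-secret"}],
    [frontend_rule("guestbook.yourdomain.com")],
)
# Constructed: an assumed second host (api.yourdomain.com) added to the rules
# but not to spec.tls, the mistake the SNI check is meant to catch.
SNI_MISMATCH = ingress(
    {CLASS_ANNOTATION: AGIC_CLASS, SSL_REDIRECT: "true"},
    [{"hosts": ["guestbook.yourdomain.com"], "secretName": "guestbook-tls-secret"}],
    [frontend_rule("guestbook.yourdomain.com"), frontend_rule("api.yourdomain.com")],
)

if __name__ == "__main__":
    for name, m in [("plain-http", PLAIN_HTTP), ("option1", OPTION_1_HTTPS),
                    ("option2", OPTION_2_SNI), ("sni-mismatch", SNI_MISMATCH)]:
        print(name, check_ingress(m) or "OK")
```

To use it on real files, load each manifest with yaml.safe_load (PyYAML) and fail the pipeline step when check_ingress returns any finding; that turns the HTTPS and SNI rules from this section into a gate that runs before kubectl apply.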


Best Practices and Tips

1. Use Managed Certificates or Automate Renewal

For production workloads, leverage Azure Key Vault or managed certificates with automated renewal to avoid downtime due to expired certificates.

2. Monitor Ingress Controller Logs

Monitor AGIC logs (kubectl logs) for deployment issues. Use Azure Monitor and Application Insights to track Application Gateway health.

3. Leverage Path and Host-Based Routing

Use Ingress rules to route different paths or hosts to various backend services, enabling microservice architectures.

4. Enable Web Application Firewall (WAF)

Enable WAF on your Application Gateway for enhanced security against common web attacks.

5. Automate Deployments with CI/CD

Incorporate your Ingress resource deployments into CI/CD pipelines to maintain consistent and repeatable infrastructure.

6. Validate DNS Settings

Ensure DNS records for your hostnames point to the Application Gateway public IP.


Conclusion

Integrating Kubernetes Ingress Controllers with Azure Application Gateway enables robust, scalable, and secure ingress management for AKS clusters. Through this detailed guide, you should now be able to deploy applications, expose them over HTTP and HTTPS, and leverage host-based routing with best practices in mind.

As Azure evolves, keep an eye on new features like Application Gateway for Containers for enhanced performance and capabilities.

Deploying ingress resources effectively empowers you to build resilient cloud-native applications with seamless external access.


For further reading, visit the official Azure docs and GitHub repository for the Application Gateway Kubernetes Ingress Controller.


Written by Joseph Perez