Azure Aks Agic v2 (161 pages)
Azure Kubernetes Service AGIC Ingress - 30 Real-World Demos
Kalyan Reddy Daida
StackSimplify
Other StackSimplify courses: AWS EKS Kubernetes; Jenkins; Ansible; Azure Kubernetes Service AGIC Ingress - 30+ Real-World Demos; Azure AKS Kubernetes; HELM Masterclass; DevOps & 40+ Concept Demos; Azure Certs (AZ-900, 104, 204, 400); AWS ECS Docker on AWS; AWS CloudFormation; SRE; Kubernetes Roadmap; Google Cloud Associate & Professional Certs; Certifications CKAD, CKA, CKS.
- HashiCorp Certified Terraform Associate on AWS with 50 Practical Demos
- Terraform on AWS with SRE and IaC DevOps with 20 Real-World Demos
- HashiCorp Certified Terraform Associate on Azure with 75 Practical Demos
- Terraform on Azure with IaC DevOps SRE with 25 Real-World Demos
- Terraform on AWS EKS Elastic Kubernetes Service with 50+ Real-World Demos
- Google Kubernetes Engine with DevOps - 75+ Real-World Demos
© Kalyan Reddy Daida StackSimplify
Google Cloud Certifications Road Map:
- Digital Cloud Leader
- Associate Cloud Engineer
- Professional Cloud Architect
- Professional Cloud Developer
- Professional Cloud DevOps Engineer
- Professional Cloud Network Engineer
- Professional Cloud Security Engineer
- Professional Cloud Data Engineer

Google Cloud Real-World Courses Road Map:
- GKE Google Kubernetes Engine with DevOps - 75+ Real-World Demos
- Terraform on Google Cloud with DevOps SRE - 50+ Real-World Demos
- AWS EKS Kubernetes
- Azure AKS Kubernetes
- AWS ECS Docker on AWS
- Terraform on AWS Cloud
- Terraform on Azure Cloud
- Terraform on AWS EKS
Azure Kubernetes Service + Application Gateway Ingress Controller: 30 Real-World AGIC Ingress Demos (part 1)
1. Install AGIC as AKS Add-On
2. Ingress Default Backend
3. Ingress HTTP Paths and Rules
4. Ingress URL Routing (Path based Routing)
5. Ingress Backend Path Prefix
6. Ingress Backend Host Name
7. Ingress Cookie Based Affinity
8. Ingress Override Frontend Port
9. Ingress Rewrite Rule Set
10. Ingress Default and HTTP Probes
11. Ingress Readiness and Liveness Health Probes
12. Ingress Health Probe Annotations
13. Delegate DNS Domain
14. Install External DNS Controller


Azure Kubernetes Service + Application Gateway Ingress Controller: 30 Real-World AGIC Ingress Demos (part 2)
15. Ingress spec.rules.host + External DNS
16. Ingress Domain Name Routing
17. Ingress TLS SSL
18. Ingress TLS SSL Redirect
19. Ingress SSL: Reference AppGw Certs in Ingress Service
20. Ingress End to End SSL (Build Backend SSL)
21. Ingress End to End SSL (Frontend + Backend SSL)
22. Ingress SSL with Cert Manager and Lets Encrypt
23. Ingress with WAF and OWASP
24. Ingress with WAF Custom Policy
25. Ingress with Application Gateway Private IP
26. AGIC Multiple Ingress Controllers (Nginx and AGIC)
27. AGIC Install using Helm CLI
28. Share Application Gateway with other Azure Resources
29. AGIC - Watch specified Namespaces Only
Azure Kubernetes Service + Application Gateway Ingress Controller
Step-by-step documentation on GitHub for each demo.


GitHub Repositories

Repository: Course Main Repository
Used for: step-by-step documentation
URL: https://github.com/stacksimplify/azure-kubernetes-service-agic

Repository: Course Presentation
Used for: 100+ presentation slides outlining the various AGIC architectural diagrams we have implemented
URL: https://github.com/stacksimplify/azure-kubernetes-service-agic/course-presentation


Azure Application Gateway Ingress Controller (Demo-01)

[Diagram: Azure Cloud Virtual Network 10.224.0.0/12; the Application Gateway with its AppGW Public IP sits in subnet 10.225.0.0/16 and the AKS Cluster in subnet 10.224.0.0/16. Flow: AGIC Ingress Controller (1) -> k8s API Server; AGIC (2) -> Azure Resource Manager (3) -> Application Gateway]
1. AGIC monitors the k8s API Server for Ingress resources.
2. AGIC converts each Ingress resource to AppGw-specific configuration and applies it through Azure Resource Manager.
3. Azure Resource Manager applies the changes to the AppGw (continuous reconfiguration of the AppGw).


Azure AGIC - Ingress Default Backend (Demo-02)

[Diagram: Users -> AppGW Public IP -> Application Gateway -> MyApp in the AKS Cluster, routed through the Ingress Service's defaultBackend; AGIC Ingress Controller reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Azure AGIC - Ingress HTTP Rules & Paths (Demo-03)

[Diagram: Users -> AppGW Public IP -> Application Gateway; the Ingress Service's HTTP rules and paths route /app1 -> App1 in the AKS Cluster; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Azure AGIC - Ingress URL Routing (Demo-04)

[Diagram: Users -> AppGW Public IP -> Application Gateway; path routing /app1 -> App1, /app2 -> App2, default or "/" -> MyApp in the AKS Cluster; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Azure AGIC - Ingress Backend Path Prefix (Demo-05)

[Diagram: Users request http://<IP>/myapps/app1 -> AppGW Public IP -> Application Gateway; with the annotation appgw.ingress.kubernetes.io/backend-path-prefix: "/app1/" the gateway forwards /myapps/app1 to App1 at /app1, so content is served using /app1 from the Pod; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Azure AGIC - Ingress Backend Hostname (Demo-06)

[Diagram: Users -> AppGW Public IP -> Application Gateway -> / -> EchoServer in the AKS Cluster, with the annotation appgw.ingress.kubernetes.io/backend-hostname: "internal.stacksimplify.com"; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Azure AGIC - Ingress Cookie based Affinity (Demo-07-01)

[Diagram: Users -> AppGW Public IP -> Application Gateway -> / -> Echo Server in the AKS Cluster, with the annotation appgw.ingress.kubernetes.io/cookie-based-affinity: "true"; requests will be persisted to a pod; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Azure AGIC - Ingress Distinct Cookie (Demo-07-02)

[Diagram: Users -> AppGW Public IP -> Application Gateway -> / -> Echo Server in the AKS Cluster, with the annotations appgw.ingress.kubernetes.io/cookie-based-affinity: "true" and appgw.ingress.kubernetes.io/cookie-based-affinity-distinct-name: "true"; requests will be persisted to a pod; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Azure AGIC - Ingress Override Frontend Port (Demo-08)

[Diagram: Users request http://PUBLIC-IP:8080 -> AppGW Public IP -> Application Gateway -> / -> MyApp in the AKS Cluster, with the annotation appgw.ingress.kubernetes.io/override-frontend-port: "8080"; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Azure AGIC - Ingress Rewrite Rule Set (Demo-09)

[Diagram: Users -> AppGW Public IP -> Application Gateway -> / -> Echo Server in the AKS Cluster, with the annotation appgw.ingress.kubernetes.io/rewrite-rule-set: my-headers-rewrite-ruleset; the Application Gateway Rewrite Set adds header name mydomain with header value stacksimplify.com, and the rewritten data is sent to the Pod; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Health Probes

Probe priority (HIGH to LOW):
1. AGIC health probe annotations defined in the Ingress resource
2. Readiness probe defined in Kubernetes workloads (Pod, Deployment, StatefulSet)
3. Liveness probe defined in Kubernetes workloads (Pod, Deployment, StatefulSet)
4. AGIC-defined fallback health probe (default HTTP probe, HTTP path probes)

Health probes determine whether the configured backend target can serve requests.
AppGw won't send incoming requests to the backend target if a configured health probe fails. Instead, it responds to the request with an HTTP 502 error.
If the health probe is successful, incoming requests are forwarded to the backend target.

© Kalyan Reddy Daida StackSimplify


Azure AGIC - Ingress Health Probes, Usecase-1 (Demo-10-01)

[Diagram: Users -> AppGW Public IP -> Application Gateway -> / -> MyApp in the AKS Cluster; the Ingress Default Backend is probed with the default HTTP probe; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Azure AGIC - Ingress Health Probes, Usecase-2 (Demo-10-02)

[Diagram: Users -> AppGW Public IP -> Application Gateway -> /app1 -> App1 in the AKS Cluster; the Ingress HTTP path /app1 is probed with a custom HTTP probe; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Azure AGIC Ingress - Readiness Probe, Usecase-1 (Demo-11-01)

[Diagram: Users -> AppGW Public IP -> Application Gateway -> / -> App1 in the AKS Cluster; the readiness probe defined on App1 becomes the custom HTTP probe; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Azure AGIC Ingress - Liveness Probe, Usecase-2 (Demo-11-02)

[Diagram: Users -> AppGW Public IP -> Application Gateway -> / -> App2 in the AKS Cluster; the liveness probe defined on App2 becomes the custom HTTP probe; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Azure AGIC Ingress - Readiness & Liveness Probes, Usecase-3 (Demo-11-03)

[Diagram: Users -> AppGW Public IP -> Application Gateway -> / -> App1 in the AKS Cluster; App1 defines both a readiness probe and a liveness probe, one of which becomes the custom HTTP probe; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]
When both probes are present, which one takes priority?


Azure AGIC Ingress - Health Probe Annotations (Demo-12)

[Diagram: Users -> AppGW Public IP -> Application Gateway -> / -> App1 in the AKS Cluster; the Azure AGIC health probe annotations on the Ingress define the custom HTTP probe; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Delegate Domain to Azure DNS (Demo-13)

[Diagram: the domain kubeoncloud.com, registered at the domain registrar AWS Route53 (AWS Cloud), is delegated to an Azure DNS Zone for kubeoncloud.com (Azure Cloud)]


Azure AGIC Ingress - External DNS Install (Demo-14)

[Diagram: External DNS runs in the AKS Cluster alongside the AGIC Ingress Controller; it reads its Azure config file (azure.json), authenticates with the Managed Service Identity of the AKS NodePool VMSS, and manages records in Azure DNS Zones; Users -> AppGW Public IP -> Application Gateway -> AKS Cluster as before]
External DNS allows us to add, update and delete DNS records in Azure DNS Zones declaratively from the Ingress Service.


Azure AGIC Ingress - External DNS Basic (Demo-15)

[Diagram: Users resolve myapp1.kubeoncloud.com via Azure DNS Zones -> AppGW Public IP -> Application Gateway -> App1 in the AKS Cluster; External DNS (using the Managed Service Identity of the AKS NodePool VMSS) creates the record from the HOST in the Ingress Service (spec.rules.host)]


Azure AGIC - Ingress Domain Name Routing (Demo-16)

[Diagram: Users resolve eapp1.kubeoncloud.com, eapp2.kubeoncloud.com and eapp3.kubeoncloud.com via Azure DNS Zones -> AppGW Public IP -> Application Gateway, which routes by host name to App1, App2 and App3 in the AKS Cluster; External DNS (Managed Service Identity on the AKS NodePool VMSS) manages the DNS records]


Azure AGIC - Ingress SSL TLS (Demo-17)

[Diagram: Users open https://app1.kubeoncloud.com (Azure DNS Zones) -> AppGW Public IP -> Application Gateway -> App1 in the AKS Cluster; the TLS certificate (SSL cert and SSL key) is stored in a K8s Secret and referenced from the Ingress Service via spec.tls.secretName; External DNS (Managed Service Identity on the AKS NodePool VMSS) manages the DNS record]


Azure AGIC - Ingress SSL TLS Redirect (Demo-18)

[Diagram: Users open http://app1.kubeoncloud.com and are redirected HTTP -> HTTPS by the Application Gateway (annotation appgw.ingress.kubernetes.io/ssl-redirect: "true") -> App1 in the AKS Cluster; the TLS certificate (SSL cert and SSL key) is in a K8s Secret referenced via spec.tls.secretName; External DNS (Managed Service Identity on the AKS NodePool VMSS) manages the DNS record]


Azure AGIC - Ingress SSL + SSL Upload to AppGw (Demo-19)

[Diagram: Users open https://app2.kubeoncloud.com (HTTP -> HTTPS) -> AppGW Public IP -> Application Gateway -> App2 in the AKS Cluster; the TLS certificate (SSL cert and SSL key, packaged as an SSL PFX) is uploaded manually to the AppGw and referenced with the annotations appgw.ingress.kubernetes.io/appgw-ssl-certificate: "app2sslcert" and appgw.ingress.kubernetes.io/ssl-redirect: "true"; External DNS (Managed Service Identity on the AKS NodePool VMSS) manages the DNS record]


Azure AGIC Ingress E2E SSL - Build Backend SSL App (Demo-20)

[Diagram: Users open https://PUBLIC-IP -> Azure Load Balancer (LB Public IP) -> HTTPS -> MyApp in the AKS Cluster; the backend SSL cert and SSL key are stored in a K8s Secret and served by the backend itself]


Azure AGIC - Ingress E2E SSL (Demo-21)

[Diagram: Users open https://frontend.kubeoncloud.com (HTTP -> HTTPS, Azure DNS Zones) -> AppGW Public IP -> Application Gateway -> HTTPS -> MyApp in the AKS Cluster. Frontend SSL: frontend cert and key in a K8s Secret (Frontend SSL cert, Frontend SSL key). Backend SSL: backend cert or root cert, with the backend SSL cert and SSL key in a K8s Secret. External DNS (Managed Service Identity on the AKS NodePool VMSS) manages the DNS record]


Azure AGIC - Ingress SSL with Let's Encrypt (Demo-22)

[Diagram: Users open https://sapp1.kubeoncloud.com and https://sapp2.kubeoncloud.com (HTTP -> HTTPS, Azure DNS Zones) -> AppGW Public IP -> Application Gateway -> App1 (sapp1) and App2 (sapp2) in the AKS Cluster; with the annotation cert-manager.io/cluster-issuer: letsencrypt, Cert-Manager obtains auto-generated SSL certs and keys from Let's Encrypt (sapp1 SSL cert, sapp2 SSL cert) and stores them as K8s Secrets; External DNS (Managed Service Identity on the AKS NodePool VMSS) manages the DNS records]


Azure AGIC - Ingress + Enable WAF on AppGw (Demo-23)

[Diagram: Users open http://myapp1.kubeoncloud.com -> AppGW Public IP -> Application Gateway with WAF enabled (default OWASP policies) -> MyApp in the AKS Cluster; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Azure AGIC - Ingress + WAF Custom Policy (Demo-24)

[Diagram: Users open http://myapp1.kubeoncloud.com -> AppGW Public IP -> Application Gateway with WAF (default OWASP policies plus a WAF custom policy) -> MyApp in the AKS Cluster; the custom policy is attached with the annotation appgw.ingress.kubernetes.io/waf-policy-for-path: WAF-RESOURCE-ID; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Azure AGIC - Ingress Private IP (Demo-25)

[Diagram: a test user runs curl http://private-ip from a curl pod inside the AKS Cluster -> Application Gateway Private IP -> / -> Echo Server in the AKS Cluster, with the annotation appgw.ingress.kubernetes.io/use-private-ip: "true"; the AppGW Public IP is not used; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Azure AGIC - Multiple Ingress Controllers (Demo-26)

[Diagram: two ingress paths into the same AKS Cluster: Users -> Azure Load Balancer (LB Public IP) -> NGINX Ingress Controller -> App1, and Users -> AppGW Public IP -> Application Gateway -> / -> App2 via the AGIC Ingress Controller; AGIC reconfigures the Application Gateway via Azure Resource Manager as in Demo-01]


Azure Application Gateway Ingress Controller install using Helm (Demo-27)

[Diagram: same architecture as Demo-01 (AGIC Ingress Controller (1) watches the k8s API Server, (2) submits configuration to Azure Resource Manager, (3) which reconfigures the Application Gateway with its AppGW Public IP), with AGIC installed using Helm instead of the AKS add-on]


Azure AGIC - Shared Application Gateway (Demo-28)

[Diagram: AGIC runs with shared: true and an AzureIngressProhibitedTargets CRD; the Application Gateway in subnet 10.225.0.0/16 also serves myaciapp1 (myaciapp1.kubeoncloud.com) and myaciapp2 (myaciapp2.kubeoncloud.com), which are outside the AKS Cluster, while Users -> AppGW Public IP -> / -> App1 in the AKS Cluster (subnet 10.224.0.0/16) is managed by the AGIC Ingress Controller via Azure Resource Manager]


Azure AGIC - Watch Namespaces: Watch All Namespaces (Demo-29-01)

[Diagram: Users -> AppGW Public IP -> Application Gateway routes /app1 -> App1 (Namespace: Staging) and /app2 -> App2 (Namespace: Production) in the AKS Cluster; AGIC Ingress Controller watches the k8s API Server (1) and reconfigures the Application Gateway via Azure Resource Manager (2)]


Azure AGIC - Watch Namespaces: Watch Prod Namespace (Demo-29-02)

[Diagram: Users -> AppGW Public IP -> Application Gateway routes only /app2 -> App2 (Namespace: Production); App1 (Namespace: Staging) is not exposed because AGIC Ingress Controller watches only the Production namespace on the k8s API Server (1) and reconfigures the Application Gateway via Azure Resource Manager (2)]


Demo-01: Azure AKS AGIC - Greenfield Deployment - AGIC AKS Add-On


What is AGIC?
Azure Application Gateway Ingress Controller

[Diagram: Azure Cloud with an Application Gateway in front of an AKS Cluster running the AGIC Ingress Controller]
Azure AGIC is a Kubernetes application deployed on an Azure AKS cluster.
With AGIC we can expose applications deployed on the AKS cluster using the Azure Application Gateway L7 load balancer.


Azure Application Gateway Ingress Controller

[Diagram: Azure Application Gateway Ingress Controller architecture, as in the Demo-01 overview diagram: (1) AGIC monitors the k8s API Server for Ingress resources, (2) AGIC converts the Ingress resource to AppGw-specific configuration and applies it to Azure Resource Manager, (3) Azure Resource Manager applies the changes to the AppGw (continuous reconfiguration of the AppGw)]


Azure AGIC vs Other In-Cluster Ingress Controllers
(Image Reference: Microsoft Blog)

NGINX IC:
- Traffic flows via the Ingress Controller k8s Service and Pods (additional network hops).
- Uses AKS cluster compute resources for traffic flow.

AGIC:
- Traffic flows from the Application Gateway directly to the k8s Pods.
- AKS compute resources are not used for traffic flow. AGIC uses AKS compute resources only to transform the Ingress Service manifest into AppGW config and submit it to Azure Resource Manager (only during Ingress resource create/update/delete actions).

Additional Reference: https://azure.microsoft.com/en-us/blog/application-gateway-ingress-controller-for-azure-kubernetes-service/


Azure AGIC Deployment Options

As AKS Add-On (Azure recommended):
- Greenfield: new AKS cluster, new Application GW
- Brownfield: existing AKS cluster, existing Application GW
- With the AKS AGIC add-on, deployment is super simple
- Fully managed service provided by Microsoft
- Automatic updates and increased support
- First-class add-on

Using Helm:
- Greenfield: new AKS cluster, new Application GW
- Brownfield: existing AKS cluster, existing Application GW
- Supports additional features (verbose levels, auth type)
- Shared: the same AppGW can be shared with other Azure services
- ProhibitedTargets: configure the AppGw without affecting other backends
- Manual upgrade of AGIC using Helm (no automatic updates); use the latest or desired version
Azure Application Gateway Ingress Controller

[Diagram: same architecture as Demo-01, with the AGIC Ingress Controller authenticating to Azure Resource Manager through the AGIC Managed Identity to configure the Application Gateway (AppGW Public IP)]


Demo-02: Azure AKS AGIC - Ingress Default Backend

[Diagram: Ingress Default Backend architecture, as in the Demo-02 overview diagram]
[Screenshot: Ingress manifest with the Ingress Default Backend section]


Demo-03: Azure AKS AGIC - Ingress HTTP Rules & Paths

[Diagram: Ingress HTTP Rules & Paths architecture, as in the Demo-03 overview diagram: /app1 -> App1]
[Screenshot: Ingress manifest with the Ingress Class Name and the Ingress HTTP Rules & Paths sections]


Demo-04: Azure AKS AGIC - Ingress URL Routing

[Diagram: Ingress URL Routing, as in the Demo-04 overview diagram: /app1 -> App1, /app2 -> App2, default or "/" -> MyApp]
For the root context we can use either the Default Backend or HTTP Paths.
[Screenshots: Ingress manifest with Default Backend; Ingress manifest with HTTP Paths]


Demo-05: Azure AKS AGIC - Annotations - Backend Path Prefix

[Diagram: Ingress Backend Path Prefix, as in the Demo-05 overview diagram]
[Screenshot: Ingress manifest with the Backend Path Prefix annotation appgw.ingress.kubernetes.io/backend-path-prefix: "/app1/"]
HTTP path from the browser: /myapps/app1. Data is served from the k8s Pod at context /app1.
[Screenshots: Application Gateway rules; Application Gateway backend settings]


Demo-06: Azure AKS AGIC - Annotations - Backend Hostname

[Diagram: Ingress Backend Hostname, as in the Demo-06 overview diagram]
[Screenshot: Ingress manifest with the Backend Hostname annotation appgw.ingress.kubernetes.io/backend-hostname: "internal.stacksimplify.com"]
[Screenshot: Application Gateway backend settings: "Host name override" and "Host name" will be updated]


Demo-07: Azure AKS AGIC - Annotations - Cookie based Affinity

[Diagram: Ingress Cookie based Affinity, as in the Demo-07-01 overview diagram]
[Screenshot: Ingress manifest with the Cookie Based Affinity annotation appgw.ingress.kubernetes.io/cookie-based-affinity: "true"]
[Screenshot: Application Gateway backend settings: Cookie-based Affinity will be enabled]
[Screenshots: Echo Server application output; browser Developer Tools output]

Azure AGIC - Ingress Distinct Cookie
[Diagram: Ingress Distinct Cookie, as in the Demo-07-02 overview diagram]
[Screenshot: Ingress manifest with the Distinct Cookie annotation appgw.ingress.kubernetes.io/cookie-based-affinity-distinct-name: "true"]
[Screenshot: Application Gateway backend settings: Cookie-based Affinity and Affinity cookie name will be enabled]
[Screenshots: Echo Server application output; browser Developer Tools output]


Demo-08: Azure AKS AGIC - Annotations - Override Frontend Port

[Diagram: Ingress Override Frontend Port, as in the Demo-08 overview diagram]
[Screenshot: Ingress manifest with the Override Frontend Port annotation appgw.ingress.kubernetes.io/override-frontend-port: "8080"]
[Screenshot: Application Gateway Listeners settings: port 8080 will be updated]
Access in the browser with http://PUBLIC-IP:8080


Demo-09: Azure AKS AGIC - Annotations - Rewrite Rule Set

[Diagram: Ingress Rewrite Rule Set, as in the Demo-09 overview diagram]
[Screenshot: Azure AGIC Ingress Rewrite Rule Set]
[Screenshot: Ingress manifest with the Rewrite Rule Set annotation appgw.ingress.kubernetes.io/rewrite-rule-set: my-headers-rewrite-ruleset]
[Screenshot: Application Gateway rewrite set: the routing rule will be selected when the Ingress service with the rewrite-rule-set annotation is deployed]
[Screenshot: Echo Server application output]


Demo-10: Azure AKS AGIC - Annotations - Health Probes - Default and HTTP




Azure AGIC - Ingress Health Probes

[Diagram: Usecase-1, as in the Demo-10-01 overview diagram: default HTTP probe with the Ingress Default Backend -> MyApp]
[Diagram: Usecase-2, as in the Demo-10-02 overview diagram: custom HTTP probe with the Ingress HTTP path /app1 -> App1]
Usecase-1 uses the default HTTP probe; Usecase-2 uses a custom HTTP probe.
[Screenshots: Usecase-1 and Usecase-2 health probe configuration]


Demo-11: Azure AKS AGIC - Annotations - Health Probes - Readiness and Liveness Probes




Azure AGIC Ingress - Readiness Probe
Diagram: Usecase-1 - App1 on the AKS cluster defines a readiness probe; AGIC turns it into a custom HTTP probe on Application Gateway (path /). Users -> AppGW Public IP -> Application Gateway -> App1. Control flow and network layout as in the earlier diagrams.


Azure AGIC Ingress - Readiness Probe
Usecase-1: Readiness Probe


Azure AGIC Ingress - Liveness Probe
Diagram: Usecase-2 - App2 on the AKS cluster defines a liveness probe and no readiness probe; AGIC turns the liveness probe into a custom HTTP probe on Application Gateway (path /). Users -> AppGW Public IP -> Application Gateway -> App2. Control flow and network layout as in the earlier diagrams.


Azure AGIC Ingress - Liveness Probe
Usecase-2: Liveness Probe


Azure AGIC Ingress - Readiness & Liveness Probes
Diagram: Usecase-3 - App1 on the AKS cluster defines both a readiness probe and a liveness probe; AGIC creates one custom HTTP probe on Application Gateway (path /). Users -> AppGW Public IP -> Application Gateway -> App1. Control flow and network layout as in the earlier diagrams.
When both probes are present, which one takes priority?


Azure AGIC Ingress - Readiness & Liveness Probes
Usecase-3: Readiness and Liveness Probe
When both probes are used, which one takes priority? Per the priority order above, the readiness probe does: AGIC builds the Application Gateway probe from the readiness probe and only falls back to the liveness probe when no readiness probe is defined.
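Worked example for Usecase-3, added here and not taken from the course manifests: a Deployment that declares both a readiness and a liveness probe, the Service, and the Ingress that AGIC turns into Application Gateway configuration. The names (app1-nginx, the nginx:1.25 image, the /index.html readiness path) are assumptions. Because the readiness probe sits higher in the priority order, AGIC copies its path, port, periodSeconds, timeoutSeconds and failureThreshold into the Application Gateway probe and ignores the liveness probe's path.

```yaml
# Added example (not from the course). Assumed names: app1-nginx,
# image nginx:1.25, readiness path /index.html, liveness path /.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app1-nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: app1-nginx
  template:
    metadata:
      labels:
        app: app1-nginx
    spec:
      containers:
        - name: app1-nginx
          image: nginx:1.25
          ports:
            - containerPort: 80
          # Priority 2: AGIC copies path, port, periodSeconds (interval),
          # timeoutSeconds (timeout) and failureThreshold (unhealthy threshold)
          # from this probe into the Application Gateway health probe.
          readinessProbe:
            httpGet:
              path: /index.html
              port: 80
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 3
          # Priority 3: only consulted when no readiness probe exists, so this
          # probe never reaches Application Gateway in this manifest.
          livenessProbe:
            httpGet:
              path: /
              port: 80
            periodSeconds: 15
---
apiVersion: v1
kind: Service
metadata:
  name: app1-nginx
spec:
  selector:
    app: app1-nginx
  ports:
    - port: 80
      targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app1-nginx
spec:
  ingressClassName: azure-application-gateway
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app1-nginx
                port:
                  number: 80
```

After `kubectl apply`, the Health probes blade of the gateway should show a probe on /index.html with interval 10 and timeout 3. A practical failure mode to check for: if the readiness path answers with a redirect or a 4xx (for example an app that requires authentication on every path), the pods are marked unhealthy and Application Gateway returns 502 even though the pods are running, so give the probe an unauthenticated health path.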


Demo-12

Azure AKS
AGIC
Annotations
Health Probe Ingress Annotations



Health Probes
Priority order (same as in Demo-11), highest first: AGIC health probe annotations in the Ingress resource; readiness probe in the workload; liveness probe in the workload; AGIC-defined fallback probe (default HTTP probe, HTTP path probes). A failing probe makes Application Gateway answer HTTP 502 instead of forwarding to that backend target.


Azure AGIC Ingress - Health Probe Annotations
Diagram: Users -> AppGW Public IP -> Application Gateway -> App1 on the AKS cluster (path /). The Azure AGIC health probe annotations on the Ingress define the custom HTTP probe that AGIC creates on Application Gateway. Control flow and network layout as in the earlier diagrams.


Azure AGIC Ingress - Health Probe Annotations
The values defined in the annotations match the health probe created on Application Gateway.
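Worked example for the annotation-driven probe, added here and not a manifest from the course. The Service name app1-nginx and the probe values are assumptions; the annotation keys are the AGIC ones. These annotations sit at the top of the priority order, so they override any readiness or liveness probe on the Pod.

```yaml
# Added example (not from the course). Service app1-nginx and probe values are
# assumptions; every annotation value must be a quoted string.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app1-nginx
  annotations:
    # Host header sent with the probe; use a name the backend will answer.
    appgw.ingress.kubernetes.io/health-probe-hostname: "app1.kubeoncloud.com"
    appgw.ingress.kubernetes.io/health-probe-port: "80"
    appgw.ingress.kubernetes.io/health-probe-path: "/index.html"
    # Keep the accepted range tight: a backend answering 5xx must be taken out
    # of rotation, which an over-broad range such as 200-599 would prevent.
    appgw.ingress.kubernetes.io/health-probe-status-codes: "200-399"
    appgw.ingress.kubernetes.io/health-probe-interval: "30"
    appgw.ingress.kubernetes.io/health-probe-timeout: "30"
    appgw.ingress.kubernetes.io/health-probe-unhealthy-threshold: "3"
spec:
  ingressClassName: azure-application-gateway
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app1-nginx
                port:
                  number: 80
```

Verify by comparing the annotation values with the probe shown in the gateway's Health probes blade; they should match field for field, as the slide above states. `kubectl describe ingress app1-nginx` shows AGIC events if a value is rejected.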


Demo-13

Azure AKS
AGIC
Delegate DNS Domain
AWS Route53 to Azure DNS Zones



Delegate Domain to Azure DNS
Diagram: AWS Cloud - Domain Registrar (AWS Route53) holds kubeoncloud.com; Azure Cloud - Azure DNS Zones hosts kubeoncloud.com. Delegation means the NS records for kubeoncloud.com at the registrar are pointed at the name servers of the Azure DNS zone, so Azure DNS becomes authoritative for the domain.


Demo-14

Azure AKS
AGIC
External DNS Install



Azure AGIC Ingress - External DNS Install
Diagram: External DNS runs on the AKS cluster (AKS NodePool VMSS) and reads its Azure configuration from a config file (azure.json). It authenticates to Azure with a Managed Service Identity and creates records in Azure DNS Zones that point at the AppGW Public IP of the Application Gateway. AGIC Ingress Controller, k8s API Server and Azure Resource Manager as in the earlier diagrams.
External DNS lets us add, update and delete DNS records in Azure DNS Zones declaratively from Ingress and Service resources.


Demo-15

Azure AKS
AGIC
Ingress + External DNS
Basic Demo



Azure AGIC Ingress - External DNS Basic
Diagram: Users resolve myapp1.kubeoncloud.com -> AppGW Public IP -> Application Gateway -> App1 on the AKS cluster. The Ingress HOST (spec.rules.host) is read by External DNS, which creates the record in Azure DNS Zones using the Managed Service Identity on the AKS NodePool VMSS. AGIC Ingress Controller, k8s API Server and Azure Resource Manager as in the earlier diagrams.


Azure AGIC Ingress - External DNS Basic
Application Gateway Listeners: the host in spec.rules.host becomes a listener hostname on Application Gateway, and External DNS adds a matching DNS record set in Azure DNS Zones.

Demo-16

Azure AKS
AGIC
Ingress + External DNS
Domain Name Routing



Azure AGIC - Ingress Domain Name Routing
Diagram: Users resolve eapp1.kubeoncloud.com, eapp2.kubeoncloud.com and eapp3.kubeoncloud.com -> AppGW Public IP -> Application Gateway, which routes by hostname to App1, App2 and App3 on the AKS cluster. External DNS creates the three records in Azure DNS Zones using the Managed Service Identity on the AKS NodePool VMSS. AGIC Ingress Controller, k8s API Server and Azure Resource Manager as in the earlier diagrams.


Azure AGIC - Ingress Domain Name Routing
In Application Gateway, three listeners are created, one per domain name defined in the Ingress resource.
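Worked example covering both Demo-15 (one host) and Demo-16 (three hosts), added here and not the course's manifest. The Services eapp1-nginx, eapp2-nginx and eapp3-nginx are placeholders. Each spec.rules.host produces an Application Gateway listener and, through External DNS, an A record in the Azure DNS zone pointing at the gateway's public IP.

```yaml
# Added example (not from the course). eapp1/2/3-nginx Services are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: eapps-domain-routing
spec:
  ingressClassName: azure-application-gateway
  rules:
    # Every host below becomes (a) an Application Gateway listener that matches
    # this hostname and (b) an A record created by External DNS from
    # spec.rules.host, pointed at the gateway's public IP.
    - host: eapp1.kubeoncloud.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: eapp1-nginx
                port:
                  number: 80
    - host: eapp2.kubeoncloud.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: eapp2-nginx
                port:
                  number: 80
    - host: eapp3.kubeoncloud.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: eapp3-nginx
                port:
                  number: 80
```

A request whose Host header matches none of the three names is not routed by these listeners. Because any principal allowed to create Ingress objects in a watched namespace can publish a name under the zone, pair this with RBAC on Ingress creation and the `--domain-filter` shown in the External DNS example.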


Demo-17

Azure AKS
AGIC
Ingress + External DNS + SSL
Ingress TLS



Azure AGIC - Ingress SSL TLS
Diagram: Users -> https://app1.kubeoncloud.com -> AppGW Public IP -> Application Gateway -> App1 on the AKS cluster. The TLS certificate and key live in a Kubernetes Secret (SSL Cert, SSL Key) referenced by the Ingress (spec.tls.secretName); External DNS publishes app1.kubeoncloud.com in Azure DNS Zones using the Managed Service Identity on the AKS NodePool VMSS. AGIC Ingress Controller, k8s API Server and Azure Resource Manager as in the earlier diagrams.


Azure AGIC - Ingress SSL TLS
As soon as the Ingress resource is deployed, AGIC automatically uploads the SSL certificate and private key held in the Kubernetes Secret to Application Gateway.


Azure AGIC - Ingress SSL TLS
When TLS is enabled in the Ingress resource, Application Gateway gets an HTTPS listener for the host with the uploaded certificate applied.


Demo-18

Azure AKS
AGIC
Ingress + External DNS + SSL
Ingress TLS + SSL Redirect (HTTP to HTTPS)



Azure AGIC - Ingress SSL TLS + SSL Redirect
Diagram: Users -> http://app1.kubeoncloud.com is redirected HTTP -> HTTPS by Application Gateway (annotation appgw.ingress.kubernetes.io/ssl-redirect: "true"); otherwise the same layout as Demo-17: TLS certificate and key in a Kubernetes Secret referenced by spec.tls.secretName, External DNS publishing app1.kubeoncloud.com, AGIC Ingress Controller, k8s API Server and Azure Resource Manager.


Azure AGIC - Ingress SSL TLS + SSL Redirect
When the ssl-redirect annotation is enabled in the Ingress resource, a listener on port 80 is created in Application Gateway.


Azure AGIC - Ingress SSL TLS + SSL Redirect
A rule is created for the port 80 listener with permanent redirection (HTTP 301) to the HTTPS listener enabled.
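Worked example covering Demo-17 (Ingress TLS from a Kubernetes Secret) and Demo-18 (HTTP to HTTPS redirect), added here and not the course's manifest. The Secret app1-secret is assumed to exist, created beforehand with `kubectl create secret tls app1-secret --cert=app1.crt --key=app1.key`, and app1-nginx is a placeholder Service.

```yaml
# Added example (not from the course). Assumes Secret app1-secret of type
# kubernetes.io/tls in the same namespace, and Service app1-nginx on port 80.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app1-nginx-tls
  annotations:
    # Demo-18: AGIC adds a port-80 listener whose rule is a permanent (301)
    # redirect to the HTTPS listener below.
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: azure-application-gateway
  # Demo-17: the certificate and private key in this Secret are uploaded to
  # Application Gateway by AGIC and bound to the HTTPS listener for the host.
  tls:
    - hosts:
        - app1.kubeoncloud.com
      secretName: app1-secret
  rules:
    - host: app1.kubeoncloud.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app1-nginx
                port:
                  number: 80
```

Check with `curl -I http://app1.kubeoncloud.com` (expect 301 with a https:// Location) and `curl -vI https://app1.kubeoncloud.com` (the presented certificate is the one from the Secret). Note the trust boundary: anyone who can read Secrets in that namespace holds the private key, and AGIC's identity copies it into the gateway; Demo-19 shows the alternative of keeping the key in Application Gateway only.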


Demo-19

Azure AKS
AGIC
Ingress + External DNS + SSL
Upload SSL Certs to Application Gateway
Reference AppGw Certs in Ingress Service



Azure AGIC - Ingress SSL + SSL Upload to AppGw
Diagram: Users -> https://app2.kubeoncloud.com (HTTP -> HTTPS redirect) -> AppGW Public IP -> Application Gateway -> App2 on the AKS cluster. The SSL certificate and key are combined into a PFX and uploaded manually to Application Gateway (SSL Manual Upload to AppGw); the Ingress references it with appgw.ingress.kubernetes.io/appgw-ssl-certificate: "app2sslcert" and sets appgw.ingress.kubernetes.io/ssl-redirect: "true". External DNS publishes app2.kubeoncloud.com using the Managed Service Identity on the AKS NodePool VMSS. AGIC Ingress Controller, k8s API Server and Azure Resource Manager as in the earlier diagrams.


Azure AGIC - Ingress SSL + SSL Upload to AppGw
Reference the SSL certificate uploaded to AppGw with the appgw-ssl-certificate annotation.


Azure AGIC - Ingress SSL + SSL Upload to AppGw
(Application Gateway listener view showing the uploaded certificate in use)
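Worked example for Demo-19, added here and not the course's manifest: the certificate named app2sslcert is assumed to have been uploaded to the gateway already (as a PFX, through the portal or `az network application-gateway ssl-cert create`), so the Ingress has no spec.tls section and no private key ever enters the cluster. app2-nginx is a placeholder Service.

```yaml
# Added example (not from the course). Assumes certificate "app2sslcert" already
# exists on the Application Gateway and Service app2-nginx listens on port 80.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app2-nginx-tls
  annotations:
    # Bind the HTTPS listener to the certificate stored on the gateway itself;
    # no spec.tls / Kubernetes Secret is needed.
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: "app2sslcert"
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: azure-application-gateway
  rules:
    - host: app2.kubeoncloud.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app2-nginx
                port:
                  number: 80
```

If the name does not match a certificate on the gateway, AGIC reports the error in the Ingress events (`kubectl describe ingress app2-nginx-tls`) and the listener is not created; the annotation value is the gateway-side certificate name, not a Kubernetes object.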


Demo-20

Azure AKS
AGIC
Ingress + External DNS + E2E SSL
Build Backend SSL Application



Azure AGIC Ingress E2E SSL - Build Backend SSL App
Diagram: Users -> https://PUBLIC-IP -> Azure Load Balancer (LB Public IP) -> HTTPS -> Backend SSL MyApp on the AKS cluster. The backend's SSL Cert and SSL Key are stored in a Kubernetes Secret. This step validates the HTTPS backend on its own, before Application Gateway is put in front of it.


Azure AGIC Ingress E2E SSL - Build Backend SSL App
Nginx config file provided through a Kubernetes ConfigMap.


Azure AGIC Ingress E2E SSL - Build Backend SSL App
Kubernetes Deployment (mounts the nginx ConfigMap and the TLS Secret).


Demo-21

Azure AKS
AGIC
Ingress + External DNS + E2E SSL
Implement E2E SSL



Azure AGIC - Ingress E2E SSL
Diagram: Users -> https://frontend.kubeoncloud.com (HTTP -> HTTPS redirect) -> AppGW Public IP -> Application Gateway -> HTTPS -> Backend SSL MyApp on the AKS cluster. Frontend SSL: the frontend cert and key are in a Kubernetes Secret referenced by the Ingress TLS section. Backend SSL: the backend cert and key are in a Kubernetes Secret mounted by MyApp, and the backend cert (or its root cert) is uploaded to Application Gateway so the gateway can trust the backend. External DNS publishes frontend.kubeoncloud.com using the Managed Service Identity on the AKS NodePool VMSS. AGIC Ingress Controller, k8s API Server and Azure Resource Manager as in the earlier diagrams.


Azure AGIC Ingress E2E SSL
Backend annotations for E2E SSL (backend protocol HTTPS and the trusted root certificate uploaded to AppGw). Frontend SSL certificate configured via Ingress TLS. Backend application port is 443.


Azure AGIC - Ingress E2E SSL
Backend Settings (Application Gateway view)


Azure AGIC - Ingress E2E SSL
Frontend Listeners (Application Gateway view)
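Worked example covering Demo-20 (the HTTPS backend) and Demo-21 (end-to-end TLS through the gateway), added here and not the course's manifests. Assumptions: backend-tls-secret and frontend-tls-secret are kubernetes.io/tls Secrets created beforehand with `kubectl create secret tls`, the backend certificate's CN is myapp.backend.local, and that certificate (or its issuing root, in CER/PEM form) has been uploaded to the gateway under the name backend-tls with `az network application-gateway root-cert create`.

```yaml
# Added example (not from the course). Assumed: Secrets backend-tls-secret and
# frontend-tls-secret, backend cert CN myapp.backend.local, gateway root cert
# named backend-tls.
apiVersion: v1
kind: ConfigMap
metadata:
  name: myapp-nginx-conf
data:
  ssl.conf: |
    server {
      listen 443 ssl;
      server_name myapp.backend.local;
      ssl_certificate     /etc/nginx/ssl/tls.crt;
      ssl_certificate_key /etc/nginx/ssl/tls.key;
      ssl_protocols       TLSv1.2 TLSv1.3;
      location / {
        root  /usr/share/nginx/html;
        index index.html;
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-ssl
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp-ssl
  template:
    metadata:
      labels:
        app: myapp-ssl
    spec:
      containers:
        - name: nginx
          image: nginx:1.25
          ports:
            - containerPort: 443
          volumeMounts:
            - name: conf
              mountPath: /etc/nginx/conf.d/ssl.conf
              subPath: ssl.conf
            - name: tls
              mountPath: /etc/nginx/ssl
              readOnly: true
      volumes:
        - name: conf
          configMap:
            name: myapp-nginx-conf
        - name: tls
          secret:
            secretName: backend-tls-secret
---
apiVersion: v1
kind: Service
metadata:
  name: myapp-ssl
spec:
  selector:
    app: myapp-ssl
  ports:
    - port: 443        # backend application port is 443
      targetPort: 443
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-e2e-ssl
  annotations:
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    # Backend settings: speak HTTPS to the pods ...
    appgw.ingress.kubernetes.io/backend-protocol: "https"
    # ... send this hostname so it matches the backend certificate's CN ...
    appgw.ingress.kubernetes.io/backend-hostname: "myapp.backend.local"
    # ... and trust the backend through the root cert uploaded to the gateway.
    appgw.ingress.kubernetes.io/appgw-trusted-root-certificate: "backend-tls"
spec:
  ingressClassName: azure-application-gateway
  tls:
    - hosts:
        - frontend.kubeoncloud.com
      secretName: frontend-tls-secret     # frontend certificate via Ingress TLS
  rules:
    - host: frontend.kubeoncloud.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp-ssl
                port:
                  number: 443
```

Validate the backend alone first (Demo-20): `kubectl port-forward svc/myapp-ssl 8443:443` and `curl -vk https://localhost:8443/`. Then, with the gateway in front, a probe failure in the Backend health blade almost always means the backend certificate's CN/SAN does not match backend-hostname or the uploaded root does not chain to it; the gateway refuses the backend in both cases rather than falling back to plaintext.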


Demo-22

Azure AKS
AGIC
Ingress + External DNS + SSL
Cert Manager + Lets Encrypt
Automatic Generation of Real and
Free SSL Certs


Azure AGIC - Ingress SSL with Let's Encrypt
Diagram: Users -> https://sapp1.kubeoncloud.com and https://sapp2.kubeoncloud.com (HTTP -> HTTPS redirect) -> AppGW Public IP -> Application Gateway -> App1 (sapp1) and App2 (sapp2) on the AKS cluster. The Ingress carries cert-manager.io/cluster-issuer: letsencrypt; Cert-Manager obtains the sapp1 and sapp2 SSL certificates from Let's Encrypt, stores each auto-generated SSL Cert and SSL Key in a Kubernetes Secret, and AGIC uploads them to Application Gateway. External DNS publishes both hostnames using the Managed Service Identity on the AKS NodePool VMSS. AGIC Ingress Controller, k8s API Server and Azure Resource Manager as in the earlier diagrams.


Azure AGIC - Ingress SSL with Let's Encrypt
Let's Encrypt SSL certificates are created by Cert-Manager and uploaded to AppGw by AGIC.
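Worked example for Demo-22, added here and not the course's manifest: a ClusterIssuer for Let's Encrypt using the HTTP-01 challenge served through AGIC, and the Ingress that requests two certificates. cert-manager is assumed to be installed; the e-mail address, Secret names and Services sapp1-nginx/sapp2-nginx are placeholders.

```yaml
# Added example (not from the course). E-mail, Secret names and Services are
# placeholders; cert-manager must already be installed.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    # Use https://acme-staging-v02.api.letsencrypt.org/directory while testing;
    # the production endpoint enforces strict rate limits.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@kubeoncloud.com
    privateKeySecretRef:
      name: letsencrypt-account-key     # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            # The challenge Ingress must be served by AGIC so Let's Encrypt can
            # fetch /.well-known/acme-challenge/... over port 80.
            class: azure/application-gateway
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sapps-letsencrypt
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: azure-application-gateway
  tls:
    - hosts:
        - sapp1.kubeoncloud.com
      secretName: sapp1-kubeoncloud-tls   # filled in by cert-manager
    - hosts:
        - sapp2.kubeoncloud.com
      secretName: sapp2-kubeoncloud-tls
  rules:
    - host: sapp1.kubeoncloud.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: sapp1-nginx
                port:
                  number: 80
    - host: sapp2.kubeoncloud.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: sapp2-nginx
                port:
                  number: 80
```

The DNS records must already resolve to the gateway (External DNS) before the order is placed, since Let's Encrypt validates by fetching the challenge from the Internet. Follow progress with `kubectl get certificate,order,challenge`; a certificate stuck at READY=False usually means the challenge URL is unreachable on port 80.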


Demo-23

Azure AKS
AGIC
Ingress + WAF
Enable WAF on Application Gateway
WAF Default OWASP Policies


Azure AGIC - Ingress + Enable WAF on AppGw
Diagram: Users -> http://myapp1.kubeoncloud.com -> AppGW Public IP -> Application Gateway (WAF enabled with the default OWASP policies) -> MyApp on the AKS cluster. AGIC Ingress Controller, k8s API Server and Azure Resource Manager as in the earlier diagrams.


Demo-24

Azure AKS
AGIC
Ingress + WAF
Enable WAF on Application Gateway
WAF Custom Policy



Azure AGIC - Ingress + WAF Custom Policy
Diagram: Users -> http://myapp1.kubeoncloud.com -> AppGW Public IP -> Application Gateway (WAF with default OWASP policies plus a WAF Custom Policy) -> MyApp on the AKS cluster. The custom policy is attached from the Ingress with appgw.ingress.kubernetes.io/waf-policy-for-path: WAF-RESOURCE-ID. AGIC Ingress Controller, k8s API Server and Azure Resource Manager as in the earlier diagrams.


Azure AGIC - Ingress + WAF Custom Policy
WAF custom rule that blocks traffic from a specific IP address or IP range.


Azure AGIC - Ingress + WAF Custom Policy
Usecase-1: the scope to which the WAF policy is applied is the route path (/app1).


Azure AGIC - Ingress + WAF Custom Policy
Usecase-2: the scope to which the WAF policy is applied is the listener (/).
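Worked example for both WAF use cases, added here and not the course's manifest. The WAF policy itself (with its custom IP-block rule) is created in Azure, not in Kubernetes; the Ingress only references it by resource ID. Subscription, resource group, policy name and the Services are placeholders; the gateway must be a WAF_v2 SKU in the same region as the policy.

```yaml
# Added example (not from the course). Replace the subscription GUID, resource
# group "aks-rg1" and policy "block-bad-ips"; Services are placeholders.
# Usecase-1: the policy is attached to the /app1 path rule.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app1-waf-path
  annotations:
    appgw.ingress.kubernetes.io/waf-policy-for-path: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/aks-rg1/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/block-bad-ips"
spec:
  ingressClassName: azure-application-gateway
  rules:
    - host: myapp1.kubeoncloud.com
      http:
        paths:
          - path: /app1
            pathType: Prefix
            backend:
              service:
                name: app1-nginx
                port:
                  number: 80
---
# Usecase-2: with path /, the course shows the policy landing on the listener
# for myapp1.kubeoncloud.com rather than on a single path rule.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp1-waf-listener
  annotations:
    appgw.ingress.kubernetes.io/waf-policy-for-path: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/aks-rg1/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/block-bad-ips"
spec:
  ingressClassName: azure-application-gateway
  rules:
    - host: myapp1.kubeoncloud.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp1-nginx
                port:
                  number: 80
```

Test from an address inside the blocked range and expect HTTP 403 from the gateway; from elsewhere the request reaches the backend. Remember that the policy scope decides what is protected: in Usecase-1 only /app1 is covered and a request to /app2 on the same host is not inspected by the custom rule.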


Demo-25

Azure AKS
AGIC
Ingress
Private IP Annotation



Azure AGIC - Ingress Private IP
Diagram: A test user runs curl http://private-ip from a curl Pod inside the AKS cluster -> Application Gateway Private IP -> Echo Server (path /). The Ingress carries appgw.ingress.kubernetes.io/use-private-ip: "true", so the listener is bound to the gateway's private frontend IP rather than the AppGW Public IP. AGIC Ingress Controller, k8s API Server and Azure Resource Manager as in the earlier diagrams.


Azure AGIC Ingress Private IP
When private IP is enabled in the Ingress resource, the listener is associated with the private IP of Application Gateway.
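Worked example for Demo-25, added here and not the course's manifest: the Ingress for the echo server bound to the private frontend, plus a throw-away client Pod to test from inside the VNet. The echoserver Service name and the curl image are assumptions. A prerequisite worth checking before applying: the Application Gateway must already have a private frontend IP configuration, otherwise AGIC cannot create the listener and reports an error in the Ingress events.

```yaml
# Added example (not from the course). Service "echoserver" on port 80 and the
# curlimages/curl image are assumptions.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echoserver-private
  annotations:
    # Listener is created on the gateway's private frontend IP; the public
    # frontend of the gateway itself stays as configured in Azure.
    appgw.ingress.kubernetes.io/use-private-ip: "true"
spec:
  ingressClassName: azure-application-gateway
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: echoserver
                port:
                  number: 80
---
# Test client inside the cluster: the private IP is reachable only from the VNet.
apiVersion: v1
kind: Pod
metadata:
  name: curl
spec:
  containers:
    - name: curl
      image: curlimages/curl:8.5.0
      command: ["sleep", "3600"]
```

From the client Pod run `kubectl exec curl -- curl -s http://<private-ip>/`, where the private IP is shown on the gateway's Frontend IP configurations blade; the same request against the public IP should not hit this Ingress, which is the point of the annotation for internal-only services.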


Demo-26

Azure AKS
AGIC
Multiple Ingress Controllers
AGIC + Nginx
Ingress Class



Azure AGIC - Multiple Ingress Controllers
Diagram: Two ingress controllers on one AKS cluster. Users -> Azure Load Balancer (LB Public IP) -> NGINX Ingress Controller -> App1; Users -> AppGW Public IP -> Application Gateway (path /) -> App2, configured by the AGIC Ingress Controller via the k8s API Server and Azure Resource Manager. Each Ingress selects its controller by Ingress class name.


Azure AGIC - Multiple Ingress Controllers
Ingress Class Names: one for the NGINX ingress controller (NGINXIC), one for AGIC.
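Worked example for Demo-26, added here and not the course's manifest. It assumes ingress-nginx is installed with its default IngressClass named nginx and AGIC with the IngressClass it registers, azure-application-gateway; app1-nginx and app2-nginx are placeholder Services. `kubectl get ingressclass` lists the actual names on the cluster.

```yaml
# Added example (not from the course). IngressClass names nginx and
# azure-application-gateway are assumed; Services are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app1-via-nginx
spec:
  # Served by the NGINX ingress controller behind the Azure Load Balancer public IP.
  ingressClassName: nginx
  rules:
    - http:
        paths:
          - path: /app1
            pathType: Prefix
            backend:
              service:
                name: app1-nginx
                port:
                  number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app2-via-agic
spec:
  # Served by AGIC behind the Application Gateway public IP.
  ingressClassName: azure-application-gateway
  rules:
    - http:
        paths:
          - path: /app2
            pathType: Prefix
            backend:
              service:
                name: app2-nginx
                port:
                  number: 80
```

Always set the class explicitly: an Ingress without one is picked up by whichever controller is configured as the cluster default, which can expose a service on an entry point that was never meant to carry it. Older AGIC releases selected Ingresses with the annotation `kubernetes.io/ingress.class: azure/application-gateway` instead of ingressClassName.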


Demo-27

Azure AKS
AGIC
Install AGIC using Helm



Azure Application Gateway Ingress Controller install using Helm
Diagram: AGIC installed with Helm runs as a Pod on the AKS cluster. (1) AGIC Ingress Controller watches the k8s API Server, (2) pushes configuration to Azure Resource Manager, (3) Application Gateway (AppGW Public IP) is updated. Network: Virtual Network 10.224.0.0/12, subnets 10.225.0.0/16 and 10.224.0.0/16.


Demo-28

Azure AKS
AGIC
Shared Application Gateway



Azure AGIC - Shared Application Gateway
Diagram: One Application Gateway (AppGW Public IP) serves backends both outside and inside AKS. Users -> myaciapp1.kubeoncloud.com -> myaciapp1 and myaciapp2.kubeoncloud.com -> myaciapp2 (non-AKS backends in subnet 10.225.0.0/16), and path / -> App1 on the AKS cluster (subnet 10.224.0.0/16). In shared mode AGIC must be told which listeners and paths it is prohibited from managing so it does not overwrite the non-AKS configuration. AGIC Ingress Controller, k8s API Server and Azure Resource Manager as in the earlier diagrams.


Demo-29

Azure AKS
AGIC
Watch Namespaces



Azure AGIC - Watch Namespaces
Diagram: Watch All Namespaces - AGIC configures Application Gateway from Ingress resources in every namespace: Users -> AppGW Public IP -> Application Gateway -> /app1 -> App1 (Namespace: Staging) and /app2 -> App2 (Namespace: Production). (1) AGIC Ingress Controller watches the k8s API Server, (2) pushes configuration to Azure Resource Manager.


Azure AGIC - Watch Namespaces
Diagram: Watch Prod Namespace - AGIC only reads Ingress resources in the Production namespace: Application Gateway routes /app2 -> App2 (Namespace: Production); App1 in Namespace: Staging gets no listener or path rule.


Azure AGIC - Watch Namespaces
(Application Gateway view of the resulting rules)
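Worked example serving Demo-27 (Helm install), Demo-28 (shared gateway) and Demo-29 (watch namespaces), added here and not the course's files. The first document is the Helm values file for the AGIC chart; the second contains the prohibited-target objects that keep AGIC away from the non-AKS backends in the shared-gateway diagram. Subscription, resource group, gateway and identity values are placeholders.

```yaml
# Added example (not from the course). File 1: helm-config.yaml for the AGIC
# chart. Subscription, resource group, gateway and identity values are placeholders.
verbosityLevel: 3
appgw:
  subscriptionId: 00000000-0000-0000-0000-000000000000
  resourceGroup: aks-rg1
  name: aks-appgw
  usePrivateIP: false
  # Demo-28: true = the gateway also carries configuration AGIC did not create
  # and must leave alone (see the prohibited targets below).
  shared: true
kubernetes:
  # Demo-29: only Ingress resources in this namespace are reconciled. Omit or
  # leave empty to watch all namespaces; a comma-separated list is accepted.
  watchNamespace: production
armAuth:
  # aadPodIdentity on older charts; newer charts also accept workloadIdentity.
  type: aadPodIdentity
  identityResourceID: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/aks-rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/agic-identity
  identityClientID: 00000000-0000-0000-0000-000000000000
rbac:
  enabled: true
---
# File 2: prohibited targets. In shared mode AGIC does not touch the listeners
# and paths named here, so the non-AKS backends keep their hand-made rules.
apiVersion: appgw.ingress.k8s.io/v1
kind: AzureIngressProhibitedTarget
metadata:
  name: prohibit-myaciapp1
spec:
  hostname: myaciapp1.kubeoncloud.com
---
apiVersion: appgw.ingress.k8s.io/v1
kind: AzureIngressProhibitedTarget
metadata:
  name: prohibit-myaciapp2
spec:
  hostname: myaciapp2.kubeoncloud.com
```

Install with `helm install ingress-azure -f helm-config.yaml application-gateway-kubernetes-ingress/ingress-azure` after adding the chart repository from the AGIC documentation. Order matters in shared mode: when shared is first enabled AGIC creates a catch-all target named prohibit-all-targets and manages nothing; apply your own prohibited targets first and only then delete the catch-all, otherwise AGIC takes over the whole gateway and removes the manually created listeners and rules. Restricting watchNamespace is also a least-privilege control: an Ingress created in Staging can no longer alter the production gateway.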


THANK YOU
