Expose an AKS service over HTTP or HTTPS by using Application Gateway

This article illustrates the usage of Kubernetes ingress resources to expose an example Azure Kubernetes Service (AKS) service through Azure Application Gateway over HTTP or HTTPS.

Prerequisites

  • An installed ingress-azure Helm chart:
    • Greenfield deployment: If you're starting from scratch, refer to these installation instructions, which outline steps to deploy an AKS cluster with Application Gateway and install the Application Gateway Ingress Controller (AGIC) on the AKS cluster.
    • Brownfield deployment: If you have an existing AKS cluster and Application Gateway deployment, refer to these instructions to install AGIC on the AKS cluster.
  • An x509 certificate and its private key, if you want to use HTTPS on this application.

Deploy the guestbook application

The guestbook application is a canonical Kubernetes application that consists of a web UI frontend, a backend, and a Redis database.

By default, guestbook exposes its application through a service with the name frontend on port 80. Without a Kubernetes ingress resource, the service isn't accessible from outside the AKS cluster. You use the application, and set up ingress resources to access the application, through HTTP and HTTPS.

To deploy the guestbook application:

  1. Download guestbook-all-in-one.yaml from this GitHub page.

  2. Deploy guestbook-all-in-one.yaml into your AKS cluster by running this command:

    kubectl apply -f guestbook-all-in-one.yaml
    

Expose services over HTTP

To expose the guestbook application, use the following ingress resource:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guestbook
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: frontend
          servicePort: 80

This ingress exposes the frontend service of the guestbook-all-in-one deployment as a default backend of the Application Gateway deployment.

Save the preceding ingress resource as ing-guestbook.yaml:

  1. Deploy ing-guestbook.yaml by running this command:

    kubectl apply -f ing-guestbook.yaml
    
  2. Check the log of the ingress controller for the deployment status.

Now the guestbook application should be available. You can check the availability by visiting the public address of the Application Gateway deployment.

Expose services over HTTPS

Without a specified host name

If you don't specify a host name, the guestbook service is available on all the host names that point to the Application Gateway deployment.

  1. Before you deploy the ingress resource, create a Kubernetes secret to host the certificate and private key:

    kubectl create secret tls <guestbook-secret-name> --key <path-to-key> --cert <path-to-cert>
    
  2. Define the following ingress resource. In the secretName section, replace <guestbook-secret-name> with the name of your secret.

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: guestbook
      annotations:
        kubernetes.io/ingress.class: azure/application-gateway
    spec:
      tls:
        - secretName: <guestbook-secret-name>
      rules:
      - http:
          paths:
          - backend:
              serviceName: frontend
              servicePort: 80
    
  3. Store the ingress resource in a file named ing-guestbook-tls.yaml.

  4. Deploy ing-guestbook-tls.yaml by running this command:

    kubectl apply -f ing-guestbook-tls.yaml
    
  5. Check the log of the ingress controller for the deployment status.

Now the guestbook application is available on both HTTP and HTTPS.

With a specified host name

You can also specify the host name on the ingress resource to multiplex TLS configurations and services. When you specify a host name, the guestbook service is available only on the specified host.

  1. Define the following ingress resource. In the secretName section, replace <guestbook-secret-name> with the name of your secret. In the hosts and host sections, replace <guestbook.contoso.com> with your host name.

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: guestbook
      annotations:
        kubernetes.io/ingress.class: azure/application-gateway
    spec:
      tls:
        - hosts:
          - <guestbook.contoso.com>
          secretName: <guestbook-secret-name>
      rules:
      - host: <guestbook.contoso.com>
        http:
          paths:
          - backend:
              serviceName: frontend
              servicePort: 80
    
  2. Deploy ing-guestbook-tls-sni.yaml by running this command:

    kubectl apply -f ing-guestbook-tls-sni.yaml
    
  3. Check the log of the ingress controller for the deployment status.

Now the guestbook application is available on both HTTP and HTTPS, only on the specified host.

Integrate with other services

Use the following ingress resource to add paths and redirect those paths to other services:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guestbook
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
  - http:
      paths:
      - path: </other/*>
        backend:
          serviceName: <other-service>
          servicePort: 80
       - backend:
          serviceName: frontend
          servicePort: 80