Azure Application Gateway Ingress Controller (AGIC) is a Kubernetes ingress controller that allows you to route external traffic to Kubernetes services using an Azure Application Gateway. This guide will walk you through the steps needed to set up AGIC and troubleshoot any issues that may arise.
- A Kubernetes cluster running on Azure
- An Azure Application Gateway
- Azure CLI and kubectl installed on your local machine
Step 1: Install AGIC
To install AGIC, you will first need to create an Azure AD service principal and assign the necessary roles to it. Run the following command to create the service principal:
az ad sp create-for-rbac --name myAGICServicePrincipal --skip-assignment
Next, assign the
Network Contributor role to the service principal on the resource group containing your Application Gateway:
az role assignment create --role "Network Contributor" --assignee <appId> --resource-group myResourceGroup
Then, you can deploy it using a helm chart. Run the following command to install it in the
helm install ingress-basic stable/azure-application-gateway-ingress-controller -n ingress-basic --set appgw.name=myAppGateway --set appgw.resourceGroup=myResourceGroup --set appgw.subscriptionId=mySubscriptionId --set appgw.shared=false --set appgw.subnetName=mySubnet --set servicePrincipal.clientId=<appId> --set servicePrincipal.clientSecret=<password>
Step 2: Create a Kubernetes service
Create a Kubernetes service that will be used as the backend for your ingress. The service should have the
appgw-backend-pool annotation set to the name of the backend pool in your Application Gateway.
Step 3: Create an ingress resource
Create an ingress resource that routes external traffic to the backend service created in step 2. The ingress should have the
appgw-ingress annotation set to the name of the Application Gateway.
Step 4: Verify AGIC is working
To verify AGIC is working properly, you can check the status of the its pod in the Kubernetes cluster. You can use the following command to check the status of the AGIC pod:
kubectl get pods -n ingress-basic
You should see the AGIC pod in the running state.
Another way to verify it is working properly is to check the backend pool of the application gateway. You can use the Azure Portal or Azure CLI to check the backend pool. In the Azure Portal, navigate to the application gateway, select the backend pool, and then check the number of active instances. The number of active instances should match the number of pods in the Kubernetes cluster.
In addition to checking the status of the AGIC pod and the backend pool, you can also check the access logs of the application gateway. The access logs will show the requests coming from the ingress controller and the responses from the backend service. You can use the Azure Portal or Azure CLI to check the access logs.
- Make sure to have a valid SSL certificate for your domain
- Use the latest version of AGIC
- Verify AGIC is working properly by checking the status of the AGIC pod, backend pool and access logs
- Don’t use a self-signed SSL certificate
- Don’t use an old version , as it may have known issues
- Don’t ignore checking the status of the AGIC pod, backend pool and access logs, as it may lead to potential issues with your ingress controller.
If you’re facing issues with AGIC, check out AGIC Not Working: Common Things to Check.
In conclusion, Azure Application Gateway Ingress Controller is a powerful tool for managing ingress traffic in a Kubernetes cluster on Azure. By following the steps outlined in this guide and adhering to the Dos and Don’ts, you can set up and troubleshoot AGIC with ease. It provides a lot of features for managing ingress traffic such as SSL offloading, Web Application Firewall, and URL-based routing. It allows you to easily scale your Kubernetes cluster and manage ingress traffic in a more efficient way.