Author : HASSAN MD TAREQ | Updated : 2021/05/05

What Is Application Gateway Ingress Controller?

How Does AGIC Work?

Enabling AGIC

Prerequisites

Enable AGIC in Azure portal (AKS Add-on)

Gateway Transit

Gateway transit allows traffic that reaches the Hub through the VNet gateway (i.e. VPN gateway) to flow on to the Spoke VNet. By default, “Gateway Transit” is disabled, which means traffic from the Hub (where the Application Gateway exists) would not go to the Spoke.

Creating A Basic Ingress

Check K8s API versions (to use in manifest files)

kubectl api-versions

Create Ingress:

Ingress For Multiple APIs

Create 2 API Projects - API.Foo and API.Bar

‘API.Foo’ project (Foo microservice): Controllers/FooController.cs

using Microsoft.AspNetCore.Mvc;

namespace API.Foo.Controllers
{
    [ApiController]
    [Route("api/foo")]
    public class FooController : ControllerBase
    {
        [HttpGet("")]
        public string Index()
        {
            return "FooController.Index()";
        }

        [HttpGet("test")]
        public string Test()
        {
            return "FooController.Test()";
        }

        [HttpGet("bax")]
        public string Bax()
        {
            return "FooController.Bax()";
        }
    }
}

‘API.Bar’ project (Bar microservice): Controllers/BarController.cs

using Microsoft.AspNetCore.Mvc;

namespace API.Bar.Controllers
{
    [ApiController]
    [Route("api/bar")]
    public class BarController : ControllerBase
    {
        [HttpGet("")]
        public string Index()
        {
            return "BarController.Index()";
        }

        [HttpGet("test")]
        public string Test()
        {
            return "BarController.Test()";
        }

        [HttpGet("bax")]
        public string Bax()
        {
            return "BarController.Bax()";
        }
    }
}

Publish API Projects To ACR

Deploy APIs to AKS

foo-api-deployment.yaml

apiVersion: v1
kind: Service
metadata:
  name: foo-api
  namespace: transient
spec:
  type: ClusterIP
  ports:
  - port: 80
  selector:
    app: foo-api
---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: foo-api
  namespace: transient
spec:
  replicas: 1
  selector:
    matchLabels:
      app: foo-api
  template:
    metadata:
      labels:
        app: foo-api
    spec:
      containers:
      - name: foo-api
        image: myacr.azurecr.io/apifoo:n1
        ports:
        - containerPort: 80

bar-api-deployment.yaml

apiVersion: v1
kind: Service
metadata:
  name: bar-api
  namespace: transient
spec:
  type: ClusterIP
  ports:
  - port: 80
  selector:
    app: bar-api
---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: bar-api
  namespace: transient
spec:
  replicas: 1
  selector:
    matchLabels:
      app: bar-api
  template:
    metadata:
      labels:
        app: bar-api
    spec:
      containers:
      - name: bar-api
        image: myacr.azurecr.io/apibar:20210623001
        ports:
        - containerPort: 80

Create Ingresses

foo-ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo-ingress
  namespace: transient
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/ssl-redirect: "false"
    appgw.ingress.kubernetes.io/backend-path-prefix: "/api/foo/"
spec:
  rules:
  - host: agic-gateway-pip.japaneast.cloudapp.azure.com
    http:
      paths:
      - path: /api/foo/*
        pathType: Prefix
        backend:
          service:
            name: foo-api
            port:
              number: 80

bar-ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bar-ingress
  namespace: transient
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/ssl-redirect: "false"
    appgw.ingress.kubernetes.io/backend-path-prefix: "/api/bar/"
spec:
  rules:
  - host: agic-gateway-pip.japaneast.cloudapp.azure.com
    http:
      paths:
      - path: /api/bar/*
        pathType: Prefix
        backend:
          service:
            name: bar-api
            port:
              number: 80

Testing

Using custom domain

See: using custom domain with Azure App Service Domain

TLS/SSL with Let's Encrypt

See: TLS/SSL (https) with Let's Encrypt for AGIC
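
For comparison with the HTTP-only manifests above, this is foo-ingress.yaml with TLS terminated at the Application Gateway and HTTP redirected to HTTPS (an added example, not part of the original page; bar-ingress.yaml changes the same way). The secret name agic-tls-secret is a hypothetical placeholder for a kubernetes.io/tls Secret that must already exist in the transient namespace.

```yaml
# Added example: foo-ingress.yaml with HTTPS enforced at the Application Gateway.
# "agic-tls-secret" is a hypothetical name; a kubernetes.io/tls Secret with that
# name must already exist in the "transient" namespace.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo-ingress
  namespace: transient
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    # Was "false": plain-HTTP requests are now redirected to HTTPS by the gateway.
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    appgw.ingress.kubernetes.io/backend-path-prefix: "/api/foo/"
spec:
  tls:
  # The host listed here must match the rule below and a name in the certificate.
  - hosts:
    - agic-gateway-pip.japaneast.cloudapp.azure.com
    secretName: agic-tls-secret
  rules:
  - host: agic-gateway-pip.japaneast.cloudapp.azure.com
    http:
      paths:
      - path: /api/foo/*
        pathType: Prefix
        backend:
          service:
            name: foo-api
            port:
              number: 80
```

TLS ends at the gateway in this configuration; the hop from the gateway to the foo-api pods is still plain HTTP on port 80.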