Mastering Azure Kubernetes Service (AKS): A Complete Beginner-to-Expert Guide Part 3

Introduction

As Kubernetes adoption matures, managing ingress at scale requires more than just routing traffic; it demands resilience, security, real-time updates, and native cloud integration.
Azure’s Application Gateway for Containers (AGC) delivers this by combining Layer 7 load balancing, Kubernetes-native APIs, and tight Azure integration with Web Application Firewall (WAF) support.

It’s the next evolution of the Application Gateway Ingress Controller (AGIC), offering deeper integration with Kubernetes and enhanced traffic management capabilities.

In this guide, we go beyond the basics, exploring AGC components, architecture, deployment patterns, networking, security policies, request handling, and best practices.

🚀 Key Features

• Layer 7 Load Balancing: Handles HTTP/HTTPS traffic with advanced routing based on hostname, path, headers, query strings, and methods.

• Ingress & Gateway API Support: Fully supports Kubernetes Ingress and Gateway APIs for declarative traffic management.

• Traffic Splitting: Enables weighted round-robin routing for canary deployments and A/B testing.

• Mutual TLS Authentication: Supports mTLS between frontend, backend, or end-to-end.

• Autoscaling & Zone Resiliency: Automatically scales based on traffic and supports availability zones for high resilience.

• Custom Health Probes: Monitors backend health with configurable probes.

• SSL Termination & End-to-End SSL: Manages HTTPS traffic securely with flexible certificate options (ECDSA, RSA).

• Header & URL Rewrite: Modify request headers and URLs dynamically.

🧩 Architecture Overview

Application Gateway for Containers consists of:

• Application Gateway Resource: The core load balancer.

• Frontends: Entry points for traffic.

• Associations: Bind Kubernetes services to gateway frontends.

• ALB Controller: Runs inside the AKS cluster and manages the gateway using Kubernetes APIs.

It operates outside the AKS data plane, providing a decoupled and scalable ingress solution.

⚙️ Deployment Strategies

🌐 Frontends: Entry Points for Traffic

A Frontend is an Azure child resource of the Application Gateway for Containers. It defines how and where incoming traffic is received.

🔹 Key Characteristics

• Each frontend provides a unique Fully Qualified Domain Name (FQDN) managed by Azure.

• You can mask the FQDN using a CNAME record to use a custom domain.

• Private IPs are not supported for public endpoints only.

• A single Application Gateway for Containers can support multiple frontends, allowing for multi-domain or multi-service setups.

• Frontends are exclusive to their parent gateway and cannot be shared across gateways.

🔹 Use Cases

• Hosting multiple apps with different domains.

• Separating traffic types (e.g., HTTP vs HTTPS).

• Routing based on hostname or path.

🔗 Associations: Connecting to Your Network

An Association is another child resource that defines the connection between the gateway and your virtual network.

🔹 Key Characteristics

• It maps 1:1 to a delegated subnet in your Azure Virtual Network.

• This subnet must be at least /24 (256 IPs) to ensure sufficient address space.

• The subnet must be delegated specifically for Application Gateway for Containers.

• All associations must be in the same region as the parent gateway.

• While the architecture supports multiple associations, currently only one association is allowed per gateway.

🔹 Deployment Notes

• You can reuse an existing subnet or create a new one.

• Ensure network peering between the gateway subnet and your AKS node pool subnet for pod communication.

🧭 Visual Summary

🌐 Frontend Example

A Frontend defines how traffic enters the gateway. Here's a Kubernetes manifest that sets up a frontend with HTTPS and mutual TLS (mTLS):

yaml

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway-01
  namespace: test-infra
  annotations:
    alb.networking.azure.io/alb-namespace: alb-test-infra
    alb.networking.azure.io/alb-name: alb-test
spec:
  gatewayClassName: azure-alb-external
  listeners:
    - name: mtls-listener
      port: 443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: listener-tls-secret
      allowedRoutes:
        namespaces:
          from: Same

This configuration:

• Creates a frontend listener on port 443.

• Uses a TLS certificate stored in a Kubernetes secret.

• Enables mTLS for secure client authentication.

🔗 Source: Microsoft Learn - Frontend mTLS Example

🔗 Association Example

An Association connects the gateway to a subnet in your virtual network. Here's a manifest for an ApplicationLoadBalancer resource that includes an association:

yaml

apiVersion: alb.networking.azure.io/v1
kind: ApplicationLoadBalancer
metadata:
  name: alb-test
  namespace: alb-test-infra
spec:
  associations:
    - /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>

This configuration:

• Links the gateway to a specific subnet.

• Ensures traffic can flow between the gateway and backend pods.

🌐 Integration with AKS

• Works seamlessly with Azure CNI Overlay networking.

• Supports Azure Network Policies, Calico, and Cilium for fine-grained traffic control.

• Enables near real-time updates to routes and probes as pods scale or change.

🛠️ 1. Bring Your Own (BYO) Deployment

In this strategy, you manually provision and manage the Application Gateway for Containers and its components using tools like:

• Azure CLI

• Terraform

• Bicep

• ARM templates

• Azure Portal

🔧 What You Control:

• The lifecycle of the gateway resource

• Frontends, associations, and configuration

• Integration with Kubernetes via annotations or Gateway API

✅ Benefits:

• Full control over infrastructure

• Ideal for complex or customized environments

• Easier to integrate with existing IaC pipelines

📘 Example:

You might use a Bicep module to define:

bicep

resource appGateway 'Microsoft.Network/applicationGateways@2023-05-01' = {
  name: 'myAppGateway'
  location: resourceGroup().location
  properties: {
    ...
  }
}

⚙️ 2. Managed by ALB Controller

This strategy leverages the Application Load Balancer (ALB) Controller running inside your AKS cluster to automatically manage the gateway and its sub-resources.

🔄 What It Does:

• Monitors Kubernetes resources (Ingress, Gateway API)

• Automatically updates gateway configuration

• Handles frontend and backend associations dynamically

✅ Benefits:

• Simplified management

• Near real-time updates as pods scale or change

• Great for teams focused on app delivery rather than infrastructure

📘 Example:

You define a Gateway API resource in Kubernetes:

yaml

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
spec:
  gatewayClassName: azure-alb
  listeners:
    - name: https
      protocol: HTTPS
      port: 443

🧠 Which Should You Choose?

🛠️ Bring Your Own (BYO) Deployment Examples

In BYO, you manually create and manage the gateway resources using tools like Azure CLI, Bicep, or Terraform.

🔹 Example 1: Azure CLI

bash

# Create the Application Gateway for Containers
az network alb create \
  --resource-group myResourceGroup \
  --name myAppGateway

# Create a frontend
az network alb frontend create \
  --resource-group myResourceGroup \
  --alb-name myAppGateway \
  --name myFrontend \
  --port 80 \
  --protocol Http

# Create an association
az network alb association create \
  --resource-group myResourceGroup \
  --alb-name myAppGateway \
  --frontend-name myFrontend \
  --subnet mySubnet \
  --vnet-name myVnet

⚙️ Managed by ALB Controller Examples

In this strategy, the ALB Controller inside AKS automatically provisions and manages the gateway resources based on Kubernetes manifests.

🔹 Example 1: Gateway API Manifest

yaml

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: default
spec:
  gatewayClassName: azure-alb
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      routes:
        kind: HTTPRoute
        name: my-route

🔹 Example 2: ApplicationLoadBalancer Custom Resource

yaml

apiVersion: alb.networking.azure.io/v1
kind: ApplicationLoadBalancer
metadata:
  name: alb-test
  namespace: alb-test-infra
spec:
  associations:
    - /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>

You can follow the full walkthrough for installing the ALB Controller and deploying these resources in Microsoft’s official quickstart guide

🚀 Performance Optimization Strategies

1. Autoscaling Configuration

• Enable autoscaling to dynamically adjust capacity based on traffic.

• Ensure your backend pods are labeled correctly and health probes are configured to avoid false negatives.

2. Custom Health Probes

• Use custom probes to monitor backend health more accurately.

• Example:

  yaml

    apiVersion: networking.k8s.io/v1
    kind: HTTPRoute
    spec:
      rules:
        - matches:
            - path:
                type: PathPrefix
                value: /healthz
  

3. Traffic Splitting

• Use weighted round-robin to distribute traffic across multiple versions of your app.

• Great for canary deployments or A/B testing.

4. Header and URL Rewrite

• Rewrite headers or URLs to optimize routing and reduce backend load.

• Example:

  yaml

    filters:
      - type: RequestHeaderModifier
        requestHeaderModifier:
          add:
            x-custom-header: "optimized"
  

5. SSL Offloading

• Terminate SSL at the gateway to reduce compute load on backend pods.

• Combine with end-to-end SSL if security is a concern.

6. Session Affinity

• Enable cookie-based affinity to keep user sessions consistent.

• Helps reduce latency for stateful applications.

7. Timeout Tuning

• Adjust timeout settings to balance responsiveness and resource usage.

• Too short: requests may fail prematurely.

• Too long: resources may be tied up unnecessarily.

8. Use Availability Zones

• Deploy across multiple zones for resiliency and load distribution.

9. Optimize Listener Configuration

• Use HTTP/2 for better performance with modern clients.

• Enable gRPC support if your services use it.

❌ Common Mistakes with Frontends

1. Not Using a Custom Domain

• Relying solely on the autogenerated Azure FQDN instead of masking it with a CNAME.

• 🔧 Fix: Use a custom domain for better branding and user trust.

2. Incorrect TLS Configuration

• Misconfigured TLS secrets or missing certificate references.

• 🔧 Fix: Ensure the TLS certificate is correctly stored in a Kubernetes secret and referenced in the Gateway manifest.

3. Listener Port Conflicts

• Defining multiple listeners on the same port without proper routing rules.

• 🔧 Fix: Use unique listener names and clearly defined route matching rules.

4. Missing Route Permissions

• Forgetting to allow routes from the correct namespaces.

• 🔧 Fix: Use allowedRoutes.namespaces.from: Same or All depending on your setup.

❌ Common Mistakes with Associations

1. Using a Subnet Smaller Than /24

• Associations require a subnet with at least 256 IPs.

• 🔧 Fix: Always use a /24 subnet or larger.

2. Subnet Not Delegated Properly

• The subnet must be explicitly delegated to Application Gateway for Containers.

• 🔧 Fix: Use Azure CLI or Bicep to delegate the subnet correctly.

3. Region Mismatch

• The subnet and gateway must be in the same Azure region.

• 🔧 Fix: Double-check that all resources are deployed in the same region.

4. Multiple Associations Not Supported Yet

• While the architecture supports multiple associations, only one is currently allowed.

• 🔧 Fix: Plan your network architecture accordingly and avoid trying to attach multiple associations.

5. DNS Resolution Issues

• If the gateway can't resolve backend FQDNs, traffic fails.

• 🔧 Fix: Ensure proper DNS configuration, especially when using private DNS zones2.

🧠 Pro Tip

Always validate your configuration using:

• Azure CLI (az network alb show)

• Kubernetes logs (kubectl logs)

• Network Watcher for DNS and connectivity diagnostics

📘 Helpful Resources

• Microsoft Learn: Application Gateway for Containers Overview