Configuring an AKS load balancer for HTTPS access
up vote
2
down vote
favorite
I'm porting an application that was originally developed for the AWS Fargate container service to AKS under Azure. In the AWS implementation an application load balancer is created and placed in front of the UI microservice. This load balancer is configured to use a signed certificate, allowing https access to our back-end.
I've done some searches on this subject and how something similar could be configured in AKS. I've found a lot of different answers to this for a variety of similar questions but none that are exactly what I'm looking for. From what I gather, there is no exact equivalent to the AWS approach in Azure. One thing that's different in the AWS solution is that you create an application load balancer upfront and configure it to use a certificate and then configure an https listener for the back-end UI microservice.
In the Azure case, when you issue the "az aks create" command the load balancer is created automatically. There doesn't seem be be a way to do much configuration, especially as it relates to certificates. My impression is that the default load balancer that is created by AKS is ultimately not the mechanism to use for this. Another option might be an application gateway, as described here. I'm not sure how to adapt this discussion to AKS. The UI pod needs to be the ultimate target of any traffic coming through the application gateway but the gateway uses a different subnet than what is used for the pods in the AKS cluster.
So I'm not sure how to proceed. My question is: Is the application gateway the correct solution to providing https access to a UI running in an AKS cluster or is there another approach I need to use?
azure azure-aks edited Nov 21 at 5:14
Jean-Philippe Bond
7,37622853
asked Nov 19 at 22:34
user3280383
7518
add a comment |
up vote
2
down vote
favorite
I'm porting an application that was originally developed for the AWS Fargate container service to AKS under Azure. In the AWS implementation an application load balancer is created and placed in front of the UI microservice. This load balancer is configured to use a signed certificate, allowing https access to our back-end.
I've done some searches on this subject and how something similar could be configured in AKS. I've found a lot of different answers to this for a variety of similar questions but none that are exactly what I'm looking for. From what I gather, there is no exact equivalent to the AWS approach in Azure. One thing that's different in the AWS solution is that you create an application load balancer upfront and configure it to use a certificate and then configure an https listener for the back-end UI microservice.
In the Azure case, when you issue the "az aks create" command the load balancer is created automatically. There doesn't seem be be a way to do much configuration, especially as it relates to certificates. My impression is that the default load balancer that is created by AKS is ultimately not the mechanism to use for this. Another option might be an application gateway, as described here. I'm not sure how to adapt this discussion to AKS. The UI pod needs to be the ultimate target of any traffic coming through the application gateway but the gateway uses a different subnet than what is used for the pods in the AKS cluster.
So I'm not sure how to proceed. My question is: Is the application gateway the correct solution to providing https access to a UI running in an AKS cluster or is there another approach I need to use?
azure azure-aks edited Nov 21 at 5:14
Jean-Philippe Bond
7,37622853
asked Nov 19 at 22:34
user3280383
7518
add a comment |
up vote
2
down vote
favorite
up vote
2
down vote
favorite
I'm porting an application that was originally developed for the AWS Fargate container service to AKS under Azure. In the AWS implementation an application load balancer is created and placed in front of the UI microservice. This load balancer is configured to use a signed certificate, allowing https access to our back-end.
I've done some searches on this subject and how something similar could be configured in AKS. I've found a lot of different answers to this for a variety of similar questions but none that are exactly what I'm looking for. From what I gather, there is no exact equivalent to the AWS approach in Azure. One thing that's different in the AWS solution is that you create an application load balancer upfront and configure it to use a certificate and then configure an https listener for the back-end UI microservice.
In the Azure case, when you issue the "az aks create" command the load balancer is created automatically. There doesn't seem be be a way to do much configuration, especially as it relates to certificates. My impression is that the default load balancer that is created by AKS is ultimately not the mechanism to use for this. Another option might be an application gateway, as described here. I'm not sure how to adapt this discussion to AKS. The UI pod needs to be the ultimate target of any traffic coming through the application gateway but the gateway uses a different subnet than what is used for the pods in the AKS cluster.
So I'm not sure how to proceed. My question is: Is the application gateway the correct solution to providing https access to a UI running in an AKS cluster or is there another approach I need to use?
azure azure-aks edited Nov 21 at 5:14
Jean-Philippe Bond
7,37622853
asked Nov 19 at 22:34
user3280383
7518
I'm porting an application that was originally developed for the AWS Fargate container service to AKS under Azure. In the AWS implementation an application load balancer is created and placed in front of the UI microservice. This load balancer is configured to use a signed certificate, allowing https access to our back-end.
I've done some searches on this subject and how something similar could be configured in AKS. I've found a lot of different answers to this for a variety of similar questions but none that are exactly what I'm looking for. From what I gather, there is no exact equivalent to the AWS approach in Azure. One thing that's different in the AWS solution is that you create an application load balancer upfront and configure it to use a certificate and then configure an https listener for the back-end UI microservice.
In the Azure case, when you issue the "az aks create" command the load balancer is created automatically. There doesn't seem be be a way to do much configuration, especially as it relates to certificates. My impression is that the default load balancer that is created by AKS is ultimately not the mechanism to use for this. Another option might be an application gateway, as described here. I'm not sure how to adapt this discussion to AKS. The UI pod needs to be the ultimate target of any traffic coming through the application gateway but the gateway uses a different subnet than what is used for the pods in the AKS cluster.
So I'm not sure how to proceed. My question is: Is the application gateway the correct solution to providing https access to a UI running in an AKS cluster or is there another approach I need to use?
azure azure-aks azure azure-aks edited Nov 21 at 5:14
Jean-Philippe Bond
7,37622853
asked Nov 19 at 22:34
user3280383
7518
edited Nov 21 at 5:14
Jean-Philippe Bond
7,37622853
asked Nov 19 at 22:34
user3280383
7518
edited Nov 21 at 5:14
Jean-Philippe Bond
7,37622853
edited Nov 21 at 5:14
Jean-Philippe Bond
7,37622853
edited Nov 21 at 5:14
Jean-Philippe Bond
7,37622853
7,37622853
asked Nov 19 at 22:34
user3280383
7518
asked Nov 19 at 22:34
user3280383
7518
asked Nov 19 at 22:34
user3280383
7518
7518
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
up vote
1
down vote
Certificate issuing and renewal are not handled by the ingress, but using cert-manager you can easily add your own CA or use Let's encrypt to automatically issue certificates when you annotate the ingress or service objects. The http_application_routing addon for AKS is perfectly capable of working with cert-manager; can even be further configured using ConfigMaps (addon-http-application-routing-nginx-configuration in kube-system namespace). You can also look at initial support for Application Gateway as ingress here
answered Nov 20 at 6:49
alev
1509
My question wasn't related to how to generate and manage certificates but how to configure the load balancer to use them (assuming you've obtained a signed certificate from somewhere). These are two separate matters really. I will check out cert-manager though.
– user3280383
Nov 20 at 21:09
add a comment |
up vote
0
down vote
You are right, the default Load Balancer created by AKS is a Layer 4 LB and doesn't support SSL offloading. The equivalent of the AWS Application Load Balancer in Azure is the Application Gateway. As of now there is no option in AKS which allows to choose the Application Gateway instead of a classic load balancer, but like alev said, there is an ongoing project that still in preview which will allow to deploy a special ingress controller that will drive the routing rules on an external Application Gateway based on your ingress rules. If you really need something that is production ready, here are your options :
- Deploy an Ingress controller like NGINX, Traefik, etc. and use cert-manager to generate your certificate.
- Create an Application Gateway and manage your own routing rule that will point to the default layer 4 LB (k8s LoadBalancer service or via the ingress controller)
We implemented something similar lately and we decide to managed our own Application Gateway because we wanted to do the SSL offloading outside the cluster and because we needed the WAF feature of the Application Gateway. We were able to automatically manage the routing rules inside our deployment pipeline. We will probably use the Application Gateway as an ingress project when it will be production ready.
answered Nov 21 at 5:10
Jean-Philippe Bond
7,37622853
Any word when the Application Gateway project will be GA?
– user3280383
Nov 21 at 14:26
You'll need to ask microsoft, but my guess is that it will be in a couple of months.
– Jean-Philippe Bond
Nov 21 at 15:39
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53383614%2fconfiguring-an-aks-load-balancer-for-https-access%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
Certificate issuing and renewal are not handled by the ingress, but using cert-manager you can easily add your own CA or use Let's encrypt to automatically issue certificates when you annotate the ingress or service objects. The http_application_routing addon for AKS is perfectly capable of working with cert-manager; can even be further configured using ConfigMaps (addon-http-application-routing-nginx-configuration in kube-system namespace). You can also look at initial support for Application Gateway as ingress here
answered Nov 20 at 6:49
alev
1509
My question wasn't related to how to generate and manage certificates but how to configure the load balancer to use them (assuming you've obtained a signed certificate from somewhere). These are two separate matters really. I will check out cert-manager though.
– user3280383
Nov 20 at 21:09
add a comment |
up vote
1
down vote
Certificate issuing and renewal are not handled by the ingress, but using cert-manager you can easily add your own CA or use Let's encrypt to automatically issue certificates when you annotate the ingress or service objects. The http_application_routing addon for AKS is perfectly capable of working with cert-manager; can even be further configured using ConfigMaps (addon-http-application-routing-nginx-configuration in kube-system namespace). You can also look at initial support for Application Gateway as ingress here
answered Nov 20 at 6:49
alev
1509
My question wasn't related to how to generate and manage certificates but how to configure the load balancer to use them (assuming you've obtained a signed certificate from somewhere). These are two separate matters really. I will check out cert-manager though.
– user3280383
Nov 20 at 21:09
add a comment |
up vote
1
down vote
up vote
1
down vote
Certificate issuing and renewal are not handled by the ingress, but using cert-manager you can easily add your own CA or use Let's encrypt to automatically issue certificates when you annotate the ingress or service objects. The http_application_routing addon for AKS is perfectly capable of working with cert-manager; can even be further configured using ConfigMaps (addon-http-application-routing-nginx-configuration in kube-system namespace). You can also look at initial support for Application Gateway as ingress here
answered Nov 20 at 6:49
alev
1509
Certificate issuing and renewal are not handled by the ingress, but using cert-manager you can easily add your own CA or use Let's encrypt to automatically issue certificates when you annotate the ingress or service objects. The http_application_routing addon for AKS is perfectly capable of working with cert-manager; can even be further configured using ConfigMaps (addon-http-application-routing-nginx-configuration in kube-system namespace). You can also look at initial support for Application Gateway as ingress here
answered Nov 20 at 6:49
alev
1509
answered Nov 20 at 6:49
alev
1509
answered Nov 20 at 6:49
alev
1509
answered Nov 20 at 6:49
alev
1509
1509
My question wasn't related to how to generate and manage certificates but how to configure the load balancer to use them (assuming you've obtained a signed certificate from somewhere). These are two separate matters really. I will check out cert-manager though.
– user3280383
Nov 20 at 21:09
add a comment |
My question wasn't related to how to generate and manage certificates but how to configure the load balancer to use them (assuming you've obtained a signed certificate from somewhere). These are two separate matters really. I will check out cert-manager though.
– user3280383
Nov 20 at 21:09
My question wasn't related to how to generate and manage certificates but how to configure the load balancer to use them (assuming you've obtained a signed certificate from somewhere). These are two separate matters really. I will check out cert-manager though.
– user3280383
Nov 20 at 21:09
My question wasn't related to how to generate and manage certificates but how to configure the load balancer to use them (assuming you've obtained a signed certificate from somewhere). These are two separate matters really. I will check out cert-manager though.
– user3280383
Nov 20 at 21:09
add a comment |
up vote
0
down vote
You are right, the default Load Balancer created by AKS is a Layer 4 LB and doesn't support SSL offloading. The equivalent of the AWS Application Load Balancer in Azure is the Application Gateway. As of now there is no option in AKS which allows to choose the Application Gateway instead of a classic load balancer, but like alev said, there is an ongoing project that still in preview which will allow to deploy a special ingress controller that will drive the routing rules on an external Application Gateway based on your ingress rules. If you really need something that is production ready, here are your options :
- Deploy an Ingress controller like NGINX, Traefik, etc. and use cert-manager to generate your certificate.
- Create an Application Gateway and manage your own routing rule that will point to the default layer 4 LB (k8s LoadBalancer service or via the ingress controller)
We implemented something similar lately and we decide to managed our own Application Gateway because we wanted to do the SSL offloading outside the cluster and because we needed the WAF feature of the Application Gateway. We were able to automatically manage the routing rules inside our deployment pipeline. We will probably use the Application Gateway as an ingress project when it will be production ready.
answered Nov 21 at 5:10
Jean-Philippe Bond
7,37622853
Any word when the Application Gateway project will be GA?
– user3280383
Nov 21 at 14:26
You'll need to ask microsoft, but my guess is that it will be in a couple of months.
– Jean-Philippe Bond
Nov 21 at 15:39
add a comment |
up vote
0
down vote
You are right, the default Load Balancer created by AKS is a Layer 4 LB and doesn't support SSL offloading. The equivalent of the AWS Application Load Balancer in Azure is the Application Gateway. As of now there is no option in AKS which allows to choose the Application Gateway instead of a classic load balancer, but like alev said, there is an ongoing project that still in preview which will allow to deploy a special ingress controller that will drive the routing rules on an external Application Gateway based on your ingress rules. If you really need something that is production ready, here are your options :
- Deploy an Ingress controller like NGINX, Traefik, etc. and use cert-manager to generate your certificate.
- Create an Application Gateway and manage your own routing rule that will point to the default layer 4 LB (k8s LoadBalancer service or via the ingress controller)
We implemented something similar lately and we decide to managed our own Application Gateway because we wanted to do the SSL offloading outside the cluster and because we needed the WAF feature of the Application Gateway. We were able to automatically manage the routing rules inside our deployment pipeline. We will probably use the Application Gateway as an ingress project when it will be production ready.
answered Nov 21 at 5:10
Jean-Philippe Bond
7,37622853
Any word when the Application Gateway project will be GA?
– user3280383
Nov 21 at 14:26
You'll need to ask microsoft, but my guess is that it will be in a couple of months.
– Jean-Philippe Bond
Nov 21 at 15:39
add a comment |
up vote
0
down vote
up vote
0
down vote
You are right, the default Load Balancer created by AKS is a Layer 4 LB and doesn't support SSL offloading. The equivalent of the AWS Application Load Balancer in Azure is the Application Gateway. As of now there is no option in AKS which allows to choose the Application Gateway instead of a classic load balancer, but like alev said, there is an ongoing project that still in preview which will allow to deploy a special ingress controller that will drive the routing rules on an external Application Gateway based on your ingress rules. If you really need something that is production ready, here are your options :
- Deploy an Ingress controller like NGINX, Traefik, etc. and use cert-manager to generate your certificate.
- Create an Application Gateway and manage your own routing rule that will point to the default layer 4 LB (k8s LoadBalancer service or via the ingress controller)
We implemented something similar lately and we decide to managed our own Application Gateway because we wanted to do the SSL offloading outside the cluster and because we needed the WAF feature of the Application Gateway. We were able to automatically manage the routing rules inside our deployment pipeline. We will probably use the Application Gateway as an ingress project when it will be production ready.
answered Nov 21 at 5:10
Jean-Philippe Bond
7,37622853
You are right, the default Load Balancer created by AKS is a Layer 4 LB and doesn't support SSL offloading. The equivalent of the AWS Application Load Balancer in Azure is the Application Gateway. As of now there is no option in AKS which allows to choose the Application Gateway instead of a classic load balancer, but like alev said, there is an ongoing project that still in preview which will allow to deploy a special ingress controller that will drive the routing rules on an external Application Gateway based on your ingress rules. If you really need something that is production ready, here are your options :
- Deploy an Ingress controller like NGINX, Traefik, etc. and use cert-manager to generate your certificate.
- Create an Application Gateway and manage your own routing rule that will point to the default layer 4 LB (k8s LoadBalancer service or via the ingress controller)
We implemented something similar lately and we decide to managed our own Application Gateway because we wanted to do the SSL offloading outside the cluster and because we needed the WAF feature of the Application Gateway. We were able to automatically manage the routing rules inside our deployment pipeline. We will probably use the Application Gateway as an ingress project when it will be production ready.
answered Nov 21 at 5:10
Jean-Philippe Bond
7,37622853
answered Nov 21 at 5:10
Jean-Philippe Bond
7,37622853
answered Nov 21 at 5:10
Jean-Philippe Bond
7,37622853
answered Nov 21 at 5:10
Jean-Philippe Bond
7,37622853
7,37622853
Any word when the Application Gateway project will be GA?
– user3280383
Nov 21 at 14:26
You'll need to ask microsoft, but my guess is that it will be in a couple of months.
– Jean-Philippe Bond
Nov 21 at 15:39
add a comment |
Any word when the Application Gateway project will be GA?
– user3280383
Nov 21 at 14:26
You'll need to ask microsoft, but my guess is that it will be in a couple of months.
– Jean-Philippe Bond
Nov 21 at 15:39
Any word when the Application Gateway project will be GA?
– user3280383
Nov 21 at 14:26
Any word when the Application Gateway project will be GA?
– user3280383
Nov 21 at 14:26
You'll need to ask microsoft, but my guess is that it will be in a couple of months.
– Jean-Philippe Bond
Nov 21 at 15:39
You'll need to ask microsoft, but my guess is that it will be in a couple of months.
– Jean-Philippe Bond
Nov 21 at 15:39
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53383614%2fconfiguring-an-aks-load-balancer-for-https-access%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
