Application Gateway Ingress Controller in AKS AGIC - Icybiubiubiu/icyaks GitHub Wiki

Concept and topology

The Application Gateway Ingress Controller (AGIC) is a Kubernetes application, which makes it possible for Azure Kubernetes Service (AKS) customers to leverage Azure's native Application Gateway L7 load-balancer to expose cloud software to the Internet. AGIC monitors the Kubernetes cluster it is hosted on and continuously updates an Application Gateway, so that selected services are exposed to the Internet.


Set up

• AKS Add-On Greenfield Deployment: Instructions on installing the AGIC add-on, AKS, and Application Gateway on blank-slate infrastructure.

• AKS Add-On Brownfield Deployment: Install the AGIC add-on on an AKS cluster with an existing Application Gateway.

• Helm Greenfield Deployment: Install AGIC through Helm, a new AKS cluster, and a new Application Gateway on blank-slate infrastructure.

• Helm Brownfield Deployment: Deploy AGIC through Helm on an existing AKS cluster and Application Gateway.

Troubleshooting

[Diagram: how the Ingress, Service, and Pod (Deployment) objects relate]

Identity in AGIC

  1. Using a managed service identity (MSI).

  2. If using a service principal (SP), there is a known issue in AGIC 1.4.0 and lower: the AGIC add-on does not work in non-public clouds on AKS clusters that use a service principal. The AGIC add-on works correctly on AKS clusters that use a system-assigned identity.

This happens because AGIC tries to use the public AAD endpoint to fetch an auth token, which fails because the public AAD endpoint does not know about resources in non-public clouds such as Mooncake.

We have already merged a fix for this via pull request https://github.com/Azure/application-gateway-kubernetes-ingress/pull/1271.

**Important:** A system-assigned identity is also the recommended way to deploy the AKS cluster, as it uses a platform-managed secret.
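A small script, added here as an illustration and not part of the AGIC project or this wiki, that decides whether a cluster falls into the affected combination described above (service principal, non-public cloud, AGIC 1.4.0 or lower). The decision logic takes its three inputs as arguments so it can be checked offline; the live section assumes the add-on deployment is named ingress-appgw-deployment in kube-system and uses the az CLI cloud names (AzureCloud is the public cloud).

```shell
#!/bin/sh
# Return 0 when dotted version $1 <= $2 (missing components count as 0).
version_le() {
  printf '%s\n%s\n' "$1" "$2" | awk -F. '
    NR == 1 { a1 = $1 + 0; a2 = $2 + 0; a3 = $3 + 0 }
    NR == 2 { b1 = $1 + 0; b2 = $2 + 0; b3 = $3 + 0 }
    END {
      if (a1 < b1 || (a1 == b1 && (a2 < b2 || (a2 == b2 && a3 <= b3)))) exit 0
      exit 1
    }'
}

# Return 0 (affected) only when all three conditions from the known issue hold:
#   $1 cluster identity type: SystemAssigned, UserAssigned or ServicePrincipal
#   $2 az cloud name: AzureCloud is public; AzureChinaCloud, AzureUSGovernment are not
#   $3 AGIC version, e.g. the add-on image tag (a leading "v" is tolerated)
agic_sp_issue_applies() {
  case "$1" in
    ServicePrincipal) ;;          # only SP clusters are affected
    *) return 1 ;;                # managed identity works correctly
  esac
  [ "$2" != "AzureCloud" ] || return 1   # public cloud AAD endpoint is fine
  version_le "${3#v}" "1.4.0"            # fixed after 1.4.0
}

# Live check against a real cluster (requires az and kubectl, run with --live).
# Assumed: resource group/cluster in RG and CLUSTER env vars.
if [ "${1:-}" = "--live" ]; then
  ident=$(az aks show -g "$RG" -n "$CLUSTER" --query "identity.type" -o tsv)
  [ -n "$ident" ] || ident=ServicePrincipal   # identity is null on SP clusters
  cloud=$(az cloud show --query name -o tsv)
  image=$(kubectl -n kube-system get deploy ingress-appgw-deployment \
    -o jsonpath='{.spec.template.spec.containers[0].image}')
  tag=${image##*:}
  if agic_sp_issue_applies "$ident" "$cloud" "$tag"; then
    echo "AFFECTED: SP cluster in $cloud running AGIC $tag; upgrade AGIC or switch to a system-assigned identity"
  else
    echo "not affected: identity=$ident cloud=$cloud agic=$tag"
  fi
fi
```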