Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Configuring an AKS load balancer for HTTPS access

I'm porting an application that was originally developed for the AWS Fargate container service to AKS under Azure. In the AWS implementation an application load balancer is created and placed in front of the UI microservice. This load balancer is configured to use a signed certificate, allowing https access to our back-end.

I've done some searches on this subject and how something similar could be configured in AKS. I've found a lot of different answers to this for a variety of similar questions but none that are exactly what I'm looking for. From what I gather, there is no exact equivalent to the AWS approach in Azure. One thing that's different in the AWS solution is that you create an application load balancer upfront and configure it to use a certificate and then configure an https listener for the back-end UI microservice.

In the Azure case, when you issue the "az aks create" command the load balancer is created automatically. There doesn't seem be be a way to do much configuration, especially as it relates to certificates. My impression is that the default load balancer that is created by AKS is ultimately not the mechanism to use for this. Another option might be an application gateway, as described here. I'm not sure how to adapt this discussion to AKS. The UI pod needs to be the ultimate target of any traffic coming through the application gateway but the gateway uses a different subnet than what is used for the pods in the AKS cluster.

So I'm not sure how to proceed. My question is: Is the application gateway the correct solution to providing https access to a UI running in an AKS cluster or is there another approach I need to use?

like image 346
user3280383 Avatar asked Nov 19 '18 22:11

user3280383


People also ask

How do I add a load balancer to aks?

Use the az aks create command with the load-balancer-outbound-ips parameter to create a new cluster with your public IPs at the start. Use the az aks create command with the load-balancer-outbound-ip-prefixes parameter to create a new cluster with your public IP prefixes at the start.

How do I set a static IP address for Kubernetes load balancer?

To create a LoadBalancer service with the static public IP address, add the loadBalancerIP property and the value of the static public IP address to the YAML manifest. Create a file named load-balancer-service. yaml and copy in the following YAML. Provide your own public IP address created in the previous step.

How do I enable RBAC in existing AKS?

To add Azure RBAC for Kubernetes Authorization into an existing AKS cluster, use the az aks update command with the flag enable-azure-rbac . To remove Azure RBAC for Kubernetes Authorization from an existing AKS cluster, use the az aks update command with the flag disable-azure-rbac .


2 Answers

You are right, the default Load Balancer created by AKS is a Layer 4 LB and doesn't support SSL offloading. The equivalent of the AWS Application Load Balancer in Azure is the Application Gateway. As of now there is no option in AKS which allows to choose the Application Gateway instead of a classic load balancer, but like alev said, there is an ongoing project that still in preview which will allow to deploy a special ingress controller that will drive the routing rules on an external Application Gateway based on your ingress rules. If you really need something that is production ready, here are your options :

  1. Deploy an Ingress controller like NGINX, Traefik, etc. and use cert-manager to generate your certificate.
  2. Create an Application Gateway and manage your own routing rule that will point to the default layer 4 LB (k8s LoadBalancer service or via the ingress controller)

We implemented something similar lately and we decide to managed our own Application Gateway because we wanted to do the SSL offloading outside the cluster and because we needed the WAF feature of the Application Gateway. We were able to automatically manage the routing rules inside our deployment pipeline. We will probably use the Application Gateway as an ingress project when it will be production ready.

like image 60
Jean-Philippe Bond Avatar answered Sep 20 '22 16:09

Jean-Philippe Bond


Certificate issuing and renewal are not handled by the ingress, but using cert-manager you can easily add your own CA or use Let's encrypt to automatically issue certificates when you annotate the ingress or service objects. The http_application_routing addon for AKS is perfectly capable of working with cert-manager; can even be further configured using ConfigMaps (addon-http-application-routing-nginx-configuration in kube-system namespace). You can also look at initial support for Application Gateway as ingress here

like image 20
Alessandro Vozza Avatar answered Sep 23 '22 16:09

Alessandro Vozza