Ingress Is Not Working for the Application Gateway Ingress Controller (AGIC) Add-On of AKS

Overview

Azure Kubernetes Service (AKS) is a managed Kubernetes offering in Azure that provides a highly scalable, consistent, and manageable Kubernetes environment. The Application Gateway Ingress Controller (AGIC) is an Azure resource that allows you to use Application Gateway as the ingress for an AKS cluster. At times, however, Ingress does not work when AGIC is deployed as an AKS add-on. Understanding how AGIC interacts with AKS and recognizing the common misconfigurations is essential for troubleshooting and for keeping application delivery and traffic management reliable.

Understanding AGIC Configuration

AGIC serves as a bridge between AKS and Azure's Application Gateway, allowing you to route traffic from external clients to the applications running on AKS. It watches for changes in Kubernetes Ingress resources and updates the Application Gateway accordingly. Here’s a basic flow to understand how AGIC facilitates ingress for applications:

  1. Ingress Resource: When a new Ingress resource is created or modified in AKS, AGIC picks up on these changes.
  2. Application Gateway Sync: AGIC updates the corresponding configurations on the Azure Application Gateway to reflect these Ingress changes.
  3. Traffic Flow: With the configurations updated, the Application Gateway can efficiently route incoming traffic to the designated services in the AKS cluster.

Common Reasons for Ingress Not Working

1. Misconfiguration of Ingress Resources

  • Path Issues: Incorrect path specifications can lead to inbound traffic routing failures. Ensure paths in the Ingress resource match the paths required by your application endpoints.
  • Service Specification: The Ingress resource may reference services that are misnamed or misconfigured, so the Application Gateway does not route requests to the expected pods.

2. AGIC Add-On Not Properly Enabled

  • If the AGIC add-on is not correctly deployed or configured in your AKS cluster, it won't monitor and propagate Ingress changes. Ensure that AGIC is enabled and correctly associated with the Application Gateway.

3. Application Gateway Configuration Issues

  • WAF Policies: If Web Application Firewall (WAF) policies are too restrictive, valid traffic can be blocked inadvertently.
  • SSL Certificate Mismatches: Incorrectly configured SSL certificates can prevent a successful SSL handshake, making the application unreachable over HTTPS.

4. Network and Connectivity Problems

  • Subnet Configurations: Ensure the Application Gateway is placed in a subnet that allows communication with AKS.
  • Network Security Groups (NSGs): Confirm that NSGs and firewalls allow traffic flow between the Application Gateway and the AKS nodes.
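The Ingress-resource problems listed under reason 1 (paths and Service references) can be checked offline before looking at the gateway itself. The following is an added example, not code from the original page or from AGIC: a small linter over objects shaped like the items of `kubectl get ingress,svc -A -o json`. The function name `lint_ingress`, the Service names, and the sample objects are constructed for illustration; the ingress class values are the ones AGIC documents, and checking them is an assumption about why an Ingress might be ignored.

```python
# Added example: offline lint for Ingress objects that AGIC would consume.
# Input dicts mirror the items of `kubectl get ingress,svc -A -o json`.
AGIC_CLASS_ANNOTATION = "azure/application-gateway"  # kubernetes.io/ingress.class value
AGIC_CLASS_NAME = "azure-application-gateway"        # spec.ingressClassName value

def lint_ingress(ingress, services):
    """Return a list of findings for one networking.k8s.io/v1 Ingress dict."""
    meta, spec = ingress["metadata"], ingress.get("spec", {})
    ns = meta.get("namespace", "default")
    findings = []
    cls = meta.get("annotations", {}).get("kubernetes.io/ingress.class")
    if cls != AGIC_CLASS_ANNOTATION and spec.get("ingressClassName") != AGIC_CLASS_NAME:
        findings.append("ingress class is not AGIC's; the controller will ignore it")
    # Index Services in the Ingress namespace: name -> set of port numbers and names
    ports = {}
    for s in services:
        if s["metadata"].get("namespace", "default") == ns:
            ports[s["metadata"]["name"]] = {
                v for p in s["spec"].get("ports", [])
                for v in (p.get("port"), p.get("name")) if v is not None}
    for rule in spec.get("rules", []):
        host = rule.get("host", "*")
        for p in rule.get("http", {}).get("paths", []):
            path = p.get("path", "/")
            if not path.startswith("/"):
                findings.append(f"{host}{path}: path must start with '/'")
            svc = p.get("backend", {}).get("service", {})
            name, port = svc.get("name"), svc.get("port", {})
            want = port.get("number", port.get("name"))
            if name not in ports:
                findings.append(f"{host}{path}: Service {ns}/{name} not found")
            elif want not in ports[name]:
                findings.append(f"{host}{path}: Service {name} exposes no port {want}")
    return findings

# Constructed sample data: the backend names a Service that does not exist.
SERVICES = [{"metadata": {"name": "api-svc", "namespace": "prod"},
             "spec": {"ports": [{"name": "http", "port": 8080}]}}]
INGRESS = {"metadata": {"name": "myapp", "namespace": "prod",
                        "annotations": {"kubernetes.io/ingress.class": AGIC_CLASS_ANNOTATION}},
           "spec": {"rules": [{"host": "myapp.example.com", "http": {"paths": [
               {"path": "/api", "pathType": "Prefix",
                "backend": {"service": {"name": "api-service", "port": {"number": 80}}}}]}}]}}

if __name__ == "__main__":
    for finding in lint_ingress(INGRESS, SERVICES):
        print(finding)
```

The Ingress backend port is compared against the Service's `port` (or port name), not its `targetPort`, because that is what an Ingress backend references.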

Technical Diagnostic and Solutions

Load Balancer Integration

The AGIC must be synchronized with the AKS service types (e.g., LoadBalancer or ClusterIP). Here’s an example of a potential misconfiguration:

  • host: myapp.example.com
    • path: /api

  • NSG Flow Logs: Use them to verify whether traffic reaches the intended target or is blocked at the Network Security Group level.
  • Diagnostic Logging: Enable diagnostic logging on Application Gateway to capture connection attempts and errors.
  • Metrics and Alerts: Use Azure Monitor to track Gateway performance and receive alerts on failure conditions.
