
Managing an Azure Gateway Ingress Controller in your Kubernetes environment can be a complex task. The Azure Gateway Ingress Controller is a crucial component that enables communication between your Kubernetes cluster and the outside world.
To begin, you need to have a basic understanding of Kubernetes and Azure. Specifically, you should be familiar with Azure Kubernetes Service (AKS) and the concept of ingress controllers.
The Azure Gateway Ingress Controller is a highly customizable component that allows you to define custom routes and rules for incoming traffic. This is particularly useful for complex applications with multiple services and routing requirements.
By following the best practices outlined in this guide, you can ensure a smooth and secure experience for your users, even with the most demanding applications.
Here's an interesting read: Ingress Nginx Azure
Ingress Controller Management
Managing your Azure Gateway Ingress Controller can be a daunting task, especially if you're not familiar with the process.
The Azure Kubernetes Service (AKS) provides a built-in ingress controller, but it's not suitable for Azure Gateway.
To manage your Azure Gateway Ingress Controller, you'll need to configure the controller to work with Azure Gateway.
You can do this by setting the `annotations` property in your ingress resource to include the Azure Gateway configuration.
A unique perspective: Azure Storage Not Displaying
Disable Add-on with Application Gateway Deployment
If you're using the AGIC add-on and have an associated Application Gateway deployment, you need to be aware of a potential issue when disabling the add-on.
The AGIC add-on considers two criteria to determine if it should delete the associated Application Gateway deployment: whether Application Gateway is deployed in the MC_* node resource group and if the deployment has the tag created-by: ingress-appgw.
If both criteria are met, disabling the add-on will delete the Application Gateway deployment by default.
However, if the first criterion isn't met, disabling the add-on won't delete the Application Gateway deployment, even if it has the created-by: ingress-appgw tag.
If you don't want the add-on to delete your Application Gateway deployment when you disable the add-on, but the deployment meets both criteria, you can remove the created-by: ingress-appgw tag.
To avoid any issues, it's a good idea to check your Application Gateway deployment before disabling the AGIC add-on.
Here are the key things to keep in mind:
- Check if Application Gateway is deployed in the MC_* node resource group.
- Check if the Application Gateway deployment has the tag created-by: ingress-appgw.
Ingress URL Redirect
In Ingress Controller Management, URL redirects play a crucial role in routing traffic to the correct destination.
To set up a URL redirect for Ingress API, you need to define an IngressExtension resource, which contains a rule that defines a requestRedirect with a scheme value of https.
Two Ingress resources must be defined: one for listening on port 80 for the HTTP request to trigger a redirect, and another for listening on port 443 for handling HTTPS requests.
The IngressExtension resource is a key component in configuring URL redirects for Ingress API, allowing you to define specific rules for redirecting traffic.
You might like: Ingress Load Balancer Azure
Session Affinity in Ingress
Session Affinity in Ingress is a crucial aspect of managing Ingress Controllers.
In the Ingress API, you can define an IngressExtension resource to configure session affinity. More details on this can be found in the Session Affinity documentation.
Application Gateway for Containers supports session affinity via cookie for both Gateway and Ingress API. This means you can use cookies to maintain session affinity.
To configure session affinity, you can use specific annotations. The AGIC annotation "appgw.ingress.kubernetes.io/cookie-based-affinity" is used to enable cookie-based affinity.
If you're using custom resources, you can find a list of AGIC annotations and their equivalent implementation in the Annotations section of this article. This can help you translate Ingress configurations to use Ingress or Gateway API natively.
A different take: Azure Attribute Based Access Control
Direct Traffic to Container Gateway
Direct traffic to your Container Gateway by updating public DNS records to point to the frontend A record of the Application Gateway for Containers. This typically involves creating a CNAME record or an alias record.
Identify the time to live (TTL) value of the DNS record currently serving traffic to the frontend of Application Gateway. This is crucial to ensure a smooth transition.
Consider migrating during a time of low-peak traffic to validate the new setup. This will help you catch any issues before they affect your users.
In the event of unexpected behavior, revert the DNS record to point back to the Application Gateway frontend and repeat the process.
Worth a look: Traffic Manager in Azure
To ensure a seamless migration, make sure to configure the same amount of time for connection draining in Application Gateway as the TTL value of the DNS record. This will give all clients time to resolve the new DNS record before retiring the Ingress/Gateway configuration.
Here are some key considerations to keep in mind during the migration process:
- Prior to migration, identify the time to live (TTL) value of the DNS record currently serving traffic to the frontend of Application Gateway.
- Consider migration during a time of low-peak traffic to validate the new setup.
- In the event migration does not behave the way you anticipated, revert the DNS record to point back to the Application Gateway frontend and repeat the process.
Azure Resource Management
Azure Resource Management is a crucial aspect of managing Azure Gateways. It allows you to create, manage, and monitor resources in a single place.
In Azure Resource Management, you can create and manage Azure Gateways, including their ingress controllers. This is done through the Azure Portal or using Azure CLI commands.
Azure Resource Management provides a centralized view of all your Azure resources, making it easier to track and manage them. This view includes the Azure Gateways and their ingress controllers.
You can manage Azure Gateways in the Azure Portal by selecting the "Networking" section and then clicking on "Azure Gateways". From there, you can create, update, or delete Azure Gateways and their ingress controllers.
Recommended read: Azure Api Management vs Api Gateway
Azure Resource Management also allows you to set up tags and assign them to your Azure resources, including Azure Gateways. This helps with organization and makes it easier to track costs.
To manage Azure Gateways using Azure CLI, you can use the `az network application-gateway` command. This command allows you to create, update, or delete Azure Gateways and their ingress controllers.
Feature and Prerequisites
Before we dive into the migration process, let's cover the essential features and prerequisites. You'll need to identify any dependencies on Application Gateway Ingress Controller that may not yet be available in Application Gateway for Containers.
To do this, take a look at the following features that are currently not supported or have limitations in Application Gateway for Containers: Web Application Firewall (WAF)Private IPPorts other than 80 and 443Configurable request timeout values
As for prerequisites, you'll need the following: An Azure subscription, helm, kubectl, azure-cli, terraform installed, an example app to publish, and a domain in your hands to play around with.
Discover more: Azure Pipeline Not Equal
Deprecate Application Gateway
If you've already deployed Application Gateway with the AGIC add-on, you may want to deprecate it once you've migrated all services. Deprecating Application Gateway Ingress Controller is a straightforward process, as mentioned in Example 2.
To avoid deleting the Application Gateway deployment by default, be aware of the criteria the AGIC add-on uses to determine whether to delete it. The add-on checks if Application Gateway is deployed in the MC_* node resource group and if the deployment has the tag created-by: ingress-appgw.
Here's a quick rundown of what happens when you disable the AGIC add-on:
- If both criteria are met, the AGIC add-on deletes the Application Gateway deployment.
- If the first criterion isn't met, disabling the add-on doesn't delete the Application Gateway deployment.
- If the second criterion isn't met, disabling the add-on also doesn't delete the Application Gateway deployment.
If you don't want the add-on to delete your Application Gateway deployment when you disable it, you can remove the created-by: ingress-appgw tag. This will prevent the add-on from deleting the deployment, even if it meets both criteria.
Recommended read: Azure Function Disappeared after Deployment
Feature Dependencies
Before you start migrating to Application Gateway for Containers, it's essential to identify any feature dependencies that may not be available yet. This includes workloads that rely on features like Web Application Firewall (WAF), Private IP, ports other than 80 and 443, and configurable request timeout values.
These dependencies should be prioritized later in your migration strategy until such capabilities are unblocked in Application Gateway for Containers.
Here's a list of specific dependencies to consider:
- Web Application Firewall (WAF)
- Private IP
- Ports other than 80 and 443
- Configurable request timeout values
By understanding these dependencies, you can plan your migration strategy accordingly and avoid potential issues down the line.
Agic Add-on
The AGIC add-on is a feature worth mentioning. If you're using the AGIC add-on, you may delete it by running a specific command.
To delete the AGIC add-on, you'll need to run a command in your terminal or command prompt. The command is:
If you're not sure how to run commands, don't worry - it's a simple process that you can learn quickly.
Customization and Settings
In the Ingress API, you can define an IngressExtension resource with properties related to sessionAffinity. This allows for more control over how traffic is routed to your applications.
To configure Application Gateway for Containers with session affinity, you'll want to check out the Session Affinity documentation.
Frontend Port Override

Frontend Port Override is a customization option in Application Gateway for Containers that allows you to override the default frontend port.
You can use the annotation `appgw.ingress.kubernetes.io/override-frontend-port` to specify a custom frontend port.
Application Gateway for Containers only supports ports 80 and 443, so you'll need to choose one of these ports for your custom frontend.
To override the frontend port, simply add the `appgw.ingress.kubernetes.io/override-frontend-port` annotation to your Gateway or Ingress resource with the desired port number.
Here are the supported ports:
- 80
- 443
Remember to update your frontend configuration accordingly to reflect the new port number.
Helm Deployment
If you deployed the Application Gateway Ingress Controller (AGIC) using Helm, you may need to uninstall the controller.
You can do this by running the following command:
The command to uninstall the AGIC is not provided in the article section facts, but you can refer to Example 2 for context.
A different take: Domain Controller in Azure
Custom Health Probes
Custom Health Probes are a powerful tool for monitoring system performance. They allow you to create custom metrics to measure specific aspects of your system.

You can define multiple probes to track different aspects of your system, such as CPU usage, memory usage, and disk space. This helps you identify potential issues before they become major problems.
Each probe can be configured to collect data at a specified interval, such as every 5 minutes. This ensures you have a clear picture of system performance over time.
For example, you could create a probe to track the average CPU usage over the past hour, or the total memory usage over the past day. This helps you make informed decisions about system optimization.
Custom Health Probes can also be used to trigger alerts when certain conditions are met, such as when CPU usage exceeds 80% or memory usage falls below 10%. This ensures you're notified quickly if there's a problem.
Curious to learn more? Check out: Memory Dump in Azure
Cleanup and Removal
To remove the Ingress resources, you'll need to delete each one referencing the Application Gateway Ingress Controller with the kubernetes.io/ingress.class: azure/application-gateway annotation or defines an ingressClassName of azure-application-gateway.

This is crucial because those resources are still pointing to the Ingress Controller, even after it's been removed.
You'll need to delete the Application Gateway resource after removing the Ingress controller.
If the aks add-on was provisioned referencing a previously deployed Application Gateway, you'll have to delete the Application Gateway resource manually.
Frequently Asked Questions
How do I disable the ingress controller?
To disable the ingress controller, specify "none" to the ingress provider directive in your cluster configuration. This will prevent the default controller from being used.
Featured Images: pexels.com

