🛡️ Azure Application Gateway setup for AKS
What is Azure Application Gateway?
Azure Application Gateway is a Layer-7 (HTTP/HTTPS) load balancer that helps you manage and secure inbound traffic to your applications.
When used with Azure Kubernetes Service (AKS), Application Gateway provides:
🌐 HTTP/HTTPS traffic routing
🔐 SSL termination
🛡️ Web Application Firewall (WAF) support
🔀 Path-based and host-based routing
❤️ Health monitoring of backend services
In AKS architectures, Application Gateway is commonly used as the entry point for traffic, forwarding requests to services running inside the cluster.
Important Prerequisites ⚠️
Before creating the Application Gateway, ensure the following:
✅ AKS and Application Gateway must be in the same VNET
❌ They must NOT be in the same subnet
✅ Application Gateway requires its own dedicated subnet
VNET: aks-vnet
├─ Subnet: aks-subnet (Used by AKS)
└─ Subnet: appgw-subnet (Used by Application Gateway)
High-Level Flow
Client (Browser)
↓
Azure Application Gateway (Public IP / Private IP)
↓
AKS Service (Internal LoadBalancer IP)
↓
Pods
Create Azure Application Gateway for AKS
Step 1: Create Application Gateway Resource
• Sign in to Azure Portal
• Search for Application Gateway
• Click Create

Step 2: Basics – Project Details & Instance Details
Project Details
• Subscription: Select your subscription
• Resource Group: Select existing or create new
Instance Details
• Name: aks-clustergateway (example)
• Region: Same region as AKS

Step 3: Networking – VNET and Subnet Selection
• Select the same VNET used by AKS
• Choose a dedicated subnet for Application Gateway (example: aks-appgateway)

Step 4: Frontend IP Configuration
Application Gateway can be exposed using:
• Public IP
• Private IP
• Or both
In this setup:
Frontend IP type: Public
Public IP: Create new
Name: aks-publicIP

Step 5: Backend Pool Configuration
The backend pool defines where traffic will be forwarded.
• Create a backend pool
• Add Target IP addresses
• Use the AKS Service IP shown in the EXTERNAL-IP column of kubectl get svc <service-name> -n <namespace> (in this flow, the Service's internal LoadBalancer IP)

Step 6: Routing Rules
Routing rules define how traffic flows.
• Create a rule
• Select:
  Listener (Frontend IP + Port)
  Backend pool: Select the one we already created.

Backend Settings
Configure how Application Gateway talks to the backend:
• Protocol: HTTP or HTTPS
• Port: Same as AKS service port
• Request timeout: Default or custom (Recommended 60)

Click Create. The deployment will take a while to complete.

Step 7: Health Probe Configuration
Health probes ensure traffic is sent only to healthy backends.

Recommended configuration:
• Protocol: HTTP
• Host: Leave empty (or use the default 127.0.0.1)
• Path: /health or /
• Interval: 30 seconds
• Timeout: 30 seconds
• Unhealthy threshold: 3
• Backend Settings: Select the one we already created.
• Test the probe before saving.


Step 8: Validate Backend Health
After deployment completes:
• Open Application Gateway
• Navigate to Backend health
• Status should show: Healthy ✅

If unhealthy:
• Check health probe path
• Verify AKS service IP
• Ensure port and protocol match
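
To work through the "If unhealthy" checks without waiting on the portal, the Step 7 probe can be reproduced from a machine inside the VNET. The script below is an added example, not code from this guide or from Azure: it is a simplified model that assumes a 200-399 response counts as healthy (the gateway's default match range) and that the backend is marked unhealthy after `unhealthy_threshold` consecutive failures. All function names are hypothetical, and the local backend is a constructed stand-in for the AKS service.

```python
import http.client
import http.server
import threading
import time

def probe_once(host, port, path, timeout, host_header):
    """One probe: HTTP GET; a 200-399 status counts as success (assumed default)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        status = conn.getresponse().status
        return 200 <= status <= 399, f"HTTP {status}"
    except (OSError, http.client.HTTPException) as exc:
        return False, type(exc).__name__  # refused, timed out, malformed reply
    finally:
        conn.close()

def backend_health(host, port, path="/health", interval=30, timeout=30,
                   unhealthy_threshold=3, host_header="127.0.0.1"):
    """Probe until the first success or `unhealthy_threshold` consecutive failures."""
    reasons = []
    for attempt in range(unhealthy_threshold):
        ok, reason = probe_once(host, port, path, timeout, host_header)
        reasons.append(reason)
        if ok:
            return "Healthy", reasons
        if attempt < unhealthy_threshold - 1:
            time.sleep(interval)
    return "Unhealthy", reasons

class _Backend(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the AKS service: only /health answers 200."""
    def do_GET(self):
        self.send_response(200 if self.path == "/health" else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep demo output quiet
        pass

def start_constructed_backend():
    """Start the constructed backend on a free local port and return the server."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _Backend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    srv = start_constructed_backend()
    port = srv.server_address[1]
    for path in ("/health", "/"):  # right probe path vs. a path the app does not serve
        print(path, backend_health("127.0.0.1", port, path, interval=0, timeout=2))
    srv.shutdown()
```

Against a real deployment, call `backend_health` with the backend pool IP and the Backend Settings port; the returned reasons separate a wrong probe path (an HTTP status outside 200-399) from a wrong IP or port (a connection error).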
Step 9: Access the Application
Use the Application Gateway Public IP:

http://<app-gateway-public-ip>
