How to configure Azure Application Gateway work with AKS via SSL

ShuangLu · 4 min read · Mar 31, 2019

This tutorial provides the steps to deploy an Application Gateway and an AKS cluster and to configure the two resources to communicate over SSL.

1. Deploy an AKS cluster

2. Create a self-signed certificate for demo purposes

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-out aks-ingress-tls.crt \
-keyout aks-ingress-tls.key \
-subj "/CN=demo.azure.com/O=aks-ingress-tls"

3. Create a TLS secret in AKS from the certificate and key generated in the previous step

kubectl create secret tls aks-ingress-tls \
--key aks-ingress-tls.key \
--cert aks-ingress-tls.crt

4. Deploy the NGINX ingress controller manually

a. wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml

https://kubernetes.github.io/ingress-nginx/deploy/#prerequisite-generic-deployment-command

b. Modify the ‘args’ of the ‘nginx-ingress-controller’ container in the Deployment section: add the parameter ‘--default-ssl-certificate=default/aks-ingress-tls’ and change the version of the nginx-ingress-controller image to 0.23.0

c. kubectl apply -f mandatory.yaml

d. wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml

e. Add the annotation below to the Service ‘annotations’ and remove the ‘http’ port, leaving only ‘https’ in ‘ports’

service.beta.kubernetes.io/azure-load-balancer-internal: "true"

ports:
- name: https
  port: 443
  targetPort: https

f. kubectl apply -f cloud-generic.yaml

5. Deploy demo applications

6. Deploy demo ingress route

https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#test-the-ingress-controller

7. Test whether the internal ingress controller works

kubectl run -it --rm aks-ingress-test --image=debian

# inside the test pod:
apt-get update && apt-get install -y curl
curl -kv https://<service IP>
curl -kv https://<service IP>/whatever

The ‘Server certificate’ section of the curl output should show the subject from the secret ‘aks-ingress-tls’ (CN=demo.azure.com, O=aks-ingress-tls).
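The check in step 7 can be automated. The script below is an added example (not from the original post): it compares the SHA-256 fingerprint of the ‘tls.crt’ stored in the ‘aks-ingress-tls’ secret with the fingerprint of the certificate the internal ingress actually presents, so a stale or default certificate is caught rather than eyeballed. It assumes the secret was exported with ‘kubectl get secret aks-ingress-tls -o json’ and that the service IP is reachable on port 443 from where it runs; the embedded secret is a constructed sample with a placeholder certificate body.

```python
import base64
import hashlib
import json
import socket
import ssl

# Constructed sample of `kubectl get secret aks-ingress-tls -o json`.
# The certificate body is a placeholder, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nZGVtb2NlcnQ=\n-----END CERTIFICATE-----\n"
SAMPLE_SECRET = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "aks-ingress-tls", "namespace": "default"},
    "data": {"tls.crt": base64.b64encode(SAMPLE_PEM.encode()).decode(),
             "tls.key": base64.b64encode(b"placeholder-key").decode()},
})


def pem_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (hex) of the DER encoding of a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def secret_cert_fingerprint(secret_json: str) -> str:
    """Fingerprint of the tls.crt stored in an exported kubernetes.io/tls secret."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("expected a kubernetes.io/tls secret")
    pem = base64.b64decode(secret["data"]["tls.crt"]).decode("ascii")
    return pem_fingerprint(pem)


def served_cert_fingerprint(host: str, port: int = 443,
                            sni: str = "demo.azure.com") -> str:
    """Fingerprint of the leaf certificate the ingress presents on host:port.
    Chain verification is off, as with `curl -k`: the cert is self-signed and
    identity is established by comparing fingerprints instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def secret_matches_endpoint(secret_json: str, host: str, port: int = 443) -> bool:
    """True only when the ingress serves exactly the certificate in the secret."""
    return secret_cert_fingerprint(secret_json) == served_cert_fingerprint(host, port)
```

Call secret_matches_endpoint(open("secret.json").read(), "<service IP>") from the test pod; a False result means the controller is not using the ‘--default-ssl-certificate’ you configured in step 4b.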

8. Download the ‘aks-ingress-tls.crt’ file and convert it to a CER certificate

a. Open the ‘crt’ file, go to the ‘Details’ tab and click ‘Copy to File’

b. Export it as a ‘CER’ file

9. Convert ‘aks-ingress-tls.key’ and ‘aks-ingress-tls.crt’ to a PFX certificate and download it

openssl pkcs12 -export -out tls.pfx -inkey aks-ingress-tls.key -in aks-ingress-tls.crt

10. Deploy the application gateway

12. Add a custom ‘https’ health probe, defined according to your own service details

https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-probe-overview#default-health-probe-settings

13. Add an ‘https’ HTTP setting to the application gateway, using the ‘CER’ certificate you exported earlier and the health probe created in the previous step

14. Add a backend pool with the address of your internal ingress controller Service

15. Change the ‘http setting’ in use to the ‘https’ one

16. Verify that the backend is healthy

17. Verify from a browser, with DNS resolving ‘demo.azure.com’ to the public IP of the application gateway
