After the first article on how to deploy AKS, we will look at how to use an Application Gateway as an Ingress controller and a WAF. Why? To protect your websites 😊

To start, be sure to deploy your AKS cluster.

Now you can deploy your Application Gateway in Azure with the WAFv2 SKU:

Create a public IP for this WAF:

Create an empty backend pool (it will not be used, because of the integration as Ingress):

Create a routing rule, rule1, with the HTTP protocol (it will not be used, because of the integration as Ingress):

And the backend target (it will not be used, because of the integration as Ingress):

You will have this:

Configuration

When the Application Gateway has been deployed, go to Azure AD and get the name of your Service Principal:

Get the application ID, and create a new secret:

Give this Azure AD Service Principal the Contributor right on the AKS Resource Group:

Now, connect to your AKS Cluster:

Execute the following command to apply the RBAC deployment template:

Convert your Azure AD Service Principal secret to base64:

Now create two files with the following content:

01-aadpodidentity-sp.yaml

02-aadpodidentitybinding.yaml

And apply them:

Pods are now running:

Now we will convert the following connection string to base64:

Copy this code with your values and go to https://www.base64encode.org/. Paste it, click Encode, and get the result:
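
An added example, not part of the original article: both base64 steps on this page (the Service Principal secret and the connection string) can also be done locally in the shell, which keeps the credential on your workstation instead of sending it to a website. The JSON field names and all values below are constructed placeholders and an assumption; use the exact connection string your deployment requires.

```bash
#!/usr/bin/env bash
# Base64-encode credentials locally so they never leave the workstation.

# Read stdin byte-for-byte and emit base64 on ONE line. GNU base64 wraps at
# 76 columns, which would break a single-line YAML value, so strip newlines.
b64_encode() {
  base64 | tr -d '\n'
}

# Encode a file's exact bytes and verify the round trip before printing,
# so a truncated or altered value is caught before it reaches a manifest.
encode_secret_file() {
  local file="$1" encoded
  [ -r "$file" ] || { echo "cannot read: $file" >&2; return 1; }
  encoded="$(b64_encode < "$file")"
  if ! printf '%s' "$encoded" | base64 -d | cmp -s - "$file"; then
    echo "round-trip check failed: $file" >&2
    return 1
  fi
  printf '%s\n' "$encoded"
}

# Demo with a CONSTRUCTED connection string (placeholder values; the field
# names are an assumption, not taken from the article).
demo() {
  local tmp rc
  tmp="$(mktemp)"                     # mktemp creates the file owner-only
  cat > "$tmp" <<'EOF'
{"clientId":"00000000-0000-0000-0000-000000000000","clientSecret":"PLACEHOLDER-SECRET","subscriptionId":"11111111-1111-1111-1111-111111111111","tenantId":"22222222-2222-2222-2222-222222222222"}
EOF
  encode_secret_file "$tmp"
  rc=$?
  rm -f "$tmp"                        # do not leave the plaintext on disk
  return "$rc"
}

# Pitfall: `echo` appends a newline that becomes part of the encoded secret.
printf '%s' 'PLACEHOLDER-SECRET' | b64_encode; echo   # secret bytes only
echo 'PLACEHOLDER-SECRET' | b64_encode; echo          # secret + "\n" (wrong)
demo
```

For a real secret, read it with `read -rs` or from a file rather than typing it on the command line, so it does not end up in the shell history.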

Create a new file, 04-helm-config.yaml, and paste the code, replacing the values with your own:

It’s time to apply this configuration with Helm:

 


The ingress pod has been deployed:

We will deploy a test application:

I created a DNS entry, starwind, that points to the public IP of my Application Gateway. After a few seconds, the deployment is finished on the Application Gateway:

DNS entry - StarWind

Listeners

Rules

Health probes

If you try to access your website, you should be able to see it:

Welcome to nginx

In the next article, we will protect this website with a Let’s Encrypt certificate generated directly by AKS.

Florent Appointaire
Florent Appointaire is a Microsoft Engineer with 5 years of experience, specialized in Cloud Technologies (Public/Hybrid/Private). He has been a freelance consultant in Belgium since the beginning of 2017. He is an MVP in Cloud and Datacentre Management and is MCSE Private Cloud and Hyper-V certified. His favorite products are SCVMM, SCOM, Windows Azure Pack/Azure Stack and Microsoft Azure.