Azure Kubernetes with ingress-nginx-controller and external static ip is not accessed from the outside.

Question

Azure Kubernetes with ingress-nginx-controller and external static ip is not accessed from the outside.

Piotr Makowiec 40

I've got an Azure Kubernetes Cluster. I also have a Public IP Address resource. Public IP Address is within the same resource group as aks-vnet. The Public IP Address is assigned front-end ip configuration for kubernetes load balancer service. I have installed ingress-nginx-controller with external ip address

controller was created with the script:
helm upgrade --install nginx-ingress ingress-nginx/ingress-nginx --set controller.replicaCount=2 --set controller.service.loadBalancerIP="ip-address" --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-resource-group"="group-name" --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dedicated-public-ip"="true" --set controller.service.externalTrafficPolicy=Local --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz

I heard about some issues, that could have been resolved by setting externallTraficPolicy to local and health probe request path to /healthz, but it didn't work.

When requesting ip address server doesn't response.

Do you have any ideas why it doesn't work?

Thank you

Konstantinos Passadis 19,586 Reputation points MVP

2023-05-14T12:30:05.79+00:00

Hello @Piotr Makowiec !

Do you have any feedback or your issue is resolved?

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-14T15:37:08.1133333+00:00

Hello

Can i kindly ask you are you reported my answer ?

I clearly display that it could be helped by AI , and in additon i have carefully syntaxed and validated the commands

I am trying to help here and i do not understand the problem and i thik the report was not for me !!!

Kindly elaborate!
Piotr Makowiec 40 Reputation points

2023-05-14T16:44:14.7566667+00:00

Sorry, by accident I put the ip-address which I shouldn't and removed directly from the question, and reported the comment in hope it will disappear. I really thought that was automatic AI response.
I apologize once again
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-14T16:52:01.34+00:00

Ok I am glad you have acknowledged it! I really hope the moderator can see this , because it is now under review!
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-14T16:54:24.04+00:00

Can you please post a request with the link of this thread with the tag Microsoft Q & A that my report was accidental? I would really appreciate you to do this please!
Piotr Makowiec 40 Reputation points

2023-05-14T17:17:24.28+00:00

Done, I requested a post with the tag and description of the issue. I hope you're not going to have any troubles because of that :) sorry once again
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-14T17:24:00.8433333+00:00

That is great of you ! Thank you ! Yes a report may have consequenes so if we could at least show that it was a mistake then i think it would not be an issue! Again thank you !

Accepted answer

2 additional answers

Your answer

Konstantinos Passadis 19,586 Reputation points MVP

2023-05-14T12:30:05.79+00:00

Hello @Piotr Makowiec !

Do you have any feedback or your issue is resolved?

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-14T15:37:08.1133333+00:00

Hello

Can i kindly ask you are you reported my answer ?

I clearly display that it could be helped by AI , and in additon i have carefully syntaxed and validated the commands

I am trying to help here and i do not understand the problem and i thik the report was not for me !!!

Kindly elaborate!
Piotr Makowiec 40 Reputation points

2023-05-14T16:44:14.7566667+00:00

Sorry, by accident I put the ip-address which I shouldn't and removed directly from the question, and reported the comment in hope it will disappear. I really thought that was automatic AI response.
I apologize once again
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-14T16:52:01.34+00:00

Ok I am glad you have acknowledged it! I really hope the moderator can see this , because it is now under review!
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-14T16:54:24.04+00:00

Can you please post a request with the link of this thread with the tag Microsoft Q & A that my report was accidental? I would really appreciate you to do this please!
Piotr Makowiec 40 Reputation points

2023-05-14T17:17:24.28+00:00

Done, I requested a post with the tag and description of the issue. I hope you're not going to have any troubles because of that :) sorry once again
Konstantinos Passadis 19,586 Reputation points MVP

2023-05-14T17:24:00.8433333+00:00

That is great of you ! Thank you ! Yes a report may have consequenes so if we could at least show that it was a mistake then i think it would not be an issue! Again thank you !

Answer 1

AirGordon 7,150

Pretty sure you only need to provide health probe request path when your app doesn't respond on the root "/". This can be the case for some dot net app where the routing defaults to "/api", in these cases /healthz can be useful.

I'd suggest you get a known good app working and then figure out the delta between that app and yours. If both don't work then you likely have an infrastructure issue and not a cluster one (eg. an NSG blocking all incoming traffic).
The app i tend to use for this is the Azure Voting App. You can see one of my manifests here: https://github.com/Gordonby/Snippets/blob/master/AKS/Azure-Vote-Labelled-ILB-WarIngress-NetPolicy.yaml
Install nginx again on the cluster with default config a different ingressClassName and see how you fare.

NB: If you're going to use my manifest file, make sure to change line 101 (IngressClassName). Also note that i'm additionally exposing my service via another LoadBalancer on line 90 - this is helpful for debugging an App Problem vs an Ingress problem during development.

Piotr Makowiec 40

Thank you so much for your help.
I removed ingress-nginx ingress-nginx/ingress-nginx and recreated new one like this:

DNS_LABEL="<DNS_LABEL>"
NAMESPACE="ingress-basic"
STATIC_IP=<STATIC_IP>
helm upgrade ingress-nginx ingress-nginx/ingress-nginx \
  --namespace $NAMESPACE \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"=$DNS_LABEL \
  --set controller.service.loadBalancerIP=$STATIC_IP \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz

Then I took your deployment yaml script which you provided and adjusted it for my need:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: guestbookapi
spec:
  replicas: 1
  selector:
    matchLabels:
      app: guestbookapi
  template:
    metadata:
      labels:
        app: guestbookapi
        role: backend
    spec:
      containers:
        - name: guestbookapi
          image: guestbookwedding.azurecr.io/guestbookapi:22
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: guestbookapi-service
spec:
  ports:
    - port: 80
  selector:
    app: guestbookapi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: guestbookwebclient
spec:
  replicas: 3
  selector:
    matchLabels:
      app: guestbookwebclient
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  minReadySeconds: 5
  template:
    metadata:
      labels:
        app: guestbookwebclient
        role: frontend
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - guestbookwebclient
                topologyKey: kubernetes.io/hostname
              weight: 100
      containers:
        - name: guestbookwebclient
          image: guestbookwedding.azurecr.io/guestbookwebclient:24
          ports:
            - containerPort: 3000
          resources:
            requests:
              cpu: 250m
            limits:
              cpu: 500m
          env:
            - name: NEXT_PUBLIC_WebApiBaseAddress
              value: guestbookapi-service
---
apiVersion: v1
kind: Service
metadata:
  name: guestbookwebclient-service
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 3000
  selector:
    app: guestbookwebclient

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guestbook-ing
spec:
  ingressClassName: nginx
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: guestbookwebclient-service
                port:
                  number: 80
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-external
spec:
  podSelector:
    matchLabels:
      role: frontend
  ingress:
    - ports:
        - port: 80
      from: []
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: guestbook-policy
spec:
  podSelector:
    matchLabels:
      app: guestbookapi
      role: backend
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: guestbookwebclient

But I didn't specify the route path to the backend (ASP.Core API) and indeed, the path for the endpoints are: "/api/[Endpoint]

When I applied this, the frontend app (NextJS) is resolved by the static ip address and default domain name. But how then how can I access the backed service? Nextjs app is using client side rendering.
It's the first time I'm trying to deploy something like this, so thanks in advance for any kind of help.

Best regards
Piotr

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Answer 3

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

1 deleted comment

Comments have been turned off. Learn more

Share via

Azure Kubernetes with ingress-nginx-controller and external static ip is not accessed from the outside.

2 additional answers

Your answer