Support for both L4 and L7 traffic in AKS cluster

Boopathy, Elango 111 Reputation points
2025-04-24T10:41:56.7433333+00:00

Hi Team,

We have a requirement from client asking to design AKS cluster and some of the workloads get deployed in cluster support L4 (non-http) traffic and others are APIs which are L7 http traffic. Not sure how to design AKS reference architecture with zero trust model supporting both L4 & L7 traffic for K8 cluster. Could you please help us in designing this arch model ?

Moreover, I would like to know, when the traffic originates from the client to Azure, what service(s) in Azure will receive the traffic and process the request. Should it later decide whether it's L4 or L7 traffic and send it to either the Load Balancer or AGIC respectively? Or do we have any better approach altogether to achieve this by having only one Load Balancer handle all of it?

Thanks.


2 answers

  1. Sudheer Reddy 2,055 Reputation points Microsoft External Staff Moderator
    2025-04-24T13:46:41.68+00:00

    Hi Boopathy, Elango, try leveraging the different load balancer options Azure supports based on HTTP(S)/non-HTTP(S) or regional/global level: https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview

    For non-HTTP traffic, try to use Azure Load Balancer via Kubernetes Services of type LoadBalancer, which forward to pods.

    Please follow the workaround below for more information:

    https://learn.microsoft.com/en-us/answers/questions/1121824/app-gateway-load-balancer-when-to-use-them-togethe#

    If the information is helpful, please click on "upvote".

    If you have any queries, please do let us know, we will help you.


  2. Mounika Reddy Anumandla 6,845 Reputation points Microsoft External Staff Moderator
    2025-04-25T02:17:11.47+00:00

    Hi Boopathy, Elango,

    As per my understanding, your network flow makes good architectural sense and is actually quite well thought out for a Zero Trust model supporting both L4 (non-HTTP) and L7 (HTTP/HTTPS) traffic in Azure Kubernetes Service (AKS).

    As per the best practice guidance (https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-network):

    To distribute HTTP or HTTPS traffic to your applications, use ingress resources and controllers. Compared to an Azure load balancer, ingress controllers provide extra features and can be managed as native Kubernetes resources.

    L7 Traffic Path (HTTP/HTTPS APIs):
    Correct use of Azure Front Door for L7 global routing, WAF, and SSL offload.

    Kubernetes Ingress resources and controllers, like Azure Application Gateway Ingress Controller (AGIC), operate at Layer 7. They can evaluate HTTP requests and make routing decisions based on URL paths, hostnames, and more. This provides richer traffic management capabilities.

    DNS directs traffic to the right path depending on origination.
    This is Zero Trust compliant — ingress is controlled at each layer.

    L4 Traffic Path:

    Using a Kubernetes Service with type: LoadBalancer for the ILB is correct.

    DNAT from public IP to ILB private IP (Firewall-controlled) is valid for controlled exposure.

    The ILB can forward L4 traffic to pods without application-layer inspection, which meets the L4 requirements.

    Security & Zero Trust Considerations

    • Firewall before ILB ensures controlled exposure of L4 traffic.
    • WAF (You can use Barracuda WAF for Azure) and App Gateway filter L7 traffic before hitting the cluster.
    • Private endpoints and internal AGIC reduce attack surface.
    • Ingress Controller applies Kubernetes-native RBAC, policies, etc.

    Suggestions:

    L7 Monitoring: Enable diagnostics in AGIC and Front Door for better visibility.

    Cert Rotation: Automate TLS certs in AGIC via Azure Key Vault integration.

    Conduct thorough testing of the entire flow to ensure both L4 and L7 traffic is processed as expected. This includes simulating various traffic patterns and use cases.

    Additional reference: https://learn.microsoft.com/en-us/samples/azure-samples/aks-front-door-end-to-end-tls/aks-front-door-end-to-end-tls/

    Hope this helps!

    Let me know if you have any further queries!

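The two paths described in the answer above, written out as Kubernetes manifests. This is an added, constructed example and not code from the answer or from Microsoft: the namespaces, service names, host, subnet name and CIDR are hypothetical, and the firewall-CIDR allow-list stands in for the "firewall before ILB" control the answer mentions.

```yaml
# Constructed example; names, subnet and CIDRs are hypothetical placeholders.
---
# L4 path: non-HTTP workload exposed only through an internal Azure Load Balancer (ILB).
apiVersion: v1
kind: Service
metadata:
  name: mqtt-broker
  namespace: l4-workloads
  annotations:
    # Give the Azure LB a private frontend IP instead of a public one
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    # Hypothetical VNet subnet that holds the ILB frontend
    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "snet-ilb"
spec:
  type: LoadBalancer
  # Preserve the client source IP so NetworkPolicy and pod logs see the real peer
  externalTrafficPolicy: Local
  # Accept only traffic that has already traversed the firewall (hypothetical firewall subnet)
  loadBalancerSourceRanges:
    - 10.100.0.0/26
  selector:
    app: mqtt-broker
  ports:
    - name: mqtt-tls
      protocol: TCP
      port: 8883
      targetPort: 8883
---
# L7 path: HTTP API published through Application Gateway via AGIC.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orders-api
  namespace: l7-workloads
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    # Redirect plain HTTP to HTTPS at the gateway so no cleartext reaches the cluster
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - api.example.internal
      secretName: orders-api-tls   # hypothetical; kept current via Key Vault integration
  rules:
    - host: api.example.internal
      http:
        paths:
          - path: /orders
            pathType: Prefix
            backend:
              service:
                name: orders-api
                port:
                  number: 8080
```

Non-HTTP clients resolve to the ILB's private IP (reached through the firewall's DNAT), while HTTP clients resolve to Front Door or the Application Gateway frontend, so the routing decision is made by DNS and the firewall rather than by a single shared load balancer.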
