configuring a backend pool with internal FQDN of clusterIP service

Priyam 0 Reputation points
2023-03-07T07:24:18.64+00:00

Here my manifest of clusterIP Service

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  name: myapp
  labels:
    app: myapp
spec:
  selector:
    app: myapp
  ports:
    - name: http
      port: 80
      targetPort: 6420
  type: ClusterIP

And the Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/backend-path-prefix: "/myapp"
spec:
  rules:
    - http:
        paths:
          - path: /myapp
            backend:
              service:
                name: myapp
                port:
                   name: http
            pathType: Prefix

It creates backend pool with IP address of pods/http settings/health probe etc automatically in azure application gateway. And backend pool status is healthy without issues and am able to access the service using public ip.
However, when i add the annotation appgw.ingress.kubernetes.io/ssl-redirect: "true", since I need to access service on https, It doesn't configure the application gateway automatically while configuring the Ingress.
Also if I change the IP address to ClusterIP of service in backend pool and change the http setting to port of service even without setting up ssl-redirect=true, backend pool status changes to unhealthy.

Is it not possible to use clusterIP of service in backend pool? What is the best approach to enable https for clusterIP service without using any IP address in configurations.

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
972 questions
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,892 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Ammar-Abdelqader01 926 Reputation points Microsoft Employee
    2023-03-07T08:00:53.6866667+00:00

    Hello Priyam,

    Thank you for your question, actually you can't change the IP of the Pod to the clusterIP because by design AGIC will call the IP of the pod not the clusterIP check this document from this link :

    User's image

    Regarding your issue, it seems that you are trying to use the ClusterIP of the service in the backend pool, but it is not possible to use the ClusterIP of the service in the backend pool. The backend pool must use the IP addresses of the pods, not the ClusterIP of the service

    Regarding the annotation appgw.ingress.kubernetes.io/ssl-redirect: "true", it is used to redirect all HTTP traffic to HTTPS. If you want to access the service on HTTPS, you need to configure the SSL certificate for the Application Gateway

    You can find more information about the Application Gateway Ingress Controller annotations in the following link: here

    If this answers your query, do click “Accept the answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread.
    And, if you have any further query, do let us know in the comments and I would be happy to investigate further.

    0 comments No comments

  2. Priyam 0 Reputation points
    2023-03-07T09:14:22.6366667+00:00

    With the configuration in my original question, my service is accessible on app gw ip over http.

    I have created certificate and uploaded it and created a listener in app-gw. What other changes in both app-gw or manifest yaml, should I make to make it accessible on https where SSL is terminated application gateway.