Application Gateway Ingress Controller does not show external IP

Sridhar 5 Reputation points
2023-04-06T16:08:23.8866667+00:00

Hello - I followed the steps below to enable the AGIC add-on on my AKS cluster (CNI network plugin): the Application Gateway is created, the add-on is enabled on the AKS cluster, and I deployed the sample apps given below. Now the Ingress Controller is not updated with the external IP of the AGI, and the AGI backend pool settings are not updated. How do I find the root cause of the issue?

Azure Kubernetes Service (AKS)

1 answer

    Andrei Barbu 2,576 Reputation points Microsoft Employee
    2023-04-06T19:32:41.68+00:00

    Hello Sridhar, to identify the issue, please check the pod created by enabling the AGIC addon. You can use the following command to get the logs (add "-f" if you want to follow the logs):

    kubectl logs -l app=ingress-appgw -n kube-system
    

    The most common scenarios are:

    Network connectivity to Azure Resource Manager

    In order to be able to fetch and apply updates to the Application Gateway configuration, the AGIC pod requires TCP/IP connectivity to the Azure Resource Manager REST API endpoint (management.azure.com) over port 443. This outbound connectivity requirement is clearly stated in the AKS Egress Traffic Requirements public documentation. If for some reason this connection cannot be established, the AGIC pod logs will display the error "ErrorGetApplicationGatewayError" with the message "Failed fetching configuration for Application Gateway", followed by the lower-level TCP error message "dial timeout" and "Retrying in 10s", which indicates AGIC will keep retrying to connect to this endpoint.

    If that is the case, please make sure you allow the traffic with management.azure.com over port 443.

    AGIC Identity authorization failure

    In order to be able to fetch and apply updates to the Application Gateway configuration, the following role assignments are required:

    Assignee	Role	Scope
    AGIC identity	Contributor	Application Gateway
    AGIC identity	Reader	Application Gateway Resource Group
    

    In AGIC addon enabled clusters, AKS will handle the configuration of any necessary role assignments. If for some reason the required role assignments are not configured, the AGIC pod logs will display the error "AuthorizationFailed" and the details of the missing role assignment. This output should look similar to:


    I hope this is helpful. If any clarification is needed, let me know and I will do my best to answer. Please "Accept as Answer" and Upvote if it helped, so that it can help others in the community looking for help on similar topics. Thank you!

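To put the answer above into practice, here is an added example that is not part of the original answer: a POSIX shell triage that takes the output of the `kubectl logs` command from the answer and matches the two log signatures it describes (ARM connectivity and AuthorizationFailed), then prints the follow-up check. The `az role assignment list` command is a standard Azure CLI command; the `<AGIC_IDENTITY>` and `<APPGW_RESOURCE_ID>` names are placeholders, and the sample log lines are constructed, not real AGIC output.

```shell
#!/bin/sh
# Added example, not from the original answer: triage AGIC pod logs for the two
# failure signatures described above and print the matching follow-up check.
# Live use on a cluster:  kubectl logs -l app=ingress-appgw -n kube-system | agic_triage
# Below it is driven by constructed sample log lines so it runs offline.

# agic_triage: reads log text on stdin, prints one diagnosis keyword.
agic_triage() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'ErrorGetApplicationGatewayError' &&
       printf '%s\n' "$log" | grep -q 'dial timeout'; then
        # AGIC cannot reach the ARM REST endpoint (management.azure.com:443).
        echo "arm-connectivity"
    elif printf '%s\n' "$log" | grep -q 'AuthorizationFailed'; then
        # AGIC identity lacks Contributor on the gateway or Reader on its resource group.
        echo "authorization"
    else
        echo "none"
    fi
}

# agic_next_step: prints the check to run for a diagnosis keyword.
# <AGIC_IDENTITY> and <APPGW_RESOURCE_ID> are placeholders for your own values.
agic_next_step() {
    case "$1" in
        arm-connectivity)
            echo "Allow egress to management.azure.com:443 from the AKS nodes (NSG, firewall, UDR)," \
                 "then confirm the 'Retrying in 10s' messages stop." ;;
        authorization)
            echo "Check roles: az role assignment list --assignee <AGIC_IDENTITY> --scope <APPGW_RESOURCE_ID>" \
                 "(expect Contributor on the gateway and Reader on its resource group)." ;;
        *)
            echo "No known signature; read the full log: kubectl logs -l app=ingress-appgw -n kube-system -f" ;;
    esac
}

# Constructed sample log lines mirroring the messages quoted in the answer (not real output).
SAMPLE_ARM='E0406 ErrorGetApplicationGatewayError: Failed fetching configuration for Application Gateway
E0406 dial tcp: i/o timeout (dial timeout)
I0406 Retrying in 10s'
SAMPLE_AUTH='E0406 AuthorizationFailed: client lacks authorization to perform action Microsoft.Network/applicationGateways/read'

for sample in "$SAMPLE_ARM" "$SAMPLE_AUTH"; do
    diag=$(printf '%s\n' "$sample" | agic_triage)
    echo "diagnosis: $diag"
    agic_next_step "$diag"
done
```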