This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 73%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hello - I followed the steps below to enable AGIC add on my AKS cluster (CNI network plugin).. -- Application Gateway is created -- add on is enabled on AKS cluster Deployed the sample apps given below Now the Ingress Controller not updated with external IP of AGI and AGI backend pool settings are not updated.... How to find the root cause of the issue...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 30%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAB%3C/text%3E%3C/svg%3E)
Hello Sridhar To identify the issue, please check the pod created by enabling AGIC addon. You can use the following command to get the logs (add "-f" if you want to follow the logs):
kubectl logs -l app=ingress-appgw -n kube-system
The most common scenarios are:
Network connectivity to Azure Resource Manager
In order to be able to fetch and apply updates to the Application Gateway configuration, the AGIC pod requires TCP/IP connectivity to the Azure Resource Manager REST API endpoint (management.azure.com) over port 443. This outbound connectivity requirement is clearly stated in AKS Egress Traffic Requirements public documentation.
If for some reason this connection cannot be established, the AGIC pod logs will display the error "ErrorGetApplicationGatewayError" with message "Failed fetching configuration for Application Gateway", followed by the lower level TCP error message "dial timeout" and "Retrying in 10s", which indicates AGIC will keep retrying to connect to this endpoint.
If for some reason this connection cannot be established, the AGIC pod logs will display the error "ErrorGetApplicationGatewayError" with message "Failed fetching configuration for Application Gateway", followed by the lower level TCP error message "dial timeout" and "Retrying in 10s", which indicates AGIC will keep retrying to connect to this endpoint.
AGIC Identity authorization failure In order to be able to fetch and apply updates to the Application Gateway configuration, the following role assignments are required:
Assignee Role Scope
AGIC identity Contributor Application Gateway
AGIC identity Reader Application Gateway Resource Group
In AGIC addon enabled clusters, AKS will handle the configuration of any necessary role assignments. If for some reason the required role assignments are not configured, the AGIC pod logs will display the error "AuthorizationFailed" and the details of the missing role assignment. This output should look similar to:
I hope this is helpful. If any clarification needed, let me know and I will do my best to answer. Please "Accept as Answer" and Upvote if it helped, so that it can help others in the community looking for help on similar topics. Thank you!