This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 36%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDW%3C/text%3E%3C/svg%3E)
We are having some major problems getting TLS end to end with AKS. Here is how things are supposed to go:
Internet --> Application Gateway (WAF enabled) --> AKS load balancer --> pods
The problem is that one of the tools we use in AKS is istio. When traffic reaches istio, it is unencrypted. Further, we can't get the traffic to flow through the gateway to AKS, we have to take the App Gateway out of the picture. If we do this, istio receives encrypted traffic. Now I have a set of ideas which may be correct, but I was hoping the community here could give a hand.
@Duane Wolford Apologies for the delay in response and all the inconvenience caused because of the issue.
I have reached out to our internal team on the issue and once I have an update will keep you posted on same.
Thank you for your patience over the matter.
Thanks.
Thank you. I followed the instructions here: https://learn.microsoft.com/en-us/azure/application-gateway/tutorial-ingress-controller-add-on-new. This is supposed to do a greenfield deployment, but what happens is that the application gateway has no backend pools and issuing "kubectl get ingress" from an administrative command line returns:
NAME HOSTS ADDRESS PORTS AGE
aspnetapp * 80 2m12s
I don't even know where "aspnetapp" name came from. The subscription I'm using is completely empty, no resources in it, so no conflicts anywhere. I hope that helps.
And just to reiterate, the first step is getting from the application gateway from the internet to the AKS cluster. Once we can expose the apps within AKS (which I'll probably need help with as well, I suck at this), we'll need to get the TLS end to end working.
Thanks again,
Duane
Update, I was able to get the aspnetapp up and running over port 80 by way of the AGIC, so that's awesome. We do still desperately need help with end to end TLS.
@Duane Wolford Glad to hear that you were able to et app running.
Since the above will need a proper investigation of your environment and requirements I will suggest you to open a Support Ticket with our Microsoft Technical Support since they are the right resource to help you out on tis one.
If you have a support plan, requesting you to file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.
In this case, could you send an email to AzCommunity[at]Microsoft[dot]com referencing this thread as well as your subscription ID. Please mention "ATTN: Preeti" in the subject line. Thank you for your cooperation on this matter and look forward to your reply.
If the suggested response helped do click on "Up-Vote" for the answer that helped you for benefit of the community.
Hello, I actually opened a case with Microsoft, number 120101522000045, if you'd like to look into this I'd greatly appreciate it. I was able to get the AGIC to work on one project, but on another the backend servers for the app gateway are blank, and I'm assuming the backend servers for the app gateway should be the master nodes?
Hi, were you able to examine this ticket by chance?
Oh also, the AKS load balancer that shows up has two public IPs on it, so I don't know how to point the gateway to the AKS load balancer at all really.
@Duane Wolford Application Gateway Ingress Controller runs in its own pod on the customer’s AKS. Ingress Controller monitors a subset of Kubernetes’ resources for changes. The state of the AKS cluster is translated to Application Gateway specific configuration and applied to the Azure Resource Manager. The continuous re-configuration of Application Gateway ensures uninterrupted flow of traffic to AKS’ services. The diagram below illustrates the flow of state and configuration changes from the Kubernetes API, via Application Gateway Ingress Controller, to Resource Manager and then Application Gateway:
Hope it helps!!!
Do let me know in case of any more queries.
If the suggested response helped you resolve your issue, do click on "Mark as Answer" and "Up-Vote" for the answer that helped you for benefit of the community.
@Duane Wolford Any update on the issue?
If the suggested response helped you resolve your issue, do click on "Mark as Answer" and "Up-Vote" for the answer that helped you for benefit of the community.
Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 12%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERD%3C/text%3E%3C/svg%3E)
Hi, I didn't understand your answer. We've been able to create an istio ingress gateway with an internal load balancer. I've pointed the application gateway to the istio ingress controller and it works perfectly, so AGIC isn't used.
So we're not sure how to get up the end to end TLS.