TLS end to end with Azure Kubernetes services and an application gateway

Duane Wolford 26 Reputation points
2020-10-14T19:56:09.423+00:00

We are having some major problems getting TLS end to end with AKS. Here is how things are supposed to go:

Internet --> Application Gateway (WAF enabled) --> AKS load balancer --> pods

The problem is that one of the tools we use in AKS is Istio. When traffic reaches Istio, it is unencrypted. Further, we can't get the traffic to flow through the gateway to AKS; we have to take the App Gateway out of the picture. If we do this, Istio receives encrypted traffic. Now I have a set of ideas which may be correct, but I was hoping the community here could give a hand.


2 answers

  1. Duane Wolford 26 Reputation points
    2020-10-14T19:57:07.98+00:00

    Oh also, the AKS load balancer that shows up has two public IPs on it, so I don't know how to point the gateway to the AKS load balancer at all really.


  2. prmanhas-MSFT 17,901 Reputation points Microsoft Employee
    2020-10-21T07:55:22.34+00:00

    @Duane Wolford Application Gateway Ingress Controller runs in its own pod on the customer’s AKS. Ingress Controller monitors a subset of Kubernetes’ resources for changes. The state of the AKS cluster is translated to Application Gateway specific configuration and applied to the Azure Resource Manager. The continuous re-configuration of Application Gateway ensures uninterrupted flow of traffic to AKS’ services. The diagram below illustrates the flow of state and configuration changes from the Kubernetes API, via Application Gateway Ingress Controller, to Resource Manager and then Application Gateway:
    [Diagram not reproduced: flow of state and configuration changes from the Kubernetes API, via Application Gateway Ingress Controller, to Azure Resource Manager and then Application Gateway]

    Hope it helps!!!

    Do let me know in case of any more queries.

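To make the security-relevant part concrete: by default Application Gateway terminates TLS and forwards plain HTTP to the backend, which is exactly the "Istio receives unencrypted traffic" symptom in the question; with AGIC the gateway-to-pod leg is re-encrypted by annotating the Ingress. The manifest below is an added example, not code from the answer above or from Microsoft's documentation. It assumes AGIC is installed and manages the gateway, that the Istio ingress gateway Service is `istio-ingressgateway` in namespace `istio-system` listening on 443 with a certificate for the placeholder host `app.example.com`, and that the TLS Secret `app-example-com-tls` and the trusted root certificate `istio-backend-root` (uploaded to the gateway beforehand) are placeholders you create yourself.

```yaml
# Added example, not from the original post: AGIC Ingress that keeps TLS on
# both legs (client -> App Gateway, App Gateway -> Istio ingress gateway).
# All host, Secret and certificate names below are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: istio-via-appgw
  namespace: istio-system            # Ingress must live in the backend Service's namespace
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    # Re-encrypt from Application Gateway to the backend; without this the
    # gateway sends plaintext HTTP to the pods
    appgw.ingress.kubernetes.io/backend-protocol: "https"
    # Host name the gateway uses for SNI, health probes and certificate checks
    appgw.ingress.kubernetes.io/backend-hostname: "app.example.com"
    # Only needed when the backend certificate is not issued by a public CA:
    # upload that root CA to the gateway under this name first (placeholder)
    appgw.ingress.kubernetes.io/appgw-trusted-root-certificate: "istio-backend-root"
    # Redirect plain-HTTP clients to the HTTPS listener on the gateway
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - app.example.com
      secretName: app-example-com-tls   # kubernetes.io/tls Secret; AGIC uploads it to the listener
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: istio-ingressgateway   # Istio's Gateway must terminate TLS for this host
                port:
                  number: 443
```

Because AGIC programs the gateway's backend pool from the Ingress itself, you do not point the gateway at the AKS load balancer's public IPs; the pod IPs become the backend targets, which also answers the follow-up about the two public IPs.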