Azure Frontdoor using wrong port to forward traffic to AKS

Question

Azure Frontdoor using wrong port to forward traffic to AKS

Redel, Renan Augusto 20

Hello all,

I'm using Azure Front Door (AFD) with Azure Kubernetes Service (AKS), employing a Private Link Service (PLS) to provide internal access (AFD > PLS > Private Link > Internal Load Balancer > Pod).

I've configured one endpoint in AFD with two routes:

Route A: domain.com/*

Origin: pls-alias:8443

Route B: domain.com/api/*

Origin: pls-alias:8444

However, when I access the URL of Route A, I'm being redirected to the port of Route B.

I've checked the logs (FrontDoorAccessLog), and I can confirm that the rule mappings are correct (the traffic is mapped to Route A but redirects to the port of Route B). The Origin URL in the logs is domain.com:8444/.

When accessing the internal IP from the Internal Load Balancer, I can access the backend correctly on ports 8444 and 8443 (as expected).

Can someone help me?

Thanks.

KapilAnanth 49,876 Reputation points Moderator

2024-05-13T13:07:13.2+00:00
@Redel, Renan Augusto ,

Thanks for sharing the info. This is strange.

A mismatch between RoutingRule and the Origin of the RoutingRule (port) should not be happening.

I believe this is an isolated issue, specific to your environment.

As next steps, I'd suggest you file a support ticket, where a support engineer can have a screen share session and check the backend logs to pinpoint the issue.

In case you need a one-time free technical support, please do let us know

NOTE:

Not sure if this has been tried, you can always delete the routes and origin groups and reconfigure them (if that is something you are comfortable with)

However, doing so will not help you identify the root cause in the pre-deleted configuration.

Cheers,

Kapil.
Redel, Renan Augusto 20 Reputation points

2024-05-14T13:16:57.7366667+00:00

Hi @KapilAnanth ,

Thank you for your reply.

I tried what do you suggest, but didn't work.

I also tried to delete the whole AFD and recreate it after some time, still nothing.

I will open a ticket with MS.
KapilAnanth 49,876 Reputation points Moderator

2024-05-14T13:59:15.9766667+00:00

@Redel, Renan Augusto ,

You are welcome.

Sure.

Please keep us updated on how the case goes.

Cheers,

Kapil

Answer accepted by question author

0 additional answers

Your answer

KapilAnanth 49,876 Reputation points Moderator

2024-05-13T13:07:13.2+00:00

@Redel, Renan Augusto ,

Thanks for sharing the info. This is strange.

A mismatch between RoutingRule and the Origin of the RoutingRule (port) should not be happening.

I believe this is an isolated issue, specific to your environment.

As next steps, I'd suggest you file a support ticket, where a support engineer can have a screen share session and check the backend logs to pinpoint the issue.

In case you need a one-time free technical support, please do let us know

NOTE:

Not sure if this has been tried, you can always delete the routes and origin groups and reconfigure them (if that is something you are comfortable with)

However, doing so will not help you identify the root cause in the pre-deleted configuration.

Cheers,

Kapil.
Redel, Renan Augusto 20 Reputation points

2024-05-14T13:16:57.7366667+00:00

Hi @KapilAnanth ,

Thank you for your reply.

I tried what do you suggest, but didn't work.

I also tried to delete the whole AFD and recreate it after some time, still nothing.

I will open a ticket with MS.
KapilAnanth 49,876 Reputation points Moderator

2024-05-14T13:59:15.9766667+00:00

@Redel, Renan Augusto ,

You are welcome.

Sure.

Please keep us updated on how the case goes.

Cheers,

Kapil

Answer 1

KapilAnanth 49,876 Moderator

@Redel, Renan Augusto ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I tried to repo your set up and I was not able to.

I had an IIS Service with 2 Ports - 80 and 81.

A single end point
Route1
- Patterns to match - /*
- OriginGroup - origingroup1 has one origin with a PublicIP
- origingroup1's origin has HTTP port as 80
Route2
- Patterns to match - /api/*
- OriginGroup - origingroup2 with a PublicIP (I am using a second origin group with same IP as origingroup1)
- origingroup2's origin has HTTP port as 81

Please see the logs :

P.S : You have to make sure there exists a folder called "api" in your origin.

I'd suggest you check the configuration once again.

Should the issue persist, can you please share the results of this Kusto query so I can verify it.

AzureDiagnostics
| where Category == "FrontDoorAccessLog"
|where routingRuleName_s == "
| project TimeGenerated, requestUri_s, httpStatusCode_s, httpStatusDetails_s, routingRuleName_s, originUrl_s , domain_s

i.e. write an AND condition to Match RouteA in "routingRuleName_s" and the Port of RouteB in "originUrl_s"

If the result is empty set, this means Route A never redirected traffic to the Port of RouteB.

Cheers,

Kapil

Redel, Renan Augusto 20 Reputation points

2024-05-13T11:41:41.7833333+00:00

Hi @KapilAnanth ,

Follow below some screenshots:

Origin group A, Route A (pattern /*):

Origin Group B, Route B (pattern /api/*)

Routers:

Both use the same host name alias (the PLS):

Logs:

As you can see, the AFD maps the traffic to the correct route, but the OriginURL sends to the PLS, using the port 8444 instead (from Route B).

Print detailed:
KapilAnanth 49,876 Reputation points Moderator

2024-05-13T13:07:39.4766667+00:00
@Redel, Renan Augusto ,

Thanks for sharing the info. This is strange.

A mismatch between RoutingRule and the Origin of the RoutingRule (port) should not be happening.

I believe this is an isolated issue, specific to your environment.

As next steps, I'd suggest you file a support ticket, where a support engineer can have a screen share session and check the backend logs to pinpoint the issue.

In case you need a one-time free technical support, please do let us know

NOTE:

Not sure if this has been tried, you can always delete the routes and origin groups and reconfigure them (if that is something you are comfortable with)

However, doing so will not help you identify the root cause in the pre-deleted configuration.

Cheers,

Kapil.
Redel, Renan Augusto 20 Reputation points

2024-05-15T12:21:42.8666667+00:00

I just got the reply from the MS Support.

There's a limitation/issue on the PLS. If there two or more routes to the same PLS and both (or more) routes using in the same region, the AFD use the latest PLS configuration added to every connection. This behavior are under invetigation by MS.

To workaround this, is possible to adjust the PLS connect (in the AFD), to another region. This will create another Private Endpoint (to be approved), and increase the latency between the User, AFD and Origin resource.

Share via

Azure Frontdoor using wrong port to forward traffic to AKS

0 additional answers

Your answer