How to connect Azure Application Gateway with an AKS service of type LoadBalancer without ingress on AKS, where AKS and AG are in the same VNet but different subnets.

Nayangiri Goswami 0 Reputation points
2024-07-25T12:09:34.5466667+00:00

I want to host a three-tier application on Azure with fine-grained security. What I'm trying is:
To deploy the frontend on AKS (private), accessible publicly via Application Gateway (WAF-2).
To deploy the APIs on the same AKS (private), protected by a private APIM, in the same VNet but a different subnet.

I want my frontend to access the APIM APIs.

The DB can be in the same subnet as the APIs and accessed using managed identities.


  1. Sina Salam 7,441 Reputation points
    2024-07-25T14:58:49.16+00:00

    Hello Nayangiri Goswami,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Problem

    I understand that you would like to deploy the frontend on a private AKS cluster, making it publicly accessible through an Application Gateway (WAF-2). The APIs will also be deployed on the same private AKS cluster but will be protected by a private API Management service, all within the same virtual network but in a different subnet.

    Solution

    Quite a well-thought-out design for a secure, three-tier application architecture. As a solution architect, I put together the breakdown of how you can configure each component:

    Frontend on AKS (Private) with Application Gateway (WAF-2).

    • Deploy your frontend application in a private AKS cluster, ensuring that the nodes and the application are not directly exposed to the internet.
    • Set up an Azure Application Gateway with Web Application Firewall (WAF) in front of your AKS cluster. The Application Gateway will act as a reverse proxy, routing traffic to your frontend application. This also provides security features such as SSL termination, DDoS protection, and web application firewall capabilities.
    • The frontend will be publicly accessible through the Application Gateway's public IP address. Ensure that the necessary routing and security configurations are in place to allow public access only through the Application Gateway.

    APIs on the Same AKS (Private) with Private APIM.

    • Deploy your API services in the same private AKS cluster, but ensure they are on separate namespaces or with proper network policies to isolate them from the frontend.
    • Set up a Private API Management instance in a different subnet within the same VNet. Private APIM allows you to secure your APIs and ensure they are only accessible within your VNet. You can configure APIM to expose APIs securely and apply additional policies like rate limiting, IP filtering, etc.
    • Both the AKS cluster and the Private APIM should be integrated into the same VNet. Use different subnets for the AKS and APIM to maintain clear boundaries and apply network security rules accordingly.
    • Use internal load balancers or private endpoints for communication between your frontend and API services within the VNet. This ensures that the traffic never leaves the Azure network, providing an additional layer of security.

    Special Security Considerations

    • Implement NSGs to control inbound and outbound traffic to the subnets where your AKS and APIM are deployed.
    • Consider adding an Azure Firewall or a third-party network virtual appliance for additional network-level security and threat detection.
    • Use Azure Active Directory (AAD) for authentication and authorization. Implement managed identities for your services to access Azure resources securely.

    I am sure this setup will provide a robust and secure architecture, and make sure that only the frontend is exposed publicly while keeping the APIs and other backend components private and protected.


    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam

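As an added example (not from the question or the answer above), the two manifests below show the pattern the answer recommends: the frontend is exposed through an internal LoadBalancer Service in its own subnet so the Application Gateway can reach it over the VNet without an ingress controller, and a NetworkPolicy isolates the API namespace so only the frontend namespace and the APIM subnet can reach the API pods. The namespace names, labels, subnet name `aks-ilb-subnet`, the pinned IP `10.1.2.10` and the APIM CIDR `10.1.3.0/24` are assumptions.

```yaml
# Added example (not from the original thread). Internal LoadBalancer Service
# for the frontend; the Application Gateway's backend pool targets its private IP.
# Assumed: namespace "frontend", pods labelled app=frontend, subnet "aks-ilb-subnet".
apiVersion: v1
kind: Service
metadata:
  name: frontend-ilb
  namespace: frontend
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "aks-ilb-subnet"
spec:
  type: LoadBalancer
  loadBalancerIP: 10.1.2.10   # pinned (assumed address in aks-ilb-subnet) so the
                              # Application Gateway backend pool stays valid
  selector:
    app: frontend
  ports:
  - name: http
    port: 80
    targetPort: 8080
---
# Default-deny ingress for the API namespace: only the frontend namespace and the
# (assumed) APIM subnet may reach API pods, as the answer's isolation advice asks.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-frontend-and-apim
  namespace: api
spec:
  podSelector: {}            # applies to every pod in the "api" namespace
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: frontend
    - ipBlock:
        cidr: 10.1.3.0/24    # assumed APIM subnet
    ports:
    - protocol: TCP
      port: 8080
```

After the Service is created, add its private IP as a backend target on the Application Gateway (for example `az network application-gateway address-pool create ... --servers 10.1.2.10`) and allow the gateway subnet inbound on the ILB subnet's NSG. NetworkPolicy enforcement requires the AKS cluster to have been created with a network policy engine (Azure or Calico) enabled.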