How can I expose the LoadBalancer Service IP instead of the Pod IP in the Azure Application Gateway backend pool target?

Question

How can I expose the LoadBalancer Service IP instead of the Pod IP in the Azure Application Gateway backend pool target?

Venkatesh D 0

AGIC is creating backend pools in the Application Gateway with the Pod IPs as targets. How can we configure it to expose the LoadBalancer service IP instead of the Pod IP?

below is the YML:

apiVersion: networking.k8s.io/v1

kind: Ingress

metadata:

name: dev-ingress

namespace: default

annotations:

appgw.ingress.kubernetes.io/ssl-redirect: "true"

appgw.ingress.kubernetes.io/use-private-ip: "true"

#kubernetes.io/ingress.class: azure/application-gateway

nginx.ingress.kubernetes.io/rewrite-target: "/"

spec:

ingressClassName: azure-application-gateway

tls:

- secretName: agic-tls-secret

rules:

- host: dev.ba.apim.com

  http:

    paths:

      - path: /

        pathType: Prefix

        backend:

          service:

            name: sv-default-service

            port:

              number: 80

Anonymous

2025-03-17T16:45:06.9166667+00:00
Hi Venkatesh D,

To configure Azure Application Gateway Ingress Controller to use the LoadBalancer service IP instead of Pod IPs in the backend pool, follow these steps:

By default, Azure Application Gateway Ingress Controller registers Pod IPs in the backend pool. To use the LoadBalancer service IP, do the following:

Ensure the service type is LoadBalancer Modify your service definition to explicitly set the type as LoadBalancer:

apiVersion: v1 kind: Service metadata: name: sv-default-service annotations: service.beta.kubernetes.io/azure-load-balancer-internal: "true" # Use internal LoadBalancer if needed spec: type: LoadBalancer ports: - port: 80 selector: app: my-app

Update the Ingress to use the service IP

Add the following annotation to instruct AGIC to use the

service IP instead of Pod IPs:

annotations: appgw.ingress.kubernetes.io/use-istio-pool: "true"

Ensure AGIC runs in "unified mode" If AGIC is not running in unified mode, it will default to using Pod IPs. Ensure it is configured properly by adding:

appgw.ingress.kubernetes.io/use-private-ip: "true"

Please reference to below documentation Azure Application Gateway Ingress Controller Overview: https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-overview

Using a LoadBalancer with AGIC: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/aks-agic/aks-agic

If it was helpful, please click "Upvote" on this post to let us know.

Thank You.
Venkatesh D 0 Reputation points

2025-03-18T07:04:32.0866667+00:00

Hi @ Geethasri.V

We have added the annotation appgw.ingress.kubernetes.io/use-istio-pool: "true" to our Ingress and AGIC is running in unified mode. However, the Application Gateway is still using the pod IPs in the backend pool instead of the external service IP.
Anonymous

2025-03-19T09:15:09.9966667+00:00
Hi Venkatesh D,

Thanks for the update! Since AGIC is still using Pod IPs despite enabling appgw.ingress.kubernetes.io/use-istio-pool: "true" and running in unified mode, please check the following:

Confirm Service Type & External IP

Run:

kubectl get svc sv-default-service -n default

Ensure TYPE=LoadBalancer and EXTERNAL-IP is assigned (not <pending>).

Check AGIC Logs

kubectl logs -l app=ingress-azure -n kube-system

Look for backend targets to verify if AGIC detects the LoadBalancer IP.

Explicitly Define Backend Hostname

Add this annotation to your service:

annotations: appgw.ingress.kubernetes.io/backend-hostname: "<EXTERNAL-IP>"

Restart AGIC

kubectl rollout restart deployment ingress-azure -n kube-system

Check AGIC Version

kubectl get pods -n kube-system -l app=ingress-azure -o jsonpath="{.items[0].spec.containers[0].image}"

If it was helpful, please click "Upvote" on this post to let us know.

Thank You.
Anonymous

2025-03-20T08:37:12.9+00:00

Hi Venkatesh D ,

Just checking in to see if you have got a chance to see my response to your question in resolving the issue.

If it was helpful, please click "Upvote" on this post to let us know.

Thank You.

Venkatesh D 0

HI @ Geethasri.V

Thank you. We are using a service with the LoadBalancer service type, and an external IP has been assigned. We also added the annotation with the external IP of the service as suggested. The AGIC version in use is mcr.microsoft.com/azure-application-gateway/kubernetes-ingress:1.7.6. Upon checking the AGIC pod logs, I noticed that the backend is targeting the POD IP.

Below is the ingress resource yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dev-ingress
  namespace: default
  annotations:
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    appgw.ingress.kubernetes.io/use-private-ip: "true"
    #appgw.ingress.kubernetes.io/backend-protocol: "http"
    #appgw.ingress.kubernetes.io/use-istio-mtls: "false"
    appgw.ingress.kubernetes.io/use-istio-pool: "true"
    #appgw.ingress.kubernetes.io/use-service-principal: "false"
    #appgw.ingress.kubernetes.io/use-external-service: "true"
    #appgw.ingress.k8s.io/backend-address-type: "External"
    appgw.ingress.kubernetes.io/backend-hostname: "10.**.**.**"
    appgw.ingress.kubernetes.io/health-probe-status-codes: "200-599"
spec:
  ingressClassName: azure-application-gateway
  tls:
    - secretName: agic-tls-secret
  rules:
    - host: 
      http:
        paths:
          - path: /v1/user-service/*
            pathType: Prefix
            backend:
              service:
                name: sv-default-service
                port:
                  number: 80

Anonymous

2025-03-24T04:31:20.49+00:00

Hi Venkatesh D,

Just checking in to see if you have got a chance to see my response to your question in resolving the issue.

If it was helpful, please click "Upvote" on this post to let us know.

Thank You.
Anonymous

2025-03-25T05:39:01.5333333+00:00

Hi Venkatesh D,

I wanted to check if you had the opportunity to review the information which was provided in my previous posted comment.

If it was helpful, please click "Upvote" on this post to let us know.

Thank You.

1 answer

Your answer

Anonymous

2025-03-17T16:45:06.9166667+00:00

Hi Venkatesh D,

To configure Azure Application Gateway Ingress Controller to use the LoadBalancer service IP instead of Pod IPs in the backend pool, follow these steps:

By default, Azure Application Gateway Ingress Controller registers Pod IPs in the backend pool. To use the LoadBalancer service IP, do the following:

Ensure the service type is LoadBalancer Modify your service definition to explicitly set the type as LoadBalancer:

apiVersion: v1 kind: Service metadata: name: sv-default-service annotations: service.beta.kubernetes.io/azure-load-balancer-internal: "true" # Use internal LoadBalancer if needed spec: type: LoadBalancer ports: - port: 80 selector: app: my-app

Update the Ingress to use the service IP

Add the following annotation to instruct AGIC to use the

service IP instead of Pod IPs:

annotations: appgw.ingress.kubernetes.io/use-istio-pool: "true"

Ensure AGIC runs in "unified mode" If AGIC is not running in unified mode, it will default to using Pod IPs. Ensure it is configured properly by adding:

appgw.ingress.kubernetes.io/use-private-ip: "true"

Please reference to below documentation Azure Application Gateway Ingress Controller Overview: https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-overview

Using a LoadBalancer with AGIC: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/aks-agic/aks-agic

If it was helpful, please click "Upvote" on this post to let us know.

Thank You.
Venkatesh D 0 Reputation points

2025-03-18T07:04:32.0866667+00:00

Hi @ Geethasri.V

We have added the annotation appgw.ingress.kubernetes.io/use-istio-pool: "true" to our Ingress and AGIC is running in unified mode. However, the Application Gateway is still using the pod IPs in the backend pool instead of the external service IP.
Anonymous

2025-03-19T09:15:09.9966667+00:00

Hi Venkatesh D,

Thanks for the update! Since AGIC is still using Pod IPs despite enabling appgw.ingress.kubernetes.io/use-istio-pool: "true" and running in unified mode, please check the following:

Confirm Service Type & External IP

Run:

kubectl get svc sv-default-service -n default

Ensure TYPE=LoadBalancer and EXTERNAL-IP is assigned (not <pending>).

Check AGIC Logs

kubectl logs -l app=ingress-azure -n kube-system

Look for backend targets to verify if AGIC detects the LoadBalancer IP.

Explicitly Define Backend Hostname

Add this annotation to your service:

annotations: appgw.ingress.kubernetes.io/backend-hostname: "<EXTERNAL-IP>"

Restart AGIC

kubectl rollout restart deployment ingress-azure -n kube-system

Check AGIC Version

kubectl get pods -n kube-system -l app=ingress-azure -o jsonpath="{.items[0].spec.containers[0].image}"

If it was helpful, please click "Upvote" on this post to let us know.

Thank You.
Anonymous

2025-03-20T08:37:12.9+00:00

Hi Venkatesh D ,

Just checking in to see if you have got a chance to see my response to your question in resolving the issue.

If it was helpful, please click "Upvote" on this post to let us know.

Thank You.
Venkatesh D 0 Reputation points

2025-03-20T10:41:30.24+00:00

HI @ Geethasri.V

Thank you. We are using a service with the LoadBalancer service type, and an external IP has been assigned. We also added the annotation with the external IP of the service as suggested. The AGIC version in use is mcr.microsoft.com/azure-application-gateway/kubernetes-ingress:1.7.6. Upon checking the AGIC pod logs, I noticed that the backend is targeting the POD IP.

Below is the ingress resource yml

apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: dev-ingress namespace: default annotations: appgw.ingress.kubernetes.io/ssl-redirect: "true" appgw.ingress.kubernetes.io/use-private-ip: "true" #appgw.ingress.kubernetes.io/backend-protocol: "http" #appgw.ingress.kubernetes.io/use-istio-mtls: "false" appgw.ingress.kubernetes.io/use-istio-pool: "true" #appgw.ingress.kubernetes.io/use-service-principal: "false" #appgw.ingress.kubernetes.io/use-external-service: "true" #appgw.ingress.k8s.io/backend-address-type: "External" appgw.ingress.kubernetes.io/backend-hostname: "10.**.**.**" appgw.ingress.kubernetes.io/health-probe-status-codes: "200-599" spec: ingressClassName: azure-application-gateway tls: - secretName: agic-tls-secret rules: - host: http: paths: - path: /v1/user-service/* pathType: Prefix backend: service: name: sv-default-service port: number: 80
Anonymous

2025-03-24T04:31:20.49+00:00

Hi Venkatesh D,

Just checking in to see if you have got a chance to see my response to your question in resolving the issue.

If it was helpful, please click "Upvote" on this post to let us know.

Thank You.
Anonymous

2025-03-25T05:39:01.5333333+00:00

Hi Venkatesh D,

I wanted to check if you had the opportunity to review the information which was provided in my previous posted comment.

If it was helpful, please click "Upvote" on this post to let us know.

Thank You.

Answer 1

Hi Venkatesh D,

Thanks for the update! Since your service is of type LoadBalancer with an assigned external IP and AGIC is still targeting Pod IPs, please check the following:

Confirm use-external-service Annotation Uncomment and apply the following annotation in your Ingress resource to explicitly instruct AGIC to use the external service IP:

 appgw.ingress.kubernetes.io/use-external-service: "true"

Verify AGIC’s Backend Address Type Uncomment and set:

yaml

appgw.ingress.kubernetes.io/backend-address-type:"External"

This ensures AGIC targets the LoadBalancer service IP instead of Pod IPs.

Restart AGIC to Apply Changes

kubectl rollout restart deployment ingress-azure -n kube-system

After applying these changes, check the AGIC logs again to verify if the LoadBalancer IP is being used.

If it was helpful, please click "Upvote" on this post to let us know.

Thank You.

Share via

How can I expose the LoadBalancer Service IP instead of the Pod IP in the Azure Application Gateway backend pool target?

1 answer

Your answer