Azure Kubernetes Service
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
2,456 questions
AGC Gateway fails when one of multiple Listeners has problems - Seeking multi-app configuration
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 9%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBK%3C/text%3E%3C/svg%3E)
Bastian Kluge
5
Reputation points
Hi there,
I'm trying some first tenous steps in using Application Gateway for Container (AGC) in order to make multiple different applications running in my AKS accessible from the internet.
I use the ALB Controller which manages the Application Gateway Resources. I've defined a Gateway using multiple Listeners using individual certificates (supplied by a cert-manager)
Spec:
Addresses:
Type: Hostname
Value: bga9d2fqf6a6bqef.fz52.alb.azure.com
Gateway Class Name: azure-alb-external
Listeners:
Allowed Routes:
Namespaces:
From: All
Name: http-listener
Port: 80
Protocol: HTTP
Allowed Routes:
Namespaces:
From: All
Hostname: host1.whatever.com
Name: my-listener1
Port: 443
Protocol: HTTPS
Tls:
Certificate Refs:
Group:
Kind: Secret
Name: cert-a
Mode: Terminate
Allowed Routes:
Namespaces:
From: All
Hostname: host2.whatever.com
Name: my-listener2
Port: 443
Protocol: HTTPS
Tls:
Certificate Refs:
Group:
Kind: Secret
Name: cert-b
Mode: Terminate
Then I can deploy some HttpRoutes in order to route the traffic to my deployed pods.
Now I've stumbled about a behaviour which irritates me massively. Whenever there is something wrong with one listener the whole gateway fails.
If I (for the sake of demonstration) delete the secret/cert-b, I'd expect the domain host2.whatever.com to be unreachable while the othe domain/listener for host1.whatever.com continues to work. But what reallyhappens is that the Gateway stops working completely, when it has issues with one listener.
From my point of view this is a strange behaviour and unless solved prevents me from using AGC as described in this scenario.
Is there another way to configure one gateway to connect multiple apps / pods to the outside without having this kind of single point of failure?
Any thoughts / ideas are appreciated!!!
Regards,
Bastian
Azure Kubernetes Service
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 9%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVR%3C/text%3E%3C/svg%3E)
Vamsi Ram Annepu 915 Reputation points Microsoft External Staff Moderator2025-04-07T18:49:22.2133333+00:00 Hi Bastian Kluge,
Could you please give us more information to help you.Are you using Application gateway type load balancer and facing issue at the listener or are you facing issue with AGIC (Application Gateway Ingress Controller), and how did you integrate at the application gateway.
-
Bastian Kluge 5 Reputation points
2025-04-08T06:52:11.69+00:00 Hey Vamsi Ram Annepu,
im not using AGIC but the new Application Gateway for Container.
I deployed the Gateway as described here https://learn.microsoft.com/en-us/azure/application-gateway/for-containers/quickstart-deploy-application-gateway-for-containers-alb-controller?tabs=install-helm-windows and I've chosen to use the "managed by ALB Controller" version.For clarification I added the complete Kubernetes manifest of the Gateway
resource "kubernetes_manifest" "gateway" { manifest = { apiVersion = "gateway.networking.k8s.io/v1beta1" kind = "Gateway" metadata = { name = "gateway-01" namespace = var.kubernetes_namespace_alb annotations = { "alb.networking.azure.io/alb-namespace" = var.kubernetes_namespace_alb "alb.networking.azure.io/alb-name" = "application-load-balancer" } } spec = { gatewayClassName = "azure-alb-external" # see https://learn.microsoft.com/en-us/azure/application-gateway/configuration-listeners listeners = [ # see my initial question ] } } } -
Arko 4,150 Reputation points Microsoft External Staff Moderator2025-04-08T15:21:57.18+00:00 Hello Bastian Kluge,
In its current preview state, Application Gateway for Containers (AGC), managed by the Azure ALB Controller, uses an “all-or-nothing” reconciliation strategy when evaluating theGatewayresource. That means:If any listener is misconfigured (e.g., references a missing TLS secret or has invalid properties), the entire Gateway fails to reconcile. As a result, none of the configured listeners — even those that are valid — will function.
This behavior is not explicitly documented yet, but it can be inferred from patterns in AGC’s error handling.
While the current documentation doesn’t directly call out the listener-failure behavior, the official AGC Troubleshooting Guide includes this note:
“If an HTTPRoute has two backends specified with equal weights, and one is invalid, 50 percent of the traffic must receive a 500.”
This illustrates that AGC does not support graceful degradation in cases of partial misconfiguration which aligns with the “fail closed” behavior you observed with the Gateway listeners.
-
Arko 4,150 Reputation points Microsoft External Staff Moderator
2025-04-08T15:28:19.7433333+00:00 If any one listener fails validation for example, due to a missing or misconfigured TLS certificate (certificateRefs) then the entire Gateway fails to reconcile, and no listeners are brought online, even if the others are valid. In your case, when cert-b is missing, the controller rejects the entire Gateway, and even host1.whatever.com (which uses the valid cert-a) becomes unreachable. This is by design. As of now you can split gateway per Listener/Domain i.e. create one Gateway per domain or certificate. If one TLS secret goes missing, it only affects that Gateway not all apps. Let me know if that works for you.
-
Bastian Kluge 5 Reputation points
2025-04-09T07:51:09.0266667+00:00 Hey Arko,
thanks for the clarification. At least I now know not to continue research into this direction.
I'll consider using multiple Gateways as described by you but since I plan to deploy lots of Webapps on my cluster which all use individual FQDNs, I'd end up with many (meaning twenty to fiftyish) Gateways. I think I remember reading somewhere that there is a limit of Gateways I can deploy in parallel. Am I right?
If there is a limit, I might as well route the traffic inside my Kubernetes Cluster (e.g. an nginx or Traefik or...)...Thanks for your help!!!
-
Bastian Kluge 5 Reputation points
2025-04-09T13:58:00.2333333+00:00 Okay, after checking some docs I'm quite sure, I won't consider use AGC in the near future. In my scenario I'd be forced to deploy multiple gateways for lots of moderately used Webapps / -services. The Gateways are simply too expensive in this scenario...
And in my initial read I didn't notice the part "current preview stage". This disqualifies AGC for any production use.
Sign in to comment
Sign in to answer