Exposing port in AKS via Nginx

Chintan Rajvir 426 Reputation points Microsoft Employee
2021-02-22T13:36:08.593+00:00

I have an application running in Azure Kubernetes Service as a part of our marketplace solution. The application is exposed outside to listen on port 443 via nginx. Internally, the ingress will map the port 443 to some internal port p1.

The application is exposed outside with custom domain, created using a DNS Zone deployment. Everything is working fine so far.

Now, my application has a health server exposed on port p2 within the cluster. I wish to expose this as a public endpoint. I choose the path where:

  1. I expose the port p2 in the service spec of the application.
  2. I edit the ingress rules to use another custom domain name (within the same DNS Zone), which would map the traffic to port p2 from 443, based on all the paths. ...

      - host: <c2>.<dnsZoneName>
        http:
          paths:
          - backend:
              serviceName: <myappservice>
              servicePort: <p2>
            path: /healthz
      ...

I attempted the scenario using path as above and without it too.

Next, I add the custom domain name prefix as an A Name record in the DNS Zone deployment.

Next, I run the curl command on Azure Cloud Shell to call the health server of the application using the new domain name:
curl -k -v https://<domainNameForHealthServer>:443/healthz

The verbose error I receive is:

Trying <ipAddress1>...
* TCP_NODELAY set
* Connected to <domainNameForHealthServer> (<ipAddress1>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <domainNameForHealthServer>:443 
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <domainNameForHealthServer>:443

I am not able to debug the root cause of the issue. If I exec into the application pod, and run the health test using: curl localhost:<p2>/healthz then it returns the output correctly.

Regards,
Chintan Rajvir


Accepted answer
  1. Chintan Rajvir 426 Reputation points Microsoft Employee
    2021-02-23T04:20:51.97+00:00

    I found the issue for the above scenario. Our application is not using TLS for now on port p2. However, when we expose it via nginx on port 443 publicly, the URI needs to use https. We had the following annotations in our ingress YAML file:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"

    From these, we removed the ssl-passthrough annotation and changed the backend-protocol to HTTP by creating a new ingress YAML file with the rules for port p2. The following command works fine now:
    curl -k -v https://<domainNameForHealthServer>:443/healthz

    Regards,
    Chintan Rajvir

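The two ingress configurations the accepted answer describes, written out as an added example (not from the original post): the first keeps ssl-passthrough with an HTTPS backend protocol, which hands the raw TLS connection to a backend that only speaks plain HTTP; the second lets nginx terminate TLS and forward HTTP to the health port. The hostname, Ingress names, Secret name and port 8081 are placeholders.

```yaml
# Before: the annotations from the question. ssl-passthrough hands the raw TLS
# connection to the backend, and the health server on p2 speaks plain HTTP,
# so the handshake fails with SSL_ERROR_SYSCALL.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-health-passthrough   # placeholder name
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: health.example.com       # placeholder for <c2>.<dnsZoneName>
    http:
      paths:
      - path: /healthz
        pathType: Prefix
        backend:
          service:
            name: myappservice     # placeholder for <myappservice>
            port:
              number: 8081         # placeholder for p2
---
# After: nginx terminates TLS with the certificate in an assumed Secret and
# forwards plain HTTP to the backend (HTTP is also the annotation's default).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-health
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - health.example.com
    secretName: health-tls         # assumed Secret holding cert and key
  rules:
  - host: health.example.com
    http:
      paths:
      - path: /healthz
        pathType: Prefix
        backend:
          service:
            name: myappservice
            port:
              number: 8081
```

With ssl-passthrough the controller must also run with --enable-ssl-passthrough, and nginx never sees the HTTP layer at all, so that annotation only makes sense when the backend itself serves TLS.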

1 additional answer

  1. Lucas Camargo Reis 86 Reputation points
    2021-02-22T19:03:08.047+00:00

    Hi @Chintan Rajvir

    I think you need to identify where the problem is, so I recommend:

    1. Try accessing your application from another pod/container using the App Pod ID; you can see it with the command: kubectl describe pod <nomedopod>
    2. Try accessing your application from another pod/container using the service IP and port
    3. Try accessing your application from another pod/container using the ingress

    If possible, share the YAML files used for the ingress, service and pod (masking sensitive information).
