Azure Application Gateway with AGIC - multiple listeners on same Hostname with different ports - best approach

Manakkal. Subash 20 Reputation points
2025-11-11T15:59:55.2333333+00:00

Hello,

I am deploying a private Azure Application Gateway (v2) with Azure Application Gateway Ingress Controller (AGIC) in an AKS environment and need guidance on the best approach for my specific requirements.

Architecture Overview:

  • Private Application Gateway (no public IP)
  • Azure Firewall in front doing DNAT to App Gateway private IP
  • Backend: AKS cluster running a single application exposing multiple ports
  • SSL termination at Application Gateway level
  • Backend protocol: HTTP

Requirements:

I need three listeners configured on the Application Gateway:

  1. https.pnr.com:443 → SSL termination → backend HTTP port 8080
  2. as2.pnr.com:443 → SSL termination → backend HTTP port 8081
  3. https.pnr.com:5555 → SSL termination → backend HTTP port 8082

Current Understanding:

  • Listeners 1 and 2 can be managed by AGIC using standard Kubernetes Ingress resources (different hostnames on port 443)
  • Listener 3 requires a custom frontend port (5555) on the same hostname as Listener 1
  • Standard Kubernetes Ingress spec doesn't have native support for specifying custom frontend ports

My Questions:

  1. What is the recommended approach to achieve this configuration with AGIC? Should I use pure AGIC, a combination of approaches, or something else entirely?
  2. Does AGIC support custom frontend ports (like 5555) through any annotations or specifications? I haven't found documentation on this capability.
  3. Are there alternative architectures or patterns that would better suit this use case while maintaining the requirement for three separate listeners with SSL termination?

Additional Context:

  • Both hostnames (https.pnr.com and as2.pnr.com) use separate SSL certificates
  • Azure Firewall will have DNAT rules for the required ports
  • All three listeners should ideally route to the same AKS backend pool (same pods, different target ports)
  • The use case is for AS2 protocol integration alongside a standard HTTPS web portal
  • Port 5555 is required by AS2 trading partners and cannot be changed

Thank you.

Subash M

Answer accepted by question author
Jeevan Shanigarapu 3,280 Reputation points Microsoft External Staff Moderator
    2025-11-11T22:19:48.09+00:00

    Hello @Manakkal. Subash,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    Thank you for sharing the detailed architecture and requirements. Based on your scenario, below is the recommended approach and considerations.

    Listeners on Port 443 (https.pnr.com and as2.pnr.com): These can be managed by AGIC (Application Gateway Ingress Controller) using standard Kubernetes Ingress resources with multi-site listeners. Each hostname should have its own SSL certificate and routing configuration.

    Listener on Port 5555 (https.pnr.com): Since standard Kubernetes Ingress does not natively support custom frontend ports, you can configure this in AGIC by adding the following annotations to your YAML definition:

    appgw.ingress.kubernetes.io/override-frontend-port: "5555"
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: "<certificate-name>"
    appgw.ingress.kubernetes.io/backend-protocol: "http"

    Ensure that your AGIC version is 1.3.0 or later before applying these annotations.

    Application Gateway Ingress Controller annotations | Microsoft Learn

    Support for Custom Frontend Ports: AGIC supports custom frontend ports through the override-frontend-port annotation. If this annotation is not used, AGIC defaults to standard ports 80 and 443.

    What is Azure Application Gateway Ingress Controller? | Microsoft Learn

    Alternative Architectures

    Option A: Application Gateway for Containers. Allows more flexibility for custom port configurations and supports Gateway API for improved scalability.

    Option B: Hybrid Approach. Use AGIC for standard ingress (port 443) and manually configure port 5555 using ARM or Bicep templates. Ensure that AGIC sync operations do not overwrite any manual changes applied at the Application Gateway level.

    Enabling end to end TLS on Azure Application Gateway | Microsoft Learn

    Note:

    1. Configure Azure Firewall DNAT rules to allow traffic on ports 443 and 5555.
    2. Use separate HTTP settings for backend ports (for example, 8080, 8081, 8082).
    3. For AS2 protocol traffic, SSL termination at the Application Gateway is acceptable, but the backend must verify AS2 message integrity and MDN acknowledgments.

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please do not forget to "Accept the answer" and "up-vote it" wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.

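Example manifests for the two listeners that share https.pnr.com (listener 1 on 443 and listener 3 on 5555), added here as an illustration and not part of the question or the answer above. The Service name pnr-app, the namespace pnr, and the certificate name https-pnr-com-cert (assumed to be already installed on the Application Gateway) are placeholders. Listener 2 has the same shape as the first Ingress with host as2.pnr.com, its own certificate name, and backend port 8081.

```yaml
# Added example, not from the question or answer. Assumes a Service "pnr-app" in
# namespace "pnr" exposing ports 8080 and 8082, and a certificate named
# "https-pnr-com-cert" installed on the gateway. Listener 1: https.pnr.com:443 -> 8080.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: portal-443
  namespace: pnr
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: "https-pnr-com-cert"
    appgw.ingress.kubernetes.io/backend-protocol: "http"
spec:
  rules:
    - host: https.pnr.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: pnr-app
                port:
                  number: 8080
---
# Listener 3: same hostname on frontend port 5555 -> backend HTTP 8082.
# override-frontend-port applies to the whole Ingress, so the 5555 listener needs
# its own Ingress object rather than a second rule in portal-443. AGIC 1.3.0+ required.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: as2-5555
  namespace: pnr
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/override-frontend-port: "5555"
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: "https-pnr-com-cert"
    appgw.ingress.kubernetes.io/backend-protocol: "http"
spec:
  rules:
    - host: https.pnr.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: pnr-app
                port:
                  number: 8082
```

Because the two Ingress objects differ only in frontend port, AGIC creates two multi-site listeners for the same hostname and a separate HTTP setting for each backend port, which matches the "separate HTTP settings" note in the answer.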
