Integrations with Open Service Mesh on Azure Kubernetes Service (AKS)

The Open Service Mesh (OSM) add-on integrates with features provided by Azure as well as open source projects.


Integrations with open source projects aren't covered by the AKS support policy.


Ingress allows for traffic external to the mesh to be routed to services within the mesh. With OSM, you can configure most ingress solutions to work with your mesh, but OSM works best with Web Application Routing, NGINX ingress, or Contour ingress. Open source projects integrating with OSM are not covered by the AKS support policy.

At this time, Azure Gateway Ingress Controller (AGIC) only works for HTTP backends. If you configure OSM to use AGIC, AGIC will not be used for other backends such as HTTPS and mTLS.

Using the Azure Gateway Ingress Controller (AGIC) with the OSM add-on for HTTP ingress


You can't configure Azure Gateway Ingress Controller (AGIC) for HTTPS ingress.

After installing the AGIC ingress controller, create a namespace for the application service, add it to the mesh using the OSM CLI, and deploy the application service to that namespace:

# Create a namespace
kubectl create ns httpbin

# Add the namespace to the mesh
osm namespace add httpbin

# Deploy the application

export RELEASE_BRANCH=release-v1.2
kubectl apply -f$RELEASE_BRANCH/manifests/samples/httpbin/httpbin.yaml -n httpbin

Verify that the pods are up and running, and have the envoy sidecar injected:

kubectl get pods -n httpbin

Example output:

NAME                      READY   STATUS    RESTARTS   AGE
httpbin-7c6464475-9wrr8   2/2     Running   0          6d20h
kubectl get svc -n httpbin

Example output:

httpbin   ClusterIP   <none>        14001/TCP   6d20h

Next, deploy the following Ingress and IngressBackend configurations to allow external clients to access the httpbin service on port 14001.

kubectl apply -f <<EOF
kind: Ingress
  name: httpbin
  namespace: httpbin
  annotations: azure/application-gateway
  - http:
      - path: /
        pathType: Prefix
            name: httpbin
              number: 14001
kind: IngressBackend
  name: httpbin
  namespace: httpbin
  - name: httpbin
      number: 14001 # targetPort of httpbin service
      protocol: http
  - kind: IPRange

Ensure that both the Ingress and IngressBackend objects have been successfully deployed:

kubectl get ingress -n httpbin

Example output:

httpbin   <none>   *   80      6d20h
kubectl get ingressbackend -n httpbin

Example output:

httpbin   committed

Use kubectl to display the external IP address of the ingress service.

kubectl get ingress -n httpbin

Use curl to verify you can access the httpbin service using the external IP address of the ingress service.

curl -sI http://<external-ip>/get

Confirm you receive a response with status 200.

Metrics observability

Observability of metrics allows you to view the metrics of your mesh and the deployments in your mesh. With OSM, you can use Prometheus and Grafana for metrics observability, but those integrations aren't covered by the AKS support policy.

You can also integrate OSM with Azure Monitor.

Before you can enable metrics on your mesh to integrate with Azure Monitor:

  • Enable Azure Monitor on your cluster
  • Enable the OSM add-on for your AKS cluster
  • Onboard your application namespaces to the mesh

To enable metrics for a namespace in the mesh use osm metrics enable. For example:

osm metrics enable --namespace myappnamespace

Create a Configmap in the kube-system namespace that enables Azure Monitor to monitor your namespaces. For example, create a monitor-configmap.yaml with the following to monitor the myappnamespace:

kind: ConfigMap
apiVersion: v1
  schema-version: v1
  config-version: ver1
  osm-metric-collection-configuration: |-
    # OSM metric collection settings
          # Namespaces to monitor
          monitor_namespaces = ["myappnamespace"]
  name: container-azm-ms-osmconfig
  namespace: kube-system

Apply that ConfigMap using kubectl apply.

kubectl apply -f monitor-configmap.yaml

To access your metrics from the Azure portal, select your AKS cluster, then select Logs under Monitoring. From the Monitoring section, query the InsightsMetrics table to view metrics in the enabled namespaces. For example, the following query shows the envoy metrics for the myappnamespace namespace.

| where Name contains "envoy"
| extend t=parse_json(Tags)
| where == "myappnamespace"

Automation and developer tools

OSM can integrate with certain automation projects and developer tooling to help operators and developers build and release applications. For example, OSM integrates with Flagger for progressive delivery and Dapr for building applications. OSM's integration with Flagger and Dapr aren't covered by the AKS support policy.

External authorization

External authorization allows you to offload authorization of HTTP requests to an external service. OSM can use external authorization by integrating with Open Policy Agent (OPA), but that integration isn't covered by the AKS support policy.

Certificate management

OSM has several types of certificates it uses to operate on your AKS cluster. OSM includes its own certificate manager called Tresor, which is used by default. Alternatively, OSM allows you to integrate with Hashicorp Vault and cert-manager, but those integrations aren't covered by the AKS support policy.