What is Application Gateway for Containers?

Application Gateway for Containers is an application layer (layer 7) load balancing and dynamic traffic management product for workloads running in a Kubernetes cluster. It extends Azure's Application Load Balancing portfolio and is a new offering under the Application Gateway product family.

Application Gateway for Containers is the evolution of the Application Gateway Ingress Controller (AGIC), a Kubernetes application that enables Azure Kubernetes Service (AKS) customers to use Azure's native Application Gateway application load-balancer. In its current form, AGIC monitors a subset of Kubernetes Resources for changes and applies them to the Application Gateway, utilizing Azure Resource Manager (ARM).

How does it work?

Application Gateway for Containers is made up of three components:

  • Application Gateway for Containers resource
  • Frontends
  • Associations

The following dependencies are also referenced in an Application Gateway for Containers deployment:

  • Private IP address
  • Subnet Delegation
  • User-assigned Managed Identity

The architecture of Application Gateway for Containers is summarized in the following figure:

Diagram depicting traffic from the Internet ingressing into Application Gateway for Containers and being sent to backend pods in AKS.

For details about how Application Gateway for Containers accepts incoming requests and routes them to a backend target, see Application Gateway for Containers components.

Features and benefits

Application Gateway for Containers offers some entirely new features at release, such as:

  • Traffic splitting / Weighted round robin
  • Mutual authentication to the backend target
  • Kubernetes support for Ingress and Gateway API
  • Flexible deployment strategies
  • Increased performance, offering near real-time updates to add or move pods, routes, and probes

Application Gateway for Containers offers an elastic and scalable ingress to AKS clusters and comprises a new data plane as well as control plane with new set of ARM APIs, different from existing Application Gateway. These APIs are different from the current implementation of Application Gateway. Application Gateway for Containers is outside the AKS cluster data plane and is responsible for ingress. The service is managed by an ALB controller component that runs inside the AKS cluster and adheres to Kubernetes Gateway APIs.

Load balancing features

Application Gateway for Containers supports the following features for traffic management:

  • Automatic retries
  • Autoscaling
  • Availability zone resiliency
  • Default and custom health probes
  • ECDSA and RSA certificate support
  • Header rewrite
  • HTTP/2
  • HTTPS traffic management:
    • SSL termination
    • End to End SSL
  • Ingress and Gateway API support
  • Layer 7 HTTP/HTTPS request forwarding based on prefix/exact match on:
    • Hostname
    • Path
    • Header
    • Query string
    • Methods
    • Ports (80/443)
  • Mutual authentication (mTLS) to backend target
  • Server-sent event (SSE) support
  • Traffic splitting / weighted round robin
  • TLS policies
  • URL redirect
  • URL rewrite

Deployment strategies

There are two deployment strategies for management of Application Gateway for Containers:

  • Bring your own (BYO) deployment: In this deployment strategy, deployment and lifecycle of the Application Gateway for Containers resource, Association resource, and Frontend resource is assumed via Azure portal, CLI, PowerShell, Terraform, etc. and referenced in configuration within Kubernetes.
    • In Gateway API: Every time you wish to create a new Gateway resource in Kubernetes, a Frontend resource should be provisioned in Azure prior and referenced by the Gateway resource. Deletion of the Frontend resource is responsible by the Azure administrator and isn't deleted when the Gateway resource in Kubernetes is deleted.
  • Managed by ALB Controller: In this deployment strategy, ALB Controller deployed in Kubernetes is responsible for the lifecycle of the Application Gateway for Containers resource and its sub resources. ALB Controller creates the Application Gateway for Containers resource when an ApplicationLoadBalancer custom resource is defined on the cluster and its lifecycle is based on the lifecycle of the custom resource.
    • In Gateway API: Every time a Gateway resource is created referencing the ApplicationLoadBalancer resource, ALB Controller provisions a new Frontend resource and manage its lifecycle based on the lifecycle of the Gateway resource.

Supported regions

Application Gateway for Containers is currently offered in the following regions:

  • Australia East
  • Canada Central
  • Central India
  • Central US
  • East Asia
  • East US
  • East US2
  • France Central
  • Germany West Central
  • Korea Central
  • North Central US
  • North Europe
  • Norway East
  • South Central US
  • Southeast Asia
  • Switzerland North
  • UAE North
  • UK South
  • West US
  • West Europe

Implementation of Gateway API

ALB Controller implements version v1 of the Gateway API.

Gateway API Resource Support Comments
GatewayClass Yes
Gateway Yes Support for HTTP and HTTPS protocol on the listener. The only ports allowed on the listener are 80 and 443.
HTTPRoute Yes
ReferenceGrant Yes Currently supports version v1alpha1 of this API

Implementation of Ingress API

ALB Controller implements support for Ingress.

Ingress API Resource Support Comments
Ingress Yes Support for HTTP and HTTPS protocol on the listener.

Report issues and provide feedback

For feedback, post a new idea in feedback.azure.com For issues, raise a support request via the Azure portal on your Application Gateway for Containers resource.

Pricing and SLA

For Application Gateway for Containers pricing information, see Application Gateway pricing.

For Application Gateway for Containers SLA information, see Service Level Agreements (SLA) for Online Services.

What's new

To learn what's new with Application Gateway for Containers, see Azure updates.

Next steps