Quickstart: Create Application Gateway for Containers - bring your own deployment
This guide assumes you're following the bring your own deployment strategy, where ALB Controller references the Application Gateway for Containers resources precreated in Azure. It's assumed that resource lifecycles are managed in Azure, independent from what is defined within Kubernetes.
Prerequisites
Ensure you have first deployed ALB Controller into your Kubernetes cluster. You may follow the Quickstart: Deploy Application Gateway for Containers ALB Controller guide if you haven't already deployed the ALB Controller.
Create the Application Gateway for Containers resource
Execute the following command to create the Application Gateway for Containers resource.
RESOURCE_GROUP='<your resource group name>'
AGFC_NAME='alb-test' # Name of the Application Gateway for Containers resource to be created
az network alb create -g $RESOURCE_GROUP -n $AGFC_NAME
Create a frontend resource
Execute the following command to create the Application Gateway for Containers frontend resource.
FRONTEND_NAME='test-frontend'
az network alb frontend create -g $RESOURCE_GROUP -n $FRONTEND_NAME --alb-name $AGFC_NAME
Create an association resource
Delegate a subnet to association resource
To create an association resource, you first need to reference a subnet for Application Gateway for Containers to establish connectivity to. Ensure the subnet for an Application Gateway for Containers association is at least a class C or larger (/24 or smaller CIDR prefix). For this step, you may either reuse an existing subnet and enable subnet delegation on it or create a new VNET, subnet, and enable subnet delegation.
To reference an existing subnet, execute the following command to set the variables for reference to the subnet in later steps.
VNET_NAME='<name of the virtual network to use>'
VNET_RESOURCE_GROUP='<the resource group of your VNET>'
ALB_SUBNET_NAME='subnet-alb' # subnet name can be any non-reserved subnet name (i.e. GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet would all be invalid)
Enable subnet delegation for the Application Gateway for Containers service. The delegation for Application Gateway for Containers is identified by the Microsoft.ServiceNetworking/trafficControllers resource type.
az network vnet subnet update \
--resource-group $VNET_RESOURCE_GROUP \
--name $ALB_SUBNET_NAME \
--vnet-name $VNET_NAME \
--delegations 'Microsoft.ServiceNetworking/trafficControllers'
ALB_SUBNET_ID=$(az network vnet subnet list --resource-group $VNET_RESOURCE_GROUP --vnet-name $VNET_NAME --query "[?name=='$ALB_SUBNET_NAME'].id" --output tsv)
echo $ALB_SUBNET_ID
Delegate permissions to managed identity
ALB Controller needs the ability to provision new Application Gateway for Containers resources and join the subnet intended for the Application Gateway for Containers association resource.
In this example, we delegate the AppGW for Containers Configuration Manager role to the resource group and delegate the Network Contributor role to the subnet used by the Application Gateway for Containers association subnet, which contains the Microsoft.Network/virtualNetworks/subnets/join/action permission.
If desired, you can create and assign a custom role with the Microsoft.Network/virtualNetworks/subnets/join/action permission to eliminate other permissions contained in the Network Contributor role. Learn more about managing subnet permissions.
IDENTITY_RESOURCE_NAME='azure-alb-identity'
resourceGroupId=$(az group show --name $RESOURCE_GROUP --query id -otsv)
principalId=$(az identity show -g $RESOURCE_GROUP -n $IDENTITY_RESOURCE_NAME --query principalId -otsv)
# Delegate AppGw for Containers Configuration Manager role to RG containing Application Gateway for Containers resource
az role assignment create --assignee-object-id $principalId --assignee-principal-type ServicePrincipal --scope $resourceGroupId --role "fbc52c3f-28ad-4303-a892-8a056630b8f1"
# Delegate Network Contributor permission for join to association subnet
az role assignment create --assignee-object-id $principalId --assignee-principal-type ServicePrincipal --scope $ALB_SUBNET_ID --role "4d97b98b-1d4f-4787-a291-c67834d212e7"
Create an association resource
Execute the following command to create the association resource and connect it to the referenced subnet. It can take 5-6 minutes for the Application Gateway for Containers association to be created.
ASSOCIATION_NAME='association-test'
az network alb association create -g $RESOURCE_GROUP -n $ASSOCIATION_NAME --alb-name $AGFC_NAME --subnet $ALB_SUBNET_ID
Next steps
Congratulations, you have installed ALB Controller on your cluster and deployed the Application Gateway for Containers resources in Azure!
Try out a few of the how-to guides to deploy a sample application, demonstrating some of Application Gateway for Container's load balancing concepts.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for