As its definition says, “Azure Front Door is a global, scalable, and secure entry point for fast delivery of your web applications. It offers dynamic site acceleration, SSL offloading, domain and certificate management, application firewall, and URL-based routing”. We can think of it as an Application Gateway at global scale, with a CDN profile thrown in to spice it up.

AGIC, or Application Gateway as Ingress Controller, is already available and widely used. I recently received a question asking whether Azure Front Door can be used in the same way. I didn’t have to reinvent the wheel, as many blog posts and YouTube videos already cover this topic. In this article, I will only discuss the different options for implementing Azure Front Door with AKS and add some critical tips you should be aware of.

In general, using Azure Front Door with Azure Kubernetes Service has the following benefits:
To follow this guide, you will need the following:
In this option, you create an internal load balancer within your AKS cluster (under the same namespace) to expose the web app running in the deployment or pod created earlier. The load balancer therefore gets an internal IP instead of an external, internet-facing IP. As you may already know, this is done using annotations. You then add a few more annotations to create a private link on the load balancer's internal IP. Finally, you connect your Azure Front Door to this private link through a private endpoint. A detailed blog post can be found here: Connect Azure Front Door Premium to an AKS App origin with Private Link | by James Dumont le Douarec.... Here is a YouTube video that describes the whole process: Publish Your AKS Services with Azure Private Link and Front Door (youtube.com).
Tips:
The previous option of using an internal load balancer, although easy to implement, has a few limitations:
Using an ingress helps you overcome both of the issues mentioned above. In this case too, we will use a private IP, a private link, and a private endpoint. Unlike the previous option, you do not add annotations to the Ingress declaration (YAML). There is a Techcommunity post with detailed information, along with Bicep code, YAML, etc., to create the whole environment: How to expose NGINX Ingress Controller via Azure Front Door and Azure Private Link Service - Microso....
Before using the artifacts from the post mentioned above, I’d ask you to try it yourself once using a somewhat simpler method. You already have an AKS cluster and Azure Front Door ready. Use the following tips to reuse them and see how Ingress works.
Tips:
# values.yaml: in the ingress-nginx chart, the Service annotations sit under controller.service
controller:
  service:
    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      service.beta.kubernetes.io/azure-pls-create: "true"
      service.beta.kubernetes.io/azure-pls-name: "<your pls name>"
      service.beta.kubernetes.io/azure-pls-visibility: "<your subscription ID>"

helm install nginx-ingress ingress-nginx/ingress-nginx -f values.yaml \
  --set controller.replicaCount=2 \
  --set controller.nodeSelector."kubernetes\.io/os"=linux \
  --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux \
  --set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux
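One way to confirm that the annotations above took effect, as an added example that is not part of the original post: the script below audits the JSON produced by `kubectl get svc -A -o json` and flags LoadBalancer Services that are still publicly reachable, have no Private Link Service, or expose the Private Link Service to every subscription. The function name `audit_services`, the helper `_svc` and the sample data are constructed for illustration.

```python
import ipaddress
import json

# Annotation keys as they appear in the values.yaml on this page.
INTERNAL = "service.beta.kubernetes.io/azure-load-balancer-internal"
PLS_CREATE = "service.beta.kubernetes.io/azure-pls-create"
PLS_VISIBILITY = "service.beta.kubernetes.io/azure-pls-visibility"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _svc(ns, name, svc_type, ip=None, annotations=None):
    """Build one constructed Service object (sample data, not cluster output)."""
    ingress = [{"ip": ip}] if ip else []
    return {"metadata": {"namespace": ns, "name": name, "annotations": annotations or {}},
            "spec": {"type": svc_type}, "status": {"loadBalancer": {"ingress": ingress}}}

# Constructed sample in the shape of `kubectl get svc -A -o json`.
SAMPLE = json.dumps({"items": [
    _svc("ingress", "nginx-private", "LoadBalancer", "10.224.0.10",
         {INTERNAL: "true", PLS_CREATE: "true",
          PLS_VISIBILITY: "00000000-0000-0000-0000-000000000000"}),
    _svc("web", "legacy-public", "LoadBalancer", "203.0.113.10"),
    _svc("web", "wide-open-pls", "LoadBalancer", "10.224.0.11",
         {INTERNAL: "true", PLS_CREATE: "true", PLS_VISIBILITY: "*"}),
    _svc("web", "backend", "ClusterIP"),
]})

def audit_services(kubectl_json):
    """Return (service, finding) pairs for Services that can be reached around Front Door."""
    findings = []
    for svc in json.loads(kubectl_json)["items"]:
        if svc["spec"].get("type") != "LoadBalancer":
            continue  # only LoadBalancer Services get an Azure frontend IP
        meta = svc["metadata"]
        ann = meta.get("annotations") or {}
        name = f'{meta["namespace"]}/{meta["name"]}'
        if ann.get(INTERNAL, "").lower() != "true":
            findings.append((name, "not-internal"))
        if ann.get(PLS_CREATE, "").lower() != "true":
            findings.append((name, "no-private-link-service"))
        if ann.get(PLS_VISIBILITY, "").strip() == "*":  # "*" = visible to all subscriptions
            findings.append((name, "pls-visible-to-all-subscriptions"))
        for entry in svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []:
            ip = entry.get("ip")
            if ip and not any(ipaddress.ip_address(ip) in net for net in RFC1918):
                findings.append((name, f"public-ip:{ip}"))
    return findings

if __name__ == "__main__":
    for service, finding in audit_services(SAMPLE):
        print(f"{service}: {finding}")
```

Against a real cluster, pass the output of `kubectl get svc -A -o json` to `audit_services` in place of `SAMPLE`.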
In this blog post, I have shown you how to use Azure Front Door with Azure Kubernetes Service to improve the performance and security of your web applications. You have learned how to:
I hope you have found this guide useful and informative. If you have any questions or feedback, please feel free to leave a comment below.