You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
title: Concepts - Ingress Networking in Azure Kubernetes Service (AKS)
3
+
description: Learn about ingress networking in Azure Kubernetes Service (AKS) including ingress controllers
4
+
ms.topic: conceptual
5
+
ms.date: 06/03/2024
6
+
author: schaffererin
7
+
ms.author: schaffererin
8
+
---
9
+
# Ingress in Azure Kubernetes Service (AKS)
10
+
11
+
Ingress in AKS is a Kubernetes resource that manages external HTTP-like traffic access to [services][services] within a cluster. An AKS ingress may provide services like load balancing, SSL termination, and name-based virtual hosting. For more information about Kubernetes Ingress, see the [Kubernetes Ingress documentation][k8s-ingress].
12
+
13
+
## Ingress controllers
14
+
15
+
When managing application traffic, Ingress controllers provide advanced capabilities by operating at layer 7. They can route HTTP traffic to different applications based on the inbound URL, allowing for more intelligent and flexible traffic distribution rules. For example, an ingress controller can direct traffic to different microservices depending on the URL path, enhancing the efficiency and organization of your services.
16
+
17
+
On the other hand, a LoadBalancer-type Service, when created, sets up an underlying Azure load balancer resource. This load balancer works at layer 4, distributing traffic to the pods in your Service on a specified port. However, layer 4 services are unaware of the actual applications and can't implement these types of complex routing rules.
18
+
19
+
Understanding the distinction between these two approaches helps in selecting the right tool for your traffic management needs.
20
+
21
+
![Diagram showing Ingress traffic flow in an AKS cluster][aks-ingress]
22
+
23
+
## Compare ingress options
24
+
25
+
The following table lists the feature differences between the different ingress controller options:
26
+
27
+
| Feature | Application Routing addon | Application Gateway for Containers | Azure Service Mesh/Istio-based service mesh |
|**Azure DNS integration for DNS zone management**| Yes | Yes | N/A |
39
+
40
+
The following table lists the different scenarios where you might use each ingress controller:
41
+
42
+
| Ingress option | When to use |
43
+
|----------------|-------------|
44
+
|**Managed NGINX - Application Routing addon**| • In-cluster hosted, customizable, and scalable NGINX ingress controllers. </br> • Basic load balancing and routing capabilities. </br> • Internal and external load balancer configuration. </br> • Static IP address configuration. </br> • Integration with Azure Key Vault for certificate management. </br> • Integration with Azure DNS Zones for public and private DNS management. </br> • Supports the Ingress API. |
45
+
|**Application Gateway for Containers**| • Azure hosted ingress gateway. </br> • Flexible deployment strategies managed by the controller or bring your own Application Gateway for Containers. </br> • Advanced traffic management features such as automatic retries, availability zone resiliency, mutual authentication (mTLS) to backend target, traffic splitting / weighted round robin, and autoscaling. </br> • Integration with Azure Key Vault for certificate management. </br> • Integration with Azure DNS Zones for public and private DNS management. </br> • Supports the Ingress and Gateway APIs. |
46
+
|**Istio Ingress Gateway**| • Based on Envoy, when using with Istio for a service mesh. </br> • Advanced traffic management features such as rate limiting and circuit breaking. </br> • Support for mTLS </br> • Supports the Gateway API. |
47
+
48
+
## Create an Ingress resource
49
+
50
+
The application routing addon is the recommended way to configure an Ingress controller in AKS. The application routing addon is a fully managed ingress controller for Azure Kubernetes Service (AKS) that provides the following features:
51
+
52
+
- Easy configuration of managed NGINX Ingress controllers based on Kubernetes NGINX Ingress controller.
53
+
54
+
- Integration with Azure DNS for public and private zone management.
55
+
56
+
- SSL termination with certificates stored in Azure Key Vault.
57
+
58
+
For more information about the application routing addon, see [Managed NGINX ingress with the application routing add-on](app-routing.md).
59
+
60
+
## Client source IP preservation
61
+
62
+
Configure your ingress controller to preserve the client source IP on requests to containers in your AKS cluster. When your ingress controller routes a client's request to a container in your AKS cluster, the original source IP of that request is unavailable to the target container. When you enable _client source IP preservation_, the source IP for the client is available in the request header under _X-Forwarded-For_.
63
+
64
+
If you're using client source IP preservation on your ingress controller, you can't use TLS pass-through. Client source IP preservation and TLS pass-through can be used with other services, such as the _LoadBalancer_ type.
65
+
66
+
To learn more about client source IP preservation, see [How client source IP preservation works for LoadBalancer Services in AKS][ip-preservation].
Copy file name to clipboardExpand all lines: articles/aks/concepts-network.md
+2-61Lines changed: 2 additions & 61 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,7 +2,7 @@
2
2
title: Concepts - Networking in Azure Kubernetes Services (AKS)
3
3
description: Learn about networking in Azure Kubernetes Service (AKS), including kubenet and Azure CNI networking, ingress controllers, load balancers, and static IP addresses.
4
4
ms.topic: conceptual
5
-
ms.date: 05/14/2024
5
+
ms.date: 06/03/2024
6
6
author: schaffererin
7
7
ms.author: schaffererin
8
8
ms.custom: fasttrack-edit
@@ -20,7 +20,6 @@ In a container-based, microservices approach to application development, applica
20
20
This article introduces the core concepts that provide networking to your applications in AKS:
@@ -52,66 +51,8 @@ In AKS, you can deploy a cluster that uses one of the following network models:
52
51
***Overlay network model**: Overlay networking is the most common networking model used in Kubernetes. Pods are given an IP address from a private, logically separate CIDR from the Azure virtual network subnet where AKS nodes are deployed. This model enables simpler, improved scalability when compared to the flat network model.
53
52
***Flat network model**: A flat network model in AKS assigns IP addresses to pods from a subnet from the same Azure virtual network as the AKS nodes. Any traffic leaving your clusters isn't SNAT'd, and the pod IP address is directly exposed to the destination. This model can be useful for scenarios like exposing pod IP addresses to external services.
54
53
55
-
56
-
57
-
58
54
For more information on networking models in AKS, see [CNI Networking in AKS][network-cni-overview].
59
55
60
-
## Ingress controllers
61
-
62
-
When you create a LoadBalancer-type Service, you also create an underlying Azure load balancer resource. The load balancer is configured to distribute traffic to the pods in your Service on a given port.
63
-
64
-
The *LoadBalancer* only works at layer 4. At layer 4, the Service is unaware of the actual applications, and can't make any more routing considerations.
65
-
66
-
*Ingress controllers* work at layer 7 and can use more intelligent rules to distribute application traffic. Ingress controllers typically route HTTP traffic to different applications based on the inbound URL.
67
-
68
-
![Diagram showing Ingress traffic flow in an AKS cluster][aks-ingress]
69
-
70
-
### Compare ingress options
71
-
72
-
The following table lists the feature differences between the different ingress controller options:
73
-
74
-
| Feature | Application Routing addon | Application Gateway for Containers | Azure Service Mesh/Istio-based service mesh |
|**Azure DNS integration for DNS zone management**| Yes | Yes | N/A |
86
-
87
-
The following table lists the different scenarios where you might use each ingress controller:
88
-
89
-
| Ingress option | When to use |
90
-
|----------------|-------------|
91
-
|**Managed NGINX - Application Routing addon**| • In-cluster hosted, customizable, and scalable NGINX ingress controllers. </br> • Basic load balancing and routing capabilities. </br> • Internal and external load balancer configuration. </br> • Static IP address configuration. </br> • Integration with Azure Key Vault for certificate management. </br> • Integration with Azure DNS Zones for public and private DNS management. </br> • Supports the Ingress API. |
92
-
|**Application Gateway for Containers**| • Azure hosted ingress gateway. </br> • Flexible deployment strategies managed by the controller or bring your own Application Gateway for Containers. </br> • Advanced traffic management features such as automatic retries, availability zone resiliency, mutual authentication (mTLS) to backend target, traffic splitting / weighted round robin, and autoscaling. </br> • Integration with Azure Key Vault for certificate management. </br> • Integration with Azure DNS Zones for public and private DNS management. </br> • Supports the Ingress and Gateway APIs. |
93
-
|**Istio Ingress Gateway**| • Based on Envoy, when using with Istio for a service mesh. </br> • Advanced traffic management features such as rate limiting and circuit breaking. </br> • Support for mTLS </br> • Supports the Gateway API. |
94
-
95
-
### Create an Ingress resource
96
-
97
-
The application routing addon is the recommended way to configure an Ingress controller in AKS. The application routing addon is a fully managed ingress controller for Azure Kubernetes Service (AKS) that provides the following features:
98
-
99
-
- Easy configuration of managed NGINX Ingress controllers based on Kubernetes NGINX Ingress controller.
100
-
101
-
- Integration with Azure DNS for public and private zone management.
102
-
103
-
- SSL termination with certificates stored in Azure Key Vault.
104
-
105
-
For more information about the application routing addon, see [Managed NGINX ingress with the application routing add-on](app-routing.md).
106
-
107
-
### Client source IP preservation
108
-
109
-
Configure your ingress controller to preserve the client source IP on requests to containers in your AKS cluster. When your ingress controller routes a client's request to a container in your AKS cluster, the original source IP of that request is unavailable to the target container. When you enable *client source IP preservation*, the source IP for the client is available in the request header under *X-Forwarded-For*.
110
-
111
-
If you're using client source IP preservation on your ingress controller, you can't use TLS pass-through. Client source IP preservation and TLS pass-through can be used with other services, such as the *LoadBalancer* type.
112
-
113
-
To learn more about client source IP preservation, see [How client source IP preservation works for LoadBalancer Services in AKS][ip-preservation].
114
-
115
56
## Control outbound (egress) traffic
116
57
117
58
AKS clusters are deployed on a virtual network and have outbound dependencies on services outside of that virtual network. These outbound dependencies are almost entirely defined with fully qualified domain names (FQDNs). By default, AKS clusters have unrestricted outbound (egress) Internet access, which allows the nodes and services you run to access external resources as needed. If desired, you can restrict outbound traffic.
@@ -141,7 +82,7 @@ For more information, see [Secure traffic between pods using network policies in
141
82
142
83
## Next steps
143
84
144
-
To get started with AKS networking, create and configure an AKS cluster with your own IP address ranges using [kubenet][aks-configure-kubenet-networking] or [Azure CNI][aks-configure-advanced-networking].
85
+
To get started with AKS networking, create and configure an AKS cluster with your own IP address ranges using [Azure CNI Overlay][azure-cni-overlay] or [Azure CNI][aks-configure-advanced-networking].
145
86
146
87
For associated best practices, see [Best practices for network connectivity and security in AKS][operator-best-practices-network].
0 commit comments