Expose Kube Service Using Azure Application Gateway + AGIC
Source: Dev.to
🔷 Prerequisites
Make sure you have the Azure CLI and kubectl installed:
az version
kubectl version --client
Login to Azure
az login
Set variables
RG=rg-aks-agic-demo
LOCATION=eastus2
AKS_NAME=aks-agic-demo
APPGW_NAME=appgw-agic-demo
VNET_NAME=vnet-agic-demo
AKS_SUBNET=aks-subnet
APPGW_SUBNET=appgw-subnet
🟢 Step 1 — Create Resource Group
az group create \
--name $RG \
--location $LOCATION
🟢 Step 2 — Create VNet with 2 Subnets
⚠️ Application Gateway must be in a dedicated subnet.
Create the VNet and the AKS subnet:
az network vnet create \
--resource-group $RG \
--name $VNET_NAME \
--address-prefix 10.0.0.0/8 \
--subnet-name $AKS_SUBNET \
--subnet-prefix 10.240.0.0/16
Create the Application Gateway subnet:
az network vnet subnet create \
--resource-group $RG \
--vnet-name $VNET_NAME \
--name $APPGW_SUBNET \
--address-prefix 10.241.0.0/16
🟢 Step 3 — Create Public IP for Application Gateway
az network public-ip create \
--resource-group $RG \
--name appgw-pip \
--sku Standard \
--allocation-method Static
🟢 Step 4 — Create Application Gateway (Standard_v2)
The command below creates a Standard_v2 gateway, which routes and terminates HTTP(S) but performs no WAF inspection. If you want the web application firewall, create the gateway with the WAF_v2 SKU instead; the rest of the walkthrough is unchanged.
az network application-gateway create \
--name $APPGW_NAME \
--resource-group $RG \
--location $LOCATION \
--sku Standard_v2 \
--capacity 2 \
--vnet-name $VNET_NAME \
--subnet $APPGW_SUBNET \
--public-ip-address appgw-pip \
--priority 100
🟢 Step 5 — Get Subnet ID for AKS
AKS_SUBNET_ID=$(az network vnet subnet show \
--resource-group $RG \
--vnet-name $VNET_NAME \
--name $AKS_SUBNET \
--query id -o tsv)
🟢 Step 6 — Create AKS with AGIC Enabled
First, retrieve the Application Gateway resource ID:
APPGW_ID=$(az network application-gateway show \
--name $APPGW_NAME \
--resource-group $RG \
--query id -o tsv)
Now create the AKS cluster and attach the existing Application Gateway:
az aks create \
--resource-group $RG \
--name $AKS_NAME \
--network-plugin azure \
--vnet-subnet-id $AKS_SUBNET_ID \
--enable-addons ingress-appgw \
--appgw-id $APPGW_ID \
--node-count 2 \
--generate-ssh-keys
This automatically deploys the AGIC add‑on inside AKS.
🟢 Step 7 — Get AKS Credentials
az aks get-credentials \
--resource-group $RG \
--name $AKS_NAME
Verify the AGIC pod is running:
kubectl get pods -n kube-system
You should see a pod named ingress-appgw-deployment-<hash> in the Running state.
🟢 Step 8 — Deploy Demo Application
kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --port 80
Verify the service:
kubectl get svc
🟢 Step 9 — Create Ingress Resource
Create a file named ingress.yaml with the following content (indentation matters in YAML):
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx
            port:
              number: 80
The kubernetes.io/ingress.class annotation is deprecated upstream in Kubernetes; current AGIC releases also accept spec.ingressClassName: azure-application-gateway in its place. Either form selects AGIC as the controller for this Ingress.
Apply the manifest:
kubectl apply -f ingress.yaml
🟢 Step 10 — Get Public IP
az network public-ip show \
--resource-group $RG \
--name appgw-pip \
--query ipAddress \
--output tsv
Wait 2–3 minutes for AGIC to sync the configuration.
Open the IP address in a browser:
http://<public-ip>
You should see the default NGINX welcome page:
Welcome to nginx!
🔷 What Just Happened (Enterprise Flow)
Internet
↓
Application Gateway
↓
AGIC watches Ingress
↓
Routes to AKS Service
↓
Pod
The nodes have no public IP and no public LoadBalancer Service in front of them; the gateway's public IP is the only entry point. Because the cluster uses Azure CNI, pods receive IPs from the AKS subnet, and AGIC programs those pod IPs directly into the Application Gateway backend pool, so requests flow from the gateway to the pod without a NodePort hop. Note that with the Standard_v2 SKU used here the gateway proxies traffic but does not inspect it; request filtering only happens if you deploy the WAF_v2 SKU.
🔷 Verify AGIC Is Syncing
Check the AGIC logs:
kubectl logs -n kube-system \
deploy/ingress-appgw-deployment
You should see messages about configuration updates.
Note: If the logs show an error like
E0301 06:36:34.657523 1 client.go:191] Code="ErrorApplicationGatewayForbidden"
the add-on's managed identity cannot modify the gateway. It needs Contributor on the Application Gateway and Reader on the gateway's resource group; when the gateway's VNet lives in a different resource group it also needs Network Contributor on the gateway subnet. See the troubleshooting guide.
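A second check that is more precise than reading the logs is to compare the backend pool AGIC built with the pod IPs the cluster currently has behind the Service. The script below is an added example, not code from the original post; it assumes two JSON documents captured after Step 9 with `az network application-gateway show-backend-health -g $RG -n $APPGW_NAME -o json` and `kubectl get endpoints nginx -o json`. The documents embedded in it are constructed samples in the shape of those outputs, and the IPs, pod names and pool names (matched on an assumed "-<namespace>-<service>-" fragment of the pool id) are made up.

```python
"""Cross-check the backend pool AGIC built against the Service's endpoints.

Added example, not code from the original post. It assumes two JSON documents
captured after Step 9:
  az network application-gateway show-backend-health -g $RG -n $APPGW_NAME -o json
  kubectl get endpoints nginx -o json
The documents embedded below are constructed samples in the shape of those
outputs; the IPs, pool names and pod names are made up.
"""
import json
from typing import Dict, Set

# Constructed sample of `show-backend-health`. With Azure CNI the backend
# addresses are pod IPs from the AKS subnet (10.240.0.0/16 in this walkthrough).
BACKEND_HEALTH_JSON = json.dumps({
    "backendAddressPools": [{
        "backendAddressPool": {
            "id": "/subscriptions/.../backendAddressPools/pool-default-nginx-80-bp-80"
        },
        "backendHttpSettingsCollection": [{
            "backendHttpSettings": {
                "id": "/subscriptions/.../backendHttpSettingsCollection/bp-default-nginx-80-80-nginx-ingress"
            },
            "servers": [
                {"address": "10.240.0.15", "health": "Healthy"},
                {"address": "10.240.0.23", "health": "Unhealthy"},
            ],
        }],
    }]
})

# Constructed sample of `kubectl get endpoints nginx -o json` taken a moment
# later: one pod was replaced, so its IP changed from 10.240.0.23 to 10.240.0.31.
ENDPOINTS_JSON = json.dumps({
    "kind": "Endpoints",
    "metadata": {"name": "nginx", "namespace": "default"},
    "subsets": [{
        "addresses": [
            {"ip": "10.240.0.15", "targetRef": {"kind": "Pod", "name": "nginx-7c5ddbdf54-abcde"}},
            {"ip": "10.240.0.31", "targetRef": {"kind": "Pod", "name": "nginx-7c5ddbdf54-fghij"}},
        ],
        "ports": [{"port": 80, "protocol": "TCP"}],
    }],
})


def pool_servers(health_json: str, namespace: str, service: str) -> Dict[str, str]:
    """Return {address: health} for the pool AGIC created for namespace/service.

    Pool ids are matched on the "-<namespace>-<service>-" fragment; AGIC's exact
    naming scheme is an assumption here, not something the original post states.
    """
    doc = json.loads(health_json)
    needle = f"-{namespace}-{service}-"
    servers: Dict[str, str] = {}
    for pool in doc.get("backendAddressPools", []):
        if needle not in pool["backendAddressPool"]["id"]:
            continue
        for settings in pool.get("backendHttpSettingsCollection", []):
            for srv in settings.get("servers", []):
                servers[srv["address"]] = srv["health"]
    return servers


def endpoint_ips(endpoints_json: str) -> Set[str]:
    """Return the set of pod IPs currently behind the Service."""
    doc = json.loads(endpoints_json)
    return {
        addr["ip"]
        for subset in doc.get("subsets", [])
        for addr in subset.get("addresses", [])
    }


def audit(health_json: str, endpoints_json: str,
          namespace: str = "default", service: str = "nginx") -> dict:
    """Diff the gateway's view of the backend against the cluster's.

    stale:     addresses the gateway still targets that no pod owns any more
    missing:   live pod IPs AGIC has not pushed to the gateway yet
    unhealthy: pool addresses whose health probe is not Healthy
    in_sync:   True only when the pool equals the live set and all are Healthy
    """
    pool = pool_servers(health_json, namespace, service)
    live = endpoint_ips(endpoints_json)
    return {
        "stale": sorted(set(pool) - live),
        "missing": sorted(live - set(pool)),
        "unhealthy": sorted(a for a, h in pool.items() if h != "Healthy"),
        "in_sync": set(pool) == live and all(h == "Healthy" for h in pool.values()),
    }


if __name__ == "__main__":
    print(json.dumps(audit(BACKEND_HEALTH_JSON, ENDPOINTS_JSON), indent=2))
```

With the samples above the audit reports 10.240.0.23 as both stale and unhealthy and 10.240.0.31 as missing: the picture you see for the 2–3 minutes between a pod being replaced and AGIC pushing the new pool to the gateway. If the same drift persists after that window, or the pool is empty, look at the AGIC logs and the identity permissions described in the note above rather than at the application.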
🧹 Cleanup
az group delete --name $RG --yes --no-wait
🎯 You Now Have
- ✅ Layer 7 routing outside cluster
- ✅ AKS nodes with no public IP (the API server is still public; this is not a private cluster)
- ✅ Enterprise ingress pattern