Kubernetes_035_Gateway+API (1)

The document provides an overview of the Application Gateway for Containers, a new layer 7 application load balancing solution for Azure Kubernetes Service (AKS). It introduces the Gateway API, which aims to enhance Kubernetes service networking through expressive and extensible interfaces, and outlines the architecture and components of the Application Gateway for Containers, including the Application Load Balancer (ALB) Controller. Key benefits include traffic management features, support for Ingress and Gateway API, and improved role-based access control (RBAC).

Uploaded by

hamedur rahiman

Application Gateway for Containers

Houssem Dellai, CSA at Microsoft


Kubernetes (old) Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world-ingress
  annotations:
    nginx.ingress.kubernetes.io/use-regex: "true"
spec:
  ingressClassName: nginx-app-02 # nginx
  tls:
  - hosts:
    - aks-app-02.westeurope.cloudapp.azure.com
    secretName: tls-ingress-app-02-secret
  rules:
  - host: aks-app-02.westeurope.cloudapp.azure.com
    http:
      paths:
      - path: /hello-world-one(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: aks-helloworld-one
            port:
              number: 80
      - path: /hello-world-two(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: aks-helloworld-two
            port:
              number: 80

What is Gateway API
An open-source project managed by the SIG-NETWORK community.

An API (collection of resources) that models service networking in Kubernetes.

These resources are GatewayClass, Gateway, HTTPRoute, TCPRoute, Service, etc.

Aims to evolve Kubernetes service networking through expressive, extensible, and role-oriented interfaces that are implemented by many vendors and have broad industry support.

Gateway API project on GitHub

github.com/kubernetes-sigs/gateway-api
Gateway API components and owners
Gateway API role-oriented (RBAC) model
Gateway API implementations
Azure Application Gateway for Containers (preview)
Cilium (beta)
Amazon Elastic Kubernetes Service (alpha)
Contour (beta)
HashiCorp Consul
Google Kubernetes Engine (GA)
Istio (beta)
NGINX Kubernetes Gateway
Kong (beta)
BIG-IP Kubernetes Gateway (beta)
Traefik (alpha)
Emissary-Ingress (Ambassador API Gateway) (alpha)
Envoy Gateway (alpha)
HAProxy Ingress (alpha)

gateway-api.sigs.k8s.io/implementations/
Load Balancing Portfolio

Standard Load Balancer: VM/VMSS/AKS workloads; L4 passthrough LB; Regional/Global
Application Gateway: VM/VMSS/Hybrid workloads; L7 regional LB; TCP/TLS proxy; WAF
Front Door: VM/VMSS/Hybrid workloads; L7 global LB; TCP/TLS proxy; WAF
Application Gateway for Containers: AKS/container workloads; Dynamic traffic shifting; L7 Ingress Controller; Regional/Global; WAF

Application Gateway for Containers
New application load balancing (layer 7) and dynamic traffic management for AKS.

New offering under the Application Gateway product family.

The evolution of the Application Gateway Ingress Controller (AGIC).


Application Gateway for Containers architecture
Application Gateway for Containers vs App Gateway/AGIC
Application Gateway for Containers components

ALB Controller

Associations

Frontends
Application Load Balancer (ALB) Controller

ALB is a Kubernetes deployment installed via Helm chart.

Creates the App Gateway for Containers if using the BYO (managed) mode when an ApplicationLoadBalancer custom resource is defined on the cluster.

The service lifecycle is based on the lifecycle of the custom resource.

Supports Workload Identity and Managed Identity (UMI).

Watches CRD resources like Ingress, Gateway & ApplicationLoadBalancer.

Propagates configuration to the App Gateway for Containers.


Application Load Balancer (ALB) Controller
Two running pods inside azure-alb-system namespace.
1. alb-controller pod propagates configuration to Application Gateway for Containers
2. alb-controller-bootstrap pod is responsible for management of CRDs.
Application Load Balancer (ALB) Controller logs

kubectl logs pod/alb-controller-764cf9ccdf-hf8v6 -n azure-alb-system


{"level":"info","component":"lb-resources-reconciler","Timestamp":"2023-08-03T19:12:41.47807995Z","caller":"/__w/1/s/alb-controller/k8s/reconcilers/reconcile.go:142","message":"Successfully processed object test-infra/gateway-01"}
{"level":"info","component":"armclient-logger","Timestamp":"2023-08-03T19:12:41.508898212Z","caller":"/__w/1/s/pkg/armclient/armclient.go:161","message":"Creating Application Gateway for Containers resource alb-eed2f86a from CRD alb-infra/alb-appgw-containers in RG mc_rg-aks_aks-cluster_westeurope"}
{"level":"info","component":"armclient-logger","Timestamp":"2023-08-03T19:13:53.094882916Z","caller":"/__w/1/s/pkg/armclient/armclient.go:271","message":"Getting association as-25e7ea3b for Application Gateway for Containers resource /subscriptions/xxxx/resourceGroups/mc_rg-aks_aks-cluster_westeurope/providers/Microsoft.ServiceNetworking/trafficControllers/alb-eed2f86a"}
{"level":"info","component":"lb-resources-reconciler","Timestamp":"2023-08-03T19:31:05.834265509Z","caller":"/__w/1/s/alb-controller/k8s/reconcilers/reconcile.go:142","message":"Successfully processed object ns-app/httproute-app"}

Application Gateway for Containers associations
Defines a connection point into a virtual network.

1:1 mapping of an association resource to a delegated Azure Subnet.


Application Gateway for Containers frontends
Defines the entry point where client traffic is received by a given AppGwC.

Each frontend provides a unique FQDN.

A single AppGwC supports multiple frontends.


Azure Application Gateway for Containers benefits

• Traffic splitting / Weighted round robin

• Mutual authentication (mTLS) to the backend target

• Kubernetes support for Ingress and Gateway API

• AGIC only supports Ingress

• Better RBAC model for separation of concerns

• Near real-time updates to add or move pods, routes, and probes


Sample resources
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gateway-app
  namespace: ns-gateway
  annotations:
    alb.networking.azure.io/alb-id: appgwc_resId
spec:
  gatewayClassName: azure-alb-external
  listeners:
  - name: http-listener
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: All # Same
  addresses:
  - type: alb.networking.azure.io/alb-frontend
    value: frontend-app
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: httproute-app
  namespace: ns-app
spec:
  parentRefs:
  - kind: Gateway
    name: gateway-app
    namespace: ns-gateway
  rules:
  - backendRefs:
    - name: svc-app
      port: 80
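
The sample Gateway accepts routes from every namespace (from: All), which leaves the role-oriented separation to RBAC alone. As an added example (not from the original slides), the manifests below limit attachment to ns-app and grant a hypothetical app-team group rights over HTTPRoutes only; the group, Role and RoleBinding names are assumptions.

```yaml
# Added example: tighten the page's gateway-app so only ns-app can attach routes.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gateway-app
  namespace: ns-gateway
  annotations:
    alb.networking.azure.io/alb-id: appgwc_resId
spec:
  gatewayClassName: azure-alb-external
  listeners:
  - name: http-listener
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: Selector             # instead of "All"
        selector:
          matchLabels:
            kubernetes.io/metadata.name: ns-app   # label set by the API server
  addresses:
  - type: alb.networking.azure.io/alb-frontend
    value: frontend-app
---
# Hypothetical group "app-team" and Role names: HTTPRoute rights in ns-app only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: httproute-editor
  namespace: ns-app
rules:
- apiGroups: ["gateway.networking.k8s.io"]
  resources: ["httproutes"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: httproute-editor-binding
  namespace: ns-app
subjects:
- kind: Group
  name: app-team
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: httproute-editor
  apiGroup: rbac.authorization.k8s.io
```

With this listener, an HTTPRoute in any other namespace that names gateway-app in parentRefs is not accepted, and app-team has no permissions in ns-gateway to change that.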
