Adding an Ingress for DuploCloud Azure Load Balancers
Ingress controllers abstract the complexity of routed Kubernetes application traffic, providing a bridge between Kubernetes services and services that you define.
To add an SSL certificate to a service using Kubernetes Ingress, see the DuploCloud documentation for using SSL certificates with Ingress.
To run the load balancers, you must create one or more Services. To add a service, follow the steps in the Services topic. In this example, we created two Services named s1-alb and s4-nlb.
Before you add an Ingress rule, you need to enable the Ingress Controller for the application gateway.
In the DuploCloud Portal, navigate to Administrator -> Infrastructure.
Select the Infrastructure from the NAME column.
Click the Settings tab.
Click Add. The Infra-Set Custom Data pane displays.
In the Setting Name field, select Enable App Gateway Ingress Controller. Click Enable and Set. In the Settings tab, the Enable App Gateway Ingress Controller setting contains the true value.
Add a load balancer listener that uses the Kubernetes NodePort (K8S NodePort).
In the DuploCloud Portal, navigate to Kubernetes -> Services.
On the Services page, click on the name of the Service you created.
Click the Load Balancers tab.
Click Configure Load Balancer. The Add Load Balancer Listener pane appears.
In the Select Type field, select K8S Node Port.
In the Health Check field, add the Kubernetes Health Check URL for this container.
Complete the other fields in the Add Load Balancer Listener and click Add.
Using Kubernetes Health Check allows AKS's Application Load Balancer to determine whether your service is running properly.
Add an Ingress rule to listen on port 80 (in this example) using both Load Balancers.
In the DuploCloud Portal, navigate to Kubernetes -> Ingress.
Click Add. The Add Kubernetes Ingress page displays.
Supply the Ingress Name, select the Ingress Controller (in this example, azure-application-gateway), and set Visibility to Public.
In the DNS Prefix field, provide the DNS prefix to expose services using the Route53 domain.
From the Certificate ARN list box, select the certificate ARN to expose services over HTTPS.
In the Port Override field, select the port to override. This field lets you configure frontend listeners to use ports other than 80/443 for HTTP/HTTPS. If you use a port other than 80, you must define an additional Security Group rule for that port. See this section for more information.
On the Add Kubernetes Ingress page, click Add Rule. The Add Ingress Rule pane displays. Specify a unique Path identifier.
In the Service Name field, select the Service (s1-alb:80 in this example). Click Add Rule to add the Ingress rule.
Repeat the previous steps to add additional rules. In this example, we added a second rule for Service s4-nlb:80.
On the Add Kubernetes Ingress page, click Add to create the Ingress.
The DuploCloud Platform supports defining multiple paths in Ingress.
Port 80 is configured by default when adding Ingress. If you want to use a custom port number other than 80, add an additional security group rule for the custom port using this procedure.
In the DuploCloud Portal, navigate to Administrator -> Infrastructure.
Select the Infrastructure from the Name column.
Click the Security Group Rules tab.
Click Add. The Add Infrastructure Security pane displays.
Define the rule and click Add. The rule is added to the Security Group Rules list.
When Ingress is configured, you can access Services based on the rules for each DNS, displayed on the Kubernetes -> Ingress page.
The image below shows the output for three Services with Path Type rules and different DNS names. See the detailed steps to create Ingress rules.
By executing curl commands, you can see the difference in the output for each Service. Services are accessed based on the DNS name specified in the DuploCloud Portal and the paths that you configured when you added Ingress rules:
>curl http://ig-nev-ingress-ing-t2-1.duplopoc.net/
this is IG-NEV
>curl http://ing-doc-ingress-ing-t2-1.duplopoc.net/
this is ING-DOC
>curl http://ing-public-ingress-ing-t2.1.duplopoc.net/
this is ING2-PUBLIC
An Azure Application Gateway SSL policy allows you to configure the security settings for SSL/TLS connections between clients and the application gateway. By defining an SSL policy, you can specify which protocols and cipher suites to use, enhancing security, meeting compliance requirements, and optimizing performance. Configuration can be done via the Azure portal, Azure CLI, or ARM templates. See the Microsoft documentation for more information.
To use an Application Gateway SSL policy with Ingress for your ALB Load Balancer, follow these steps:
From the DuploCloud Portal, navigate to Administrator -> Systems Settings.
Select the System Config tab, and click Add. The Add Config pane displays.
In the Config Type list box, select AppConfig.
In the Key field, enter AZURE_APP_GATEWAY_SSL_POLICY.
In the Value field, enter your Azure Application Gateway SSL Policy (for example AppGwSslPolicy20220101).
Click Submit.
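After the setting is submitted, it is worth confirming that the Application Gateway itself carries the policy you entered. The script below is an added example, not part of the DuploCloud documentation: it uses the Azure CLI to compare the gateway's configured predefined policy with the expected name and checks that the policy's minimum protocol is TLS 1.2 or later (a criterion chosen for this example). The function names are hypothetical, and the resource group and gateway name are placeholders you must supply for your Infrastructure.

```shell
#!/usr/bin/env bash
# Added example: confirm the Application Gateway carries the expected predefined
# SSL policy. Resource group and gateway name are placeholders given by the caller.

# Print the predefined policy name set on the gateway (empty if none is set).
gateway_policy_name() {
  az network application-gateway ssl-policy show \
    --resource-group "$1" --gateway-name "$2" \
    --query policyName --output tsv
}

# Print the minimum protocol version of a predefined policy, e.g. TLSv1_2.
policy_min_protocol() {
  az network application-gateway ssl-policy predefined show \
    --name "$1" --query minProtocolVersion --output tsv
}

# Return 0 only if the gateway uses EXPECTED and that policy's floor is TLS 1.2+.
# Return 1 on a mismatch or weak floor, 2 if the Azure CLI call itself fails.
verify_gateway_ssl_policy() {
  local rg gw expected actual floor
  rg="$1"; gw="$2"; expected="$3"
  actual="$(gateway_policy_name "$rg" "$gw")" || return 2
  if [ "$actual" != "$expected" ]; then
    echo "MISMATCH: gateway has '${actual:-<none>}', expected '$expected'"
    return 1
  fi
  floor="$(policy_min_protocol "$expected")" || return 2
  case "$floor" in
    TLSv1_2|TLSv1_3) echo "OK: $expected (minimum $floor)"; return 0 ;;
    *) echo "WEAK: $expected allows $floor"; return 1 ;;
  esac
}

# Run only when invoked as: ./check.sh <resource-group> <gateway> <policy-name>
if [ "$#" -eq 3 ]; then
  verify_gateway_ssl_policy "$1" "$2" "$3"
fi
```

An empty policy name in the MISMATCH output means no SSL policy is set on the gateway, so it is still running with Azure's default.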