Search
StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge

Use an Application Gateway as Ingress and protect your AKS websites with a WAF

  • September 2, 2020
  • 7 min read
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.

After the first article on how to deploy AKS we will check how to use an Application Gateway as an Ingress controller and a WAF. Why? To protect your websites 😊

To start, be sure to deploy your AKS cluster.

Now, you can deploy your Application Gateway, in Azure, with WAFv2 SKU:

Deploy your Application Gateway

Create a public IP for this WAF:

Create a public IP for this WAF

Create an empty backend pool (it will not be used, because of the integration as Ingress):

Create an empty backend pool

Create a routing rule1, with HTTP protocol (it will not be used, because of the integration as Ingress):

Create a routing rule1, with HTTP protocol

And the backend target (it will not be used, because of the integration as Ingress):

And the backend target

You will have this:

Configuration

When the App Gateway has been deployed, go to your Azure AD, and get the name of your Service Principal:

Name of your Service Principal

Get the application ID, and create a new secret:

Get the application ID

Give to this Azure AD Service Principal, the Contributor right on the AKS Resource Group:

AKS Resource Group

Now, connect to your AKS Cluster:

Execute the following command, to apply the deployment template rbac:

Convert your Azure AD Service principal secret to base 64:

Now, create 2 files, with the following content:

01-aadpodidentity-sp.yaml

02-aadpodidentitybinding.yaml

And apply them:

script

Pods are now running:

Pods are now running

Pods are now running

Now, we will convert the following connection string, to base64:

Copy this code with your values and go to https://www.base64encode.org/. Paste it and click to Encode. And get the result:

Encode

Create a new file, 04-helm-config.yaml, and paste the code, by replacing values, with your own:

It’s time to apply this configuration, with helm:

 

Script

The ingress pod has been deployed:

The ingress pod has been deployed

We will deploy a test application:

I created a DNS entry, starwind, that points to the public IP of my Application gateway. After few seconds, the deployment is finished on the Application Gateway:

I created a DNS entry

DNS entry - StarWind

Listeners

Rules

Health probes

If you try to access your website, you should be able to see it:

Welcome to nginx

In the next article, we will protect this website, with a Let’s Encrypt certificate, directly generated by AKS.

Hey! Found Florent’s article helpful? Looking to deploy a new, easy-to-manage, and cost-effective hyperconverged infrastructure?
Alex Bykovskyi
Alex Bykovskyi StarWind Virtual HCI Appliance Product Manager
Well, we can help you with this one! Building a new hyperconverged environment is a breeze with StarWind Virtual HCI Appliance (VHCA). It’s a complete hyperconverged infrastructure solution that combines hypervisor (vSphere, Hyper-V, Proxmox, or our custom version of KVM), software-defined storage (StarWind VSAN), and streamlined management tools. Interested in diving deeper into VHCA’s capabilities and features? Book your StarWind Virtual HCI Appliance demo today!