
Use an Application Gateway as Ingress and protect your AKS websites with a WAF

September 2, 2020
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.

After the first article on how to deploy AKS, we will look at how to use an Application Gateway as an Ingress controller and as a WAF. Why? To protect your websites 😊

To start, be sure to deploy your AKS cluster.

Now, you can deploy your Application Gateway, in Azure, with WAFv2 SKU:


Create a public IP for this WAF:


Create an empty backend pool (it will not be used, because of the integration as Ingress):


Create a routing rule, rule1, with the HTTP protocol (it will not be used, because of the integration as Ingress):


And the backend target (it will not be used, because of the integration as Ingress):


You will have this:

[Screenshot: Application Gateway configuration]

When the App Gateway has been deployed, go to your Azure AD, and get the name of your Service Principal:


Get the application ID, and create a new secret:


Give this Azure AD Service Principal the Contributor role on the AKS Resource Group:

Now, connect to your AKS Cluster:

az login
az account set --subscription subscriptionId
az aks get-credentials --name Starwind-WE --resource-group Starwind-WE

Execute the following command to apply the aad-pod-identity deployment template with RBAC:

kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml

Convert your Azure AD Service Principal secret to base64. Use -n so that the trailing newline echo would otherwise add is not encoded into the secret:

echo -n "SecretofSP" | base64

Now, create 2 files, with the following content:

01-aadpodidentity-sp.yaml

apiVersion: v1
kind: Secret
metadata:
  name: aad1-sp
type: Opaque
data:
  ClientSecret: TheBase64ChainofTheServicePrincipal
---
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: aad1
spec:
  type: 1   # 1 = Service Principal identity
  TenantID: YourTenantID
  ClientID: TheApplicationIDofTheServicePrincipal
  ClientPassword: {"Name":"aad1-sp","Namespace":"default"}   # the Secret created above

02-aadpodidentitybinding.yaml

apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: azure-id-binding
spec:
  AzureIdentity: "aad1"
  Selector: "floapp"   # pods labelled aadpodidbinding: floapp receive this identity

And apply them:

kubectl apply -f 01-aadpodidentity-sp.yaml
kubectl apply -f 02-aadpodidentitybinding.yaml
kubectl get pods -A

Pods are now running:

[Screenshot: Pods are now running]

Now, we will convert the following connection string to base64:

{
  "clientId": "The Service Principal ID",
  "clientSecret": "Client Secret of the Service Principal (not encoded in base64)",
  "subscriptionId": "SubscriptionID Where the AKS Cluster is hosted",
  "tenantId": "YourTenantID",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"
}

Copy this code with your values, go to https://www.base64encode.org/, paste it and click Encode to get the result.
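Both encodings above (the Service Principal secret for the Kubernetes Secret, and the connection string for the helm chart) can also be produced locally, so the secret never has to be pasted into a third-party website. The script below is an added example and not part of the original post; the GUIDs and secret it uses are constructed placeholders, and it assumes GNU coreutils base64.

```shell
#!/bin/sh
# Added example, not from the original post: build the armAuth.secretJSON value for
# 04-helm-config.yaml locally. Every identifier below is a constructed placeholder.

# Base64-encode the Service Principal secret for 01-aadpodidentity-sp.yaml.
# printf is used instead of echo: a bare echo appends a newline, which would be
# encoded too and end up inside the decoded secret.
encode_sp_secret() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Byte length of a base64 value after decoding; a stray newline shows up as one extra byte.
decoded_length() {
  printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Build the connection string expected by the AGIC helm chart and return it base64
# encoded on one line. Usage: build_secret_json CLIENT_ID CLIENT_SECRET SUBSCRIPTION_ID TENANT_ID
build_secret_json() {
  case "$2" in
    *\"*|*\\*) echo "secret contains a quote or backslash; JSON-escape it first" >&2; return 1 ;;
  esac
  cat <<EOF | base64 | tr -d '\n'
{
  "clientId": "$1",
  "clientSecret": "$2",
  "subscriptionId": "$3",
  "tenantId": "$4",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"
}
EOF
}

# Decode an encoded value to review what the helm chart will actually receive.
decode_b64() {
  printf '%s' "$1" | base64 -d
}

# Constructed sample run: sh secretjson.sh demo
if [ "${1:-}" = "demo" ]; then
  build_secret_json "00000000-0000-0000-0000-000000000001" "p@ss" \
    "00000000-0000-0000-0000-00000000000a" "00000000-0000-0000-0000-0000000000aa"
  echo
fi
```

Paste the single-line output into armAuth.secretJSON of 04-helm-config.yaml; decoded_length lets you confirm the secret you encoded for 01-aadpodidentity-sp.yaml has no trailing newline.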

Create a new file, 04-helm-config.yaml, and paste the following content, replacing the values with your own:

verbosityLevel: 3
appgw:
  subscriptionId: YourSubscriptionID
  resourceGroup: AKS
  name: FLOAPP-WAF01
  usePrivateIP: false
  shared: false
armAuth:
  type: servicePrincipal
  secretJSON: The Base64 encoded connection string created before
rbac:
  enabled: true

It’s time to apply this configuration with helm:

helm repo add application-gateway-kubernetes-ingress https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/
helm repo update
helm install -f 04-helm-config.yaml application-gateway-kubernetes-ingress/ingress-azure --generate-name

The ingress pod has been deployed:

[Screenshot: The ingress pod has been deployed]

We will deploy a test application:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.16.1
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  ports:
    - name: nginx
      port: 80
      protocol: TCP
      targetPort: 80
  type: ClusterIP
  selector:
    app: nginx
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx
  labels:
    app: nginx
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway   # handled by AGIC, not by another ingress controller
spec:
  rules:
  - host: starwind.falaconsulting.be
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80

I created a DNS entry, starwind, that points to the public IP of my Application Gateway. After a few seconds, the deployment is finished on the Application Gateway:

[Screenshots: DNS entry for starwind; Application Gateway listeners, rules and health probes created by the Ingress]

If you try to access your website, you should be able to see it:

[Screenshot: Welcome to nginx]

In the next article, we will protect this website, with a Let’s Encrypt certificate, directly generated by AKS.
