iapilgrim

Expose Kube Service Using Azure Application Gateway + AGIC

We’ll deploy:

  • Azure Kubernetes Service (AKS)
  • Azure Application Gateway (WAF v2)
  • Azure Application Gateway Ingress Controller (AGIC)
  • A simple NGINX test app

🔷 Prerequisites

Make sure the Azure CLI and kubectl are installed:

az version
kubectl version --client

Login:

az login

Set variables:

RG=rg-aks-agic-demo
LOCATION=eastus2
AKS_NAME=aks-agic-demo
APPGW_NAME=appgw-agic-demo
VNET_NAME=vnet-agic-demo
AKS_SUBNET=aks-subnet
APPGW_SUBNET=appgw-subnet

🟢 Step 1 — Create Resource Group

az group create \
  --name $RG \
  --location $LOCATION

🟢 Step 2 — Create VNet with 2 Subnets

⚠️ Application Gateway must be in a dedicated subnet.

az network vnet create \
  --resource-group $RG \
  --name $VNET_NAME \
  --address-prefix 10.0.0.0/8 \
  --subnet-name $AKS_SUBNET \
  --subnet-prefix 10.240.0.0/16

Create App Gateway subnet:

az network vnet subnet create \
  --resource-group $RG \
  --vnet-name $VNET_NAME \
  --name $APPGW_SUBNET \
  --address-prefix 10.241.0.0/16

🟢 Step 3 — Create Public IP for App Gateway

az network public-ip create \
  --resource-group $RG \
  --name appgw-pip \
  --sku Standard \
  --allocation-method Static

🟢 Step 4 — Create Application Gateway (WAF v2)

az network application-gateway create \
  --name $APPGW_NAME \
  --resource-group $RG \
  --location $LOCATION \
  --sku Standard_v2 \
  --capacity 2 \
  --vnet-name $VNET_NAME \
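  --subnet $APPGW_SUBNET \
  --public-ip-address appgw-pip \
  --priority 100

Note: --sku Standard_v2 creates the gateway without the Web Application Firewall. To get the WAF v2 tier named in this step, use --sku WAF_v2 and attach a WAF policy with --waf-policy.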

🟢 Step 5 — Get Subnet ID for AKS

AKS_SUBNET_ID=$(az network vnet subnet show \
  --resource-group $RG \
  --vnet-name $VNET_NAME \
  --name $AKS_SUBNET \
  --query id -o tsv)

🟢 Step 6 — Create AKS with AGIC Enabled

We attach the existing Application Gateway.

APPGW_ID=$(az network application-gateway show \
  --name $APPGW_NAME \
  --resource-group $RG \
  --query id -o tsv)

Now create AKS:

az aks create \
  --resource-group $RG \
  --name $AKS_NAME \
  --network-plugin azure \
  --vnet-subnet-id $AKS_SUBNET_ID \
  --enable-addons ingress-appgw \
  --appgw-id $APPGW_ID \
  --node-count 2 \
  --generate-ssh-keys

This automatically deploys AGIC inside AKS.


🟢 Step 7 — Get AKS Credentials

az aks get-credentials \
  --resource-group $RG \
  --name $AKS_NAME

Verify:

kubectl get pods -n kube-system

You should see the AGIC pod running.


🟢 Step 8 — Deploy Demo Application

kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --port 80

Verify:

kubectl get svc

🟢 Step 9 — Create Ingress Resource

Create file: ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx
            port:
              number: 80

Apply:

kubectl apply -f ingress.yaml

🟢 Step 10 — Get Public IP

az network public-ip show \
  --resource-group $RG \
  --name appgw-pip \
  --query ipAddress \
  --output tsv

Wait 2–3 minutes for AGIC to sync.

Open in browser:

http://<PUBLIC-IP>

You should see:

Welcome to nginx!

🔷 What Just Happened (Enterprise Flow)

Internet
   ↓
Application Gateway
   ↓
AGIC watches Ingress
   ↓
Routes to AKS Service
   ↓
Pod

Traffic never hits AKS directly.

Application Gateway filters it first.


🔷 Verify AGIC Is Syncing

Check logs:

kubectl logs -n kube-system \
  deploy/ingress-appgw-deployment

You should see configuration updates. (*)

(*) If you see an error like

E0301 06:36:34.657523       1 client.go:191] Code="ErrorApplicationGatewayForbidden"

See https://dev.to/pilgrim2go/troubleshooting-azure-application-gateway-ingress-controller-403-error-fhc
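To spot sync failures such as the one above without reading the whole log, the error codes can be counted. This is an added example, not part of the original post or of AGIC; the function names and the sample log are constructed, with only the ErrorApplicationGatewayForbidden line format taken from above.

```shell
#!/usr/bin/env bash
# Added example: summarise error codes in AGIC (klog-format) logs.
# Against a live cluster, feed it the log command from this section:
#   kubectl logs -n kube-system deploy/ingress-appgw-deployment | agic_error_codes

# Reads log lines on stdin and prints "<count> <code>" for every
# Code="..." value found on a klog error line (severity letter E).
agic_error_codes() {
  awk '
    /^E[0-9][0-9][0-9][0-9] / {
      if (match($0, /Code="[^"]+"/)) {
        # Skip the 6 characters of Code=" and drop the closing quote.
        code = substr($0, RSTART + 6, RLENGTH - 7)
        count[code]++
      }
    }
    END { for (c in count) printf "%d %s\n", count[c], c }
  ' | sort -k1,1nr -k2,2
}

# Exit status 0 if the log on stdin contains the 403 shown above, 1 otherwise.
agic_forbidden() {
  agic_error_codes | grep -q ' ErrorApplicationGatewayForbidden$'
}

# Constructed sample log (not captured from a real cluster).
sample_agic_log() {
  cat <<'EOF'
I0301 06:36:30.000000       1 example.go:1] constructed info line
E0301 06:36:34.657523       1 client.go:191] Code="ErrorApplicationGatewayForbidden"
E0301 06:37:04.000000       1 client.go:191] Code="ErrorApplicationGatewayForbidden"
I0301 06:37:10.000000       1 example.go:2] constructed info line
EOF
}

# Demo on the constructed sample.
sample_agic_log | agic_error_codes
if sample_agic_log | agic_forbidden; then
  echo "AGIC is being denied access to the Application Gateway"
fi
```

A non-zero count that keeps growing between runs means AGIC is retrying and the gateway configuration is not being updated.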

🧹 Cleanup

az group delete --name $RG --yes --no-wait

🎯 You Now Have

✅ Layer 7 routing outside cluster
✅ AKS private nodes
✅ Enterprise ingress pattern
