DEV Community

iapilgrim
iapilgrim

Posted on

Turn Your Regional AKS Ingress into a Global SaaS Entry Point

#aks #azure #agic #cloud

In the previous tutorial, we deployed:

  • 🧱 Azure Kubernetes Service
  • πŸ›‘ Azure Application Gateway (WAF_v2)
  • πŸ” AGIC (Application Gateway Ingress Controller)
  • 🌐 Exposed nginx via Kubernetes Ingress

That architecture looked like this:

User β†’ Application Gateway β†’ AKS β†’ Pods
Enter fullscreen mode Exit fullscreen mode

This works great for regional workloads.

But what if you want:

  • 🌎 Global routing
  • ⚑ Latency optimization
  • πŸ” Automatic regional failover
  • πŸ›‘ Edge TLS termination
  • 🌐 SaaS-grade architecture

That’s where Azure Front Door comes in.

πŸ— Target Architecture

We are extending the previous lab into this:

Global Users
     ↓
Azure Front Door (Global Edge)
     ↓
Application Gateway (Regional WAF)
     ↓
AKS (via AGIC)
     ↓
Pods
Enter fullscreen mode Exit fullscreen mode

Now:

  • Front Door handles global entry
  • App Gateway handles regional WAF
  • AGIC dynamically manages routing to Kubernetes services

This is a production SaaS pattern.

πŸš€ Step 1 β€” Assumptions

You already completed the AGIC lab and have:

  • Resource Group
  • VNet
  • AKS cluster
  • Application Gateway
  • Public IP for App Gateway
  • Working nginx ingress

You can verify:

curl http://<APPGW_PUBLIC_IP>
Enter fullscreen mode Exit fullscreen mode

You should see the nginx welcome page.

🌍 Step 2 β€” Create Azure Front Door

We’ll now add Azure Front Door in front of Application Gateway.

Create Front Door Profile 

AFD_PROFILE="afd-agic-demo"
AFD_ENDPOINT="afd-endpoint"

az afd profile create \
  --resource-group $RG \
  --profile-name $AFD_PROFILE \
  --sku Standard_AzureFrontDoor
Enter fullscreen mode Exit fullscreen mode

Create Endpoint 

az afd endpoint create \
  --resource-group $RG \
  --profile-name $AFD_PROFILE \
  --endpoint-name $AFD_ENDPOINT
Enter fullscreen mode Exit fullscreen mode

This gives us a global Anycast hostname like:

https://afd-endpoint-xxxxx.z01.azurefd.net
Enter fullscreen mode Exit fullscreen mode

πŸ”— Step 3 β€” Create Origin Group

Now we define where Front Door should send traffic.

AFD_ORIGIN_GROUP="origin-group-appgw"

az afd origin-group create \
  --resource-group $RG \
  --profile-name $AFD_PROFILE \
  --origin-group-name $AFD_ORIGIN_GROUP \
  --probe-request-type GET \
  --probe-protocol Http \
  --probe-interval-in-seconds 30 \
  --probe-path "/" \
  --sample-size 4 \
  --successful-samples-required 3 \
  --additional-latency-in-milliseconds 0
Enter fullscreen mode Exit fullscreen mode

Health probes ensure automatic failover later if needed.

πŸ”Œ Step 4 β€” Add Application Gateway as Origin

We use the App Gateway Public IP as backend.

APPGW_IP=$(az network public-ip show \
  --resource-group $RG \
  --name appgw-pip \
  --query ipAddress \
  --output tsv)

az afd origin create \
  --resource-group $RG \
  --profile-name $AFD_PROFILE \
  --origin-group-name $AFD_ORIGIN_GROUP \
  --origin-name origin-appgw \
  --host-name $APPGW_IP \
  --http-port 80 \
  --https-port 443 \
  --origin-host-header $APPGW_IP \
  --priority 1 \
  --weight 1000
Enter fullscreen mode Exit fullscreen mode

Now Front Door knows where to route traffic.

πŸ”€ Step 5 β€” Create Routing Rule 

az afd route create \
  --resource-group $RG \
  --profile-name $AFD_PROFILE \
  --endpoint-name $AFD_ENDPOINT \
  --route-name route-all \
  --origin-group $AFD_ORIGIN_GROUP \
  --supported-protocols Http Https \
  --forwarding-protocol HttpOnly \
  --https-redirect Enabled \
  --link-to-default-domain Enabled
Enter fullscreen mode Exit fullscreen mode

This connects:

Front Door β†’ Origin Group β†’ Application Gateway

πŸ§ͺ Step 6 β€” Test Global Entry

Get hostname:

az afd endpoint show \
  --resource-group $RG \
  --profile-name $AFD_PROFILE \
  --endpoint-name $AFD_ENDPOINT \
  --query hostName -o tsv
Enter fullscreen mode Exit fullscreen mode

Test:

curl https://<AFD_HOSTNAME>
Enter fullscreen mode Exit fullscreen mode

You should see:

 curl -L -s http://afd-endpoint-dxd8bebma8dbdsed.z01.azurefd.net/ | grep -i "welcome"
<title>Welcome to nginx!</title>
<h1>Welcome to nginx!</h1>
Enter fullscreen mode Exit fullscreen mode

Now traffic flow is:

User β†’ Front Door β†’ App Gateway β†’ AKS β†’ nginx Pod
Enter fullscreen mode Exit fullscreen mode

🧠 What Just Changed?

Before:

Internet β†’ Application Gateway β†’ AKS
Enter fullscreen mode Exit fullscreen mode

After:

Internet β†’ Azure Front Door β†’ Application Gateway β†’ AKS
Enter fullscreen mode Exit fullscreen mode

πŸ”₯ Why This Matters

Feature App Gateway Only With Front Door
Global Anycast ❌ βœ…
Multi-region routing ❌ βœ…
Edge TLS ❌ βœ…
Global failover ❌ βœ…
CDN caching ❌ βœ…

You just transformed a regional ingress into a global SaaS architecture.

🏒 Real-World SaaS Pattern

Large platforms use this layering:

  1. Azure Front Door (global entry)
  2. Regional WAF (Application Gateway)
  3. Kubernetes ingress (AGIC)
  4. Microservices

Benefits:

  • Defense in depth
  • Separation of concerns
  • Independent scaling
  • Enterprise security posture

πŸ’‘ Optional Next Steps

To take this further:

  • Add a second region and origin for active-active routing
  • Enable Front Door WAF
  • Use custom domain + managed TLS
  • Make App Gateway private and use Private Link
  • Add blue/green weighted routing

🧹 Cleanup 

az group delete --name $RG --yes
Enter fullscreen mode Exit fullscreen mode

🎯 Final Thoughts

By adding Azure Front Door in front of AGIC:

You moved from a regional demo
to a production-grade global SaaS architecture.

This pattern is ideal for:

  • Multi-region APIs
  • AI inference endpoints
  • E-commerce platforms
  • Enterprise SaaS

Top comments (0)