Exercise 1: Enable the Istio Add-on

In this exercise, you will remove the Application Routing Gateway API add-on, enable Istio using the AKS add-on, confirm the managed control plane is running, and enable an external Istio ingress gateway.

Info

This lab uses sidecar injection because it is the most widely understood Istio data plane model and is supported by the AKS Istio add-on experience. Ambient mesh is covered in the education module, but is not used in this short lab.

Task 1: Remove the Application Routing Gateway API Add-on

In Lab 1 the cluster was created with the Application Routing Gateway API add-on (--enable-app-routing-istio). That add-on deploys its own managed Istio control plane, and the Istio service mesh add-on cannot be enabled at the same time. You must disable it before enabling the service mesh add-on. Once it is removed you will no longer have a managed ingress, which is why this lab stands up an Istio ingress gateway in Task 3.

  1. Disable the Application Routing Gateway API add-on.

    PowerShell:

    az aks update `
      --resource-group $RESOURCE_GROUP `
      --name $AKS_NAME `
      --disable-app-routing-istio

    Bash:

    az aks update \
      --resource-group $RESOURCE_GROUP \
      --name $AKS_NAME \
      --disable-app-routing-istio
  2. Remove the approuting-istio GatewayClass left behind by the add-on so it does not conflict with the service mesh add-on.

    kubectl delete gatewayclass approuting-istio --ignore-not-found
    Tip

    The Managed Gateway API CRDs (--enable-gateway-api) can stay enabled — they are just the Gateway API resource definitions and do not conflict with the Istio service mesh add-on.

Task 2: Enable the Istio Add-on

  1. Enable the Istio service mesh add-on on your AKS cluster.

    PowerShell:

    az aks mesh enable `
      --resource-group $RESOURCE_GROUP `
      --name $AKS_NAME

    Bash:

    az aks mesh enable \
      --resource-group $RESOURCE_GROUP \
      --name $AKS_NAME
  2. Check that the add-on is enabled and that istiod is running.

    PowerShell:

    az aks show `
      --resource-group $RESOURCE_GROUP `
      --name $AKS_NAME `
      --query "serviceMeshProfile.mode" `
      -o tsv

    kubectl get pods -n aks-istio-system

    Bash:

    az aks show \
      --resource-group $RESOURCE_GROUP \
      --name $AKS_NAME \
      --query "serviceMeshProfile.mode" \
      -o tsv

    kubectl get pods -n aks-istio-system

    The Azure CLI command should return Istio, and you should see istiod running in the aks-istio-system namespace.

  3. Store the installed revision in a variable. This revision is used to enable sidecar injection for a namespace.

    PowerShell:

    $ISTIO_REVISION = az aks show `
      --resource-group $RESOURCE_GROUP `
      --name $AKS_NAME `
      --query "serviceMeshProfile.istio.revisions[0]" `
      -o tsv

    Write-Host $ISTIO_REVISION

    Bash:

    ISTIO_REVISION=$(az aks show \
      --resource-group $RESOURCE_GROUP \
      --name $AKS_NAME \
      --query "serviceMeshProfile.istio.revisions[0]" \
      -o tsv)

    echo "$ISTIO_REVISION"

Task 3: Enable an Istio Ingress Gateway

The AKS Istio add-on installs the control plane. For ingress traffic, you also need to enable an Istio ingress gateway.

  1. Enable an external Istio ingress gateway.

    PowerShell:

    az aks mesh enable-ingress-gateway `
      --resource-group $RESOURCE_GROUP `
      --name $AKS_NAME `
      --ingress-gateway-type external

    Bash:

    az aks mesh enable-ingress-gateway \
      --resource-group $RESOURCE_GROUP \
      --name $AKS_NAME \
      --ingress-gateway-type external
  2. Verify that the gateway pods and service are running.

    kubectl get pods -n aks-istio-ingress
    kubectl get service -n aks-istio-ingress
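
The verification steps in Tasks 2 and 3 can be folded into one pass/fail gate that also reports which address the external gateway exposes. This is an added example, not part of the original lab: the function names are hypothetical, and the sample tables are constructed (placeholder revision asm-X-Y, documentation-range IP).

```bash
#!/usr/bin/env bash
# Added example (not part of the lab): one pass/fail gate over the lab's checks.

# Reads a `kubectl get pods` table on stdin. Succeeds only if at least one pod
# is listed and every pod is Running with all of its containers ready.
pods_all_ready() {
  awk '$1 != "NAME" && NF >= 3 {
         n++; split($2, r, "/")
         if ($3 != "Running" || r[1] != r[2]) bad++
       }
       END { exit !(n > 0 && bad == 0) }'
}

# Reads a `kubectl get service` table on stdin and prints the EXTERNAL-IP of
# every LoadBalancer service that has one, i.e. what is reachable from outside.
external_ips() {
  awk '$2 == "LoadBalancer" && $4 != "<pending>" && $4 != "<none>" { print $4 }'
}

# mesh_ready MODE REVISION ISTIOD_PODS INGRESS_PODS INGRESS_SVC
# Prints the exposed IPs on success; explains the first failed check otherwise.
mesh_ready() {
  [ "$1" = "Istio" ] || { echo "mesh mode is '$1', expected Istio" >&2; return 1; }
  [ -n "$2" ] || { echo "no Istio revision reported" >&2; return 1; }
  printf '%s\n' "$3" | pods_all_ready || { echo "istiod is not ready" >&2; return 1; }
  printf '%s\n' "$4" | pods_all_ready || { echo "ingress gateway pods are not ready" >&2; return 1; }
  ips=$(printf '%s\n' "$5" | external_ips)
  [ -n "$ips" ] || { echo "ingress gateway has no external IP yet" >&2; return 1; }
  printf '%s\n' "$ips"
}

# Constructed sample output (placeholder revision asm-X-Y, documentation IP range).
SAMPLE_ISTIOD='NAME                       READY   STATUS    RESTARTS   AGE
istiod-asm-X-Y-aaaa-bbbb   1/1     Running   0          5m'
SAMPLE_GW_PODS='NAME                                        READY   STATUS    RESTARTS   AGE
aks-istio-ingressgateway-external-cccc-dd   0/1     Running   0          20s'
SAMPLE_SVC='NAME                                TYPE           CLUSTER-IP   EXTERNAL-IP    PORT(S)        AGE
aks-istio-ingressgateway-external   LoadBalancer   10.0.12.34   203.0.113.10   80:31380/TCP   1m'

# Demo on the samples: the gateway pod is Running but 0/1 ready, so the gate fails.
mesh_ready Istio asm-X-Y "$SAMPLE_ISTIOD" "$SAMPLE_GW_PODS" "$SAMPLE_SVC" || echo "gate: not ready"

# Live use, with the lab's variables set:
#   mesh_ready "$(az aks show -g "$RESOURCE_GROUP" -n "$AKS_NAME" \
#       --query serviceMeshProfile.mode -o tsv)" "$ISTIO_REVISION" \
#     "$(kubectl get pods -n aks-istio-system)" \
#     "$(kubectl get pods -n aks-istio-ingress)" \
#     "$(kubectl get service -n aks-istio-ingress)"
```

The IP printed on success is the address the external gateway's load balancer exposes, so it is the value to record when reviewing what the cluster makes reachable.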