Ingress Options

Azure Kubernetes Service (AKS) supports a wide range of ingress controllers, giving you flexibility in how you expose your applications. You can deploy and manage any Kubernetes Ingress or Gateway API controller yourself, but Azure also offers managed options that simplify deployment and integration.

Self-Managed vs. Azure-Managed Ingress

You can install any open-source ingress controller (such as Nginx, Traefik, or Istio) or Gateway API implementation by deploying it directly into your cluster. This gives you full control over configuration and upgrades, but also means you are responsible for maintenance, scaling, and integration. Alternatively, Azure provides managed ingress solutions that handle much of the operational overhead for you. These options are tightly integrated with Azure networking and security features, making them easier to set up and maintain for many scenarios.

Managed Ingress Options

Azure offers several managed ingress solutions that simplify the process of exposing applications running in AKS. These options are managed by Azure, meaning you don’t have to worry about the underlying infrastructure or scaling.

Managed Nginx (Application Routing Addon)

Azure’s Application Routing Addon provides a fully managed Nginx ingress controller. It’s easy to enable during AKS cluster creation or on an existing cluster. Azure handles deployment, scaling, and integration with Azure DNS and SSL certificates, making it ideal for teams who want a quick, low-maintenance ingress solution.

Benefits:

• Simple to set up and use
• Automatic DNS integration with Azure DNS
• Automatic SSL certificate management with Azure Key Vault
• Managed scaling and updates

Limitations:

• Less customizable than self-managed Nginx
• Limited to HTTP/HTTPS
• Limited to five Azure DNS zones
• Uses Ingress rather than Gateway API

Application Gateway for Containers

Application Gateway for Containers is Azure’s newest, Kubernetes-native ingress solution, based on the Kubernetes Gateway API. This solution allows you to use Azure Application Gateway as a fully managed ingress controller, providing advanced features like Web Application Firewall (WAF), SSL offload, and path-based routing. The creation of resources in Application Gateway is fully automated, and it integrates seamlessly with Azure networking.

Application Gateway for Containers can use an existing Application Gateway instance, or it can deploy a new instance for you.

Benefits:

• Kubernetes-native management and scaling
• Deep Azure integration
• Integrated WAF and SSL offload
• Traffic Splitting
• Scaleable ingress resources

Limitations:

• Limited to HTTP/HTTPS
• Additional cost for Application Gateway
• Limited region support

App Gateway Ingress Controller (AGIC)

AGIC is the previous iteration of Application Gateway integration with AKS. This is based on the Ingress API and whilst still supported, it is recommended that new installations implement the newer Application Gateway for Containers solution.

Istio Ingress Gateway

Istio is a powerful, open-source service mesh that includes its own ingress gateway. Deploying Istio in AKS gives you advanced traffic management, security, and observability features.

Istio can be installed either through a managed AKS add-on, or from the open source solution. The managed add-on is the simplest solution for deploying Istio, however it does not support all features of the full open source Istio solution. The gateway feature of the Istio add-on does require additional configuration to enable.

Benefits:

• Full service mesh capabilities
• Advanced routing, security, and telemetry
• Supports HTTP, HTTPS, and TCP
• Integrates with Istio’s service mesh features

Limitations:

• More complex to set up and manage
• Requires additional resources for Istio control plane
• Requires additional understanding of Istio concepts for full utilisation