Ingress Options

Azure Kubernetes Service (AKS) supports a wide range of ingress controllers, giving you flexibility in how you expose your applications. You can deploy and manage any Kubernetes Ingress or Gateway API controller yourself, but Azure also offers managed options that simplify deployment and integration.

Self-Managed vs. Azure-Managed Ingress

You can install any open-source ingress controller (such as Nginx, Traefik, or Istio) or Gateway API implementation by deploying it directly into your cluster. This gives you full control over configuration and upgrades, but also means you are responsible for maintenance, scaling, and integration. Alternatively, Azure provides managed ingress solutions that handle much of the operational overhead for you. These options are tightly integrated with Azure networking and security features, making them easier to set up and maintain for many scenarios.

Managed Ingress Options

Azure offers several managed ingress solutions that simplify the process of exposing applications running in AKS. These options are managed by Azure, meaning you don’t have to worry about the underlying infrastructure or scaling.

Ingress OptionKey FeaturesBest ForGateway API or Ingress
Application Routing Add-on – Gateway API (approuting-istio)Managed, Istio-based, auto-scalingSimplicity, quick start, new appsGateway API
Managed Nginx (Application Routing Add-on) – deprecatedEasy setup, auto-scaling, SSLExisting apps (migrate by Nov 2026)Ingress
App Gateway for ContainersKubernetes-native, scalableModern, cloud-native workloadsGateway API
App Gateway Ingress Controller (AGIC)WAF, SSL offload, path-based rulesLegacy Ingress solutionIngress
Istio Ingress GatewayService mesh, advanced routingMicroservices, service meshGateway API

Application Routing Add-on with Gateway API

The Application Routing Add-on now supports the Kubernetes Gateway API, and this is the recommended managed ingress option for new clusters. It is the successor to the older managed Nginx implementation. Rather than deploying Nginx, this implementation deploys a managed Istio control plane that provisions and manages the infrastructure behind your Gateway API resources. You interact with it purely through standard Gateway API resources (Gateway and HTTPRoute) using the approuting-istio GatewayClass — you do not work with Istio directly, and sidecar injection and Istio CRDs are not part of this add-on.

Benefits:

  • Managed, auto-scaling control plane (HPA and PodDisruptionBudget per gateway)
  • Uses the future-proof Gateway API instead of the legacy Ingress API
  • Standard, portable Gateway / HTTPRoute resources with role-based separation
  • Upgraded in-place automatically with your AKS Kubernetes version

Limitations:

  • Requires the Managed Gateway API installation (--enable-gateway-api) and azure-cli 2.86.0 or higher
  • Cannot be enabled at the same time as the Istio service mesh add-on — they each deploy their own Istio control plane
  • Azure DNS / Key Vault TLS automation is configured differently than the Nginx add-on (TLS termination is set up per Gateway)
Tip

Enable this add-on with az aks create/az aks update using --enable-gateway-api --enable-app-routing-istio. The GatewayClass to reference in your Gateway resources is approuting-istio. You use it in Lab 1 .

Managed Nginx (Application Routing Add-on)

Warning

The managed Nginx implementation of the Application Routing Add-on is deprecated and will stop receiving Azure support after November 2026. If you are using it, you must migrate to the Application Routing Add-on with Gateway API (or another supported implementation) before then. New clusters should use the Gateway API implementation above.

Azure’s Application Routing Add-on originally provided a fully managed Nginx ingress controller. It’s easy to enable during AKS cluster creation or on an existing cluster. Azure handles deployment, scaling, and integration with Azure DNS and SSL certificates, making it a quick, low-maintenance ingress solution.

Benefits:

  • Simple to set up and use
  • Automatic DNS integration with Azure DNS
  • Automatic SSL certificate management with Azure Key Vault
  • Managed scaling and updates

Limitations:

  • Deprecated — loses Azure support after November 2026
  • Less customizable than self-managed Nginx
  • Limited to HTTP/HTTPS
  • Limited to five Azure DNS zones
  • Uses the legacy Ingress API rather than Gateway API
Info

Managed Nginx is still the default option deployed when using AKS Automatic. You are able to deploy additional ingress controllers alongside it if required.

Application Gateway for Containers

Application Gateway for Containers is Azure’s newest, Kubernetes-native ingress solution, based on the Kubernetes Gateway API. This solution allows you to use Azure Application Gateway as a fully managed ingress controller, providing advanced features like Web Application Firewall (WAF), SSL offload, and path-based routing. The creation of resources in Application Gateway is fully automated, and it integrates seamlessly with Azure networking.

Application Gateway for Containers can use an existing Application Gateway instance, or it can deploy a new instance for you.

Benefits:

  • Kubernetes-native management and scaling
  • Deep Azure integration
  • Integrated WAF and SSL offload
  • Traffic Splitting
  • Scaleable ingress resources

Limitations:

  • Limited to HTTP/HTTPS
  • Additional cost for Application Gateway
  • Limited region support

App Gateway Ingress Controller (AGIC)

AGIC is the previous iteration of Application Gateway integration with AKS. This is based on the Ingress API and whilst still supported, it is recommended that new installations implement the newer Application Gateway for Containers solution.

Istio Ingress Gateway

Istio is a powerful, open-source service mesh that includes its own ingress gateway. Deploying Istio in AKS gives you advanced traffic management, security, and observability features.

Istio can be installed either through a managed AKS add-on, or from the open source solution. The managed add-on is the simplest solution for deploying Istio, however it does not support all features of the full open source Istio solution. The gateway feature of the Istio add-on does require additional configuration to enable.

Benefits:

  • Full service mesh capabilities
  • Advanced routing, security, and telemetry
  • Supports HTTP, HTTPS, and TCP
  • Integrates with Istio’s service mesh features

Limitations:

  • More complex to set up and manage
  • Requires additional resources for Istio control plane
  • Requires additional understanding of Istio concepts for full utilisation