AKS: Configure TLS termination with the http application routing addon

When you install a AKS cluster you can configure it to deploy the http application routing addon or you you can update an existing cluster to deploy it.

Either way you end up with an NGINX Ingress Controller running, in the kube-system namespace of your cluster, with the following properties:

  • ingress-class: addon-http-application-routing
  • annotations-prefix: nginx.ingress.kubernetes.io

Does this means that you can use this controller for TLS termination? The answer is yes! And you can also use rate limits, and whitelisting as described in my post Secure your Kubernetes services with NGINX ingress controller, tls and more.

So to try it out, follow steps 2 and 5 of the previous post, but be sure to replace the contents of the ingress_rules.yaml file with the following yaml (Don’t forget to replace the DNS Zone Name):

 1apiVersion: extensions/v1beta1
 2kind: Ingress
 3metadata:
 4  name: dni-function
 5  namespace: default
 6  annotations:
 7    kubernetes.io/ingress.class: addon-http-application-routing
 8    nginx.ingress.kubernetes.io/rewrite-target: /
 9spec:
10  tls:
11  - hosts:
12    - dni-function.<YOUR CLUSTERS DNS ZONE NAME>
13    secretName: tls-secret
14  rules:
15  - host: dni-function.<YOUR CLUSTERS DNS ZONE NAME>
16    http:
17      paths:
18      - path: /
19        backend:
20          serviceName: dni-function
21          servicePort: 80

Note that the kubernetes.io/ingress.class value must be: addon-http-application-routing

Once you have tls working go ahead and try rate limits and whitelisting!

Hope it helps.

Please download all code and files here and be sure to check the online documentation to learn more about the annotations and other NGINX features.


Prepare yourself to work in Cloud
Updated Step by step: Serilog with ASP.NET Core
comments powered by Disqus