This article shows how to use Azure Front Door Premium, Azure Web Application Firewall, and Azure Private Link Service (PLS) to securely expose and protect a workload running in Azure Kubernetes Serv...
Updated Mar 04, 2024
Version 11.0
Blog Post
30 MIN READ
How to expose NGINX Ingress Controller via Azure Front Door and Azure Private Link Service
Hi tnabil, in the Bicep I declared that the VMSSs backing the node pools should spread across availability zones, but I didn't explicitly declare that the frontend IP configuration of the internal load balancer should use availability zones. Actually, the Bicep modules do not create the internal load balancer. The internal load balancer is created when I deploy the NGINX Ingress Controller with the service.beta.kubernetes.io/azure-load-balancer-internal annotation set to true. This tells the Azure cloud provider to create an internal load balancer called kubernetes-internal in the node resource group. Now, if you:
- Created an AKS cluster with node pools across availability zones
- Create an NGINX Ingress Controller with the service.beta.kubernetes.io/azure-load-balancer-internal annotation set to true
the following Azure CLI command:
az resource show --id /subscriptions/<subscription-id>/resourceGroups/<node-resource-group>/providers/Microsoft.Network/loadBalancers/kubernetes-internal --query properties.frontendIPConfigurations[0].zones
returns an array containing the three zones 1, 2, and 3.
[
"1",
"2",
"3"
]
This means that the frontend IP configuration of the internal load balancer is configured to use availability zones as documented in Load Balancer and Availability Zones. Hope this answers your question.