End to End TLS with Application Gateway + AGIC And Pods Service Discovery Using Azure Private DNS

Hi Microsoft Team,

Lately we have been exploring the powerful add-on AGIC, which fits in the right way with AKS and App Gateway. However, we are trying to figure out some problems we are facing. We are trying to achieve end-to-end TLS (flow: client -> app gateway -> backend pools (AKS + AGIC enabled)).

Also, we have this flow set up in 2 regions. We need to enable communication between applications deployed in AKS clusters in both regions. For this purpose, we have created a Private DNS Zone and added the ExternalDNS add-on (which generally detects the hostname and creates a DNS A record in this private DNS zone). We were able to integrate this ExternalDNS add-on.

Problem 1: When we deploy apps into AKS using hostnames, all the app DNS records are pointing to the App Gateway public IP.

Desired: We need to enable communication between apps deployed into AKS clusters in 2 regions, so that they talk with each region without the App Gateway. Something like using private DNS with an A record mapped to a unique public IP for this application exposed as a Service of type LoadBalancer. We need to accomplish this with AGIC in place (it should not point to the App Gateway public IP; instead it should point to the public IP of the app exposed as a Service of type LoadBalancer).

Problem 2: End-to-end TLS between client and App Gateway:

I believe there are some docs around the same. Does the App Gateway listener have the capability to upload the cert and do TLS encryption between client and App Gateway?

If yes, can we have any related documentation to follow?

Problem 3: End-to-end TLS between App Gateway and AKS:

We have seen some articles on this, and we have figured out 2 things out of this:

a. We can upload certs to App Gateway and, with the help of the AGIC annotation AppGw SSL Certificate, it creates an HTTP listener and updates the App Gateway.

Does this solve end-to-end TLS between App Gateway and AKS pods?

b. We can go to the AKS cluster and, using the Azure CSI driver, reference or mount the certs stored in Azure Key Vault into AKS pods and enable TLS.

Does this solve end-to-end TLS between App Gateway and AKS pods?

Or do we need a + b to solve for end-to-end TLS between App Gateway and AKS?
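Added example, not part of the original post or of any Microsoft sample: one AGIC Ingress that carries both hops of the TLS path (listener certificate for client -> gateway, re-encryption to the pods for gateway -> AKS) next to the Service whose ExternalDNS hostname resolves to the Service's own load balancer IP rather than the gateway's. Hostnames (shop.example.com, shop.example.internal, shop-eastus.example.internal) and certificate names (app-gw-frontend-cert, app-internal-root) are placeholders, and the internal-LB annotation assumes the two regional VNets are peered.

```yaml
# Added example, not from the thread. Placeholders: shop.example.com,
# shop-eastus.example.internal, app-gw-frontend-cert, app-internal-root.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    # (a) client -> gateway: TLS terminates on a certificate already uploaded
    # to the Application Gateway under this name
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: app-gw-frontend-cert
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    # gateway -> pod: re-encrypt; the pod's certificate must match this
    # hostname and chain to the trusted root uploaded to the gateway
    appgw.ingress.kubernetes.io/backend-protocol: https
    appgw.ingress.kubernetes.io/backend-hostname: shop.example.internal
    appgw.ingress.kubernetes.io/appgw-trusted-root-certificate: app-internal-root
spec:
  rules:
  - host: shop.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: shop
            port:
              number: 8443
---
apiVersion: v1
kind: Service
metadata:
  name: shop
  annotations:
    # ExternalDNS publishes this name with the Service's own load balancer IP,
    # so region-to-region calls resolve to it and never touch the gateway
    external-dns.alpha.kubernetes.io/hostname: shop-eastus.example.internal
    # assumption: regional VNets are peered, so an internal LB keeps the
    # cross-region path off the public internet (drop this for a public IP)
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:
    app: shop
  ports:
  - port: 443
    targetPort: 8443
```

Item (a) alone only configures the gateway's listener; it is the backend-protocol annotation plus item (b), the pod behind port 8443 presenting a certificate for shop.example.internal (for instance mounted from Key Vault through the CSI driver), that makes the second hop TLS instead of plain HTTP.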

1 Reply

@vkuma297 For the issues and concerns you described, you should consider using a service mesh product like Linkerd (https://linkerd.io/). This has ingress controller functionality, policy for mTLS, and cross-cluster communication.

Alternatively, look at the availability zones implementation of AKS (https://docs.microsoft.com/en-us/azure/aks/availability-zones), which is different than just creating a base AKS install. This guarantees cross-cluster communication, but would still require extra configuration for mTLS.

By default, with the MS scripts from some of the reference architectures, it's by design that all inbound communication goes through the API Gateway, so some of your behaviour may be expected/by default.