2

I am a little confused while reading an article on the AKS Application Gateway Ingress Controller. With this add-on, we can leverage the native Azure Application Gateway layer 7 capability, and that is a good thing. However, the confusion is where it says that the Application Gateway talks to pods using their private IP directly. Moreover, they have added the flow picture, and here is the difference between those two pictures: one with Kubernetes, which routes from the ingress to the service and from the service to the pod, whereas the AKS gateway sends the traffic to the pod directly.

So, where do the Kubernetes Services come into play when we use the AKS Application Gateway Ingress Controller? Because it has the pod private IP directly and sends the traffic there. Also, when a pod dies or a new pod is added, the gateway backend pool list is auto-updated. So what is the use of a Kubernetes Service then?


Harsh Manvar
Brijesh Shah

1 Answer

2

Kubernetes is a highly extensible and customizable platform. Bring in the cloud providers, and they will extend and customize it even more. There are tens of options you can use to implement ingress in Kubernetes, AGIC being one such option provided by Azure (which actually makes a lot of sense for their existing App Gateway customers).

When you implement AGIC on Azure AKS, it uses Azure CNI networking, which allocates IP addresses to the pods directly from the Azure VNet. Hence the App Gateway is able to reach the pods directly.

Kubernetes Services abstract a set of Pods as a network service and load balance among them. You are absolutely right: with AGIC, the App Gateway performs the job of Kubernetes Services for the north/south traffic, hence Services are redundant in this case, which is your first diagram. The second diagram is more generic and applicable to a wide variety of ingress controllers.

However, keep in mind that the cluster will also have east/west traffic, where the pods talk to each other and/or to other components within the cluster to solve a business problem. This traffic should always go via Services and not through pod IP addresses.

YK1
  • Thanks, TK1, for the link reference, and yes, there is a wide variety of options available in Kubernetes, which makes it more flexible. Again, thanks for reminding me about east/west traffic, which still requires communication through a Service rather than pod IPs. – Brijesh Shah Sep 08 '22 at 12:53
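As an added example (not from the question or the answer above), here is how the two pieces fit together in a manifest: the Ingress still references a ClusterIP Service, which AGIC resolves to its Endpoints (the pod IPs) when it programs the App Gateway backend pool, while in-cluster callers keep using the Service name for east/west traffic. The namespace `shop`, the name `orders` and a Deployment whose pods carry the label `app: orders` and listen on 8080 are assumptions.

```yaml
# Added example, not from the original post. Assumes a Deployment in
# namespace "shop" whose pods are labelled app: orders and listen on 8080.
#
# The Service stays even with AGIC: the Ingress below points at it, AGIC
# resolves it to its Endpoints (pod IPs) for the App Gateway backend pool,
# and in-cluster (east/west) callers reach the pods through
# orders.shop.svc.cluster.local instead of hard-coding pod IPs.
apiVersion: v1
kind: Service
metadata:
  name: orders
  namespace: shop
spec:
  type: ClusterIP
  selector:
    app: orders
  ports:
    - port: 80
      targetPort: 8080
---
# The AGIC annotation hands this Ingress to the App Gateway; external
# (north/south) traffic then bypasses the Service's virtual IP and is
# load balanced by the gateway straight to the pod IPs it learned above.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orders
  namespace: shop
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
    - http:
        paths:
          - path: /orders
            pathType: Prefix
            backend:
              service:
                name: orders
                port:
                  number: 80
```

To confirm the relationship described in the answer, `kubectl get endpoints orders -n shop` lists the same pod IPs that appear in the App Gateway backend pool, and they change together as pods are added or removed.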