Situation: I have an AKS cluster that I'm trying to load my project into from localhost. When I launch my Ansible scripts to get the project running, I need to log in to openfaas but I encounter this error:
> ...\nCannot connect to OpenFaaS on URL: https:(...).com/faas. Get \"https://(..).com/faas/system/functions\": dial tcp
> xx.xxx.xxx.xxx:xxx: i/o timeout (Client.Timeout exceeded while
> awaiting headers)", "stdout_lines": ["WARNING! Using --password is
> insecure, consider using: cat ~/faas_pass.txt | faas-cli login -u user
> --password-stdin", "Calling the OpenFaaS server to validate the credentials...", "Cannot connect to OpenFaaS on URL:
> https://(...).com/faas. Get
> \"https://(...).com/faas/system/functions\": dial tcp
> xx.xxx.xxx.xxx:xxx: i/o timeout (Client.Timeout exceeded while awaiting headers)"]}
I have a PUBLIC Load Balancer I created from a yaml file and it's linked to the DNS (...).com / IP address of LB created.
My loadbalancer.yml file:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: loadbalancer
spec:
  type: LoadBalancer
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
```
My ingress file:
```yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: openfaas
spec:
  rules:
  - host: (...).com
    http:
      paths:
      - backend:
          service:
            name: openfaas
            port:
              number: 80
        path: /faas
        pathType: Prefix
  tls:
  - hosts:
    - (...).com
    secretName: (...).com
---
```
I haven't found many tutorials that have the same situation or they use internal Load Balancers.
Is this Azure that's blocking the communication? A firewall problem? Do I need to make my LB internal instead of external?
I saw a source online that stated this:
> If you expose a service through the normal LoadBalancer with a public ip, it will not be accessible because the traffic that has not been routed through the azure firewall will be dropped on the way out. Therefore you need to create your service with a fixed internal ip, internal LoadBalancer and route the traffic through the azure firewall both for outgoing and incoming traffic.
>
> https://denniszielke.medium.com/setting-up-azure-firewall-for-analysing-outgoing-traffic-in-aks-55759d188039
But I'm wondering if it's possible to bypass that.
Any help is greatly appreciated!
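
A `dial tcp ... i/o timeout` like the one quoted above means the TCP connection itself never completed, which is a different failure from a refused connection or a TLS or Ingress error. The probe below is an added example, not part of the original post: it classifies a connection attempt from the client machine so the failing layer can be narrowed down. The host name `gateway.example.com`, the ports 80 and 443, and the hint texts are assumptions to be replaced with your own values.

```python
import socket

# Assumed reading of each outcome; adjust to your own network layout.
HINTS = {
    "dns": "name does not resolve: check the DNS record for the gateway host",
    "timeout": "no answer to the TCP SYN: packets are dropped on the way in or "
               "out (NSG or firewall rule, or replies leaving by another route)",
    "refused": "host answers but nothing listens on this port: check the "
               "Service ports",
    "unreachable": "local network error: check routing from this machine",
    "open": "TCP works: look at TLS and the Ingress rules next",
}


def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and return the kind of outcome as a string."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns"
    family, socktype, proto, _, addr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        return "open"
    except socket.timeout:          # SYN sent, nothing came back in time
        return "timeout"
    except ConnectionRefusedError:  # RST received: reachable, no listener
        return "refused"
    except OSError:                 # e.g. network or host unreachable
        return "unreachable"
    finally:
        sock.close()


def probe_ports(host, ports=(80, 443), timeout=3.0):
    """Probe several ports on one host; returns {port: outcome}."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    HOST = "gateway.example.com"  # placeholder: use the DNS name of your LB
    for port, result in probe_ports(HOST).items():
        print(f"{HOST}:{port} -> {result}: {HINTS[result]}")
```

Running it once against the DNS name and once against the load balancer's IP address separates a DNS problem from a network-path problem.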