- Sample Test App for AKS
There are multiple use cases in this repo.
Check manifest folder for yaml files. Check api-call-app folder for the sample app, and check external-api-app folder for the external api app.
Example of Application Gateway Ingress Controller with kubenet. The app calls an external API so you can track down the source IP address of the request.
Example of Istio Gateway (service mesh) integrated with AKS. Configured with Internal Load Balancer + Istio Gateway + Istio VirtualService. For more information about Istio Gateway, check this page.
This demo used Azure App Service with Python 3.11 runtime.
Deploy external-api with `SCM_DO_BUILD_DURING_DEPLOYMENT` set to `1` and `pip install -r requirements.txt && python -m uvicorn main:app --host 0.0.0.0` as the startup command.
After deployment, try `curl <YOUR_URL>` to see if it works.
It needs to reply with `{"message":"Hello World"}`.
Python applications need additional code-level settings for Application Insights and logging, so this app uses the `opencensus-ext-azure` library to automatically send logs to Application Insights.
Update the request URL in `main.py` to point to the external API app.

```python
response = requests.get(<YOUR_URL>)
```

```bash
cd api-call-app
docker build -t outbound-test-app .
docker run -p 80:80 outbound-test-app
```

Go to localhost:80 in a browser.
Press the Click me button to see Hello World.
- Create Azure Container Registry
  ```bash
  az acr create --resource-group myResourceGroup --name <acrName> --sku Basic
  ```
- Login to the registry
  ```bash
  az acr login --name <acrName>
  ```
- Get ACR server name.
  ```bash
  az acr list --resource-group myResourceGroup --query "[].{acrLoginServer:loginServer}" --output table
  ```
- Change the image name & tag
  ```bash
  docker tag outbound-test-app <acrLoginServer>/outbound-test-app:v1
  ```
- Push images to registry
  ```bash
  docker push <acrLoginServer>/outbound-test-app:v1
  ```
- Create AKS
  ```bash
  az aks create --resource-group myResourceGroup --name myAKSCluster --node-count 1 --enable-addons monitoring --generate-ssh-keys --attach-acr <acrName>
  ```
- Get AKS credentials
  ```bash
  az aks get-credentials --resource-group myResourceGroup --name myAKSCluster
  ```
- Update manifest file
  ```bash
  vi outbound-test-app.yaml
  ```
  Replace image name with your ACR image name.
  ```yaml
  containers:
  - name: outbound-test-app
    image: <acrLoginServer>/outbound-test-app:v1
  ```
- Deploy app

  i) `outbound-test-config.yml`: Example of `application gateway ingress controller` with `kubenet`
  ```bash
  kubectl apply -f outbound-test-config.yml
  ```
  ii) `internal-lb-test-config.yml`: Example of `internal load balancer` with `application gateway` in front
  ```bash
  kubectl apply -f internal-lb-test-config.yml
  ```
Go to the Web App you deployed earlier. Click Logs in the left menu. Check the HTTP requests logs.
- Check Internal LB
  ```bash
  kubectl get service
  ```
  Get detail info.
  ```bash
  kubectl describe service internal-app
  ```
  The `CLUSTER-IP` shows internal ip address from the service CIDR. The `EXTERNAL-IP` is from the subnet where AKS is actually placed, and it is not a real public ip address. It is the internal ip address of the load balancer which is used to access the backend pools.
- CURL internal load balancer.
  - Create temporary pod to test.
    ```bash
    kubectl run tmp-shell --rm -i --tty --image nicolaka/netshoot -- /bin/bash
    curl http://<INTERNAL LB's EXTERNAL IP>/callapi
    ```
  - Result
    ```
    Hello World!
    ```
- Check AKS logs. Look for container logs.
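The `CLUSTER-IP` / `EXTERNAL-IP` relationship described above can be checked automatically. The following is an added example, not code from this repo: it audits the JSON form of the Service (`kubectl get service internal-app -o json`). The sample Service, the service CIDR `10.0.0.0/16`, the node subnet `10.224.0.0/16` and the public address are constructed values; substitute your cluster's.

```python
import copy
import ipaddress

INTERNAL_ANNOTATION = "service.beta.kubernetes.io/azure-load-balancer-internal"

# Constructed sample, trimmed to the fields of `kubectl get service internal-app -o json`.
SAMPLE_SERVICE = {
    "metadata": {"name": "internal-app",
                 "annotations": {INTERNAL_ANNOTATION: "true"}},
    "spec": {"type": "LoadBalancer", "clusterIP": "10.0.45.12"},
    "status": {"loadBalancer": {"ingress": [{"ip": "10.224.0.7"}]}},
}


def audit_internal_lb(service, service_cidr, node_subnet):
    """Return findings; an empty list means the Service looks internal-only."""
    name = service["metadata"]["name"]
    findings = []
    annotations = service["metadata"].get("annotations") or {}
    if annotations.get(INTERNAL_ANNOTATION, "").lower() != "true":
        findings.append(f"{name}: internal load balancer annotation is not set")

    cluster_ip = ipaddress.ip_address(service["spec"]["clusterIP"])
    if cluster_ip not in ipaddress.ip_network(service_cidr):
        findings.append(f"{name}: CLUSTER-IP {cluster_ip} is outside {service_cidr}")

    ingress = (service.get("status", {}).get("loadBalancer") or {}).get("ingress") or []
    if not ingress:
        findings.append(f"{name}: EXTERNAL-IP is still pending")
    for entry in ingress:
        ip = ipaddress.ip_address(entry["ip"])
        if ip not in ipaddress.ip_network(node_subnet):
            findings.append(f"{name}: EXTERNAL-IP {ip} is outside subnet {node_subnet}")
        if ip.is_global:
            findings.append(f"{name}: EXTERNAL-IP {ip} is publicly routable")
    return findings


def public_variant(service, public_ip="20.50.60.70"):
    """Constructed counter-example: same Service without the annotation, on a public IP."""
    exposed = copy.deepcopy(service)
    exposed["metadata"]["annotations"] = {}
    exposed["status"]["loadBalancer"]["ingress"] = [{"ip": public_ip}]
    return exposed


if __name__ == "__main__":
    for svc in (SAMPLE_SERVICE, public_variant(SAMPLE_SERVICE)):
        print(audit_internal_lb(svc, "10.0.0.0/16", "10.224.0.0/16") or "internal only")
```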
Follow this document to enable Service Mesh add-on and deploy sample application with sidecar injection enabled.
istio-internal-config.yml
- Choose HTTP/HTTPS. Open `istio-internal-config.yml` and uncomment the protocol you want to use.
  ```yaml
  - port:
      # HTTPS: with mode SIMPLE, TLS is terminated at the gateway using the credentialName secret
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: https-secret
      # HTTP
      # number: 80
      # name: http
      # protocol: HTTP
  ```
- If you want to make it HTTPS, you need to create a secret called `https-secret`. This should be a TLS certificate and key pair. If it is signed by a certified CA, such as Google, the CA certificate should be included in the secret along with the server certificate and key pair.
- If it is not signed by a CA and you want to make your own CA, you should set up the CA certificate & key pair first. This procedure can use the AKS custom CA add-on.
- After that, create a server certificate and key pair signed by the CA. Then, create a secret with the CA certificate, server certificate and key pair.
  ```bash
  kubectl create -n aks-istio-ingress secret tls https-secret --key=<KEYFILE> --cert=<CERTFILE>
  ```
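A common failure after this step is a Gateway whose `credentialName` does not resolve, because Istio looks the secret up in the ingress gateway's own namespace. The following is an added example, not code from this repo: it checks a Gateway server entry against Secret objects (JSON shape of `kubectl get secret -o json`). It assumes the `kubernetes.io/tls` secret created by the command above and the CA-in-bundle layout this page describes; the PEM bodies and key are constructed placeholders.

```python
import base64

INGRESS_NAMESPACE = "aks-istio-ingress"  # namespace from the kubectl command above
PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"


def _b64(text):
    return base64.b64encode(text.encode()).decode()


def fake_pem(label):
    """Constructed stand-in for a PEM certificate; the body is not real certificate data."""
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"


def make_secret(name, namespace, cert_bundle):
    """Constructed Secret in the shape `kubectl create secret tls` produces."""
    return {"metadata": {"name": name, "namespace": namespace},
            "type": "kubernetes.io/tls",
            "data": {"tls.crt": _b64(cert_bundle), "tls.key": _b64("constructed-key")}}


# Constructed Gateway server entry matching the HTTPS block in istio-internal-config.yml.
SAMPLE_SERVER = {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                 "tls": {"mode": "SIMPLE", "credentialName": "https-secret"}}


def check_gateway_tls(server, secrets):
    """Return problems with the Secret that a Gateway server's credentialName points at."""
    if server["port"]["protocol"] != "HTTPS":
        return []  # the plain HTTP variant references no Secret
    wanted = (server.get("tls") or {}).get("credentialName")
    if not wanted:
        return ["HTTPS server has no tls.credentialName"]
    found = [s for s in secrets if s["metadata"]["name"] == wanted
             and s["metadata"].get("namespace") == INGRESS_NAMESPACE]
    if not found:
        return [f"secret {wanted} not found in namespace {INGRESS_NAMESPACE}"]
    secret, problems = found[0], []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"secret {wanted} is not of type kubernetes.io/tls")
    data = secret.get("data") or {}
    if not data.get("tls.key"):
        problems.append("tls.key is missing")
    certs = base64.b64decode(data.get("tls.crt", "")).count(PEM_BEGIN)
    if certs == 0:
        problems.append("tls.crt contains no PEM certificate")
    elif certs == 1:
        problems.append("tls.crt has the server certificate only, no CA certificate")
    return problems
```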
If you deployed a `private` AKS cluster, follow this step. If it's public, skip to this step.
- Use `invoke command` to get the IP address of the internal load balancer.
  ```bash
  az aks command invoke -g $RESOURCE_GROUP -n $CLUSTER --command "kubectl get svc aks-istio-ingressgateway-internal -n aks-istio-ingress"
  ```

This step is for a `public` AKS cluster.
- Use `kubectl get svc` to get the IP address of the internal load balancer.
  ```bash
  kubectl get svc aks-istio-ingressgateway-internal -n aks-istio-ingress
  ```

Retrieve the EXTERNAL_IP address.
- For a private cluster, use an additional VM inside the same VNet as the AKS cluster to run curl.
  ```bash
  curl -v "https://10.1.1.8:443"
  ```
  OR
  ```bash
  curl -v "http://10.1.1.8:80"
  ```
- For a public cluster, run curl from anywhere you want.
  ```bash
  curl -v "https://10.1.1.8:443"
  ```
  OR
  ```bash
  curl -v "http://10.1.1.8:80"
  ```

