Quickstart: Create Application Gateway for Containers managed by ALB Controller
This guide assumes you're following the managed by ALB Controller deployment strategy, where all the Application Gateway for Containers resources are managed by ALB Controller and their lifecycle is determined by the resources defined in Kubernetes. ALB Controller creates the Application Gateway for Containers resource when an ApplicationLoadBalancer custom resource is defined on the cluster, and the Application Gateway for Containers resource lives and dies with that custom resource.
Ensure you have first deployed ALB Controller into your Kubernetes cluster. See Quickstart: Deploy Application Gateway for Containers ALB Controller if you haven't already deployed the ALB Controller.
If you don't have a subnet available with at least 250 available IP addresses and delegated to the Application Gateway for Containers resource, use the following steps to create a new subnet and enable subnet delegation. The new subnet address space can't overlap any existing subnets in the VNet.
If you wish to deploy Application Gateway for Containers into the virtual network containing your AKS cluster, run the following commands to find the cluster's virtual network and store its name, resource group and ID in variables. These values are used in the next step.
```bash
AKS_NAME='<your cluster name>'
RESOURCE_GROUP='<your resource group name>'
MC_RESOURCE_GROUP=$(az aks show --name $AKS_NAME --resource-group $RESOURCE_GROUP --query "nodeResourceGroup" -o tsv)
CLUSTER_SUBNET_ID=$(az vmss list --resource-group $MC_RESOURCE_GROUP --query '[0].virtualMachineProfile.networkProfile.networkInterfaceConfigurations[0].ipConfigurations[0].subnet.id' -o tsv)
read -d '' VNET_NAME VNET_RESOURCE_GROUP VNET_ID <<< $(az network vnet show --ids $CLUSTER_SUBNET_ID --query '[name, resourceGroup, id]' -o tsv)
```
Run the following command to create a new subnet containing at least 250 available IP addresses and enable subnet delegation for the Application Gateway for Containers association resource:
```bash
SUBNET_ADDRESS_PREFIX='<network address and prefix for an address space under the vnet that has at least 250 available addresses (/24 or larger subnet)>'
ALB_SUBNET_NAME='subnet-alb' # subnet name can be any non-reserved subnet name (e.g. GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet would all be invalid)
az network vnet subnet create \
  --resource-group $VNET_RESOURCE_GROUP \
  --vnet-name $VNET_NAME \
  --name $ALB_SUBNET_NAME \
  --address-prefixes $SUBNET_ADDRESS_PREFIX \
  --delegations 'Microsoft.ServiceNetworking/trafficControllers'
ALB_SUBNET_ID=$(az network vnet subnet show --name $ALB_SUBNET_NAME --resource-group $VNET_RESOURCE_GROUP --vnet-name $VNET_NAME --query '[id]' --output tsv)
```
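Before running `az network vnet subnet create`, it is worth checking the candidate subnet offline against the three rules stated above: at least 250 usable addresses (Azure reserves five addresses per subnet, so a /24 leaves 251), no overlap with subnets already in the VNet, and a non-reserved name. The following is an added example and not part of the Azure documentation; the prefixes and names in it are constructed sample values.

```python
# Added example (not from the Azure docs): offline pre-flight check for the subnet that
# will hold the Application Gateway for Containers association. Sample values are constructed.
import ipaddress

# Azure reserves 5 addresses in every subnet (network, 3 for platform services, broadcast).
AZURE_RESERVED_PER_SUBNET = 5
MIN_AVAILABLE = 250
RESERVED_SUBNET_NAMES = {"GatewaySubnet", "AzureFirewallSubnet", "AzureBastionSubnet"}


def usable_addresses(prefix: str) -> int:
    """Number of addresses Azure lets you allocate in a subnet of this size."""
    net = ipaddress.ip_network(prefix, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def validate_alb_subnet(name: str, prefix: str, existing_prefixes: list) -> list:
    """Return a list of problems; an empty list means the subnet is acceptable."""
    problems = []
    if name in RESERVED_SUBNET_NAMES:
        problems.append(f"{name} is a reserved subnet name")
    try:
        candidate = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        # e.g. host bits set in the prefix: not a valid subnet definition at all
        return problems + [f"invalid prefix {prefix!r}: {exc}"]
    available = usable_addresses(prefix)
    if available < MIN_AVAILABLE:
        problems.append(f"{prefix} has only {available} usable addresses; need {MIN_AVAILABLE} (/24 or larger)")
    for existing in existing_prefixes:
        if candidate.overlaps(ipaddress.ip_network(existing, strict=False)):
            problems.append(f"{prefix} overlaps existing subnet {existing}")
    return problems


if __name__ == "__main__":
    # Constructed sample VNet: an AKS node subnet already occupies 10.224.0.0/16.
    existing = ["10.224.0.0/16"]
    for name, prefix in [("subnet-alb", "10.225.0.0/24"), ("subnet-alb", "10.224.1.0/24"),
                         ("subnet-alb", "10.225.0.0/25"), ("GatewaySubnet", "10.225.0.0/24")]:
        print(name, prefix, validate_alb_subnet(name, prefix, existing) or "OK")
```

The existing prefixes can be fed in from `az network vnet subnet list --query '[].addressPrefix' -o tsv` for the VNet found in the previous step.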
ALB Controller needs the ability to provision new Application Gateway for Containers resources and to join the subnet intended for the Application Gateway for Containers association resource.
In this example, we assign the AppGw for Containers Configuration Manager role at the scope of the managed cluster's node resource group, and assign the Network Contributor role at the scope of the subnet used for the Application Gateway for Containers association. Network Contributor contains the Microsoft.Network/virtualNetworks/subnets/join/action permission that the controller needs to join that subnet.
If desired, you can create and assign a custom role containing only the Microsoft.Network/virtualNetworks/subnets/join/action permission, which avoids granting the other permissions included in the Network Contributor role. Learn more about managing subnet permissions.
```bash
IDENTITY_RESOURCE_NAME='azure-alb-identity'
MC_RESOURCE_GROUP=$(az aks show --name $AKS_NAME --resource-group $RESOURCE_GROUP --query "nodeResourceGroup" -otsv | tr -d '\r')
mcResourceGroupId=$(az group show --name $MC_RESOURCE_GROUP --query id -otsv)
principalId=$(az identity show -g $RESOURCE_GROUP -n $IDENTITY_RESOURCE_NAME --query principalId -otsv)

# Delegate AppGw for Containers Configuration Manager role to AKS Managed Cluster RG
az role assignment create --assignee-object-id $principalId --assignee-principal-type ServicePrincipal --scope $mcResourceGroupId --role "fbc52c3f-28ad-4303-a892-8a056630b8f1"

# Delegate Network Contributor permission for join to association subnet
az role assignment create --assignee-object-id $principalId --assignee-principal-type ServicePrincipal --scope $ALB_SUBNET_ID --role "4d97b98b-1d4f-4787-a291-c67834d212e7"
```
- Define the Kubernetes namespace for the ApplicationLoadBalancer resource:

```bash
kubectl apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: alb-test-infra
EOF
```
- Define the ApplicationLoadBalancer resource, specifying the ID of the subnet the Application Gateway for Containers association resource should deploy into. The association establishes connectivity from Application Gateway for Containers to the defined subnet (and to connected networks where applicable) so that it can proxy traffic to a defined backend.
Note: when the ALB Controller creates the Application Gateway for Containers resources in ARM, it uses the following naming conventions for its resources:
- alb-<8 randomly generated characters> for the Application Gateway for Containers resource
- as-<8 randomly generated characters> for the association resource

If you would like to choose the names of the resources created in Azure, consider following the bring your own deployment strategy instead.
Run the following command to create the Application Gateway for Containers resource and association:

```bash
kubectl apply -f - <<EOF
apiVersion: alb.networking.azure.io/v1
kind: ApplicationLoadBalancer
metadata:
  name: alb-test
  namespace: alb-test-infra
spec:
  associations:
  - $ALB_SUBNET_ID
EOF
```
Once the ApplicationLoadBalancer resource has been created, you can track the deployment progress of the Application Gateway for Containers resources. The deployment transitions from the InProgress state to the Programmed state when provisioning has completed. It can take 5-6 minutes for the Application Gateway for Containers resources to be created.
You can check the status of the ApplicationLoadBalancer resource by running the following command:
```bash
kubectl get applicationloadbalancer alb-test -n alb-test-infra -o yaml -w
```
Example output, as reported by Kubernetes, for a successfully provisioned Application Gateway for Containers resource:

```yaml
status:
  conditions:
  - lastTransitionTime: "2023-06-19T21:03:29Z"
    message: Valid Application Gateway for Containers resource
    observedGeneration: 1
    reason: Accepted
    status: "True"
    type: Accepted
  - lastTransitionTime: "2023-06-19T21:03:29Z"
    message: alb-id=/subscriptions/xxx/resourceGroups/yyy/providers/Microsoft.ServiceNetworking/trafficControllers/alb-zzz
    observedGeneration: 1
    reason: Ready
    status: "True"
    type: Deployment
```
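If you want to script the wait instead of watching the YAML by hand, the same status can be read with `-o json` and evaluated programmatically. The following is an added example, not part of the Azure documentation: it decides whether both conditions report success and extracts the ARM ID of the created resource from the Deployment condition's `alb-id=` message. The sample status is constructed after the example output above.

```python
# Added example (not from the Azure docs): evaluate the status of an ApplicationLoadBalancer
# object as returned by `kubectl get applicationloadbalancer <name> -n <ns> -o json`.
import json
import re
from typing import Optional

# Constructed sample, modelled on the docs' example output (placeholder ids xxx/yyy/zzz kept).
SAMPLE_STATUS = json.loads("""{"status": {"conditions": [
 {"lastTransitionTime": "2023-06-19T21:03:29Z", "message": "Valid Application Gateway for Containers resource",
  "observedGeneration": 1, "reason": "Accepted", "status": "True", "type": "Accepted"},
 {"lastTransitionTime": "2023-06-19T21:03:29Z",
  "message": "alb-id=/subscriptions/xxx/resourceGroups/yyy/providers/Microsoft.ServiceNetworking/trafficControllers/alb-zzz",
  "observedGeneration": 1, "reason": "Ready", "status": "True", "type": "Deployment"}]}}""")

ALB_ID_PATTERN = re.compile(
    r"alb-id=(/subscriptions/\S+/providers/Microsoft\.ServiceNetworking/trafficControllers/[^\s,]+)")


def condition(obj: dict, cond_type: str) -> Optional[dict]:
    """Return the status condition of the given type, or None if it is not reported yet."""
    for c in obj.get("status", {}).get("conditions", []):
        if c.get("type") == cond_type:
            return c
    return None


def is_programmed(obj: dict) -> bool:
    """True once the spec was accepted and the Deployment condition reports Ready."""
    accepted = condition(obj, "Accepted")
    deployment = condition(obj, "Deployment")
    return (accepted is not None and accepted.get("status") == "True"
            and deployment is not None and deployment.get("status") == "True"
            and deployment.get("reason") == "Ready")


def alb_resource_id(obj: dict) -> Optional[str]:
    """Extract the trafficControllers ARM id from the Deployment condition message."""
    deployment = condition(obj, "Deployment")
    if deployment is None:
        return None
    m = ALB_ID_PATTERN.search(deployment.get("message", ""))
    return m.group(1) if m else None


if __name__ == "__main__":
    print("programmed:", is_programmed(SAMPLE_STATUS))
    print("alb id:", alb_resource_id(SAMPLE_STATUS))
```

A wait loop can poll `kubectl ... -o json`, parse it with `json.loads`, and stop once `is_programmed` returns True; the returned ID is the resource to inspect in Azure, for example with `az network alb show --ids`.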
Congratulations, you have installed ALB Controller on your cluster and deployed the Application Gateway for Containers resources in Azure!
Try out a few of the how-to guides to deploy a sample application demonstrating some of Application Gateway for Containers' load balancing concepts.