Connect Azure Front Door with AKS services within the private VNet network
Dive into a straightforward guide on linking Azure Front Door with AKS services inside a private VNET. Improve web app delivery and boost Azure security with these simple steps.
Introduction
In this blog, I will show you how to set up Azure Front Door with AKS within a private VNet network. The main objective of this blog is to show you how you can connect Azure Front Door with privately deployed AKS services. In this blog, I will guide you with an example using a basic Nginx image and Kubernetes service.
On a high level, these are necessary steps considering you have deployed your private AKS cluster.
- Deploy nginx and corresponding private nginx service
- Deploy Azure Front Door and connect Azure Front Door with private nginx service
- Test everything
Deploy nginx and corresponding private nginx service
Deploy simple Nginx deployment
<pre class="codeWrap"><code>cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: deploy
spec:
selector:
matchLabels:
app: deploy
replicas: 1
template:
metadata:
labels:
app: deploy
spec:
containers:
- name: deploy
image: nginx
ports:
- containerPort: 80
EOF
</code></pre>
Deploy private nginx Kubernetes service
<pre class="codeWrap"><code>cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
name: nginx-lb
annotations:
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
service.beta.kubernetes.io/azure-pls-create: "true"
service.beta.kubernetes.io/azure-pls-name: nginx-pls
service.beta.kubernetes.io/azure-pls-ip-configuration-subnet: aks-subnet
spec:
selector:
app: deploy
ports:
- protocol: TCP
port: 80
type: LoadBalancer
EOF
</code></pre>
With this yaml file, we are creating a private link service called “nginx-pls”. We need to create a private link service in order to connect Azure Front Door with private service within the private network. To learn more about private link service and how it works, check out this blog.
<span id="test" class="kool-class" style="color: #E4474C; background-color: #E9E9E6; border-radius: 5px; padding: 5px;" fs-test-element="test">service.beta.kubernetes.io/azure-pls-ip-configuration-subnet: aks-subnet</span> is referring to a subnet where a private IP address of Kubernetes nginx service will be deployed. You can choose any subnets inside your virtual network where is your AKS deployed for this.
<img src="https://assets-global.website-files.com/64d4f32bbf4bcd247875f1b1/6539f975ad514fe89ff00f2a_Azure-Front-Door-with-AKS-1.png" alt="Azure-Front-Door-with-AKS-1">
You can check in “Private Link Center” by clicking “Private link services” if your nginx private link service was successfully deployed.
<img src="https://assets-global.website-files.com/64d4f32bbf4bcd247875f1b1/6539f9757eb6fd8866772f6a_Azure-Front-Door-with-AKS-2.png" alt="Azure-Front-Door-with-AKS-2">
Deploy Azure Front Door
For this tutorial, we will deploy Azure Front Door with the Custom Create option
<img src="https://assets-global.website-files.com/64d4f32bbf4bcd247875f1b1/6539f975df89487c47957621_Azure-Front-Door-with-AKS-3.png" alt="Azure-Front-Door-with-AKS-3">
We need to use the “Premium” Tier option because it supports private links while the “Standard” option does not support it. We are using private links while we are creating Kubernetes yaml file for an nginx service since it will be a private service within the private network.
<img src="https://assets-global.website-files.com/64d4f32bbf4bcd247875f1b1/6539f975df89487c47957624_Azure-Front-Door-with-AKS-4.png" alt="Azure-Front-Door-with-AKS-4">
We will skip the “Secrets” option in this tutorial
In the following screenshots, we will create Endpoint, add a route, create an origin group, create an origin, and connect our nginx service with Azure Front Door.
Also, in order to have a working Nginx, a few things need to be taken care of. The liveliness probe should be the “GET” method, and “Forwarding protocol” should be “HTTP only”.
<img src="https://assets-global.website-files.com/64d4f32bbf4bcd247875f1b1/6539f975ad1be5bbb9123865_Azure-Front-Door-with-AKS-5.png" alt="Azure-Front-Door-with-AKS-5">
<img src="https://assets-global.website-files.com/64d4f32bbf4bcd247875f1b1/6539f9759c49f5f514e77f31_Azure-Front-Door-with-AKS-6.png" alt="Azure-Front-Door-with-AKS-6">
<img src="https://assets-global.website-files.com/64d4f32bbf4bcd247875f1b1/6539f975e7bf9cbe24fa05bf_Azure-Front-Door-with-AKS-7.png" alt="Azure-Front-Door-with-AKS-7">
<img src="https://assets-global.website-files.com/64d4f32bbf4bcd247875f1b1/6539f97577c28e945e0ed9c5_Azure-Front-Door-with-AKS-8.png" alt="Azure-Front-Door-with-AKS-8">
<img src="https://assets-global.website-files.com/64d4f32bbf4bcd247875f1b1/6539f97506312450d4005677_Azure-Front-Door-with-AKS-9.png" alt="Azure-Front-Door-with-AKS-9">
You can find a “Host name” with following steps. Go to “Private Link Center” → “Private link services” → “Alias”. “Origin host header” should be left as default auto-completion.
<img src="https://assets-global.website-files.com/64d4f32bbf4bcd247875f1b1/6539f9754bcc78d63c261d86_Azure-Front-Door-with-AKS-10.png" alt="Azure-Front-Door-with-AKS-10">
After that, create an Azure Front Door Service and wait for a while to be deployed.
When Azure Front Door is successfully deployed, you need to approve the private link service. You can do it by following these steps:
- go to “Private Link Center”
- Choose your private link services
- Select “Private endpoint connection” in the menu, and select “Approve”
<img src="https://assets-global.website-files.com/64d4f32bbf4bcd247875f1b1/6539f975b31a397763d3f210_Azure-Front-Door-with-AKS-11.png" alt="Azure-Front-Door-with-AKS-11">
Testing
To see if everything is properly working, we need to copy the URL address of an endpoint and we should see the default nginx page.
- go to Azure Front Service you deployed
- “Front Door manager”
- copy an URL of the endpoint
<img src="https://assets-global.website-files.com/64d4f32bbf4bcd247875f1b1/6539f97506312450d40056de_Azure-Front-Door-with-AKS-12.png" alt="Azure-Front-Door-with-AKS-12">
<img src="https://assets-global.website-files.com/64d4f32bbf4bcd247875f1b1/6539f975bbd9309fc96a3ff4_Azure-Front-Door-with-AKS-13.png" alt="Azure-Front-Door-with-AKS-13">
Conclusion
In this tutorial, we deployed Azure Front Door Service which had a public endpoint that is connected to the private endpoint of a sample Kubernetes nginx application.
Azure Front Door is a powerful managed service and you can leverage a lot of its functionalities such as:
- Global Load Balancing: Azure Front Door distributes incoming traffic across multiple backends in different regions, ensuring high availability and low-latency access for users worldwide.
- Traffic Routing and URL-based Routing: Front Door allows you to route traffic to different backends based on various criteria such as URL path, host, or headers. It enables you to define flexible routing rules to direct traffic to specific endpoints.
- SSL/TLS Termination: Front Door terminates SSL/TLS connections, allowing you to offload the encryption and decryption workload from your backend servers. It simplifies the management of SSL certificates and improves the performance of your application.
- Web Application Firewall (WAF): Azure Front Door integrates with Azure Web Application Firewall, providing protection against common web vulnerabilities and attacks such as SQL injection, cross-site scripting (XSS), and more. WAF rules can be customized to meet your application's security requirements.
- Application Performance Optimization: Front Door includes features like connection pooling, dynamic site acceleration, and content caching to enhance the performance of your web applications. It caches static content closer to end-users, reducing latency and improving response times.
- SSL Policy Management: You can define and enforce SSL/TLS protocols and cipher suites to ensure secure communication between Front Door and your backend services. It allows you to configure security policies to meet compliance requirements.
- Health Probes and Monitoring: Front Door continuously monitors the health of your backend services by sending probes to check their availability. It automatically reroutes traffic away from unhealthy endpoints, ensuring high reliability.
- Session Affinity: Front Door supports session affinity, allowing you to maintain user sessions by routing subsequent requests from the same client to the same backend. It is useful for stateful applications that require session persistence.
- Scalability and Autoscaling: Azure Front Door scales automatically based on incoming traffic patterns and can handle high-volume workloads. It dynamically adjusts capacity to ensure optimal performance and minimize costs.
- Analytics and Logging: Front Door provides detailed analytics and logging capabilities, giving you insights into traffic patterns, performance metrics, and potential security threats. You can monitor and analyze data to make informed decisions.
- Custom Domain and SSL Certificate Management: You can associate custom domain names with Azure Front Door and manage SSL certificates for secure connections.
- Front Door simplifies the process of certificate management and renewal.
- High Availability and Disaster Recovery: Azure Front Door is designed for high availability and provides redundancy across multiple Azure regions. It offers built-in failover capabilities to ensure continuous operation in case of failures or disasters.
Facing Challenges in Cloud, DevOps, or Security?
Let’s tackle them together!
get free consultation sessions
We will contact you shortly.
