This chapter covers the Application Gateway Ingress Controller (AGIC) for Azure Kubernetes Service (AKS), a critical integration for exposing AKS workloads to external traffic. For the AZ-104 exam, this topic appears in approximately 5-10% of questions within the networking domain, often in scenarios requiring hybrid connectivity, SSL termination, or web application firewall (WAF) integration. Understanding AGIC is essential for Azure Administrators who manage AKS clusters and need to provide secure, scalable ingress with Azure-native load balancing.
Jump to a section
Think of an Application Gateway Ingress Controller (AGIC) as a smart traffic dispatcher stationed at the entrance of a large office building (your AKS cluster). The dispatcher has a constantly updated list of which tenant (microservice) occupies which floor (service endpoint) and what kind of visitors (HTTP/HTTPS traffic) each tenant expects. When a visitor arrives, the dispatcher checks the visitor's badge (request headers, path, hostname) against the list, then directs them to the correct elevator (backend pool) that goes to the right floor. The dispatcher also handles SSL termination (like a security desk that opens sealed envelopes), session affinity (ensuring a visitor always talks to the same receptionist), and can block unwanted visitors (WAF). Crucially, the dispatcher's instructions are updated automatically whenever the building manager (Kubernetes) adds a new tenant or changes a floor plan, without any manual reconfiguration of the physical lobby. This is exactly how AGIC works: it watches Kubernetes Ingress resources and automatically updates the Azure Application Gateway's routing rules, backend pools, listeners, and health probes. The dispatcher doesn't need to know the internal layout of each floor—it just knows which door to point to.
What is the Application Gateway Ingress Controller (AGIC)?
The Application Gateway Ingress Controller (AGIC) is a Kubernetes pod that bridges Azure Application Gateway with an AKS cluster. It allows you to use Application Gateway as the ingress point for traffic entering the cluster, rather than deploying a software-based ingress controller (like NGINX). AGIC monitors Kubernetes Ingress resources and updates the Application Gateway configuration accordingly, enabling features like SSL termination, URL-based routing, multi-site hosting, and Web Application Firewall (WAF) at the edge.
Why AGIC Exists
Traditional Kubernetes ingress controllers run as pods inside the cluster, meaning traffic must first reach the cluster's node network before being routed. This introduces latency and complexity, especially for enterprises that require centralized SSL offloading, WAF, or integration with Azure DDoS Protection. AGIC moves these responsibilities to a managed Azure service (Application Gateway), which operates at the network edge. This reduces the load on cluster nodes, simplifies certificate management, and provides a single point of policy enforcement.
How AGIC Works Internally
AGIC runs as a pod in the AKS cluster, typically in the azure-system namespace. It uses the Azure Resource Manager API to read and modify the Application Gateway's configuration. The controller watches Kubernetes resources such as:
- Ingress: Defines routing rules (host, path, backend service, port).
- Service: Defines the target pods.
- Pod: Used for health probing and endpoint discovery.
When an Ingress resource is created or updated, AGIC performs the following:
1. Read: AGIC reads the Ingress spec, which includes rules like host: app.contoso.com, path: /api, and backend: service: api-service port: 80.
2. Translate: It converts these rules into Application Gateway configuration objects:
- Listeners: One per host:port combination (e.g., HTTP/443 for app.contoso.com).
- Routing Rules: Maps listener to backend pool with path-based rules.
- Backend Pools: Contains the IP addresses of the pods backing the service.
- Health Probes: Configured based on the service's readiness probe.
3. Apply: AGIC uses the Azure SDK to call ApplicationGateway.Update() or CreateOrUpdate() to push changes to the Application Gateway resource.
Key Components and Defaults
- AGIC Version: As of 2025, the latest stable version is 1.8.x. Always check the official Microsoft documentation for the latest.
- Deployment Modes:
- Add-on mode: Managed by AKS, automatically deployed when you enable the AGIC add-on. Recommended for most scenarios.
- Helm mode: Manual deployment via Helm chart. Offers more configuration control.
- Default Namespace: azure-system for add-on mode.
- Health Probe Defaults: Interval: 30 seconds, Timeout: 30 seconds, Unhealthy threshold: 3 consecutive failures.
- SSL Termination: AGIC can reference Azure Key Vault for SSL certificates via Key Vault secrets or certificates.
- WAF: Application Gateway WAF v2 is supported. AGIC configures WAF policies per listener or per rule.
- Scaling: Application Gateway supports auto-scaling (if configured) and can handle up to 125 backend pool members per pool.
Configuration and Verification Commands
To enable AGIC add-on on an existing AKS cluster:
az aks enable-addons --addons ingress-appgw --name myAKSCluster --resource-group myResourceGroupThis creates an Application Gateway in the same node resource group (MC_*). To specify an existing Application Gateway:
az aks enable-addons --addons ingress-appgw --name myAKSCluster --resource-group myResourceGroup --appgw-id /subscriptions/.../applicationGateways/myAppGatewayTo verify AGIC is running:
kubectl get pods -n azure-system -l app=ingress-appgwTo check logs:
kubectl logs -n azure-system deployment/ingress-appgw-deploymentExample Ingress resource that AGIC processes:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
annotations:
kubernetes.io/ingress.class: azure/application-gateway
spec:
rules:
- host: app.contoso.com
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: api-service
port:
number: 80Interaction with Related Technologies
AKS Cluster: AGIC runs as a pod inside the cluster, requiring outbound connectivity to Azure Management APIs.
Azure Application Gateway: The target resource that AGIC configures. Must be in the same virtual network as the AKS cluster (or peered).
Azure Key Vault: Used for SSL certificate storage. AGIC can reference Key Vault via a User Managed Identity or Service Principal.
Azure DNS: For custom domain names. The Ingress host must resolve to the Application Gateway's frontend IP (public or private).
Azure Policy: Can enforce that all Ingress resources must use AGIC by auditing the ingress.class annotation.
Performance and Limitations
Configuration Update Latency: AGIC polls for changes every 30 seconds by default. Changes to Ingress resources may take up to 1-2 minutes to propagate to Application Gateway.
Backend Pool Limit: Application Gateway supports up to 125 backend pool members per pool. If your service has more pods, you need to split across multiple pools or use a higher-tier SKU.
Path-Based Routing: Supports exact and prefix path matching. Wildcard paths are not supported in Application Gateway; use prefix matching instead.
Multi-Site Hosting: Each host requires a separate listener. Application Gateway supports up to 100 listeners per gateway (depending on SKU).
Private IP: AGIC supports Application Gateway with a private frontend IP only, allowing internal-only ingress.
Troubleshooting Common Issues
AGIC Not Updating Gateway: Check AGIC pod logs for authentication errors. Ensure the managed identity has Contributor access to the Application Gateway resource.
Backend Health Unhealthy: Verify pods are running and readiness probes are correctly configured. Application Gateway health probes must match the service's probe path.
SSL Certificate Errors: Ensure the certificate is uploaded to Application Gateway or referenced in Key Vault with proper access policies.
Ingress Not Working: Confirm the Ingress resource has the annotation kubernetes.io/ingress.class: azure/application-gateway. Without it, AGIC ignores the resource.
Enable AGIC add-on on AKS
Use Azure CLI or portal to enable the ingress-appgw add-on. This creates a managed identity (if not specified) and deploys the AGIC pod in the azure-system namespace. The add-on also creates an Application Gateway in the AKS node resource group, unless an existing gateway is specified. This step is irreversible without manual cleanup.
Define Kubernetes Ingress resources
Create Ingress YAML definitions with appropriate host, path, and backend service references. Ensure the annotation `kubernetes.io/ingress.class: azure/application-gateway` is present. The Ingress must reference Services that exist in the same namespace or across namespaces (if using externalName). AGIC will watch for these resources via the Kubernetes API.
AGIC detects Ingress changes
AGIC runs an informer loop that watches Ingress, Service, and Pod resources. When a new Ingress is created, the controller receives an event and enqueues the resource for reconciliation. This happens within seconds, but the actual update to Application Gateway may take up to 30 seconds due to polling interval.
AGIC translates to Gateway config
AGIC converts the Ingress rules into Application Gateway configuration: listeners (one per host:port), routing rules (path-based), backend pools (IPs of pods from the Service's endpoints), and health probes (derived from the Service's readiness probe or defaults). The translation logic handles TLS settings, path prefixes, and backend port mapping.
AGIC pushes config to Application Gateway
AGIC calls the Azure Resource Manager API to update the Application Gateway resource. This is a PUT operation that replaces the entire gateway configuration. The update is asynchronous and can take 1-5 minutes for large configurations. During this time, the gateway remains operational with the previous settings.
Traffic flows through Application Gateway
Once the configuration is applied, external traffic hits the Application Gateway's frontend IP. The gateway terminates SSL (if configured), evaluates WAF rules, and routes the request to the appropriate backend pool based on host and path. The backend pool contains the pod IPs, and traffic goes directly from the gateway to the pod (not through a service proxy).
Monitor and troubleshoot AGIC
Use kubectl logs and Azure Monitor to verify AGIC health. Check Application Gateway backend health via portal or Azure CLI. Common issues include authentication failures (missing RBAC on managed identity), pod readiness probe mismatches, and network connectivity between gateway and pods (ensure NSGs allow traffic from gateway subnet).
Enterprise Scenario 1: E-commerce Platform with WAF
A large retailer runs a microservices-based e-commerce platform on AKS. They need to expose public-facing APIs with SSL termination and a Web Application Firewall to protect against SQL injection and cross-site scripting. They deploy AGIC with an Application Gateway WAF v2 SKU. The Ingress resources define paths for /api, /checkout, and /products, each routing to different services. SSL certificates are stored in Azure Key Vault and referenced by AGIC via a managed identity. In production, the cluster handles 10,000 requests per second, and the Application Gateway auto-scales to handle spikes during Black Friday. The team monitors backend health using Application Gateway's built-in probes and sets up alerts for unhealthy backends. A common misconfiguration is forgetting to update the health probe path when the service's readiness probe changes, causing the gateway to mark all pods as unhealthy. The fix is to either align the health probe with the readiness probe or override it using AGIC annotations.
Enterprise Scenario 2: Internal Microservices with Private Ingress
A financial institution uses AKS for internal microservices that should not be exposed to the internet. They deploy AGIC with an Application Gateway that has a private frontend IP only, attached to the same VNet as the AKS cluster. The Ingress resources use internal DNS names (e.g., api.internal.bank.com). AGIC configures the gateway's private listeners and backend pools. Traffic from internal applications (e.g., a legacy .NET app) hits the private IP, and the gateway routes to the appropriate pod. A challenge is that the Application Gateway must be in the same VNet or a peered VNet as the AKS cluster. The team also uses Azure Private DNS zones for name resolution. They learned that AGIC's health probes must be able to reach the pods; if the gateway is in a different subnet, NSG rules must allow traffic from the gateway subnet to the pod subnet on the health probe port.
Enterprise Scenario 3: Multi-Tenant SaaS with Host-Based Routing
A SaaS provider hosts multiple customer applications on a single AKS cluster, each with a custom domain (e.g., customer1.contoso.com, customer2.contoso.com). They use AGIC with multi-site hosting: each customer gets a separate listener on the Application Gateway. The Ingress resources specify the host header, and AGIC creates separate listeners and backend pools. This allows the provider to apply different WAF policies per customer. The main performance consideration is the Application Gateway's listener limit (100 for Standard_v2, 50 for WAF_v2). As they onboard more customers, they need to upgrade the SKU or use a wildcard certificate with a single listener and path-based routing. A common mistake is forgetting to update DNS records to point each customer domain to the Application Gateway's frontend IP, causing traffic to never reach the gateway.
What AZ-104 Tests on AGIC (Objective 4.2)
The exam focuses on understanding AGIC's role in integrating AKS with Azure Application Gateway, specifically: - Deployment methods: Add-on vs. Helm, and when to use each. - Configuration: How Ingress resources map to Application Gateway components (listeners, rules, pools, probes). - Authentication: Managed identity vs. service principal for AGIC to access Application Gateway. - SSL/TLS: Certificate management via Key Vault. - WAF: Enabling WAF policies via AGIC annotations. - Troubleshooting: Common issues like backend health failures, authentication errors, and update latency.
Common Wrong Answers and Why Candidates Choose Them
1. "AGIC requires an Application Gateway in the same subnet as the AKS nodes." - Why wrong: The gateway can be in any subnet, as long as it's in the same VNet or a peered VNet. It does not need to be in the node subnet. - Trap: Candidates confuse AGIC with the standard Azure Load Balancer that sits in the node subnet.
2. "AGIC automatically creates an Application Gateway when you create an Ingress resource." - Why wrong: AGIC does not create the gateway; it configures an existing one. The gateway must exist beforehand (or be created by the add-on during enablement). - Trap: The add-on creates a gateway, but that's a one-time action, not per-Ingress.
3. "You need to open ports on the AKS node's NSG to allow traffic from the internet." - Why wrong: Traffic goes directly from the Application Gateway to the pod IP, bypassing the node's NSG. The gateway's subnet NSG must allow traffic to the pod subnet, but the node NSG is irrelevant. - Trap: Candidates think of traditional ingress controllers where traffic hits the node port.
4. "AGIC supports only HTTP/HTTPS, not TCP." - Why wrong: Application Gateway itself supports HTTP/HTTPS only (Layer 7). AGIC inherits this limitation. For TCP, you need Azure Load Balancer or other ingress controllers. - Trap: Candidates may think AGIC can do TCP because Kubernetes Ingress can (with custom controllers).
Specific Numbers and Terms
Default polling interval: 30 seconds (for Helm mode; add-on mode uses a different mechanism but similar latency).
Backend pool max members: 125 per pool.
Listener limit: 100 for Standard_v2, 50 for WAF_v2.
Health probe defaults: Interval 30s, timeout 30s, unhealthy threshold 3.
Annotation to specify ingress class: kubernetes.io/ingress.class: azure/application-gateway.
Managed identity name: ingressapplicationgateway-<cluster-name> (for add-on mode).
Edge Cases and Exceptions
Multiple Ingress resources with overlapping hosts/paths: The last one applied wins (no merging).
Cross-namespace Ingress: AGIC supports referencing services in other namespaces via externalName services, but not directly via Ingress rules.
Private Application Gateway: AGIC works with private-only gateways, but the AKS cluster must be able to reach the gateway's private IP for health probes.
Helm mode vs. Add-on: The exam may ask which mode supports custom configuration. Helm mode allows more control (e.g., custom probes, multiple gateways).
How to Eliminate Wrong Answers
If the question mentions "automatically creating a gateway" or "no prior gateway needed," it's likely wrong unless referring to the add-on's initial setup.
If the question says "AGIC runs on the Application Gateway," it's wrong; AGIC runs as a pod in AKS.
If the question says "AGIC supports TCP or UDP," it's wrong; Application Gateway is Layer 7 only.
If the question says "you must manually update the gateway when Ingress changes," it's wrong; AGIC does this automatically.
AGIC bridges AKS and Azure Application Gateway, enabling Layer 7 ingress with WAF and SSL offloading.
AGIC watches Kubernetes Ingress resources and automatically updates the Application Gateway configuration.
Deploy AGIC via AKS add-on (recommended) or Helm chart for custom configurations.
AGIC requires a managed identity with Contributor access to the Application Gateway resource.
Application Gateway must be in the same VNet or a peered VNet as the AKS cluster.
Health probe defaults: interval 30s, timeout 30s, unhealthy threshold 3.
AGIC supports only HTTP/HTTPS traffic; for TCP/UDP, use Azure Load Balancer or other ingress controllers.
Common exam trap: AGIC does not create the gateway; it configures an existing one.
These come up on the exam all the time. Here's how to tell them apart.
AGIC (Application Gateway Ingress Controller)
Runs as a pod in AKS but configures an external Azure Application Gateway.
Provides native SSL termination at the edge, offloading the cluster.
Integrates with Azure WAF for managed rule sets.
Supports up to 100 listeners per gateway (Standard_v2).
Configuration changes take 30 seconds to minutes to propagate.
NGINX Ingress Controller
Runs entirely inside the AKS cluster as a pod.
SSL termination occurs within the cluster, consuming node resources.
No built-in WAF; requires third-party solutions or manual configuration.
Listener limit depends on pod resources; can handle more with scaling.
Configuration changes apply almost instantly (seconds).
Mistake
AGIC can automatically create an Application Gateway when you apply an Ingress resource.
Correct
AGIC does not create the gateway; it only updates the configuration of an existing gateway. The gateway must be provisioned separately or via the add-on during enablement.
Mistake
AGIC requires the Application Gateway to be in the same subnet as the AKS nodes.
Correct
The gateway can be in any subnet within the same VNet or a peered VNet. It does not need to share the node subnet.
Mistake
AGIC supports TCP and UDP traffic because it's an ingress controller.
Correct
AGIC only supports HTTP/HTTPS (Layer 7) because it relies on Azure Application Gateway, which is a Layer 7 load balancer. TCP/UDP traffic requires Azure Load Balancer or a different ingress controller.
Mistake
You must manually update the Application Gateway configuration when you change Ingress resources.
Correct
AGIC automatically detects changes to Ingress resources and updates the Application Gateway configuration via the Azure API. No manual intervention is needed.
Mistake
AGIC can only be deployed using the AKS add-on.
Correct
AGIC can be deployed either via the AKS add-on (managed) or manually via Helm chart. The Helm mode offers more customization.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The AGIC add-on is a managed deployment option integrated with AKS. It automatically creates a managed identity and deploys the controller in the azure-system namespace. It simplifies setup but offers limited customization. Helm deployment gives you full control over AGIC configuration, such as custom health probes, multiple gateways, and advanced logging. The exam expects you to know that the add-on is the recommended method for most scenarios, but Helm is used for advanced needs.
AGIC uses a managed identity (in add-on mode) or a service principal (in Helm mode) to authenticate to Azure. The identity must have at least Contributor permissions on the Application Gateway resource. The managed identity is automatically created when you enable the add-on and is named `ingressapplicationgateway-<cluster-name>`. In Helm mode, you provide the service principal credentials in the Helm values.
Yes, AGIC fully supports Application Gateways with only a private frontend IP. This is common for internal-facing services. The gateway must be in the same VNet or a peered VNet as the AKS cluster. Health probes from the gateway to the pods will use private IPs. Ensure that the gateway subnet can reach the pod subnet via NSG rules.
If the Ingress resource does not have the annotation `kubernetes.io/ingress.class: azure/application-gateway`, AGIC will ignore it. The Ingress may be processed by another ingress controller (e.g., NGINX) if present, or it will remain unconfigured. This is a common exam scenario: the question might describe an Ingress that is not working, and the fix is to add the annotation.
AGIC detects changes within seconds, but the actual update to the Application Gateway can take 1-5 minutes. This is because the Azure API requires a full PUT operation that replaces the gateway configuration. During this time, the gateway continues to serve traffic with the previous configuration. The exam may test this latency in troubleshooting scenarios.
No, Application Gateway does not support wildcard hostnames in listeners. You must specify exact hostnames. For multi-site hosting, you need a separate listener per host. If you need wildcard support, consider using a single listener with a wildcard certificate and path-based routing, or use a different ingress controller.
No, Application Gateway supports only exact and prefix path matching. Regex is not supported. For complex path matching, you may need to use a different ingress controller or implement routing within the application.
You've just covered Application Gateway Ingress Controller for AKS — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?