Azure-docs: How to apply to an AKS instead of VM?

Created on 24 Oct 2018 · 9 Comments · Source: MicrosoftDocs/azure-docs

Can this be done for an AKS instead of VM? We use Traefik as ingress controller.



application-gatewasvc cxp in-progress product-question triaged


All 9 comments

@sujithq it is possible to do SSL termination with an Application Gateway and AKS, but I am unsure if you can use SSL between an Application Gateway and AKS.

Do you just need the SSL offload, or do you want the end to end SSL?

I managed the SSL Termination but I also need end to end SSL termination.

I tried 2 different ways using certificates at AKS side: manual via openssl and via traefik acme and dnsprovider using the cer file at Application Gateway side (set to HTTPS at httpsettings level). My Backend Health reports this:

Https probe connection error. Check if backend server certificate is whitelisted with Application Gateway. Check for backend certificate validity.

There should be a match between the public keys used at Application Gateway and AKS but I am not sure about that. I guess my certificates should be whitelisted using the cer file?

Kind regards,
Sujith
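
A way to check the question raised in the comment above, whether the certificate the AKS ingress actually presents is the one whose .cer file was given to Application Gateway. This is an added example, not part of the original thread: the function names are hypothetical, the sample bytes are constructed, and it assumes the uploaded .cer is an export (DER or Base-64) of the same certificate the ingress is meant to serve.

```python
import base64
import hashlib
import socket
import ssl
import sys

HEADER = b"-----BEGIN CERTIFICATE-----"
FOOTER = b"-----END CERTIFICATE-----"


def to_der(cert: bytes) -> bytes:
    """Normalise a .cer export: Base-64 (PEM) text becomes DER, DER passes through."""
    start = cert.find(HEADER)
    if start == -1:
        return cert
    end = cert.index(FOOTER, start)
    return base64.b64decode(b"".join(cert[start + len(HEADER):end].split()))


def fingerprint(cert: bytes) -> str:
    """SHA-256 over the DER bytes, so the export format does not affect the result."""
    return hashlib.sha256(to_der(cert)).hexdigest()


def same_certificate(uploaded_cer: bytes, presented: bytes) -> bool:
    """True when the uploaded .cer and the presented certificate are byte-identical."""
    return fingerprint(uploaded_cer) == fingerprint(presented)


def fetch_presented(host, port=443, sni=None):
    """Return the leaf certificate (DER) the backend presents for the given SNI name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # inspection only: the decision is made by the
    ctx.verify_mode = ssl.CERT_NONE  # fingerprint comparison, not by a CA chain
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-in bytes (not a real certificate) to show the encoding handling.
SAMPLE_DER = bytes(range(48, 112))
SAMPLE_PEM = HEADER + b"\n" + base64.encodebytes(SAMPLE_DER) + FOOTER + b"\n"

if __name__ == "__main__":
    # Usage: python check_backend_cert.py backend.cer <backend-ip> <port> <sni-name>
    cer_path, host, port, sni = sys.argv[1:5]
    with open(cer_path, "rb") as fh:
        uploaded = fh.read()
    presented = fetch_presented(host, int(port), sni)
    print("uploaded :", fingerprint(uploaded))
    print("presented:", fingerprint(presented))
    print("match" if same_certificate(uploaded, presented) else "MISMATCH")
```

Run it from a machine that can reach the ingress address, passing the host name the ingress is configured for as the SNI name, since an ingress controller can select its certificate by SNI.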

@sujithq were you able to get your End to End SSL working with AKS? Please let me know if you need further assistance with this issue.

Personally I still would like to see this working but the project is on hold since November.

@sujithq Getting it working with AKS will be a matter of automatically adding the certs to the AKS instances. For assistance with that, your best bet is to ask in the appropriate forums for AKS.

If you would like additional help from the App Gateway side, or if you would like to request that a How-To be made for End-To-End SSL using VMs or AKS, let us know!

@sujithq We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.

Sujith and Travis - This worked like a charm, where we don't have to touch the APPGW, just defining the ingress rules in YAML file will do the magic behind the scenes.
https://azure.github.io/application-gateway-kubernetes-ingress/

Thanks
Gopinath T

Hi @TravisCragg-MSFT

Like @sujithq, I have a need to implement end to end SSL encryption between AppGw and AKS and have spent many hours trying, both with AppGW V1 and V2, ending up with 502s (either failing probes or requests not coming through). I can get AppGW to work with SSL termination, and AKS to work with HTTPS/TLS at the load balancer using host headers. But I can't get the re-encryption between AppGW and AKS LB to work.

So I really need a "How To" on this specific subject.

The setup:
VNet with two subnets - one subnet for AppGW and one subnet for AKS.

AppGW multisite https listeners (SNI required) for sub1.domain.com, sub2.domain.com, and sub3.domain.com.
We currently have a wildcard certificate for *.domain.com which is used on all listeners. This might change to individual certs when we move to production.

All traffic from the listeners is routed to the same backend (AKS internal LB) and must be re-encrypted.

AKS provisioned with advanced networking, RBAC and AAD Authentication.
An internal load balancer is provisioned by AKS inside the AKS Subnet, Nginx ingress controller configured with TLS on sub1.domain.com, sub2.domain.com, and sub3.domain.com.

best regards
Jan

P.S.
Not in scope for the "How-to", but nonetheless important for the final setup: We do have other subnets (as well as other peered VNETs) with components that also need to talk to the AKS Int. LB via HTTPS - but that is beside the point here.

@janlunddk Have you worked with Azure Support yet to get encryption working between the App Gateway and AKS?

Also, are you using an Azure Load Balancer for your AKS?
