Configuring an AKS load balancer for HTTPS access


Question

I'm porting an application that was originally developed for the AWS Fargate container service to AKS under Azure. In the AWS implementation an application load balancer is created and placed in front of the UI microservice. This load balancer is configured to use a signed certificate, allowing https access to our back-end.

I've done some searches on this subject and how something similar could be configured in AKS. I've found a lot of different answers to this for a variety of similar questions but none that are exactly what I'm looking for. From what I gather, there is no exact equivalent to the AWS approach in Azure. One thing that's different in the AWS solution is that you create an application load balancer upfront and configure it to use a certificate and then configure an https listener for the back-end UI microservice.

In the Azure case, when you issue the "az aks create" command the load balancer is created automatically. There doesn't seem to be a way to do much configuration, especially as it relates to certificates. My impression is that the default load balancer that is created by AKS is ultimately not the mechanism to use for this. Another option might be an application gateway, as described here. I'm not sure how to adapt this discussion to AKS. The UI pod needs to be the ultimate target of any traffic coming through the application gateway but the gateway uses a different subnet than what is used for the pods in the AKS cluster.

So I'm not sure how to proceed. My question is: Is the application gateway the correct solution to providing https access to a UI running in an AKS cluster or is there another approach I need to use?

Recommended answer

You are right, the default Load Balancer created by AKS is a Layer 4 LB and doesn't support SSL offloading. The equivalent of the AWS Application Load Balancer in Azure is the Application Gateway. As of now there is no option in AKS which allows you to choose the Application Gateway instead of a classic load balancer, but like alev said, there is an ongoing project that is still in preview which will allow you to deploy a special ingress controller that will drive the routing rules on an external Application Gateway based on your ingress rules. If you really need something that is production ready, here are your options:

  1. Deploy an Ingress controller like NGINX, Traefik, etc. and use cert-manager to generate your certificate.
  2. Create an Application Gateway and manage your own routing rule that will point to the default layer 4 LB (k8s LoadBalancer service or via the ingress controller)

We implemented something similar lately and we decided to manage our own Application Gateway because we wanted to do the SSL offloading outside the cluster and because we needed the WAF feature of the Application Gateway. We were able to automatically manage the routing rules inside our deployment pipeline. We will probably use the Application Gateway as an ingress project when it is production ready.
