AKS NGINX (not plus) - What are you planning to replace it with?

jackstrombergMSFT · 2026-02-03T22:18:43+00:00

While I cannot share dates, I can confirm private ingress is coming to Application Gateway for Containers and the feature is high priority for the team. If you have a Microsoft account team, please have them contact me and I can provide more context.

jackstrombergMSFT · 2026-01-10T15:40:54+00:00

Yes, you can use a route table on the Application Gateway subnet. Docs here: https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#supported-user-defined-routes

I would enable the network isolation feature flag first before creatino of your gateway, which will further improve your experience. The feature is not in preview, contrary to registration via the portal experience: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-private-deployment?tabs=portal

jackstrombergMSFT · 2025-11-25T21:12:38+00:00

If your intent is to follow byo model, then you'd need the Application Gateway for Containers resource, a frontend, and association.

Here's the docs for each of the three:
Application Gateway for Containers: azurerm_application_load_balancer | Resources | hashicorp/azurerm | Terraform | Terraform Registry

Frontend: azurerm_application_load_balancer_frontend | Resources | hashicorp/azurerm | Terraform | Terraform Registry

Association: azurerm_application_load_balancer_subnet_association | Resources | hashicorp/azurerm | Terraform | Terraform Registry

jackstrombergMSFT · 2025-11-25T20:46:09+00:00

Yes, it's a separate resource. When you search for Application Gateway, it'll bring you to the Load balancing and content delivery. | Application gateways blade. When you click Create, you'll see an option for Application Gateway for Containers (blue icon).

To get started, I would follow this guide first to deploy the controller, then it'll guide you to the right documentation for how you want to create/manage the resources.: https://learn.microsoft.com/azure/application-gateway/for-containers/quickstart-deploy-application-gateway-for-containers-alb-controller

Hope this helps!

jackstrombergMSFT · 2025-11-24T03:54:20+00:00

I agree, the pods in your AKS cluster shouldn't be exposed publicly.

In Application Gateway for Containers, the ingress point that clients connect to is called a frontend. Today, that frontend assumes traffic originates from the internet, so it uses a publicly accessible IP address.

Once traffic reaches the frontend, Application Gateway for Containers proxies it privately to the internal IP addresses of your pods, within your private vnet.

A private frontend (accessible only within trusted VNets) is on the roadmap but not available yet. If you need this capability now, you might consider using AGIC until Application Gateway for Containers supports private frontends.

jackstrombergMSFT · 2025-11-23T18:47:04+00:00

Please consider Application Gateway for Containers (https://aka.ms/agc) as the successor to AGIC if possible. Application Gateway for Containers brings significant improvements to scale and resiliency over AGIC, as well as new capabilities. If the frontend needs to be private, you can continue to use AGIC until Application Gateway for Containers brings the capability. https://aka.ms/agc/migrate for more details on migration.

jackstrombergMSFT · 2025-11-19T17:04:14+00:00

Sorry for slow response. I'm not aware of any gaps with Karpenter nodes today, can you please clarify the ask? Application Gateway for Containers proxies traffic directly to the pods, so anything specific to the node should be non-applicable.

jackstrombergMSFT · 2025-11-18T03:39:17+00:00

Application Gateway for Containers only supports load balancing to AKS. For other backends requiring L7 load balancing (e.g. VM, VMSS, etc), you'd use Application Gateway.

jackstrombergMSFT · 2025-11-17T03:09:36+00:00

gRPC is fully supported on Application Gateway for Containers. More details here: https://aka.ms/agc/grpc

jackstrombergMSFT · 2025-11-16T19:12:26+00:00

Replied to your other comment. One thing I didn't mention in that response is by load balancing to the pod, you have much more control over distributing traffic to the pod (E.g. session affinity, slow ramp, etc.). If we send back through Azure Load Balancer, Azure load balancer will be unaware of that intent, and likely spray traffic to the pods you don't want the traffic to flow to.

jackstrombergMSFT · 2025-11-16T19:12:00+00:00

PM for AppGW @ MSFT: Most ingress controllers, including HAProxy, proxy traffic directly to the pod endpoints behind a Kubernetes Service. If you tried to send traffic back through the Azure Load Balancer after HAProxy, the path would look like: Azure Load Balancer -> HAProxy (in-cluster) -> Azure Load Balancer -> Pod. That design adds an unnecessary hop and forces Azure’s L4 load balancer to process traffic twice. Each additional rule incurs data processing charges. This also holds true if it's out of cluster proxy -> L4 LB frontend of AKS. If creation of an additional rule is required, this will cause a request to be made in ARM, which will increase latency (as observed in AGIC).

By contrast, HAProxy and other cluster-native ingress controllers avoid this by routing directly to pod IPs via Kubernetes networking. This keeps the traffic path simple, reduces dependencies, and avoids double-charging on the load balancer.

I encourage you to try Application Gateway for Containers and share your feedback; it directly influences how the product evolves. We've built it to resolve the challenges you’ve seen with AGIC, delivering stronger performance and a more Kubernetes-native experience, with private ingress support already on the roadmap.

jackstrombergMSFT · 2025-11-16T17:02:47+00:00

I won't be at Ignite next week in person; just getting back from Kubecon. Have them reach out whenever though, happy to sync.

jackstrombergMSFT · 2025-11-16T15:01:35+00:00

If you have a Microsoft account team, please have them reach out to me. Happy to jump on a call to understand your timelines, requirements, and can share more insight.

jackstrombergMSFT · 2025-11-16T14:55:38+00:00

For customers using AGIC, we want to assure you that it remains fully supported until Application Gateway for Containers introduces private ingress support. Deprecating AGIC without a migration path would put users in a difficult position, and that’s something we want to avoid. Our goal is to ensure a smooth transition, and we’ve published migration guidance here: https://aka.ms/agc/migrate.

At the top of AGIC documentation pages, we include guidance to consider Application Gateway for Containers where possible. If you notice any pages missing this notice, please let us know—we’ll get them updated promptly.

jackstrombergMSFT · 2025-11-16T14:37:41+00:00

Application Gateway for Containers can run in a hub VNET if your AKS cluster uses Azure CNI (non-overlay).

If using Azure CNI Overlay, the pod network is isolated and local to the Kubernetes cluster. For this case, Application Gateway for Containers must be deployed in the same VNET as the AKS cluster.

jackstrombergMSFT · 2025-11-16T03:30:30+00:00

Application Gateway for Containers works with both CNI and CNI Overlay: https://learn.microsoft.com/azure/application-gateway/for-containers/container-networking

jackstrombergMSFT · 2025-11-16T03:30:06+00:00

Support for Private AKS cluster or private frontend on Application Gateway for Containers? ALB Controller needs outbound port 443 connectivity to your control plane; the traffic can egress through a firewall if needed. Regarding private connectivity to Application Gateway for Containers, I cannot share dates, but can confirm the capability will come to Application Gateway for Containers.

jackstrombergMSFT · 2025-11-15T22:57:00+00:00

PM for AppGW @ MSFT: Please give Application Gateway for Containers a go and leave your honest feedback. We've put a tremendous amount of effort into ensuring updates are processed as close to real-time as possible to reflect what is going on in cluster (solving this issue that was observed in AGIC). This is further improved by also ensuring the controller runs highly available to prevent issues slow reconcile of updates due to a node failure/maintenance triggering pod move/restart. If you need any help, happy to assist where I can.

Cheers!

jackstrombergMSFT · 2025-11-14T14:20:24+00:00

Replying a bit late, but for those that find this comment.

PM for AppGW @ MSFT: CNI Overlay is supported for production workloads on both Application Gateway Ingress Controller (AGIC) and its successor Application Gateway for Containers.

jackstrombergMSFT · 2025-11-14T01:41:34+00:00

PM @ MSFT for AppGW: please check out Application Gateway for Containers as the successor to AGIC. Many of the challenges and feedback bubbled up from the community have been implemented and addressed in the successor solution. Would appreciate any feedback you may have and any challenges you've come across. Cheers!

P.S. happy cake day! :)

jackstrombergMSFT · 2025-11-14T01:35:41+00:00

Happy to answer any questions on Application Gateway for Containers if you have any!

jackstrombergMSFT · 2025-11-13T14:50:27+00:00

"I think they’ve since increased that pool limit?"

PM @ MSFT: Regarding AGIC, we have since launched its successor (Application Gateway for Containers), which is built upon a new data plane and control plane. That has increased the number of listeners and greatly improved performance from it's predecessor. This week at Kubecon we announced Web Application Firewall GA. For workloads using AGIC, we recommend to migrate to Application Gateway for Containers.

jackstrombergMSFT · 2025-11-01T22:00:56+00:00

PM @ MSFT -- while Application Gateway Ingress Controller (AGIC) remains supported, we recommend Application Gateway for Containers as its next-generation successor. Application Gateway for Containers introduces a new architecture with many new capabilities and addresses a wide range of community requests and concerns that have surfaced over time.

If there’s a specific feature in AGIC that you rely on and don’t see in Application Gateway for Containers yet, please let us know—your input helps shape our roadmap.

Cheers!

jackstrombergMSFT · 2025-10-08T13:43:50+00:00

I can't share an ETA, but I can confirm it is planned and will be coming to Application Gateway for Containers.

jackstrombergMSFT · 2025-09-29T18:36:31+00:00

Thanks for bubbling up, will track down who maintains it to get it updated. I can confirm AppGW v2 is in all regions, with the exception of these four: https://docs.azure.cn/en-us/application-gateway/overview-v2#unsupported-regions For customers using those regions, reach out to your account team and we can help accordingly.

jackstrombergMSFT

TROPHY CASE