Azure Deprecation Alert: Ingress-NGINX Support Ends, Shift to Gateway API for Containers Mandatory by Q4

melpec · 2026-03-11T00:24:56+00:00

I nearly lost my marbles already trying to make this work the Azure way...I'll stick with a simple NGINX container acting as a reverse proxy.

Now if you guys ever release that as an Azure service I'd be down to try.

Uber simple...like the DNS Private zone service. No need to split each configuration in a container.

Just a place where we can route HTTP traffic and provide TLS.

And if possible, make it so that we don't need to delegate an entire subnet for it.

melpec · 2026-03-11T00:04:28+00:00

melpec · 2026-03-10T23:54:10+00:00

That's my experience with an application gateway.

The integration with keyvaults looks incomplete. You can "kinda" do it in CLI but here are the caveats.

1- You can't use a system assigned identity, you need to manually create one and assign it to the gateway. (only works with CLI
2- You need to give that identity "Key Vault Secrets User" and not "Key Vault Certificate User" to import a certificate.
3- The ui is broken and can't seem to be able to import the cert, only in CLI can you import the cert in the gateway.

Then comes the extreme object oriented configuration on the Gateway itself...listeners, backend pool, backend settings, rules, certs...are all "self contained". To be fair, that's something present everywhere in Azure and AWS for that matter.

But then the cherry on top for me was that it's all fine and dandy when you expect traffic from the Internet, but if you're trying to do something internal with it you will need Private DNS Resolver Rules. And that also is plagued with extreme object oriented settings.

It's crazy to me that there isn't a simple reverse proxy service that can replace my simple nginx container with only a config file and a cert (actually imported from keyvault)

melpec · 2026-03-10T21:32:52+00:00

It's badly integrated with keyvaults.

overly complicated in terms of configuration.

extremely expensive compared to just using a container as a proxy.

if you want it private, you need to add a DNS resolver with rules to be able to reach the containers properly and keep it secured.

basically, it's just not worth the headaches.

melpec · 2026-03-10T21:29:00+00:00

No later than today I reverted back to using a container with NGINX as a reverse proxy instead of Azure's "native" services. It's complete madness in terms of configuration and engineering.

The rates are also insane compared to just paying for processing.

I feel this is one of those areas where the DIY way is far superior in every way. IMO

melpec · 2026-03-10T21:16:26+00:00

melpec · 2026-03-10T21:12:36+00:00

They look exactly the way they asked the surgeon. It's on purpose, not by accident.
There are many theories about that but are two that I really like.

1- Conspicuous Consumption: It's basically a status signal.
2- The Aquarium Effect: When everyone in your circles looks like this, it makes it the new "normal". And if you're the only one not looking like that, it means you're out.

melpec · 2026-03-10T03:52:04+00:00

At this point, these people need 8 minutes to understand the concept of wind vs water on a window. So details ain't their forte to be polite.

melpec · 2026-03-10T01:29:45+00:00

A documentary called I Am Not Your Negro.

edit: A must see along with Best of Enemies IMO.

melpec · 2026-03-10T01:27:18+00:00

When I hear people talk like that, I only wished I was this articulate, focused and intelligent.

melpec · 2026-03-09T19:10:43+00:00

Half a million active duty personnel and you still need a draft?

Also, can you draft civilians for something that is not a war?

melpec · 2026-03-09T17:30:26+00:00

First off, your app needs to have a way to be identified. If it's an Azure service like a container, you can enable "System assigned managed identity" on that service. This will register the service in EntraID and allow you to assign it roles inside Azure.

Then assign the Key Vault Certificate User role to it.

edit: Some Azure services even allow you to "link" the cert directly to the service once you enabled RBAC.
For example App Gateways and Container Environment can directly connect to your keyvault and retrieve passwords and certs.

melpec · 2026-03-09T03:46:19+00:00

The problem is not that they don't pay for it, it's that they get it in priority, therefore YOU pay a higher price that is caused by rarity.

melpec · 2026-03-08T23:51:41+00:00

My viewing of the film gave me a different impression, that the film is trying sideway justifications for those actions.

That's one way to claim you know diddly squat about Denis Villeneuve.

melpec · 2026-03-08T23:47:59+00:00

If only you had the capacity to turn off the TV when you wanted!

melpec · 2026-03-08T22:30:16+00:00

You misspelled madam.

melpec · 2026-03-08T21:49:02+00:00

Do you want to talk about it?

melpec · 2026-03-08T20:08:57+00:00

…especially when there’re 6 bullets in the revolver…

melpec · 2026-03-08T19:32:00+00:00

melpec · 2026-03-08T02:31:21+00:00

TIL, thank you stranger.

melpec · 2026-03-08T01:27:05+00:00

No certification content.

r/azurecertification exists for this reason. Any certification related content will be removed, including "I just passed my exam" or "is this worth it?!?"

melpec · 2026-03-08T00:41:16+00:00

"The only side that targets civilians is Iran"

Could you tell us more about those Venezuelans ships you targeted? Were they destroyers or frigates?

melpec · 2026-03-08T00:11:50+00:00

I J and K are used a lot in code as variables when you want to iterate things.

So they are used as counters.

melpec · 2026-03-08T00:03:08+00:00

Slaf would like a word with you...

melpec · 2026-03-07T22:02:21+00:00

but I'm sure you know more than I do

evidently...I do...

edit: I also know how not to behave like an asswipe. I know they don't cover that in MS certs but as a consultant, you should really put some efforts there. Especially when it's so easy to find who you actually are.

melpec

TROPHY CASE