application-gateway-kubernetes-ingress: Can't assign port fp-443 to Private IP Listener already assigned to Public IP Listener
Describe the bug
A clear and concise description of what the bug is.
I have Ingress resources on an AKS cluster which need to use PrivateIp or PublicIp as their front end IP. I have configured one Ingress using public IP, which was fine; however, when using the private IP annotation (appgw.ingress.kubernetes.io/use-private-ip: "true") in another Ingress resource, I am getting the below error on AGIC:
```
E0715 15:13:23.665442 1 frontend_listeners.go:46] Can't assign port fp-443 to Private IP Listener fl-d84d98ab259764775ce8700847d97b66; already assigned to Public IP Listener fl-4db314dd864524bfe3bbc9786686cce0; Will not create listener {FrontendPort:443 HostNames:[ myapp-private.mydomain.com ] UsePrivateIP:true}
E0715 15:13:23.665476 1 frontend_listeners.go:46] Can't assign port port_80 to Private IP Listener fl-7ad98dd3ce13c2997644bffc6708100d; already assigned to Public IP Listener fl-658b918ffa5ca2a4cab5e0d72e383d46; Will not create listener {FrontendPort:80 HostNames:[ myapp-private.mydomain.com ] UsePrivateIP:true}
```
And it did not assign any Listeners on Private IP.
Please advise: is it possible to use Public and Private frontend IPs at the same time for the same ports on one AppGW?
Ingress1
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: aspnetapp
  namespace: ns1
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: rbccert
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    appgw.ingress.kubernetes.io/use-private-ip: "true"
spec:
  rules:
  - host: myapp-private.mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: aspnetapp
          servicePort: 80
```
Ingress2
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kyvos-network-utility
  namespace: kyvos-network-utility
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: rbccert
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  rules:
  - host: myapp.mydomain.com
    http:
      paths:
      - backend:
          serviceName: myapp
          servicePort: 80
        path: /
```
AGIC version: 1.2.0-rc2
AppGW: WAF V2
To Reproduce
Steps to reproduce the behavior:
Ingress Controller details
- Output of `kubectl describe pod <ingress controller>`. The <ingress controller> pod name can be obtained by running `helm list`.
- Output of `kubectl logs <ingress controller>`.
- Any Azure support tickets associated with this issue.
About this issue
- State: closed
- Created 4 years ago
- Reactions: 11
- Comments: 55 (18 by maintainers)
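A pre-deployment check for the conflict reported above, as an added example (not AGIC's code and not part of the original issue): it flags every port requested on both the public and the private frontend IP. The `Ingress` struct, the `ports` mapping and `PortConflicts` are hypothetical names and assumptions; the sample in `main` is constructed from the two manifests in the report.

```go
package main

import (
	"fmt"
	"sort"
)

// Ingress is a hypothetical, reduced view: only what decides the listeners.
type Ingress struct {
	Name         string
	UsePrivateIP bool // appgw.ingress.kubernetes.io/use-private-ip: "true"
	TLS          bool // certificate annotation (or spec.tls) present
	SSLRedirect  bool // appgw.ingress.kubernetes.io/ssl-redirect: "true"
}

// ports is an assumed mapping: TLS asks for 443; 80 is for HTTP or the redirect.
func ports(in Ingress) (ps []int) {
	if !in.TLS || in.SSLRedirect {
		ps = append(ps, 80)
	}
	if in.TLS {
		ps = append(ps, 443)
	}
	return ps
}

// PortConflicts lists each port requested on both public and private frontend IPs.
func PortConflicts(ings []Ingress) []string {
	byIP := map[bool]map[int][]string{true: {}, false: {}}
	for _, in := range ings {
		for _, p := range ports(in) {
			byIP[in.UsePrivateIP][p] = append(byIP[in.UsePrivateIP][p], in.Name)
		}
	}
	var out []string
	for p, priv := range byIP[true] {
		if pub, ok := byIP[false][p]; ok {
			out = append(out, fmt.Sprintf("port %d: private %v, public %v", p, priv, pub))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed from the two manifests in the report above.
	sample := []Ingress{{"aspnetapp", true, true, true}, {"kyvos-network-utility", false, true, true}}
	fmt.Println(PortConflicts(sample))
}
```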
This is a limitation on AppGW that we’re still working on. I’ve added this feature request to the roadmap as “In Progress”.
Hey Team,
Yes, there is a check in AGIC today on the same port. I apologize I was not clear; the changes have been made available for Application Gateway and can begin to be used as-is today. In parallel, we have been working on publishing v1.7 stable for both helm and add-on (helm already available); the changes for same port public/private listener in AGIC will be made available in the next release.
Thank you for your patience, Jack
+1 for having the possibility to use the same port on private and public listeners. We are in the middle of a huge deployment and we stumbled on this. For the time being we will use AppGateway only for public endpoints, but this limitation is quite strong for us and we’d really need to solve this quickly… otherwise we’ll have to fall back to competitor services
Bump - Curious if there are any updates on this?
We’re actively working on allowing the same port to be used with the public and private IP. We’ll update the thread as we continue to make progress on this capability.
This feature is not officially released yet. Please do not assume it should be available in all regions. We will provide another update this month.
Jack
Hey @emibcn,
Yes, we are invested in bringing this feature forward and have made progress internally. We will be able to share a more detailed update near end of next month.
Appreciate the patience; we understand the importance of getting this unblocked.
Happy new year! Jack
Hey Team,
Apologies for the delay on a much overdue update. We have made some more progress internally, but unfortunately don’t have a release announcement to make quite yet. I can absolutely confirm this is on our radar and we are actively working to unblock this. I will update this once we have more news to share – please continue to hold us accountable and feel free to keep on “@ing” me.
Thank you for your patience, Jack
Hey folks!
Appreciated all the patience on this. We are pleased to announce this is now available in AGIC v1.7.1, which can be deployed via helm today. https://github.com/Azure/application-gateway-kubernetes-ingress/releases/tag/1.7.1
Cheers! Jack
@JackStromberg I am still getting the same issue as others in this post. However, this is erratic.
I have had Public and Private HTTPS working during development. However, this morning all Private services have failed when I tried to deploy a new API Service.
Do I need to update the Cluster/Ingress?
UPDATE I have updated the Cluster to the latest version but I am still getting the same issue.
I am using AKS Plugin to deploy Ingress controller automatically from the Portal. This is giving me version: 1.5.3
UPDATE / UPDATE So Azure Application Gateway supports Public and Private listeners using the same Port (for example HTTPS).
However, this Ingress Controller does not support it.
Reviewing the latest code for the listener (0794fdc61c213), it clearly checks and errors if both
So does this Ingress Controller need updating before this AAG feature can be used?
Am I correct, and if so, how long will it take to get an update to this Controller?
Hey folks,
We appreciate your patience on this. As you can tell, this feature is in the process of its release, targeting completion early March. There are some changes that are still rolling out, so we do recommend holding off from attempting configuration prior to official release. We will post a service announcement once this functionality is ready here: https://azure.microsoft.com/updates/
I will update this issue with a link to the announcement once available and we can close this one out.
Thank you, Jack
Hey Team,
We are introducing an additional improvement related to the feature configuration and so the broader Azure Updates communication has been delayed this month. The documentation for the feature is out and you can begin to use this directly on Application Gateway via Portal, CLI, PS, Terraform, etc today. Please take note of the NSG rule requirements (if the subnet uses NSG) as creating same port for public and private listeners changes the incoming flow for all the listeners. https://learn.microsoft.com/azure/application-gateway/configuration-listeners#frontend-port
Feel free to try this out, looking forward to hearing how it goes!
Thank you, Jack
@JackStromberg, Have there been any developments on the availability of this feature?
Do you have an ETA on preview, @mscatyao?
Thanks @mhsh64, that’s exactly the feature we will release soon to make the ingress class configurable.