Background
I don't get many chances to use Azure AGIC, but today I tried building it.
The reference procedure is the following.
https://learn.microsoft.com/ja-jp/azure/application-gateway/tutorial-ingress-controller-add-on-new
The main contents are as follows.
• Create the AKS cluster: use the Azure CLI to deploy a new AKS cluster with the AGIC add-on enabled.
• Configure Application Gateway: if there is no existing Application Gateway, a new Standard_v2 SKU instance is created automatically and handles traffic to the AKS cluster.
• Deploy the sample application: deploy a sample app using AGIC and check the ingress configuration.
Work performed
1. Create a resource group.
az group create --name myResourceGroup2 --location japaneast
PS C:\Users\hirtan> az group create --name myResourceGroup2 --location japaneast
{
"id": "/subscriptions/xxxxxxxx/resourceGroups/myResourceGroup2",
"location": "japaneast",
"managedBy": null,
"name": "myResourceGroup2",
"properties": {
"provisioningState": "Succeeded"
},
"tags": null,
"type": "Microsoft.Resources/resourceGroups"
}
2. This command quickly deploys an AKS cluster integrated with AGIC and configures its networking and authentication.
az aks create -n myCluster -g myResourceGroup2 --network-plugin azure --enable-managed-identity -a ingress-appgw --appgw-name myApplicationGateway --appgw-subnet-cidr "10.225.0.0/16" --generate-ssh-keys
• -n myCluster: sets the cluster name to "myCluster".
• -g myResourceGroup2: specifies "myResourceGroup2" as the resource group in which to create the cluster.
• --network-plugin azure: uses the Azure CNI network plugin (Azure-integrated network configuration).
• --enable-managed-identity: enables a managed identity (simplifies authentication and access management).
• -a ingress-appgw: enables the Application Gateway Ingress Controller (AGIC) add-on.
• --appgw-name myApplicationGateway: specifies "myApplicationGateway" as the name of the Application Gateway to use.
• --appgw-subnet-cidr "10.225.0.0/16": specifies the subnet CIDR for the Application Gateway (example: 10.225.0.0/16).
• --generate-ssh-keys: generates an SSH key pair automatically (for secure access to the cluster).
PS C:\Users\hirtan> az aks create -n myCluster -g myResourceGroup2 --network-plugin azure --enable-managed-identity -a ingress-appgw --appgw-name myApplicationGateway --appgw-subnet-cidr "10.225.0.0/16" --generate-ssh-keys
SSH key files 'C:\Users\hirtan\.ssh\id_rsa' and 'C:\Users\hirtan\.ssh\id_rsa.pub' have been generated under ~/.ssh to allow SSH access to the VM. If using machines without permanent storage like Azure Cloud Shell without an attached file share, back up your keys to a safe location
docker_bridge_cidr is not a known attribute of class <class 'azure.mgmt.containerservice.v2024_05_01.models._models_py3.ContainerServiceNetworkProfile'> and will be ignored
{
"aadProfile": null,
"addonProfiles": {
"ingressApplicationGateway": {
"config": {
"applicationGatewayName": "myApplicationGateway",
"effectiveApplicationGatewayId": "/subscriptions/xxxxxxx/resourceGroups/MC_myResourceGroup2_myCluster_japaneast/providers/Microsoft.Network/applicationGateways/myApplicationGateway",
"subnetCIDR": "10.225.0.0/16"
},
"enabled": true,
"identity": {
"clientId": "30ded8f2-e9e8-477a-9ea2-d866a40b2786",
"objectId": "05319dd7-61ab-4849-ae70-72f5c4e8f67c",
"resourceId": "/subscriptions/2xxxxxxxx/resourcegroups/MC_myResourceGroup2_myCluster_japaneast/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ingressapplicationgateway-mycluster"
}
}
},
"agentPoolProfiles": [
{
"availabilityZones": null,
"capacityReservationGroupId": null,
"count": 3,
"creationData": null,
"currentOrchestratorVersion": "1.32.5",
"enableAutoScaling": false,
"enableEncryptionAtHost": false,
"enableFips": false,
"enableNodePublicIp": false,
"enableUltraSsd": false,
"gpuInstanceProfile": null,
"hostGroupId": null,
"kubeletConfig": null,
"kubeletDiskType": "OS",
"linuxOsConfig": null,
"maxCount": null,
"maxPods": 30,
"minCount": null,
"mode": "System",
"name": "nodepool1",
"networkProfile": null,
"nodeImageVersion": "AKSUbuntu-2204gen2containerd-202506.16.0",
"nodeLabels": null,
"nodePublicIpPrefixId": null,
"nodeTaints": null,
"orchestratorVersion": "1.32",
"osDiskSizeGb": 128,
"osDiskType": "Managed",
"osSku": "Ubuntu",
"osType": "Linux",
"podSubnetId": null,
"powerState": {
"code": "Running"
},
"provisioningState": "Succeeded",
"proximityPlacementGroupId": null,
"scaleDownMode": "Delete",
"scaleSetEvictionPolicy": null,
"scaleSetPriority": null,
"spotMaxPrice": null,
"tags": null,
"type": "VirtualMachineScaleSets",
"upgradeSettings": {
"drainTimeoutInMinutes": null,
"maxSurge": "10%",
"nodeSoakDurationInMinutes": null
},
"vmSize": "Standard_DS2_v2",
"vnetSubnetId": null,
"windowsProfile": null,
"workloadRuntime": null
}
],
"apiServerAccessProfile": null,
"autoScalerProfile": null,
"autoUpgradeProfile": {
"nodeOsUpgradeChannel": "NodeImage",
"upgradeChannel": null
},
"azureMonitorProfile": null,
"azurePortalFqdn": "mycluster-myresourcegroup2-2b18bb-9443aj96.portal.hcp.japaneast.azmk8s.io",
"currentKubernetesVersion": "1.32.5",
"disableLocalAccounts": false,
"diskEncryptionSetId": null,
"dnsPrefix": "myCluster-myResourceGroup2-2b18bb",
"enablePodSecurityPolicy": null,
"enableRbac": true,
"extendedLocation": null,
"fqdn": "mycluster-myresourcegroup2-2b18bb-9443aj96.hcp.japaneast.azmk8s.io",
"fqdnSubdomain": null,
"httpProxyConfig": null,
"id": "/subscriptions/xxxxxxxxxx/resourcegroups/myResourceGroup2/providers/Microsoft.ContainerService/managedClusters/myCluster",
"identity": {
"delegatedResources": null,
"principalId": "cdc31149-7099-4bd9-9c85-446af92b282e",
"tenantId": "1xxxxxxx",
"type": "SystemAssigned",
"userAssignedIdentities": null
},
"identityProfile": {
"kubeletidentity": {
"clientId": "58a6e69e-e913-40ae-ac32-eb2b2b34a983",
"objectId": "26bff2c2-8477-4321-9373-8fe5820bd8c5",
"resourceId": "/subscriptions/xxxxxxxxx/resourcegroups/MC_myResourceGroup2_myCluster_japaneast/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myCluster-agentpool"
}
},
"ingressProfile": null,
"kubernetesVersion": "1.32",
"linuxProfile": {
"adminUsername": "azureuser",
"ssh": {
"publicKeys": [
{
"keyData": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDYloSBQKMA0pYrHdmYCSG1zWfsdommnvGQaGrkgZRz+Nb+kCk17mwXI8ZnsoYcMGep4ADxv4lGNh9/o73V12kff4Y+ejVxh8rDj5c2Ct5/2XfDhrgoa+JUA1qZLlVF/Zkv1G+XHRxqE/7G5zuarUg9GxKll0cliEfPLAHT3XrvvCWqP/iJ73PgVtnc2X2tgSE47SANKh0GFDgDRQGuQzKE2xGttNK4TS1z+iW0CCX/WOuphK6iFx/nDXHuqV69updYAomRts8/fjesAr9TwRq1uhwgqRn6cM36WnFCWXaVq1Xgl8IdOCfwBaB7JnUX7tlh3h4rkSHCS5lqGy6sNB/"
}
]
}
},
"location": "japaneast",
"maxAgentPools": 100,
"metricsProfile": {
"costAnalysis": {
"enabled": false
}
},
"name": "myCluster",
"networkProfile": {
"dnsServiceIp": "10.0.0.10",
"ipFamilies": [
"IPv4"
],
"loadBalancerProfile": {
"allocatedOutboundPorts": null,
"backendPoolType": "nodeIPConfiguration",
"effectiveOutboundIPs": [
{
"id": "/subscriptions/xxxxxxxxxx/resourceGroups/MC_myResourceGroup2_myCluster_japaneast/providers/Microsoft.Network/publicIPAddresses/7c29b662-27e6-43b3-b71b-c5a7516b08ab",
"resourceGroup": "MC_myResourceGroup2_myCluster_japaneast"
}
],
"enableMultipleStandardLoadBalancers": null,
"idleTimeoutInMinutes": null,
"managedOutboundIPs": {
"count": 1,
"countIpv6": null
},
"outboundIPs": null,
"outboundIpPrefixes": null
},
"loadBalancerSku": "standard",
"natGatewayProfile": null,
"networkDataplane": "azure",
"networkMode": null,
"networkPlugin": "azure",
"networkPluginMode": null,
"networkPolicy": "none",
"outboundType": "loadBalancer",
"podCidr": null,
"podCidrs": null,
"serviceCidr": "10.0.0.0/16",
"serviceCidrs": [
"10.0.0.0/16"
]
},
"nodeResourceGroup": "MC_myResourceGroup2_myCluster_japaneast",
"oidcIssuerProfile": {
"enabled": false,
"issuerUrl": null
},
"podIdentityProfile": null,
"powerState": {
"code": "Running"
},
"privateFqdn": null,
"privateLinkResources": null,
"provisioningState": "Succeeded",
"publicNetworkAccess": null,
"resourceGroup": "myResourceGroup2",
"resourceUid": "686f3edf03e9570001a3498f",
"securityProfile": {
"azureKeyVaultKms": null,
"defender": null,
"imageCleaner": null,
"workloadIdentity": null
},
"serviceMeshProfile": null,
"servicePrincipalProfile": {
"clientId": "msi",
"secret": null
},
"sku": {
"name": "Base",
"tier": "Free"
},
"storageProfile": {
"blobCsiDriver": null,
"diskCsiDriver": {
"enabled": true
},
"fileCsiDriver": {
"enabled": true
},
"snapshotController": {
"enabled": true
}
},
"supportPlan": "KubernetesOfficial",
"systemData": null,
"tags": null,
"type": "Microsoft.ContainerService/ManagedClusters",
"upgradeSettings": null,
"windowsProfile": {
"adminPassword": null,
"adminUsername": "azureuser",
"enableCsiProxy": true,
"gmsaProfile": null,
"licenseType": null
},
"workloadAutoScalerProfile": {
"keda": null,
"verticalPodAutoscaler": null
}
}
3. Assign the "Network Contributor" role on the specified subnet ($appGatewaySubnetId) to AGIC's managed identity ($agicAddonIdentity).
This allows AGIC to manage the Application Gateway and the related network resources.
PS C:\Users\hirtan> $appGatewayId=$(az aks show -n myCluster -g myResourceGroup2 -o tsv --query "addonProfiles.ingressApplicationGateway.config.effectiveApplicationGatewayId")
PS C:\Users\hirtan> $appGatewaySubnetId=$(az network application-gateway show --ids $appGatewayId -o tsv --query "gatewayIPConfigurations[0].subnet.id")
PS C:\Users\hirtan> $agicAddonIdentity=$(az aks show -n myCluster -g myResourceGroup2 -o tsv --query "addonProfiles.ingressApplicationGateway.identity.clientId")
PS C:\Users\hirtan> az role assignment create --assignee $agicAddonIdentity --scope $appGatewaySubnetId --role "Network Contributor"
{
"condition": null,
"conditionVersion": null,
"createdBy": null,
"createdOn": "2025-07-10T04:22:43.733116+00:00",
"delegatedManagedIdentityResourceId": null,
"description": null,
"id": "/subscriptions/2b18bbb8-3bc5-42f1-a0cf-d0e054d62ac4/resourceGroups/MC_myResourceGroup2_myCluster_japaneast/providers/Microsoft.Network/virtualNetworks/aks-vnet-80507374/subnets/myApplicationGateway-subnet/providers/Microsoft.Authorization/roleAssignments/2117ae76-a821-4f92-9bbd-0197b1f0b3de",
"name": "2117ae76-a821-4f92-9bbd-0197b1f0b3de",
"principalId": "05319dd7-61ab-4849-ae70-72f5c4e8f67c",
"principalType": "ServicePrincipal",
"resourceGroup": "MC_myResourceGroup2_myCluster_japaneast",
"roleDefinitionId": "/subscriptions/xxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
"scope": "/subscriptions/xxxxxxxxxx/resourceGroups/MC_myResourceGroup2_myCluster_japaneast/providers/Microsoft.Network/virtualNetworks/aks-vnet-80507374/subnets/myApplicationGateway-subnet",
"type": "Microsoft.Authorization/roleAssignments",
"updatedBy": "0ce05631-f772-459c-a6e7-2f685ca46744",
"updatedOn": "2025-07-10T04:22:44.386136+00:00"
}
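A check I would run after steps 2 and 3, as an added example that is not from this post or from the Microsoft tutorial: it reads the parsed JSON from `az aks show` and `az role assignment create`, confirms the add-on is enabled, verifies that the Application Gateway subnet CIDR does not overlap the cluster's service CIDR or DNS service IP, and confirms the Network Contributor assignment went to the AGIC identity and is scoped to the subnet only (not to the resource group or subscription). The two samples are constructed from the output shapes shown above, and the subscription id is a placeholder.

```python
import ipaddress

# Network Contributor built-in role id, as it appears in the page's roleDefinitionId output
NETWORK_CONTRIBUTOR_ROLE_ID = "4d97b98b-1d4f-4787-a291-c67834d212e7"
SUB = "/subscriptions/xxxxxxxx"  # placeholder; the subscription id is masked on the page as well

# Constructed sample: only the parts of `az aks show` output these checks read (shape as on the page)
AKS_SHOW_SAMPLE = {
    "addonProfiles": {"ingressApplicationGateway": {
        "enabled": True,
        "config": {"applicationGatewayName": "myApplicationGateway", "subnetCIDR": "10.225.0.0/16"},
        "identity": {"clientId": "30ded8f2-e9e8-477a-9ea2-d866a40b2786",
                     "objectId": "05319dd7-61ab-4849-ae70-72f5c4e8f67c"}}},
    "networkProfile": {"serviceCidr": "10.0.0.0/16", "dnsServiceIp": "10.0.0.10"},
}
# Constructed sample: the parts of `az role assignment create` output these checks read
ROLE_ASSIGNMENT_SAMPLE = {
    "principalId": "05319dd7-61ab-4849-ae70-72f5c4e8f67c",
    "roleDefinitionId": SUB + "/providers/Microsoft.Authorization/roleDefinitions/" + NETWORK_CONTRIBUTOR_ROLE_ID,
    "scope": SUB + "/resourceGroups/MC_myResourceGroup2_myCluster_japaneast/providers/"
             "Microsoft.Network/virtualNetworks/aks-vnet-80507374/subnets/myApplicationGateway-subnet",
}

def agic_addon_config(aks_show: dict) -> dict:
    """Select the fields step 3 relies on (the ones the page's --query expressions pull)."""
    addon = aks_show.get("addonProfiles", {}).get("ingressApplicationGateway")
    if not addon or not addon.get("enabled"):
        raise ValueError("ingress-appgw add-on is not enabled on this cluster")
    return {"subnet_cidr": addon["config"]["subnetCIDR"],
            "client_id": addon["identity"]["clientId"],  # the value passed to --assignee
            "object_id": addon["identity"]["objectId"]}  # the value recorded as principalId

def cidr_conflicts(aks_show: dict) -> list:
    """Reasons the Application Gateway subnet would collide with the cluster's service range."""
    appgw = ipaddress.ip_network(agic_addon_config(aks_show)["subnet_cidr"])
    net = aks_show["networkProfile"]
    problems = []
    if appgw.overlaps(ipaddress.ip_network(net["serviceCidr"])):
        problems.append(f"{appgw} overlaps serviceCidr {net['serviceCidr']}")
    if ipaddress.ip_address(net["dnsServiceIp"]) in appgw:
        problems.append(f"dnsServiceIp {net['dnsServiceIp']} lies inside {appgw}")
    return problems

def role_assignment_is_scoped(assignment: dict, aks_show: dict) -> bool:
    """Step 3 check: Network Contributor, granted to the AGIC identity, scoped to a single subnet."""
    role_ok = assignment["roleDefinitionId"].rsplit("/", 1)[-1].lower() == NETWORK_CONTRIBUTOR_ROLE_ID
    scope_ok = "/virtualNetworks/" in assignment["scope"] and "/subnets/" in assignment["scope"]
    principal_ok = assignment["principalId"].lower() == agic_addon_config(aks_show)["object_id"].lower()
    return role_ok and scope_ok and principal_ok
```

Note that `--assignee` is given the add-on identity's clientId, while the resulting assignment records its objectId as principalId; the last check compares against the objectId for that reason.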
4. Get the credentials for the Azure Kubernetes Service (AKS) cluster and deploy the sample application.
PS C:\Users\hirtan> az aks get-credentials -n myCluster -g myResourceGroup2
Merged "myCluster" as current context in C:\Users\hirtan\.kube\config
PS C:\Users\hirtan> kubectl apply -f https://raw.githubusercontent.com/Azure/application-gateway-kubernetes-ingress/master/docs/examples/aspnetapp.yaml
Verifying the result
The following resources were created under the resource group. AKS and the App GW are both there.