Skip to article
Containers AKS networking

AKS ingress controller

Microsoft Learn explains AKS ingress through Kubernetes ingress resources and controllers that route HTTP or HTTPS traffic to services in a cluster. AKS application routing options can configure ingress controllers, DNS integration, TLS handling, and related networking components for production applications.

Source: Microsoft Learn - Ingress in Azure Kubernetes Service (AKS) Reviewed 2026-05-30

Exam trap
Creating an Ingress object without a matching controller or ingress class.
Production check
List ingress resources and confirm host, path, service name, port, and class.
Article details and learning context
Aliases
AKS ingress, Ingress controller for AKS, Kubernetes ingress controller
Difficulty
intermediate
CLI mappings
5
Last verified
2026-05-30
Article depth
field-manual-complete

Understand the concept

In plain English

An AKS ingress controller is the traffic router that makes web applications inside a Kubernetes cluster reachable through host names and paths. Developers define Ingress rules, and the controller turns those rules into HTTP or HTTPS routing. Without one, teams often expose every service separately, which becomes messy and expensive. In AKS, ingress may use managed application routing, NGINX-based controllers, or other Azure application networking choices where DNS, TLS, public access, and private access meet.

Why it matters

AKS ingress controllers matter because the first broken symptom users see is often a web outage, but the cause may be routing, certificates, DNS, load balancer health, controller pods, or backend endpoints. A well-designed ingress layer lets services share a controlled entry point, enforce TLS, route by host or path, and keep private workloads private. A poorly understood layer causes public exposure mistakes, certificate expirations, confusing 404 or 502 errors, and duplicated load balancers. The controller gives teams a shared troubleshooting map from client request to pod. A small routing change can redirect or expose production traffic. Tracing must start at hostname and end at ready pods, not stop at the load balancer.

Technical context

Technically, an ingress controller runs in or alongside an AKS cluster and watches Kubernetes Ingress resources, Services, Secrets, ingress classes, and controller configuration. It updates a data plane that accepts HTTP or HTTPS traffic and forwards requests to the right Kubernetes service. AKS designs may involve Azure Load Balancer, Azure DNS, private DNS zones, TLS certificates, Application Gateway, Front Door, or Gateway API migration plans. Operators distinguish the Ingress object from controller pods and Azure resources.

Exam context

What to know

operator-ready

Compare with

Where it is used

Where you see it

  1. In Kubernetes manifests, Ingress resources define hosts, paths, TLS secret names, service backends, annotations, and ingress class selection for each route. for reconciliation decisions for reconciliation decisions
  2. In AKS and CLI output, application routing add-on state, load balancer IPs, DNS configuration, and cluster networking explain how traffic enters. before route changes before route changes
  3. In logs and events, controller pods report certificate issues, invalid backends, rejected annotations, empty endpoints, and routing failures behind 404 or 502 responses. during outage triage

Common situations

  • Expose several AKS services through one HTTPS entry point using host and path routing.
  • Publish private internal applications through internal ingress and private DNS without public IPs.
  • Centralize TLS certificate handling for Kubernetes apps that share domain ownership.
  • Troubleshoot 404, 502, or certificate errors by tracing DNS to service endpoints.
  • Plan migration from older ingress patterns to supported application routing or Gateway API designs.

Illustrative Azure scenarios

These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.

Scenario 01 Consolidating classroom routes Scenario, objectives, solution, measured impact, and takeaway.
Scenario

An online education platform exposed each course service with its own Kubernetes LoadBalancer service. DNS records, certificates, and firewall rules multiplied every semester.

Goals
  • Publish 36 course services through shared HTTPS routing.
  • Reduce public load balancer addresses.
  • Centralize TLS handling for the learning domain.
  • Give instructors stable URLs before classes start.
Approach using AKS ingress controller

The platform team deployed a managed AKS application routing pattern with an ingress controller and standardized Ingress manifests for each course namespace. Host and path rules mapped course URLs to Kubernetes services, while certificate secrets were managed through a controlled process. Azure DNS records pointed to the ingress service address instead of separate service IPs. Admission rules limited which namespaces could claim production hostnames. Operators used CLI to verify AKS add-on state and kubectl to inspect ingress rules, events, services, and endpoints. The team documented owners, rollback steps, monitoring signals, and approval notes so support staff could explain the change during incidents.

Potential outcomes
  • Public load balancer addresses dropped from 36 to 4 shared entry points.
  • New course URL setup time fell from three days to under four hours.
  • Certificate-related launch incidents decreased 81 percent.
  • Broken class-link tickets dropped 57 percent during enrollment.
What to learn

An AKS ingress controller gives many services a governed web entry point without making every service a network project.

Scenario 02 Keeping dashboards private Scenario, objectives, solution, measured impact, and takeaway.
Scenario

An industrial IoT team hosted equipment dashboards in AKS for several factories. Early prototypes accidentally exposed internal dashboards through public IP addresses during vendor testing.

Goals
  • Route dashboard traffic through private ingress only.
  • Use private DNS names inside factory and corporate networks.
  • Prevent namespace owners from creating public ingress accidentally.
  • Improve troubleshooting for operator-reported 502 errors.
Approach using AKS ingress controller

Network engineers replaced public LoadBalancer services with an internal ingress controller tied to a private load balancer address. Private DNS zones resolved dashboard hostnames to the internal address, and network rules limited access to approved corporate and plant networks. Kubernetes policy blocked public service exposure in dashboard namespaces. Runbooks taught operators to check DNS resolution, ingress class, controller pods, service endpoints, and readiness probes before escalation. CLI evidence captured the AKS network profile, while kubectl output proved backend health. Before-and-after command output was attached to the ticket, giving auditors a clear view of scope, permissions, and expected behavior.

Potential outcomes
  • Unapproved public dashboard exposure was eliminated across 14 namespaces.
  • Average 502 troubleshooting time fell from 52 minutes to 11 minutes.
  • Vendor testing continued through approved private access without code changes.
  • Security findings dropped from nine ingress issues to one documentation correction.
What to learn

Ingress design is a security boundary when internal AKS applications must stay internal and operable.

Scenario 03 Planning ingress modernization Scenario, objectives, solution, measured impact, and takeaway.
Scenario

A city digital services group used an older community ingress controller for permit and licensing portals. Support changes forced a planned modernization instead of an emergency migration.

Goals
  • Inventory every public host, TLS secret, ingress class, and backend service.
  • Move high-risk citizen portals to a supported routing path first.
  • Avoid downtime during hostname cutovers.
  • Create ownership records for certificates and routing rules.
Approach using AKS ingress controller

The platform team exported all Ingress resources across namespaces and grouped them by host, certificate, service owner, and traffic criticality. They deployed a supported AKS ingress path in parallel, then migrated one low-risk portal and one high-traffic permit service using monitored DNS cutovers and rollback records. Certificate secrets were rotated into a managed process with owner tags and expiration alerts. Each route documented ingress class, controller address, DNS record, backend service, readiness probe, and monitoring dashboard before the old route was removed. The runbook included validation commands, rollback timing, and owner contacts so the handoff remained clear after the project team left.

Potential outcomes
  • Seventy-two public routes were inventoried, and 19 stale routes were removed.
  • Two critical portals moved with zero downtime during DNS cutovers.
  • Certificate ownership coverage improved from 46 percent to 100 percent.
  • Ingress-related emergency changes dropped 60 percent the following quarter.
What to learn

Lifecycle-managing ingress controllers prevents routing technology changes from becoming emergency migrations.

Azure CLI

I use Azure CLI for AKS ingress work because problems cross Azure and Kubernetes boundaries. CLI tells me whether application routing is enabled, which resource group and network profile are in use, and which managed add-ons are active. Kubernetes commands then show ingress classes, controller pods, services, endpoints, secrets, and events. In production, I want evidence for add-on state, load balancer address, DNS record, TLS secret, and backend endpoints before changing routing. CLI retrieves the AKS cluster profile before kubectl checks inspect ingress resources. Evidence is stronger when Azure and Kubernetes output tell the same route story. Scripts can compare controller deployments, services, certificates, and endpoints across clusters.

Useful for

  • Show AKS add-on and network state before enabling or changing application routing.
  • List ingress objects, classes, services, and endpoints to verify live backends.
  • Inspect controller pods and events during a web outage.
  • Confirm load balancer IP and DNS alignment before hostname cutover.
  • Export ingress inventory for review of public hosts, TLS secrets, and annotations.

Before you run a command

  • Confirm tenant, subscription, resource group, cluster name, namespace, ingress class, hostname, and exposure type.
  • Check Azure and Kubernetes permissions because diagnosis may require secrets or events.
  • Review DNS, certificate ownership, WAF routing, and backend dependencies before changing paths.
  • Estimate cost before adding load balancers, gateways, public IPs, logs, or replicas.
  • Use read-only commands first and save current manifests before applying routing changes.

What the output tells you

  • Ingress class fields show which controller should reconcile a rule.
  • Address fields show the public or private IP or hostname clients should reach.
  • Service and endpoint output proves whether the route has healthy backend pods.
  • Events and logs explain rejected annotations, missing TLS secrets, invalid services, and timeouts.

Mapped commands

AKS ingress controller operational commands

adjacent
az aks show --resource-group <resource-group> --name <cluster-name>
az aksdiscoverContainers
az aks update --resource-group <resource-group> --name <cluster-name> --enable-app-routing
az aksconfigureContainers
kubectl describe ingress <ingress-name> -n <namespace>
kubectl get svc,endpoints,pods -n <namespace>

Architecture context

Architecturally, the AKS ingress controller is where cluster networking becomes application access. I decide early whether ingress should be public, private, protected by Front Door or Application Gateway, or replaced by a Gateway API pattern for newer designs. That decision affects certificates, DNS ownership, WAF placement, source IP preservation, path routing, health probes, and who can publish routes. Shared ingress is efficient, but it needs governance so one namespace cannot hijack another team's host name. Ingress design decides whether teams share controllers or isolate traffic paths. The route model becomes part of the platform contract. Architects should align controller choice with WAF, TLS, private access, and DNS needs.

Security
Security impact is direct because ingress controls how clients reach workloads. Mistakes can expose private APIs, terminate TLS incorrectly, accept weak host rules, or route traffic to the wrong namespace. Teams should restrict who can create Ingress resources, review annotations, automate certificate management, and decide where WAF protection belongs. Private ingress should use internal load balancers and private DNS rather than accidental public IPs. TLS secrets must be protected, rotated, and separated by environment. TLS termination, allowed hostnames, source restrictions, and WAF placement all matter. Controller permissions should be limited to the namespaces and resources it needs. A wildcard route or stale certificate can expose services unexpectedly.
Cost
Cost impact is usually indirect but noticeable. A shared ingress controller can reduce public IPs and load balancers created for individual services. Adding Application Gateway, Front Door, private DNS, WAF, extra controller replicas, or verbose access logs can increase cost. Poor routing design can create unnecessary data transfer or duplicate edge layers. FinOps reviews should check LoadBalancer services, unused controllers, log retention, private versus public routing, and ownership tags. Ingress cost often comes from adjacent load balancers, public IPs, WAF, and logging. Dedicated controllers may be justified for regulated or high-traffic workloads. Sharing controllers can lower cost but increases coordination overhead.
Reliability
Reliability depends on controller health, replica count, load balancer behavior, DNS, certificates, backend services, and pod readiness. If controller pods crash, endpoints are empty, or certificates expire, many applications can fail together. Shared ingress creates shared blast radius, so operators monitor controller pods, service IPs, status codes, backend latency, certificate expiration, and DNS changes. Rolling changes to ingress classes or controller configuration need canary testing and rollback. Controller replicas, load balancer health, DNS TTL, and backend readiness affect uptime. A broken shared controller can impact many services at once. Rollback plans should include ingress objects and controller configuration. AKS ingress controller reliability evidence should be captured before approval 1.
Performance
Performance depends on the full ingress path, not just the application pod. Controller capacity, TLS termination, request buffering, path matching, backend endpoints, network hops, WAF inspection, and upstream timeouts influence response time. A single under-resourced controller can throttle many services. Operators should monitor request rate, latency, connection counts, 502 and 504 rates, controller CPU and memory, and backend readiness before changing application code. Routing latency depends on controller health, backend readiness, TLS, and load balancer behavior. Performance checks should include ingress metrics and pod-level response time. Misconfigured timeouts or buffers can look like application slowness. AKS ingress controller performance evidence should be captured before approval 1.
Operations
Operators troubleshoot ingress by following the request path: DNS name, public or private IP, load balancer or gateway, ingress controller service, Ingress rule, Kubernetes service, endpoints, and pods. Common tasks include listing ingress objects, checking controller pods, validating TLS secrets, reviewing events, confirming DNS records, and comparing expected host rules with live configuration. Change records should name hostname, path, namespace, ingress class, certificate, address, and rollback command. Operators should inspect ingress, service, endpoint, certificate, and controller pod state together. Ownership labels help route incidents to the right application team. Runbooks must show how to test each hostname before and after a change. AKS ingress controller operations evidence should be captured before approval 1.

Common mistakes

  • Creating an Ingress object without a matching controller or ingress class.
  • Pointing DNS to an old load balancer address after recreating the controller service.
  • Storing TLS secrets in the wrong namespace or letting certificates expire.
  • Assuming a 502 means the controller is broken when the service has no endpoints.
  • Allowing any namespace owner to claim shared production host names.