Configuring the Load Balancer

As part of the load balancer configuration, access must be granted to ports 443, 32080 and 32081 for product deployment. To achieve this, a health probe and a load balancing rule for each port must be added to the AKS load balancer.

These steps are explained below.

To add a health probe for each port using the Azure Portal:

  1. In the Azure portal, locate the Azure Kubernetes resource group. The AKS resource group name is in the format MC_<your_resource_group>_<aks_name>_<location>.
  2. Open the Kubernetes resource group.
  3. On the Kubernetes load balancer resource, click Health probes.
  4. Click + Add for Kubernetes load balancer health probes and specify values for the following:
    • Name: Assign a name to the probe.
    • Protocol: Select TCP.
    • Port: Specify 443.
  5. Repeat the steps above for ports 32080 and 32081.

To add a health probe for each port using the Azure Cloud Shell:

  1. Run the following command for each port:
    az network lb probe create -g <AKS RESOURCE GROUP> --lb-name kubernetes-internal -n <Port_Number>-hp --protocol tcp --port <Port_Number>

Where <Port_Number> will be replaced by 443, 32080 and 32081 each time the command is executed.

For example:

az network lb probe create -g mc_srg-demo_srg-demo-aks_westeurope --lb-name kubernetes-internal -n 443-hp --protocol tcp --port 443

To add a load balancing rule for each port using the Azure Portal:

  1. Open the Kubernetes resource group.
  2. Open the Kubernetes load balancer resource and click Load balancing rules.
  3. Click + Add for the Kubernetes load balancer load balancing rules and specify values for the following:
    • Name: Assign a name to the rule.
    • Protocol: Select TCP.
    • Port: Specify 443.
    • Backend port: Specify 443.
    • Health probe: Select the probe you previously created for port 443.
    • Session persistence: Select Client IP and protocol.
  4. Repeat the steps above for ports 32080 and 32081.

To add a load balancing rule for each port using the Azure Cloud Shell:

  1. Run the following command:
    az network lb rule create -g <AKS RESOURCE GROUP> --lb-name kubernetes-internal -n <Port_Number>-lb-rule --protocol Tcp --frontend-port <Port_Number> --backend-port <Port_Number> --probe-name <Port_Number>-hp --backend-pool-name kubernetes --load-distribution SourceIPProtocol

Where <Port_Number> will be replaced by 443, 32080 and 32081 each time the command is executed.

For example:

az network lb rule create -g mc_srg-demo_srg-demo-aks_westeurope --lb-name kubernetes-internal -n 443-lb-rule --protocol Tcp --frontend-port 443 --backend-port 443 --probe-name 443-hp --backend-pool-name kubernetes --load-distribution SourceIPProtocol

Static Versus Dynamic IP Address

After installation, the load balancer rules you created are shown with a dynamic IP address in the Azure portal. This can be misleading: because the service was patched with the PUBLIC_IP you specified earlier, that address is set statically in Kubernetes and is not actually dynamic. The PUBLIC_IP you set during patching is the address used for load balancing, regardless of what the portal shows.

Conditional - A health probe and load balancing rule for port 5443

The health probe and load balancing rule for port 5443 should have been added automatically, and the probe may already exist if capabilities have been deployed previously. If you cannot access the OMT portal, perform the steps below to add them manually. If the probe already exists, verify that its port matches the current NodePort of portal-ingress-controller-svc (the value obtained in step 1 below).

To add a health probe for port 5443 using the Azure Portal:

  1. On your jump host, run the following command to get the NodePort that portal-ingress-controller-svc maps to port 5443:
    kubectl get svc -n core | grep portal-ingress-controller-svc

Example output, showing the NodePort for 5443 as 31249:
portal-ingress-controller-svc NodePort 10.0.146.63 5443:31249/TCP,5444:31036/TCP 21m

  2. Open the Azure Portal and locate the Azure Kubernetes resource group. (The AKS resource group name is in the format MC_<your_resource_group>_<aks_name>_<location>.)
  3. Open the Kubernetes resource group.
  4. Locate the Kubernetes load balancer, and then open it.
  5. On the Kubernetes load balancer resource, click Health probes.
  6. Add a health probe for 5443 with Protocol TCP. The Port value must be the NodePort obtained in step 1 (31249 in the example), not 5443 itself.

To add a health probe for port 5443 using the Azure Cloud Shell:

  1. Get the AKS node resource group and store it in an environment variable for later use:
    CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group <RESOURCE GROUP> --name <AKS NAME> --query nodeResourceGroup -o tsv)

For example, for AKS srg-demo-aks from resource group srg-demo:
CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group srg-demo --name srg-demo-aks --query nodeResourceGroup -o tsv)

  2. Create the health probe by running the command:
    az network lb probe create -g $CLUSTER_RESOURCE_GROUP --lb-name kubernetes-internal -n 5443-hp --protocol tcp --port <NODE PORT>
<NODE PORT> is the NodePort obtained for portal-ingress-controller-svc in step 1 of the previous procedure.
Example:

az network lb probe create -g $CLUSTER_RESOURCE_GROUP --lb-name kubernetes-internal -n 5443-hp  --protocol tcp --port 31249

To add a load balancing rule for port 5443 using the Azure Portal:

  1. Open the Kubernetes load balancer, and then click Load balancing rules.
  2. Add a rule for port 5443 with Protocol TCP: set Port to 5443, set Backend port to the NodePort obtained previously for portal-ingress-controller-svc (31249 in the example), and set Health probe to the 5443 probe you just created.

To add a load balancing rule for port 5443 using the Azure Cloud Shell:

  1. Run the following command, where <NODE PORT> is the NodePort obtained previously for portal-ingress-controller-svc:
    az network lb rule create -g <AKS RESOURCE GROUP> --lb-name kubernetes-internal -n 5443-lb-rule --protocol Tcp --frontend-port 5443 --backend-port <NODE PORT> --probe-name 5443-hp --backend-pool-name kubernetes

For example:
az network lb rule create -g mc_srg-demo_srg-demo-aks_westeurope --lb-name kubernetes-internal -n 5443-lb-rule --protocol Tcp --frontend-port 5443 --backend-port 31249 --probe-name 5443-hp --backend-pool-name kubernetes
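The Cloud Shell procedures on this page can be scripted end to end. The script below is an added example, not part of the original documentation or of the product's own tooling. It assumes az and kubectl are installed and logged in on the jump host, that the load balancer is named kubernetes-internal with backend pool kubernetes as in the commands above, and that the service is portal-ingress-controller-svc in namespace core. It derives the 5443 backend port from the service's NodePort instead of hard-coding it, skips probes and rules that already exist so it is safe to re-run, passes --load-distribution Default for the 5443 rule (the value the page's command gets implicitly), and finishes by listing the rules so you can confirm that each one references a probe on its own backend port. Set DRY_RUN=1 to print the az commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the original documentation). Creates the health
# probes and load balancing rules for ports 443, 32080, 32081 and 5443 on the
# AKS load balancer. Assumed names, taken from the page: LB "kubernetes-internal",
# backend pool "kubernetes", service portal-ingress-controller-svc in namespace core.
set -eu

LB_NAME="kubernetes-internal"
POOL_NAME="kubernetes"

# Return the NodePort mapped to service port $2 in a kubectl PORT(S) string
# such as "5443:31249/TCP,5444:31036/TCP". Exits 1 if $2 is not listed.
nodeport_for() {
  ports="$1"; svc_port="$2"
  old_ifs=$IFS; IFS=','
  for entry in $ports; do
    sp=${entry%%:*}; rest=${entry#*:}; np=${rest%%/*}
    if [ "$sp" = "$svc_port" ]; then
      IFS=$old_ifs; printf '%s\n' "$np"; return 0
    fi
  done
  IFS=$old_ifs
  return 1
}

# Build the probe command: $1 = node resource group, $2 = name prefix
# (the frontend port), $3 = port the probe checks on the nodes.
probe_cmd() {
  printf 'az network lb probe create -g %s --lb-name %s -n %s-hp --protocol tcp --port %s\n' \
    "$1" "$LB_NAME" "$2" "$3"
}

# Build the rule command: $1 = node resource group, $2 = frontend port,
# $3 = backend (node) port, $4 = load distribution (SourceIPProtocol or Default).
rule_cmd() {
  printf 'az network lb rule create -g %s --lb-name %s -n %s-lb-rule --protocol Tcp --frontend-port %s --backend-port %s --probe-name %s-hp --backend-pool-name %s --load-distribution %s\n' \
    "$1" "$LB_NAME" "$2" "$2" "$3" "$2" "$POOL_NAME" "$4"
}

# Run a command string, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# Create the probe and rule for one frontend/backend pair, skipping anything
# that already exists so a hand-adjusted probe is not silently replaced.
ensure_port() {
  rg="$1"; front="$2"; back="$3"; dist="$4"
  if az network lb probe show -g "$rg" --lb-name "$LB_NAME" -n "$front-hp" >/dev/null 2>&1; then
    echo "probe $front-hp exists, skipping"
  else
    run "$(probe_cmd "$rg" "$front" "$back")"
  fi
  if az network lb rule show -g "$rg" --lb-name "$LB_NAME" -n "$front-lb-rule" >/dev/null 2>&1; then
    echo "rule $front-lb-rule exists, skipping"
  else
    run "$(rule_cmd "$rg" "$front" "$back" "$dist")"
  fi
}

main() {
  aks_rg="$1"; aks_name="$2"
  node_rg=$(az aks show --resource-group "$aks_rg" --name "$aks_name" --query nodeResourceGroup -o tsv)
  # Fixed ports: frontend and backend are equal, session persistence Client IP and protocol.
  for p in 443 32080 32081; do
    ensure_port "$node_rg" "$p" "$p" SourceIPProtocol
  done
  # 5443: the backend is whatever NodePort the service currently maps 5443 to.
  ports=$(kubectl get svc -n core portal-ingress-controller-svc --no-headers | awk '{print $5}')
  node_port=$(nodeport_for "$ports" 5443)
  ensure_port "$node_rg" 5443 "$node_port" Default
  # Verification: every rule's backend port should match the port of its probe.
  az network lb rule list -g "$node_rg" --lb-name "$LB_NAME" \
    --query '[].{rule:name,frontend:frontendPort,backend:backendPort,probe:probe.id}' -o table
}

# Usage: ./lb-ports.sh apply <RESOURCE GROUP> <AKS NAME>   (DRY_RUN=1 to preview)
case "${1:-}" in
  apply) main "$2" "$3" ;;
esac
```

If the NodePort of portal-ingress-controller-svc changes (for example after the service is recreated), the existing 5443 probe and rule still point at the old port and the probe marks every backend unhealthy; delete them or update their ports before re-running, since the script deliberately does not overwrite existing entries.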

Next Step: Labeling Azure Kubernetes Service Nodes