Hello @Biswajit Sahu,
Hope you're doing well!
Thank you for your patience and time. Please find below the detailed step-by-step instructions for the setup.
I have set up the configuration using only the HTTP route. If you want to enable HTTPS, you need to add the TLS/SSL certificates in Azure Front Door. Additionally, you must configure HTTPS listeners in the gateway.yaml file on the AKS cluster, as demonstrated in Step 8. Only then will HTTPS requests be handled properly.
Step 1: Creating an AKS Cluster Using Azure Portal
Please refer to the document below for setting up an AKS cluster.
https://learn.microsoft.com/en-us/azure/aks/learn/quick-kubernetes-deploy-portal?tabs=azure-cli
Step 2: Create a Subnet for Application Gateway for Containers (AGC)
Next, we need to create a dedicated subnet that will be used by AGC. This subnet must be delegated to the correct Azure service to enable integration.
- In the Azure portal, navigate to Virtual Networks and select the VNet you used while creating the AKS cluster.
- Go to the Subnets section and click “+ Subnet” to add a new one.
- Enter the following details:
  - Name: subnet-alb
  - Address range: 10.0.1.0/24
  - Subnet delegation: Choose Microsoft.ServiceNetworking/trafficControllers
Refer to the screenshot below for a visual reference:
- Click Save to create the subnet.
Note: Delegating the subnet is a required step for AGC to function properly. Without it, the controller won't be able to provision network resources.
Step 3: Create a User-Assigned Managed Identity for AGC
The Application Gateway for Containers (AGC) controller requires a managed identity to authenticate securely with Azure resources.
To do this securely, we assign it a user-assigned managed identity. This identity is then granted specific IAM roles so it can perform only the actions it needs — following least privilege principles.
- In the Azure portal, search for Managed Identities and click “+ Create”.
- Provide the required details:
  - Resource Group: Use the same one you used for your AKS cluster (e.g., myRG01).
  - Region: Choose the same region as your AKS cluster.
  - Name: Give the identity a clear name, such as alb-identity.
Refer to the screenshot below for a visual reference:
- Click Review + Create to provision the identity.
Once the managed identity is created:
- Navigate to its Overview section.
- Copy the Client ID and Object ID — you will need these later when installing the AGC (ALB) controller via Helm.
Refer to the screenshot below for a visual reference:
Tip: It is a good practice to store the Client ID and Object ID somewhere safe for quick reference during the setup.
Step 4: Assign IAM Roles to the Managed Identity
To allow the AGC controller to configure and access network resources, we need to assign the required IAM roles to the managed identity created in the previous step.
Assign Role on the Resource Group:
- Go to the Resource Group used for your AKS and AGC resources (e.g., myRG01).
- Navigate to Access Control (IAM) and click “+ Add > Add role assignment”.
- Choose the following:
  - Role: App Gateway for Containers Configuration Manager
  - Assign access to: Managed Identity
  - Select: Choose the managed identity you created earlier in Step 3 (e.g., alb-identity).
- Click Review + Create to provision the Role Assignment.
Refer to the screenshot below for a visual reference:
Assign Role on the Subnet:
- Now go to the Virtual Network, and then open the Subnets section.
- Select the subnet created for AGC (e.g., subnet-alb).
- Click on Access Control (IAM) > Add role assignment.
- Use the following:
  - Role: Network Contributor
  - Assign access to: Managed Identity
  - Select: Choose the same identity (alb-identity).
- Click Review + Create to provision the Role Assignment.
Refer to the screenshot below for a visual reference:
Note: These roles allow the AGC controller to manage traffic routing and network configuration within the designated subnet.
Step 5: Add a Federated Credential to the Managed Identity
To allow the AGC controller running in AKS to securely authenticate as the managed identity, we’ll configure a federated credential.
- Go to the Managed Identity you created earlier (e.g., alb-identity).
- In the left-hand menu, select Federated credentials, then click “+ Add”.
- Choose the following settings:
  - Scenario: Kubernetes accessing Azure resources
  - Cluster Issuer URL: e.g., https://oidc.prod-aks.azure.com/<unique-id>/ ; you will find it in the AKS cluster (AKS --> Security Configurations --> OIDC --> Issuer URL)
  - Namespace: azure-alb-system
  - Service Account: alb-controller-sa
  - Name: federated-alb
Refer to the screenshot below for a visual reference:
- Click Save to create the trust relationship.
Tip: This setup links the controller's Kubernetes identity to Azure AD using OIDC federation — allowing it to use the assigned roles without managing credentials.
Connect to AKS using Azure Cloud Shell
- In the Azure Portal, navigate to your AKS Cluster → Click “Connect” from the top menu.
- In the "Connect to AKS" panel, choose the Cloud Shell tab.
- Click “Open Cloud Shell” – this will automatically open a terminal at the bottom of the portal.
- The required commands will be auto-populated. You can simply copy and run them to authenticate and configure access:
Refer to the screenshot below for a visual reference:
Installation Steps:
1. Get AKS Cluster Credentials
First, connect your local CLI to the AKS cluster using the following command. Replace the placeholders with your actual values:
az aks get-credentials --resource-group <your-resource-group> --name <your-aks-cluster-name>
This command downloads the cluster config so that you can interact with AKS using kubectl.
2. Register Resource Providers & Enable Extensions
Make sure your subscription includes the necessary Azure resource providers and the alb CLI extension:
az provider register --namespace Microsoft.ContainerService
az provider register --namespace Microsoft.Network
az provider register --namespace Microsoft.ServiceNetworking
az extension add --name alb
Output: No stable version of 'alb' to install. Preview versions allowed
The installed extension 'alb' is in preview
This is normal and expected. The alb CLI extension for managing Application Gateway for Containers (AGC) is still in preview, and Azure shows this notice by default.
Your command was successful; the extension is now installed correctly.
3. Install the ALB Controller from the OCI Helm Chart
Next, install the AGC (ALB) controller using the official OCI-based Helm chart from Microsoft:
helm install alb-controller oci://mcr.microsoft.com/application-lb/charts/alb-controller \
--version 1.0.0 \
--namespace azure-alb-system \
--create-namespace \
--set albController.podIdentity.clientID=<your-managed-identity-client-id>
Replace <your-managed-identity-client-id> with the "Client ID" of the managed identity you created earlier (e.g., alb-identity). You can find this in the Azure portal under Managed Identity --> Overview --> Client ID.
4. Verify the ALB Controller is Running
After the Helm installation, run the following command to verify that the ALB controller pods are up and running:
kubectl get pods -n azure-alb-system
You should see output similar to this:
alb-bootstrap-xxxxxxxx Running
alb-controller-xxxxxxxx Running
This confirms that the AGC controller has been deployed successfully into your AKS cluster.
Refer to the screenshot below for a visual reference:
5. Confirm Deployment & Component Status
kubectl get pods -n azure-alb-system
You should see:
- alb-controller pods (typically 2 replicas)
- alb-bootstrap pod
Also validate the GatewayClass:
kubectl get gatewayclass azure-alb-external
- Run the following to verify:
kubectl get pods -n azure-alb-system -l app=alb-controller
Refer to the screenshot below for a visual reference:
To be continued in the comments to follow.
Kindly let us know if the above helps or you need further assistance on this issue. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
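As an added check (not part of the answer above), this script re-validates the wiring from Steps 2 to 5: the subnet delegation, the two role assignments, the AKS OIDC issuer, and that the federated credential's subject/issuer match the controller's service account. Resource names (myRG01, my-aks, my-vnet) are assumed placeholders; override them through environment variables, and pass `live` to run the Azure queries.

```shell
#!/bin/sh
# Added example (not from the answer above): re-checks the AGC identity wiring from Steps 2-5.
# Resource names are assumed placeholders; override them via environment variables.
set -eu
RG="${RG:-myRG01}"; AKS="${AKS:-my-aks}"; VNET="${VNET:-my-vnet}"
SUBNET="${SUBNET:-subnet-alb}"; IDENTITY="${IDENTITY:-alb-identity}"
NS="${NS:-azure-alb-system}"; SA="${SA:-alb-controller-sa}"

# Subject the federated credential must carry for the controller's service account.
fc_subject() { printf 'system:serviceaccount:%s:%s' "$1" "$2"; }

# The issuer must be https and keep its trailing slash; the credential must match it exactly.
issuer_ok() { case "$1" in https://*.azure.com/*/) return 0;; *) return 1;; esac; }

# Returns 0 when every remaining argument appears as a whole line in the list given as $1.
list_has() {
  have="$1"; shift
  for item in "$@"; do printf '%s\n' "$have" | grep -qxF "$item" || return 1; done
}

# Live checks against Azure; only run when invoked as: sh check-agc.sh live
check_live() {
  sub=$(az account show --query id -o tsv)
  oid=$(az identity show -g "$RG" -n "$IDENTITY" --query principalId -o tsv)
  issuer=$(az aks show -g "$RG" -n "$AKS" --query oidcIssuerProfile.issuerUrl -o tsv)
  issuer_ok "$issuer" || { echo "OIDC issuer missing or malformed: '$issuer'"; return 1; }

  deleg=$(az network vnet subnet show -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
            --query "delegations[].serviceName" -o tsv)
  list_has "$deleg" Microsoft.ServiceNetworking/trafficControllers \
    || { echo "subnet $SUBNET is not delegated to trafficControllers"; return 1; }

  rg_scope="/subscriptions/$sub/resourceGroups/$RG"
  sn_scope="$rg_scope/providers/Microsoft.Network/virtualNetworks/$VNET/subnets/$SUBNET"
  az role assignment list --assignee "$oid" --scope "$rg_scope" \
      --query "[].roleDefinitionName" -o tsv | grep -qi "Containers Configuration Manager" \
    || { echo "Configuration Manager role missing on $rg_scope"; return 1; }
  list_has "$(az role assignment list --assignee "$oid" --scope "$sn_scope" \
      --query "[].roleDefinitionName" -o tsv)" "Network Contributor" \
    || { echo "Network Contributor missing on $sn_scope"; return 1; }

  subj=$(fc_subject "$NS" "$SA")
  az identity federated-credential list -g "$RG" --identity-name "$IDENTITY" \
      --query "[?subject=='$subj' && issuer=='$issuer'].name" -o tsv | grep -q . \
    || { echo "no federated credential for $subj on issuer $issuer"; return 1; }
  echo "AGC identity wiring looks correct"
}

if [ "${1:-}" = "live" ]; then check_live; fi
```

A mismatch in the federated credential (wrong namespace, service account, or an issuer without its trailing slash) is the usual reason the controller pods start but fail to obtain an Azure token.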