Which is better for private AKS app exposure: Ingress vs LoadBalancer Service?

Savindu Shehan 20 Reputation points
2025-08-07T03:48:34.77+00:00

I'm currently working on a private AKS (Azure Kubernetes Service) deployment within a private VNet. The setup involves a single web application, and I'm exploring the best way to expose it internally over HTTPS (port 443) via Azure Front Door and Azure Firewall.

I’ve tested two architecture scenarios, and I’d love your input on which is considered best practice — especially for private workloads with no routing complexity.

🔹 Scenario 1: Using NGINX Ingress Controller

Web app is exposed via a private Ingress (NGINX).

TLS is terminated at the Ingress layer (with default cert).

Traffic flow: Client → Azure Front Door → Azure Firewall (Public LB) → Azure Firewall → Azure Firewall (Private LB) → NGINX Ingress → Web App

Observed result: 5000 virtual users over 4 hours = 87% success rate

🔹 Scenario 2: Using Kubernetes Service of type LoadBalancer

Web app is exposed using a Kubernetes LoadBalancer service with a private IP.

TLS is terminated at the application level (custom cert).

Traffic flow: Client → Azure Front Door → Azure Firewall (Public LB) → Azure Firewall → Azure Firewall (Private LB) → AKS LoadBalancer Service → Web App

Observed result: 5000 virtual users over 4 hours = 99% success rate

Notes:

No path-based or host-based routing is needed.

Only one web app is being deployed.

Both architectures are running in the same private VNet, behind Azure Front Door and Azure Firewall.

All traffic is over HTTPS (443).

My Questions:

In a private AKS setup like this, is it better to use a LoadBalancer service rather than an Ingress controller when no routing is needed?

Are there any downsides to terminating TLS at the application level instead of at Ingress?

Is there a recommended pattern for private HTTPS exposure that balances performance, security, and simplicity?

I deployed a web app to AKS using two methods:

NGINX Ingress with private IP and default TLS

LoadBalancer service with private IP and app-level TLS

In both cases, the cluster is behind Azure Front Door and Azure Firewall. I expected similar performance between both approaches, but the LoadBalancer service had significantly better results (99% success vs. 87%). I’m trying to understand if this performance difference is expected, and whether using a LoadBalancer service is the better design for private AKS with no routing needs.

Azure Kubernetes Service

Accepted answer
    Durga Reshma Malthi 9,595 Reputation points Microsoft External Staff Moderator
    2025-08-07T07:54:17.13+00:00

    Hi Savindu Shehan,

    Since you have only one web application and no complex routing, using a LoadBalancer service is better and requires less configuration.

    As you mentioned, the LoadBalancer service has a higher success rate (99%). This could be due to reduced overhead in processing requests compared to the Ingress controller.

    But if you want path-based or host-based routing, then LoadBalancer services may not provide these.

    In the case of Ingress, as you mentioned, it has a lower success rate; this will increase your latency. If you can handle complex routing scenarios, then ingress controllers are more flexible.

    Additional References:

    https://stackoverflow.com/questions/50966300/whats-the-difference-between-exposing-nginx-as-load-balancer-vs-ingress-control

    Hope this helps!

    Please let me know if you have any queries.

    1 person found this answer helpful.
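For reference, the two exposure patterns discussed above as Kubernetes manifests. This is an added example, not the asker's or the answerer's configuration: an internal (private-IP) LoadBalancer Service as in Scenario 2, where TLS ends in the pod with the custom certificate, and Scenario 1's Ingress with an explicit TLS secret so NGINX does not fall back to its self-signed default certificate. The hostname, subnet name, secret name, selector labels and ports are assumed placeholders.

```yaml
# Scenario 2: internal LoadBalancer Service, TLS terminated by the application.
# The two annotations are documented AKS annotations; the subnet name is a placeholder.
apiVersion: v1
kind: Service
metadata:
  name: webapp-internal
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    # Optional: place the private frontend IP in a specific VNet subnet (placeholder name)
    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "aks-ingress-subnet"
spec:
  type: LoadBalancer
  selector:
    app: webapp                # placeholder pod label
  ports:
    - name: https
      port: 443                # port reached from Azure Firewall / Front Door origin
      targetPort: 8443         # container's HTTPS listener using the custom cert
---
# Scenario 1 with a named certificate: NGINX Ingress plus an explicit TLS secret.
# Without the `tls:` block the controller serves its built-in self-signed
# placeholder certificate, which no client that validates the chain will trust.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webapp
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"   # refuse plain HTTP
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - webapp.internal.example   # placeholder hostname
      secretName: webapp-tls        # kubernetes.io/tls Secret with the custom cert and key
  rules:
    - host: webapp.internal.example
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: webapp        # ClusterIP Service in front of the pods
                port:
                  number: 8080      # plain HTTP inside the cluster after TLS ends at NGINX
```

With the Ingress pattern the NGINX controller's own Service must also be deployed as an internal LoadBalancer (same annotation as above) for the private-IP exposure the question describes.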

0 additional answers
