Frequently asked questions about Application Gateway for Containers

Application Gateway for Containers offers various layer 7 load-balancing capabilities for your container applications. This service is highly available, scalable, and fully managed by Azure.

Application Gateway for Containers stores and processes data in the region of its deployed resources. Configuration data may be replicated to its region pair, where applicable, for resiliency.

Routine maintenance and updates are designed to not be service impacting and require no customer intervention. For updates that might break existing configurations or cause existing product functionality changes, notifications are published via Azure Service Health. These notifications are also sent via email to subscription service administrators.

Yes, Application Gateway for Containers can run in a FIPS 140-2 approved mode of operation, commonly referred to as FIPS mode. FIPS mode calls a FIPS 140-2 validated cryptographic module that ensures FIPS-compliant algorithms for encryption, hashing, and signing are used. If necessary, open a support case via the Azure portal to request that FIPS mode be enabled.

No, Application Gateway for Containers doesn't support Kubenet in favor of CNI Overlay. Learn more about migrating from Kubenet to CNI Overlay.

Application Gateway for Containers frontends resolve to any anycast IP address. Anycast IP addresses are advertised globally, which may lead to the ASN location being different from Application Gateway for Containers. The resolved location of the IP address is cosmetic and has no bearing on availability or performance in how clients connect.

Application Gateway for Containers automatically ensures underlying components are spread across availability zones for increased resiliency, if the Azure region supports it. If the region doesn't support zones, fault domains and update domains be used to help mitigate impact during planned maintenance and unexpected failures.

Yes. Upgrade of the AKS cluster from CNI to CNI Overlay and Application Gateway for Containers automatically detects the change. It is recommended to schedule this during a maintenance window as it may take a few minutes post-cluster upgrade to detect and configure support for CNI Overlay.

Yes. Application Gateway for Containers supports TLS offloading and end-to-end TLS to backend targets.

No. Application Gateway for Containers supports TLS 1.2; SSL 2.0, 3.0, TLS 1.0, and TLS 1.1 are disabled and not configurable.

Yes, both Application Gateway Ingress Controller (AGIC) and ALB Controller may run at the same time in the same Kubernetes cluster. Updates to AGIC or to ALB Controller don't interfere with each other.

It's possible to install multiple ALB Controllers on the same cluster, however this option isn't recommended or supported as it's not possible to partition gateways, routes, services, etc.

No, user defined replica count is not supported. ALB Controller is automatically provisioned with at least two replicas in active/passive configuration to enable high availability.

No. Each ALB controller must use its own unique managed identity.

No. A frontend should be unique to a single Ingress or Gateway resource. Multiple hostnames and routes can be defined in a given Gateway or Ingress resource to eliminate the need for numerous frontend resources.