Hi, I have a question regarding one of the security best practices I read on https://www.the-aks-checklist.com/. It is specific to Azure, but I am a bit confused by the statement. It may not be in the CKS exam scope, but if someone could help me understand it better it would be great. It is stated that "There is almost no reason to directly expose the ingress entry point to Internet but by default AKS create a public one. Tell it to create an internal one only." If this is the case, why do we need Ingress and an Ingress controller in the first place? Any guidance would be highly appreciated. Thanks, Megha
Most corporations use another firewall to forward the (external) traffic to the (internal) ingress controller.
In AKS, when you deploy Ingress, you can often provide an annotation so that the LoadBalancer Service uses an internal IP.
You will still need that Ingress to route your traffic to the internal Services and Deployments and/or to provide TLS termination.
```yaml
# ingress-nginx Helm values: internal Azure load balancer with a fixed private IP
controller:
  service:
    loadBalancerIP: 10.240.0.42
    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
```
Thanks Ted, appreciate your response…
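As an added example (not part of the thread above, and not taken from the-aks-checklist.com), here is the difference between the default public exposure and the internal-only setup Ted describes, as values for the ingress-nginx Helm chart plus an Ingress the internal controller still serves. The namespace, hostname, subnet name, private IP and Secret name are assumptions for illustration; the two annotation keys are the ones the Azure cloud provider honours.

```yaml
# file: values-internal.yaml (added example; names and addresses are assumed)
#
# Default behaviour on AKS: a Service of type LoadBalancer with no annotation
# gets a public IP, so every Ingress host is reachable directly from the Internet.
#   controller:
#     service:
#       type: LoadBalancer
#
# Hardened: ask the Azure cloud provider for an internal load balancer instead.
controller:
  service:
    type: LoadBalancer
    annotations:
      # Create the LB frontend inside the VNet, no public IP at all
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      # Optional: pin the frontend to a specific subnet (assumed subnet name)
      service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "ingress-subnet"
    # Optional: fixed private address inside that subnet (assumed value),
    # handy when an upstream firewall/WAF forwards to it by IP
    loadBalancerIP: 10.240.0.42
    # Preserve the client source IP for allow-lists and access logs
    externalTrafficPolicy: Local
---
# file: app-ingress.yaml (added example)
# Routing and TLS termination still happen at the Ingress; only the entry point
# moved behind the corporate firewall/WAF that forwards external traffic in.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app                 # assumed
  namespace: prod           # assumed
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.internal.example.com   # assumed hostname
      secretName: app-tls            # assumed TLS Secret (cert + key)
  rules:
    - host: app.internal.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app            # assumed backend Service
                port:
                  number: 8080
```

Install with `helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx -n ingress-nginx --create-namespace -f values-internal.yaml`, then verify with `kubectl get svc -n ingress-nginx`: the controller's EXTERNAL-IP column should show a private VNet address (10.240.0.42 here), not a public one. If it stays `<pending>`, the usual causes are a subnet name that does not exist in the cluster's VNet, a `loadBalancerIP` outside that subnet, or the cluster identity lacking permission on a subnet that lives outside the node resource group.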