-
In the past, I did exactly this with EKS. The behavior is not fundamentally different from hosting a non-container app behind an L4 LB.
On Sun, Jun 26, 2022, 8:09 AM kamilzzz wrote:
I'm wondering about a scenario where a WAF is not required or it's configured using an external service (like Cloudflare, Akamai, etc.). Does Application Gateway in this architecture bring any benefit in such a case?
I could just create my ingress controller as a public service and AKS will create a Public Load Balancer. Then this public address could be used as an origin for Cloudflare/Akamai. TLS would be terminated in the cluster by the ingress controller.
Assuming I host all my workloads on AKS and do not need L7 load balancing outside the cluster (routing to VMs, App Services, Storage Accounts, etc.), I do not see any benefit.
It also looks like Application Gateway here slightly lowers the SLA, as it has a 99.95% SLA while for AKS node pools and standard load balancers 99.99% is guaranteed.
-
Without Application Gateway here, I would say filtering only egress traffic originating from the cluster via Azure Firewall may be problematic. With Application Gateway, return traffic in response to a user request flows through the Application Gateway subnet using one of the AppGw's private IP addresses, which takes precedence over the 0.0.0.0/0 -> Firewall route configured for the cluster subnet. The Application Gateway subnet can then egress to the Internet without any Firewalls/NVAs. Without Application Gateway, return traffic in response to a user request would flow through the Firewall, as 0.0.0.0/0 -> Firewall has precedence over the default Internet route. This would be asymmetric routing, as the ingress traffic didn't pass through Azure Firewall. As a result, Azure Firewall would drop such traffic.
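A constructed model of the route selection the comment above relies on, added here as an example (not code from this thread or from any Azure tooling): it applies longest-prefix match with a user-defined route beating a system route on equal prefix length, and traces the node's reply to a client with and without Application Gateway in the path. The VNet prefix, the firewall, AppGw and client addresses and the next-hop labels are assumptions.

```python
import ipaddress

# Modelled rule (assumption, not an Azure API): longest prefix wins; on a tie,
# a user-defined route (UDR) beats a system route.
SOURCE_PRIORITY = {"user": 0, "bgp": 1, "system": 2}


def select_route(routes, destination):
    """Return the effective route for one destination address, or None."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r["prefix"])]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                                          SOURCE_PRIORITY[r["source"]]))


# Constructed addresses: VNet 10.240.0.0/16, Azure Firewall at 10.240.1.4.
VNET = "10.240.0.0/16"
AKS_SUBNET_ROUTES = [
    {"prefix": VNET, "next_hop": "VirtualNetwork", "source": "system"},
    {"prefix": "0.0.0.0/0", "next_hop": "Internet", "source": "system"},
    # The UDR that forces cluster egress through Azure Firewall.
    {"prefix": "0.0.0.0/0", "next_hop": "VirtualAppliance:10.240.1.4", "source": "user"},
]
# The AppGw subnet carries no UDR, so it egresses straight to the Internet.
APPGW_SUBNET_ROUTES = [
    {"prefix": VNET, "next_hop": "VirtualNetwork", "source": "system"},
    {"prefix": "0.0.0.0/0", "next_hop": "Internet", "source": "system"},
]


def return_path(ingress_via_appgw, client_ip="203.0.113.10", appgw_private_ip="10.240.2.5"):
    """Trace the reply to a client request hop by hop as (subnet, next_hop) pairs."""
    hops = []
    if ingress_via_appgw:
        # The node answers the AppGw private IP; the /16 VNet route beats both /0 routes.
        hops.append(("aks-nodes", select_route(AKS_SUBNET_ROUTES, appgw_private_ip)["next_hop"]))
        # AppGw then answers the client from its own subnet, where no UDR applies.
        hops.append(("appgw", select_route(APPGW_SUBNET_ROUTES, client_ip)["next_hop"]))
    else:
        # With a public LB in front, the node answers the client directly; the UDR wins.
        hops.append(("aks-nodes", select_route(AKS_SUBNET_ROUTES, client_ip)["next_hop"]))
    return hops


def is_asymmetric(ingress_via_appgw):
    """Ingress never crossed the firewall, so a reply leaving via the firewall is asymmetric."""
    return any(hop.startswith("VirtualAppliance") for _, hop in return_path(ingress_via_appgw))
```

`is_asymmetric(False)` reproduces the dropped-return-traffic case the comment describes; the real check on a live cluster is the effective route table of an AKS node NIC, where the 0.0.0.0/0 entry must show the expected next hop.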