Application Gateway Ingress Controller, BackEnd pools are not been created automatically when you deploy new pods in AKS.

Question

Application Gateway Ingress Controller, BackEnd pools are not been created automatically when you deploy new pods in AKS.

Ely Saul Vicente Espinal 5

I am creating a new architecture using Bicep Templates, I am creating an Application Gateway to be used as Ingress Controller by an AKS cluster, I have added all the permissions posted in the tutorials, but everytime I deploy new pods and the ingress controller, the Application Gateway's backend pool is no updated automatically, I have tried lot of different options and nothing works. Can you help with this problem.

Durga Reshma Malthi 11,400 Reputation points Microsoft External Staff Moderator

2025-08-08T13:34:43.55+00:00
Hi Ely Saul Vicente Espinal

When using Azure Application Gateway as an Ingress Controller for an Azure Kubernetes Service (AKS) cluster, it is essential to ensure that the Application Gateway is correctly configured to automatically update its backend pool with the IP addresses of the pods.

Ensure that your Ingress resources and the Application Gateway Ingress Controller (AGIC) are correctly annotated.

Ensure that the Application Gateway Ingress Controller is deployed correctly in your AKS cluster.
kubectl get pods -n kube-system -l app=ingress-azure

Ensure you have Contributor role on the Application Gateway. It has Reader role on the AKS cluster's resource group.

Ensure that your Ingress resource is correctly defined and that it points to the correct services and paths

Bicep Template Sample: Refer to this document - https://learn.microsoft.com/en-us/azure/templates/microsoft.network/applicationgateways?pivots=deployment-language-bicep

Hope this helps!

Please Let me know if you have any queries.
Akram Kathimi 1,986 Reputation points Microsoft Employee

2025-08-10T12:08:08.94+00:00

you need to check the appgw controller pod logs in kube-system. The log should clearly show you what the problem is.
Anusree Nashetty 6,225 Reputation points Microsoft External Staff Moderator

2025-08-19T04:50:10.5833333+00:00

Hi Ely Saul Vicente Espinal,

Thanks for posting the solution here.

2 answers

Your answer

Durga Reshma Malthi 11,400 Reputation points Microsoft External Staff Moderator

2025-08-08T13:34:43.55+00:00

Hi Ely Saul Vicente Espinal

When using Azure Application Gateway as an Ingress Controller for an Azure Kubernetes Service (AKS) cluster, it is essential to ensure that the Application Gateway is correctly configured to automatically update its backend pool with the IP addresses of the pods.

Ensure that your Ingress resources and the Application Gateway Ingress Controller (AGIC) are correctly annotated.

Ensure that the Application Gateway Ingress Controller is deployed correctly in your AKS cluster.
kubectl get pods -n kube-system -l app=ingress-azure

Ensure you have Contributor role on the Application Gateway. It has Reader role on the AKS cluster's resource group.

Ensure that your Ingress resource is correctly defined and that it points to the correct services and paths

Bicep Template Sample: Refer to this document - https://learn.microsoft.com/en-us/azure/templates/microsoft.network/applicationgateways?pivots=deployment-language-bicep

Hope this helps!

Please Let me know if you have any queries.
Akram Kathimi 1,986 Reputation points Microsoft Employee

2025-08-10T12:08:08.94+00:00

you need to check the appgw controller pod logs in kube-system. The log should clearly show you what the problem is.
Anusree Nashetty 6,225 Reputation points Microsoft External Staff Moderator

2025-08-19T04:50:10.5833333+00:00

Hi Ely Saul Vicente Espinal,

Thanks for posting the solution here.

Answer 1

Hello, after trying many things to make this work, I will drop here the solution, thanks @Malthi Durga Reshma and @Akram Kathimi for your help:

1.- Once you deploy your AKS cluster, you need to get the Kubelete Managed Identity (Not the user managed identity for your bicep deployment).
2.- You need to assign the next roles to the Kubelet Identity:

Contributor Role with scope: Application Gateway.
Reader role with Scope: Application Gateway's Resource Group.
Network Contributor with scopes: App Gateway's Subnet and your BackEnd Services Subnet.
Managed Identity Operator with scope: User Managed Identity used for your Bicep Deployment.

I hope this is helpful for others in the future.

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

Application Gateway Ingress Controller, BackEnd pools are not been created automatically when you deploy new pods in AKS.

2 answers

Your answer