Azure Kubernetes Service
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
Application Gateway Ingress Controller helm chart not working as expected with Azure CNI Overlay.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 99%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)
Demian Sciessere
25
Reputation points
Hello,
we want to use the AGIC in a cluster with Overlay CNI enabled. We are deploying version 1.9.2 of the AGIC Helm chart.
Although documentation says that using AGIC in a cluster with overlay CNI is working, we cannot make it work.
https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-overview#container-networking-and-agic
WE have our aks cluster deploy in a Vnet and the appgw in another vnet. Both of them are peered.
AGIC is communicating with the appgw successfully, but as a backend it is configuring ip:port of ingress pods, although pods ips are not reachable in overlay network. If we manually configure nodeport:nodeip then the health probe is green (but then AGIC overrides it, of course).
Can you help to make AGIC helm chart work in our environment? Is this an internal issue in the Service?
Thank you
Azure Kubernetes Service
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 87%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Satish Mada 350 Reputation points Microsoft External Staff Moderator2025-08-21T16:01:14.1733333+00:00 Hi Demian Sciessere,
Welcome to Microsoft Q&A Platform.
To successfully configure the Application Gateway Ingress Controller (AGIC) with an overlay CNI in Azure Kubernetes Service (AKS), there are a few key considerations to make sure your setup works correctly.
Steps to Troubleshoot and Configure AGIC with Overlay CNI:
1.Network Configuration:
- Ensure that your AKS cluster and Application Gateway (AppGW) are correctly peered, which you have mentioned is in place.
- Verify that the overlay CNI is set up correctly, especially with respect to routing and IP address availability.
2.Service Annotations:
- Use specific annotations in your Kubernetes service to inform AGIC how to handle traffic routing. Make sure that your services expose the proper NodePort for the backend Pods. Example annotations include: service.beta.kubernetes.io/azure-load-balancer-mode: "overlay"
3.Backend Pools Configuration:
- Since you're having issues with the Pod IPs being unreachable due to overlay networking, consider keeping the backend pools aligned with Node IPs instead:
- Use the
node-ip:node-portapproach, but create a custom Helm value that avoids AGIC from overriding this configuration. - Refer to this Helm value when installing AGIC:
# Custom-values.yaml backendPools: - name: <backend-pool-name> backendIPConfiguration: - ipAddress: <node-ip> - port: <node-port>4.Health Probes:
- Make sure that health probes are configured to match your service’s NodePorts; set them correctly to ensure the health checks are returning a successful status when using NodePorts.
- Verify your configuration parameters for health probes in AGIC. You may want to modify the health probe in your Application Gateway to check against NodePorts instead of pod IPs:
- Use Azure CLI or AZ commands to configure:
az network application-gateway probe create --resource-group <resource-group> --gateway-name <appgw-name> --name <probe-name> --protocol http --host <node-ip> --path /health --interval 30 --timeout 30 --threshold 2 --enable-http25.AGIC Version:
- Since you’re using version 1.9.2, ensure that this version does provide the compatibility you need with overlay networking. If not, consider upgrading to a later version, if possible, as there might be patches or fixes for known issues related to your setup.
Please refer : https://learn.microsoft.com/en-us/azure/aks/configure-azure-cni?tabs=configure-networking-powershell
https://learn.microsoft.com/en-us/azure/aks/azure-cni-overview
https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-overview#container-networking-and-agic -
Demian Sciessere 25 Reputation points
2025-08-22T06:49:55.69+00:00 Hello @Satish Mada , thank you for your response.
About point 2:
I don't know which annotations in particular do you mean. We have configured AGIC according to it's annotations which are very limited and no reference to Overlay, not backend configurations:
https://github.com/Azure/application-gateway-kubernetes-ingress/blob/master/docs/annotations.md3:
Where can I get that configuration from ?
Looking at the Helm Chart, there is no configuration at all that mentions the backendpools are you suggested:4:
It is impossible on doing what you say as AGIC removes the manual configuration. That's why we ask how to configure using AGIC
5:
1.9.2 is the last version:
https://github.com/Azure/application-gateway-kubernetes-ingress/releases
Thank you
-
Deleted
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Sign in to comment
Sign in to answer