Private application exposure with Nginx
Context
When a team is starting a development, the component may not yet be secured enough. Exposing such an application on the internet during the development phase is not good practice.
K8Saas provides a private ingress that allows you to expose your application internally. Your containers are still exposed through an ingress, but the ingress IP is private (it belongs to the AKS vnet).
To access your internal containers, you should:
- use a VPN (such as Zscaler provided by trustnest platform)
- use a peered Vnet to AKS
Use case
- PoC with a low security level
- Hybrid architecture (on-prem & cloud)
- MFA not supported by a containerized application
Architecture
Kubernetes Landing Zone offers several ways to expose an application:
- a default nginx ingress controller (in orange)
- an internal nginx ingress controller (in light green)
The default nginx ingress controller uses an Azure load balancer to expose your application to the internet. The diagram below shows the network flow of an end user accessing the application.
During development, applications may be unsecured (default password, testing mode, etc.). In that case, it is recommended to expose your application internally. With this configuration you must have a working VPN setup to reach the shared services.
If you're part of the Thales Digital Factory:
Or part of the Thales Corporate network:
HOWTO
How to configure your application to use the right nginx ingress controller
The two controllers are deployed with a specific ingress class:
- nginx for the default controller
- nginx-internal for the internal controller
Let's take an example: https://gitlab.thalesdigital.io/platform-team-canada/k8saas-innersource/hello-world-k8saas/-/blob/master/Basic-helloworld/hello-world-ingress.yaml
The ingress of the hello world uses the default class:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - hello-world-ingress.demo.kaas.thalesdigital.io
    secretName: tls-hellow-world
To use the internal ingress, you only have to update the ingressClassName (and redeploy your ingress), like:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx-internal
  tls:
  - hosts:
    - hello-world-ingress.demo.kaas.thalesdigital.io
    secretName: tls-internal-hello-world
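After redeploying, it is worth confirming that the ingress really received a private address rather than a public one, since a mistyped class name (or an ingress that silently fell back to the default controller) would put the application on the internet. The following script is an added example, not part of the K8Saas documentation or the hello-world project. It assumes kubectl is configured against the cluster, that the internal controller's address is drawn from an RFC 1918 range (the usual case for an AKS vnet), and uses placeholder namespace and ingress names.

```shell
#!/bin/sh
# Added example: verify that an Ingress switched to the nginx-internal class
# was assigned a private (RFC 1918) load balancer address.
# Assumptions: kubectl is configured; vnet ranges are RFC 1918 (label: assumption).

# is_private_ipv4 IP -> returns 0 if IP is a valid IPv4 address in
# 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, 1 otherwise.
is_private_ipv4() {
  ip="$1"
  old_ifs=$IFS
  IFS=.
  set -- $ip
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$1" "$2" "$3" "$4"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
    esac
    [ "$octet" -le 255 ] || return 1
  done
  # 10.0.0.0/8
  [ "$1" -eq 10 ] && return 0
  # 172.16.0.0/12
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
  # 192.168.0.0/16
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
  return 1
}

# check_ingress_private NAMESPACE INGRESS -> returns 0 only if the ingress uses
# the nginx-internal class AND its assigned address is private.
check_ingress_private() {
  ns="$1"
  name="$2"
  class=$(kubectl -n "$ns" get ingress "$name" \
            -o jsonpath='{.spec.ingressClassName}')
  ip=$(kubectl -n "$ns" get ingress "$name" \
            -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  if [ "$class" != "nginx-internal" ]; then
    echo "FAIL: $ns/$name uses ingress class '$class', expected nginx-internal" >&2
    return 1
  fi
  if [ -z "$ip" ]; then
    echo "PENDING: $ns/$name has no load balancer address yet" >&2
    return 1
  fi
  if is_private_ipv4 "$ip"; then
    echo "OK: $ns/$name is exposed on private address $ip"
    return 0
  fi
  echo "FAIL: $ns/$name is exposed on PUBLIC address $ip" >&2
  return 1
}

# Usage (placeholder names): ./check-ingress.sh my-namespace hello-world-ingress
if [ "$#" -eq 2 ] && command -v kubectl >/dev/null 2>&1; then
  check_ingress_private "$1" "$2"
fi
```

Run it after the ingress has been redeployed and the controller has had time to populate the load balancer status; a "PENDING" result simply means the address has not been assigned yet. One caveat when reusing the same cert-manager annotation on the internal ingress: if the letsencrypt-prod cluster issuer relies on an HTTP-01 solver, the ACME server has to reach the hostname over the public internet, which an internal-only address prevents, so check the issuer's solver (DNS-01 does not have this constraint) if certificate issuance stalls.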
Next steps
- Look at the all-in-one publication service: here