
Update your microservices to use an internal load balancer

As a first step you will remove public access to your microservices so that they are only reachable from within your Virtual Network. To do this you will recreate the services of the api-gateway and admin-server so that they use an internal load balancer. You can use the following guidance to implement these changes:

Step by step guidance

  1. Navigate to the kubernetes directory and update the spring-petclinic-api-gateway.yml and spring-petclinic-admin-server.yml files to use an internal loadbalancer. To do this, add an annotation between the metadata name and spec elements below line 75.

      annotations:
        service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    

    The service element of the api-gateway should now look like this:

    apiVersion: v1
    kind: Service
    metadata:
      labels:
        app: api-gateway
      name: api-gateway
      annotations:
        service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    spec:
      ports:
      - port: 8080
        protocol: TCP
        targetPort: 8080
      selector:
        app: api-gateway
      type: LoadBalancer
    

    The service element for the admin-server will look similar.

  2. You can now re-apply these two YAML files.

    cd kubernetes
    kubectl apply -f spring-petclinic-api-gateway.yml
    kubectl apply -f spring-petclinic-admin-server.yml
    
  3. Double-check that these services are now using a private IP address.

    kubectl get services
    

    Additionally, if you navigate to the MC resource group of your cluster in the Azure portal, you will notice that the public IPs that were there disappear after a while.

    In case you don’t want any public IPs to be created by services in any of your AKS clusters, you can prevent their creation by applying a specific policy for this at resource group, subscription or even management group level. Take a look at the Kubernetes clusters should use internal load balancers policy in the Azure Policy built-in definitions for Azure Kubernetes Service.

  4. In one of the next steps you will need the new private IP addresses of these two services to configure the backend of the Application Gateway. Use the statements below to store these two IP addresses in environment variables for now:

    # The node (MC) resource group holds the load balancers AKS creates for the cluster
    AKS_MC_RG=$(az aks show -n $AKSCLUSTER -g $RESOURCE_GROUP | jq -r '.nodeResourceGroup')

    echo $AKS_MC_RG

    # AKS names the internal load balancer "kubernetes-internal"
    AKS_MC_LB_INTERNAL=kubernetes-internal

    # List the frontend IP configurations so you can see which entry belongs to which service
    az network lb frontend-ip list -g $AKS_MC_RG --lb-name=$AKS_MC_LB_INTERNAL -o table

    # The indexes below follow the order of the list above; compare with the table output
    AKS_MC_LB_INTERNAL_FE_IP1=$(az network lb frontend-ip list -g $AKS_MC_RG --lb-name=$AKS_MC_LB_INTERNAL | jq -r '.[0].privateIPAddress')
    AKS_MC_LB_INTERNAL_FE_IP2=$(az network lb frontend-ip list -g $AKS_MC_RG --lb-name=$AKS_MC_LB_INTERNAL | jq -r '.[1].privateIPAddress')

    echo $AKS_MC_LB_INTERNAL_FE_IP1
    echo $AKS_MC_LB_INTERNAL_FE_IP2
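The check in step 3 can be automated: the script below (an added example, not part of the lab or the Spring PetClinic project) reads the JSON form of `kubectl get services`, and flags any LoadBalancer service that lacks the `service.beta.kubernetes.io/azure-load-balancer-internal` annotation or that still exposes a non-RFC 1918 address. The embedded ServiceList and its addresses are constructed sample data, and the script assumes your AKS VNet uses RFC 1918 address space.

```python
"""Audit `kubectl get services -o json` output (step 3 check): every LoadBalancer
service must carry the internal-LB annotation and expose only RFC 1918 addresses."""
import ipaddress
import json
import sys

INTERNAL_LB_ANNOTATION = "service.beta.kubernetes.io/azure-load-balancer-internal"
# Assumption: the AKS VNet uses RFC 1918 address space.
RFC1918_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, not cluster output: api-gateway is internal, admin-server not yet.
SAMPLE_SERVICE_LIST = json.dumps({"kind": "ServiceList", "items": [
    {"metadata": {"name": "api-gateway",
                  "annotations": {INTERNAL_LB_ANNOTATION: "true"}},
     "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"ip": "10.1.0.7"}]}}},
    {"metadata": {"name": "admin-server"},
     "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.20"}]}}},
    {"metadata": {"name": "customers-service"}, "spec": {"type": "ClusterIP"}, "status": {}},
]})

def is_rfc1918(ip: str) -> bool:
    """True only in 10/8, 172.16/12 or 192.168/16 (narrower than ipaddress.is_private)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETWORKS)

def audit_services(service_list_json: str) -> dict:
    """Map each LoadBalancer service name to its findings; an empty list is compliant."""
    findings = {}
    for svc in json.loads(service_list_json)["items"]:
        if svc["spec"].get("type") != "LoadBalancer":
            continue  # ClusterIP / NodePort services get no Azure load balancer
        issues = []
        annotations = svc["metadata"].get("annotations") or {}
        if annotations.get(INTERNAL_LB_ANNOTATION) != "true":
            issues.append("missing internal-load-balancer annotation")
        for ingress in svc["status"].get("loadBalancer", {}).get("ingress", []):
            if "ip" in ingress and not is_rfc1918(ingress["ip"]):
                issues.append(f"public ingress address {ingress['ip']}")
        findings[svc["metadata"]["name"]] = issues
    return findings

if __name__ == "__main__":  # kubectl get services -o json > svc.json; python3 audit.py svc.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVICE_LIST
    for name, issues in audit_services(data).items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Run it against the real cluster output after re-applying both manifests; once the Azure cloud provider has reconciled the services, both api-gateway and admin-server should report OK.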