From f634f332da55c735e13daf43819c60d8566258c0 Mon Sep 17 00:00:00 2001 From: Rohan Kasture Date: Thu, 30 Apr 2026 13:19:38 -0700 Subject: [PATCH 1/6] docs(blog): add internal load balancer example for approuting-istio Gateway API Add a new 'Internal load balancer' section to the app routing Gateway API blog post showing how to configure an internal (private) Gateway using spec.infrastructure.annotations with Azure load balancer annotations. Includes: - Complete Gateway YAML with internal LB and subnet annotations - Commands to verify the internal IP assignment - Links to networking prerequisites and annotation reference docs Closes #5748 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../index.md | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/website/blog/2026-03-18-app-routing-gateway-api/index.md b/website/blog/2026-03-18-app-routing-gateway-api/index.md index 20e7e9d48..80a642db7 100644 --- a/website/blog/2026-03-18-app-routing-gateway-api/index.md +++ b/website/blog/2026-03-18-app-routing-gateway-api/index.md 
@@ -178,6 +178,42 @@ curl -s -I -H "Host: httpbin.example.com" "http://$INGRESS_HOST/get" You should see an `HTTP 200` response. +### Internal load balancer + +By default, AKS assigns a public IP to the Gateway's underlying Service. To expose the Gateway on an internal (private) IP instead, add Azure load balancer annotations to the Gateway's `spec.infrastructure.annotations` field. You can also target a specific subnet for the internal IP address. + +```yaml +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: internal-gateway +spec: + gatewayClassName: approuting-istio + infrastructure: + annotations: + service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # Optional: place the internal LB on a dedicated subnet + service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "my-ilb-subnet" + listeners: + - name: http + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: Same +``` + +AKS propagates these annotations onto the Kubernetes Service it creates for the Gateway. After the Gateway is programmed, its `status.addresses` will contain a private IP from the specified subnet (or the cluster's default subnet if the subnet annotation is omitted): + +```bash +kubectl wait --for=condition=programmed gateways.gateway.networking.k8s.io internal-gateway --timeout=120s +kubectl get gateways.gateway.networking.k8s.io internal-gateway -ojsonpath='{.status.addresses[0].value}' +``` + +> **Note**: The subnet must exist in the cluster's virtual network and must be delegated or available for Azure Load Balancer use. See [Use an internal load balancer with AKS](https://learn.microsoft.com/azure/aks/internal-lb) for networking prerequisites. + +Any annotation supported by the Azure load balancer controller can be used in `spec.infrastructure.annotations`. 
For the full list of supported annotations, see the [Azure load balancer annotations reference](https://learn.microsoft.com/azure/aks/load-balancer-standard#additional-customizations-via-kubernetes-annotations). + ### Upgrades The Istio control plane version is tied to your AKS cluster's Kubernetes version — AKS automatically reconciles the latest supported Istio revision that is compatible with your cluster's Kubernetes version. Patch version upgrades happen automatically as part of AKS releases. Minor version upgrades happen in-place when you upgrade your cluster's Kubernetes version, or automatically when a new Istio minor version is released for your AKS version. To see which Istio revision your cluster will receive, consult the [service mesh add-on release calendar](https://learn.microsoft.com/azure/aks/istio-support-policy#service-mesh-add-on-release-calendar). You can also follow the [AKS release notes](https://github.com/azure/aks/releases) to stay current. From 225457a14ff2804fedad1907990befd777983415 Mon Sep 17 00:00:00 2001 From: rkasture <93558858+rkasture@users.noreply.github.com> Date: Thu, 30 Apr 2026 13:42:14 -0700 Subject: [PATCH 2/6] Update website/blog/2026-03-18-app-routing-gateway-api/index.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- website/blog/2026-03-18-app-routing-gateway-api/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/blog/2026-03-18-app-routing-gateway-api/index.md b/website/blog/2026-03-18-app-routing-gateway-api/index.md index 80a642db7..2a0f03390 100644 --- a/website/blog/2026-03-18-app-routing-gateway-api/index.md +++ b/website/blog/2026-03-18-app-routing-gateway-api/index.md 
@@ -180,13 +180,13 @@ You should see an `HTTP 200` response. ### Internal load balancer -By default, AKS assigns a public IP to the Gateway's underlying Service. To expose the Gateway on an internal (private) IP instead, add Azure load balancer annotations to the Gateway's `spec.infrastructure.annotations` field. You can also target a specific subnet for the internal IP address. +By default, AKS assigns a public IP to the Gateway's underlying Service. To expose the existing `httpbin-gateway` on an internal (private) IP instead, add Azure load balancer annotations to the Gateway's `spec.infrastructure.annotations` field. You can also target a specific subnet for the internal IP address. ```yaml apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: - name: internal-gateway + name: httpbin-gateway spec: gatewayClassName: approuting-istio infrastructure: From dbe71adcef322a7127d74f72e05f79dc9f3b58ed Mon Sep 17 00:00:00 2001 From: rkasture <93558858+rkasture@users.noreply.github.com> Date: Thu, 30 Apr 2026 13:42:22 -0700 Subject: [PATCH 3/6] Update website/blog/2026-03-18-app-routing-gateway-api/index.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- website/blog/2026-03-18-app-routing-gateway-api/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/blog/2026-03-18-app-routing-gateway-api/index.md b/website/blog/2026-03-18-app-routing-gateway-api/index.md index 2a0f03390..4fac9a64b 100644 --- a/website/blog/2026-03-18-app-routing-gateway-api/index.md +++ b/website/blog/2026-03-18-app-routing-gateway-api/index.md 
@@ -212,7 +212,7 @@ kubectl get gateways.gateway.networking.k8s.io internal-gateway -ojsonpath='{.st > **Note**: The subnet must exist in the cluster's virtual network and must be delegated or available for Azure Load Balancer use. See [Use an internal load balancer with AKS](https://learn.microsoft.com/azure/aks/internal-lb) for networking prerequisites. -Any annotation supported by the Azure load balancer controller can be used in `spec.infrastructure.annotations`. For the full list of supported annotations, see the [Azure load balancer annotations reference](https://learn.microsoft.com/azure/aks/load-balancer-standard#additional-customizations-via-kubernetes-annotations). +Any Azure Load Balancer annotation supported by AKS can be used in `spec.infrastructure.annotations`. For the full list of supported annotations, see the [Azure Load Balancer annotations reference](https://learn.microsoft.com/azure/aks/load-balancer-standard#additional-customizations-via-kubernetes-annotations). ### Upgrades From 51ead14ad49263a10a012feb40d61780987cf659 Mon Sep 17 00:00:00 2001 From: rkasture <93558858+rkasture@users.noreply.github.com> Date: Thu, 30 Apr 2026 15:01:05 -0700 Subject: [PATCH 4/6] Update website/blog/2026-03-18-app-routing-gateway-api/index.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- website/blog/2026-03-18-app-routing-gateway-api/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/blog/2026-03-18-app-routing-gateway-api/index.md b/website/blog/2026-03-18-app-routing-gateway-api/index.md index 4fac9a64b..a18064ba5 100644 --- a/website/blog/2026-03-18-app-routing-gateway-api/index.md +++ b/website/blog/2026-03-18-app-routing-gateway-api/index.md 
@@ -206,8 +206,8 @@ spec: AKS propagates these annotations onto the Kubernetes Service it creates for the Gateway. After the Gateway is programmed, its `status.addresses` will contain a private IP from the specified subnet (or the cluster's default subnet if the subnet annotation is omitted): ```bash -kubectl wait --for=condition=programmed gateways.gateway.networking.k8s.io internal-gateway --timeout=120s -kubectl get gateways.gateway.networking.k8s.io internal-gateway -ojsonpath='{.status.addresses[0].value}' +kubectl wait --for=condition=programmed gateways.gateway.networking.k8s.io httpbin-gateway --timeout=120s +kubectl get gateways.gateway.networking.k8s.io httpbin-gateway -ojsonpath='{.status.addresses[0].value}' ``` > **Note**: The subnet must exist in the cluster's virtual network and must be delegated or available for Azure Load Balancer use. See [Use an internal load balancer with AKS](https://learn.microsoft.com/azure/aks/internal-lb) for networking prerequisites. From da411c9cb304923c7a7c777a946bbb6938d54026 Mon Sep 17 00:00:00 2001 From: rkasture <93558858+rkasture@users.noreply.github.com> Date: Mon, 4 May 2026 17:24:58 -0700 Subject: [PATCH 5/6] Update website/blog/2026-03-18-app-routing-gateway-api/index.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- website/blog/2026-03-18-app-routing-gateway-api/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/blog/2026-03-18-app-routing-gateway-api/index.md b/website/blog/2026-03-18-app-routing-gateway-api/index.md index a18064ba5..be9355904 100644 --- a/website/blog/2026-03-18-app-routing-gateway-api/index.md +++ b/website/blog/2026-03-18-app-routing-gateway-api/index.md 
@@ -206,7 +206,7 @@ spec: AKS propagates these annotations onto the Kubernetes Service it creates for the Gateway. After the Gateway is programmed, its `status.addresses` will contain a private IP from the specified subnet (or the cluster's default subnet if the subnet annotation is omitted): ```bash -kubectl wait --for=condition=programmed gateways.gateway.networking.k8s.io httpbin-gateway --timeout=120s +kubectl wait --for=condition=Programmed gateways.gateway.networking.k8s.io httpbin-gateway --timeout=120s kubectl get gateways.gateway.networking.k8s.io httpbin-gateway -ojsonpath='{.status.addresses[0].value}' ``` From 00a30d98fb4337158984d406d656fe9e66f6ae86 Mon Sep 17 00:00:00 2001 From: rkasture <93558858+rkasture@users.noreply.github.com> Date: Tue, 5 May 2026 09:06:04 -0700 Subject: [PATCH 6/6] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- website/blog/2026-03-18-app-routing-gateway-api/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/blog/2026-03-18-app-routing-gateway-api/index.md b/website/blog/2026-03-18-app-routing-gateway-api/index.md index be9355904..a18064ba5 100644 --- a/website/blog/2026-03-18-app-routing-gateway-api/index.md +++ b/website/blog/2026-03-18-app-routing-gateway-api/index.md @@ -206,7 +206,7 @@ spec: AKS propagates these annotations onto the Kubernetes Service it creates for the Gateway. After the Gateway is programmed, its `status.addresses` will contain a private IP from the specified subnet (or the cluster's default subnet if the subnet annotation is omitted): ```bash -kubectl wait --for=condition=Programmed gateways.gateway.networking.k8s.io httpbin-gateway --timeout=120s +kubectl wait --for=condition=programmed gateways.gateway.networking.k8s.io httpbin-gateway --timeout=120s kubectl get gateways.gateway.networking.k8s.io httpbin-gateway -ojsonpath='{.status.addresses[0].value}' ```
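Review bot: In PATCH 1/6, the verification step after the YAML only prints `.status.addresses[0].value` and never checks that the value is private. The added paragraph itself says the default is a public IP, so a mistyped annotation key would leave the Gateway on a public address while both `kubectl` commands still succeed. Add a sentence telling readers to confirm the printed address falls inside the address range of the subnet named in `azure-load-balancer-internal-subnet`, and that no public address appears in `status.addresses`. The Note's wording "delegated or available for Azure Load Balancer use" is also too loose to act on; state the actual requirement or defer entirely to the linked prerequisites page.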
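Review bot: PATCH 2/6 renames the Gateway to `httpbin-gateway` in the prose and in `metadata.name` but leaves the two `kubectl` commands from PATCH 1/6 pointing at `internal-gateway`, so at this commit the verify step queries a Gateway the manifest does not create. PATCH 4/6 completes the rename; squash it into this one. Since the text now says "the existing `httpbin-gateway`", also say whether readers should apply this whole manifest over it or only add the `infrastructure` block, because the example carries its own `listeners` list.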
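Review bot: PATCH 3/6 capitalises "Azure Load Balancer" in the closing paragraph, while the opening paragraph of the same section (as left by PATCH 2/6) still reads "add Azure load balancer annotations". Pick one casing for the product name and apply it across the section.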
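Review bot: PATCH 6/6 exactly reverts PATCH 5/6 on the `kubectl wait` line: `--for=condition=Programmed` goes back to `--for=condition=programmed`, and the index line returns to blob `a18064ba5`, the result of PATCH 4/6. The two commits net to no change, and the message "Potential fix for pull request finding" does not say which finding prompted the revert. The Gateway API condition type is spelled `Programmed`, which is what readers will see under `status.conditions`, so keep 5/6 and drop 6/6, or drop both and record the reason for the lowercase form in the commit message.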