Azure

Follow these instructions to prepare an Azure cluster for Istio.

You can deploy a Kubernetes cluster to Azure either with the Cluster API provider for Azure (CAPZ) for self-managed Kubernetes, or with AKS, which fully supports Istio.

AKS

You can create an AKS cluster by numerous means, such as the az cli, the Azure portal, the az cli with Bicep, or Terraform.

For the az cli option, complete az login authentication or use Cloud Shell, then run the following commands.

  1. Determine the desired region name which supports AKS

    $ az provider list --query "[?namespace=='Microsoft.ContainerService'].resourceTypes[] | [?resourceType=='managedClusters'].locations[]" -o tsv
  2. Verify the supported Kubernetes versions for the desired region

    Replace my location using the desired region value from the above step, and then execute:

    $ az aks get-versions --location "my location" --query "orchestrators[].orchestratorVersion"
  3. Create the resource group and deploy the AKS cluster

    Replace myResourceGroup and myAKSCluster with the desired names, my location with the value from step 1, and 1.28.3 with a supported version from step 2 if 1.28.3 is not supported in the region, and then execute:

    $ az group create --name myResourceGroup --location "my location"
    $ az aks create --resource-group myResourceGroup --name myAKSCluster --node-count 3 --kubernetes-version 1.28.3 --generate-ssh-keys
  4. Get the AKS kubeconfig credentials

    Replace myResourceGroup and myAKSCluster with the names from the previous step and execute:

    $ az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

Using Gateway API with Azure

If you are using Gateway API with AKS, you might also need to add the following configuration to the Gateway resource:

infrastructure:
  annotations:
    service.beta.kubernetes.io/port_<http[s] port>_health-probe_protocol: tcp

where <http[s] port> is the port number of your HTTP(S) listener. If you have multiple HTTP(S) listeners, you need to add an annotation for each listener. This annotation is required for Azure Load Balancer health checks to work when the / path does not respond with a 200.

For example, if you are following the Ingress Gateways example using Gateway API, you will need to deploy the following Gateway instead:

$ kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  infrastructure:
    annotations:
      service.beta.kubernetes.io/port_80_health-probe_protocol: tcp
  gatewayClassName: istio
  listeners:
  - name: http
    hostname: "httpbin.example.com"
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: Same
EOF
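Because the annotation must be repeated for every HTTP(S) listener port, hand-editing the manifest is error-prone once a Gateway has several listeners. The following POSIX shell helper is an added example, not part of the Istio docs: it renders the Gateway shown above from a list of name:port:hostname listeners and emits one health-probe annotation per distinct port (two listeners sharing a port must not produce a duplicate annotation key). It assumes all listeners are plain HTTP; an HTTPS listener takes the same annotation but also needs its own tls section, which this helper does not emit.

```shell
#!/bin/sh
# Added example (not from the Istio docs): render an AKS-ready Gateway with
# one Azure health-probe annotation per HTTP listener port.
# Usage: render_gateway GATEWAY_NAME name:port:hostname [name:port:hostname ...]
# Assumption: every listener is protocol HTTP (HTTPS would also need a tls block).
render_gateway() {
  gw_name=$1
  shift
  printf 'apiVersion: gateway.networking.k8s.io/v1\n'
  printf 'kind: Gateway\nmetadata:\n  name: %s\n' "$gw_name"
  printf 'spec:\n  infrastructure:\n    annotations:\n'
  # One annotation per distinct port: listeners that share a port (and differ
  # by hostname) would otherwise yield a duplicate YAML key.
  seen=" "
  for spec in "$@"; do
    rest=${spec#*:}
    port=${rest%%:*}
    case $seen in *" $port "*) continue ;; esac
    seen="$seen$port "
    printf '      service.beta.kubernetes.io/port_%s_health-probe_protocol: tcp\n' "$port"
  done
  printf '  gatewayClassName: istio\n  listeners:\n'
  for spec in "$@"; do
    lname=${spec%%:*}
    rest=${spec#*:}
    port=${rest%%:*}
    host=${rest#*:}
    printf '  - name: %s\n    hostname: "%s"\n    port: %s\n    protocol: HTTP\n' \
      "$lname" "$host" "$port"
    printf '    allowedRoutes:\n      namespaces:\n        from: Same\n'
  done
}

# Two listeners on port 80 plus one on 8080 produce exactly two annotations.
# Pipe the output into `kubectl apply -f -` to deploy it.
render_gateway httpbin-gateway \
  http:80:httpbin.example.com \
  http-b:80:other.example.com \
  http-alt:8080:httpbin.example.com
```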