
Update your microservices to use an internal loadbalancer

As a first step you will remove the public access to your microservices so they will only be accessible within your Virtual Network. For this you will need to recreate the services of the api-gateway and admin-server to now use an internal-loadbalancer. You can use the following guidance to implement these changes:

Step by step guidance

  1. Navigate to the kubernetes directory and replace the contents of your spring-petclinic-api-gateway.yml and spring-petclinic-admin-server.yml files with the updated versions of those two files from the lab repository. You can again curl the updated files and then fill in the correct container registry name.

    cd kubernetes
    # Fetch the updated api-gateway manifest (it carries the internal load balancer annotation).
    curl -o spring-petclinic-api-gateway.yml https://raw.githubusercontent.com/Azure-Samples/java-microservices-aks-lab/main/docs/07_lab_security/spring-petclinic-api-gateway.yml

    # Replace the #image# placeholder with the image in your own container registry.
    IMAGE=${MYACR}.azurecr.io/spring-petclinic-api-gateway:$VERSION
    sed -i "s|#image#|$IMAGE|g" spring-petclinic-api-gateway.yml

    # Same for the admin-server manifest.
    curl -o spring-petclinic-admin-server.yml https://raw.githubusercontent.com/Azure-Samples/java-microservices-aks-lab/main/docs/07_lab_security/spring-petclinic-admin-server.yml

    IMAGE=${MYACR}.azurecr.io/spring-petclinic-admin-server:$VERSION
    sed -i "s|#image#|$IMAGE|g" spring-petclinic-admin-server.yml
    
  2. Inspect the new contents of these files. The files have:

    • An additional annotation for service.beta.kubernetes.io/azure-load-balancer-internal on line 77.
  3. You can now re-apply these two YAML files.

    kubectl apply -f spring-petclinic-api-gateway.yml
    kubectl apply -f spring-petclinic-admin-server.yml
    
  4. Double check that these services are now using a private IP address.

    kubectl get services
    

    Additionally, if you navigate to the MC resource group of your cluster in the Azure portal, you will notice that the public IP addresses that were there disappear after a while.

    In case you don’t want any public IP addresses being created by services in any of your AKS clusters, you can limit their creation by applying a specific policy for this at resource group, subscription or even management group level. Take a look at the Kubernetes clusters should use internal load balancers policy in the Azure Policy built-in definitions for Azure Kubernetes Service.
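    To make the check in this step repeatable, the following script (an added example, not part of the original lab) reads the JSON that `kubectl get services -o json` prints and reports every LoadBalancer service that either lacks the `service.beta.kubernetes.io/azure-load-balancer-internal: "true"` annotation or still exposes a non-private ingress IP. The service names and IP addresses in the embedded sample are constructed for illustration; the annotation name and the kubectl output shape are real.

```python
import ipaddress
import json
import sys

INTERNAL_LB_ANNOTATION = "service.beta.kubernetes.io/azure-load-balancer-internal"

# Constructed sample in the shape of `kubectl get services -o json`.
# One correctly internal service, one still public, one plain ClusterIP.
SAMPLE_SERVICES_JSON = json.dumps({
    "items": [
        {
            "metadata": {"name": "api-gateway",
                         "annotations": {INTERNAL_LB_ANNOTATION: "true"}},
            "spec": {"type": "LoadBalancer"},
            "status": {"loadBalancer": {"ingress": [{"ip": "10.1.0.7"}]}},
        },
        {
            "metadata": {"name": "admin-server", "annotations": {}},
            "spec": {"type": "LoadBalancer"},
            "status": {"loadBalancer": {"ingress": [{"ip": "20.50.1.2"}]}},
        },
        {
            "metadata": {"name": "customers-service"},
            "spec": {"type": "ClusterIP"},
            "status": {"loadBalancer": {}},
        },
    ]
})


def is_private(ip: str) -> bool:
    """True for RFC 1918 / link-local style addresses, False for public or unparsable ones."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def find_exposed_services(services_json: str) -> list:
    """Return (service name, reason) pairs for LoadBalancer services that are not internal-only."""
    findings = []
    for svc in json.loads(services_json).get("items", []):
        # Only LoadBalancer services get an Azure load balancer frontend at all.
        if svc.get("spec", {}).get("type") != "LoadBalancer":
            continue
        meta = svc.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        annotations = meta.get("annotations") or {}
        # Without this annotation AKS provisions a public load balancer frontend.
        if annotations.get(INTERNAL_LB_ANNOTATION, "").lower() != "true":
            findings.append((name, "missing internal load balancer annotation"))
        # Even with the annotation, verify the assigned address is actually private.
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        for entry in ingress:
            ip = entry.get("ip")
            if ip and not is_private(ip):
                findings.append((name, f"public ingress IP {ip}"))
    return findings


if __name__ == "__main__":
    # Usage: kubectl get services -o json | python3 check_internal_lb.py
    # With no piped input the constructed sample is checked instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SERVICES_JSON
    for name, reason in find_exposed_services(data):
        print(f"{name}: {reason}")
```

    Run it against the real cluster with `kubectl get services -o json | python3 check_internal_lb.py`; an empty output means every LoadBalancer service is internal. Right after re-applying the manifests a service may briefly still report its old public address, so a "public ingress IP" finding immediately after step 3 is worth re-running a minute later before treating it as a misconfiguration.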

  5. In a later step you will need the new private IP addresses of these two services to configure the backend of the Application Gateway. Use the statements below to store these two IP addresses in environment variables for now:

    # The internal load balancer lives in the cluster's managed (MC_*) node resource group.
    AKS_MC_RG=$(az aks show -n $AKSCLUSTER -g $RESOURCE_GROUP | jq -r '.nodeResourceGroup')

    echo $AKS_MC_RG

    # AKS names the internal load balancer "kubernetes-internal".
    AKS_MC_LB_INTERNAL=kubernetes-internal

    # List the frontend IP configurations; there should be one per internal service.
    az network lb frontend-ip list -g $AKS_MC_RG --lb-name=$AKS_MC_LB_INTERNAL -o table

    # Capture the two private frontend IPs for the Application Gateway backend later on.
    AKS_MC_LB_INTERNAL_FE_IP1=$(az network lb frontend-ip list -g $AKS_MC_RG --lb-name=$AKS_MC_LB_INTERNAL | jq -r '.[0].privateIPAddress')
    AKS_MC_LB_INTERNAL_FE_IP2=$(az network lb frontend-ip list -g $AKS_MC_RG --lb-name=$AKS_MC_LB_INTERNAL | jq -r '.[1].privateIPAddress')

    echo $AKS_MC_LB_INTERNAL_FE_IP1
    echo $AKS_MC_LB_INTERNAL_FE_IP2