Azure 55: Front Door + APIM + AKS Ingress — north-south traffic path
easy⏱ 5 mincourseazure
Front Door — edge
Front Door (Standard/Premium) terminates TLS at Azure's edge POPs (closest to the user), strips out obviously-bad traffic with WAF rules, and caches static assets. Lythia uses managed rules (OWASP Top 10) plus a small custom ruleset for /healthz-style abuse patterns. Origins are pinned to APIM hostnames, never AKS directly.
APIM — gateway
Azure API Management is where each API gets a public contract: rate limits (e.g., 100 req/min/subscription), product groupings (Customer, Internal, Partner), and OAuth/JWT validation against Entra ID. APIM proxies to AKS over a private endpoint; AKS node IPs are never exposed.
<!-- APIM policy snippet -->
<inbound>
<validate-jwt header-name="Authorization" require-scheme="Bearer">
<openid-config url="https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration"/>
<audiences><audience>{api-app-id-uri}</audience></audiences>
</validate-jwt>
<rate-limit-by-key calls="100" renewal-period="60"
counter-key="@(context.Subscription.Id)" />
</inbound>
Istio Ingress Gateway — mesh entry
Inside AKS, Istio's Ingress Gateway receives APIM's request, applies any per-service VirtualService matches (e.g., /api/v1/cart), and forwards into the mesh — at which point the request is mTLS-protected end-to-end. The ingress gateway has its own AuthorizationPolicy that allows only APIM's private IP range.
Trace the request
Write trace(request, policies) where request has { ip, path, hasJWT, jwtScope, subscriptionKey } and policies has the rules from Front Door (WAF block list), APIM (audience, rate limit per subscription), Istio (allowed source IP range). Return { allowed: boolean, blockedAt?: 'frontdoor'|'apim'|'istio', reason? }. Log traces for: a normal cart-api call, a call with an expired JWT, a call from an unallowed IP, a call exceeding rate limit.
Always tag traffic at every hop
Front Door adds X-Azure-FDID. APIM adds X-APIM-RequestId. Istio adds x-request-id. By the time the request reaches cart-api, you have three correlation IDs; the universal chart's middleware logs all three. Datadog stitches them into one trace, and on-call can pinpoint the failing hop in seconds.
Quiz: can a client bypass APIM?
Q: A developer with kubectl port-forward can hit a service directly. Does that mean prod is open? A: No. prod AKS doesn't grant kubectl to developers; the Istio AuthorizationPolicy on the ingress gateway denies any source IP that isn't APIM's private range; node IPs are inside a VNet with no public association. Three independent guardrails — defense in depth.