Share via

Application Gateway for Containers internal load balancer support

HASAN HUSEYIN AKKOCA 0 Reputation points
2026-03-31T13:32:00.1766667+00:00

Hello,

We are currently evaluating the use of Application Gateway for Containers within our AKS environment.

Based on our current understanding, the service appears to support only external load balancing scenarios at this time. We would like to confirm whether internal load balancer (private endpoint / internal exposure) support is on the product roadmap.

Could you please provide any information regarding:

  • Planned support for internal load balancing capabilities
  • Expected timelines, if available
  • Recommended alternatives or best practices for internal-only ingress scenarios in the meantime

This capability is critical for our architecture, as we require private, internal traffic routing within our virtual network.

Thank you in advance for your support.
User's image

Best regards,
Hasan Akkoca

Azure Application Gateway
Azure Application Gateway

An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.

0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Ravi Varma Mudduluru 9,200 Reputation points Microsoft External Staff Moderator
    2026-03-31T14:59:26.6733333+00:00

    Hello @ HASAN HUSEYIN AKKOCA,

    Thanks for reaching out to Microsoft Q&A.

    You're correct Application Gateway for container currently supports external load balancing only. It provisions public FQDN frontends and does not support private IPs or internal frontends at this time.

    There’s no public roadmap or timeline available yet for internal load-balancer support. The best place to watch for future updates is the Azure updates page.

    Recommended solution for internal-only ingress:

    • Azure Application Gateway v2 with Application Gateway Ingress Controller (AGIC) This option fully supports internal (private) frontends and is commonly used for internal‑only or hybrid ingress scenarios in AKS. It allows you to deploy Application Gateway with a private IP and expose AKS services internally, while still benefiting from Layer‑7 routing, TLS termination, and WAF capabilities
    • Use the Application Routing add-on (managed NGINX). It’s fully supported in AKS, gives you both internal and external options, and is the cleanest managed alternative when you need private traffic inside your VNet.

    It also supports Azure Key Vault certificates, Azure DNS (including private zones), and works great with Gateway API if you prefer that syntax.

    Reference Documents:

    Planned support for internal load balancing capabilities: You can share this idea in this feedback link: https://feedback.azure.com/

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

  2. Q&A Assist
    2026-03-31T13:32:44.7+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The available documentation describes Application Gateway for Containers as an Azure‑hosted, layer‑7 ingress/load balancer for AKS that exposes workloads via frontends associated with an anycast IP, and it explicitly calls out support for HTTP/HTTPS ingress using Ingress and Gateway API resources. However, the documentation in the provided context does not state support for an internal‑only (private) mode, nor does it provide a roadmap or timelines for such a feature.

    Because no roadmap or timeline information is published in the referenced documentation, there is no supported statement available here about:

    • Planned support for internal load balancer / private endpoint exposure
    • Expected delivery timelines

    For internal‑only ingress scenarios today, the AKS networking guidance in the context recommends using either:

    • A layer‑4 Load Balancer Service for non‑HTTP traffic, or
    • An ingress controller for HTTP‑like traffic. Managed options called out include:
      • The application routing add‑on with managed ingress‑nginx
      • Istio ingress gateway
      • Azure Application Gateway for Containers (recommended managed ingress option overall)

    Since internal/private mode for Application Gateway for Containers is not documented in the provided material, the documented alternatives for internal‑only access are:

    1. Use a Kubernetes LoadBalancer Service with an internal Azure Load Balancer for private, in‑VNet access to services.
    2. Use another ingress controller option that supports internal exposure as documented in AKS application networking guidance (for example, managed NGINX via the application routing add‑on or Istio ingress gateway) while planning long‑term migration to Gateway API–based solutions.

    For feature roadmap details (such as future internal mode support) and timelines, the documentation directs to:

    • Submit or upvote ideas on the Azure feedback channel for Application Gateway for Containers.
    • Open a support request in the Azure portal on the Application Gateway for Containers resource for product‑team–backed guidance.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.