In a single AZURE Subcription we have a single Application Gateway - managed by AKIC, with AKS Cluster, and a Web App Service Plan for Web App that runs always, the AKS Cluster is elastic.

TL;DR

• We encountered an issue with AzureIngressProhibitedTargetobject that needs to be added to Kubernetes cluster, as otherwise the shared Application GateWay configs are getting deleted.

• Without going into all the details, some of our experts are saying we need an AZURE Subscription with only AKS and a separate AZURE Subscription with only Web Apps.

• I cannot find such a statement on learn.microsoft.

• My view is we should be able to do this in a single Subscription.

• My view is it should be achievable, and if I introduce a 2nd Application Gateway in the Subscription, it should be OK, but that is not part of the Landing Zone Strategy.

Basically, can someone point me to AZURE documentation stating separate Subscriptions needed when AKS and Web App Service Plan needed for a business application?

CodePudding user response：

You do not need to place them in 2 separate subscriptions.

But you cannot attach the same Application Gateway to an Azure App Service and an AKS Cluster at the same time. One integrates via a private endpoint, the other via an ingress controller.

Integration with AKS: https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-overview

Integration with App Service: https://learn.microsoft.com/en-us/azure/app-service/networking/app-gateway-with-service-endpoints

So your solution with 2 application gateways would work. You could place traffic manager in front of your 2 application gateway instances: https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-load-balancing-azure