This guide walks you through launching a new cluster with Azure Kubernetes Service (AKS) and a demo app, then adding the ngrok Kubernetes Operator to route public traffic to your demo app through an encrypted tunnel.
It covers the ngrok Kubernetes Operator and AKS (a managed Kubernetes environment from Microsoft that simplifies deployment, health monitoring, and maintenance of cloud native applications in Azure, on-premises, or at the edge).
What you’ll need
- An Azure account with permissions to create new Kubernetes clusters.
- An ngrok account.
- kubectl and Helm 3.0.0+ installed on your local workstation.
- The ngrok Kubernetes Operator installed on your cluster.
- A reserved domain from the ngrok dashboard or API; this guide refers to it as
<NGROK_DOMAIN>.
Create your cluster in AKS
Start by creating a new managed Kubernetes cluster in AKS.
If you already have one, you can skip to Add ngrok’s Kubernetes ingress to your demo app.
-
In your Azure console, go to Kubernetes services and click Create, then Create a Kubernetes cluster.
-
Configure your new cluster with the wizard.
Default options are generally fine; you can adjust cluster configuration (production vs dev/test), region, and AKS pricing tier (the Free tier works well with fewer than 10 nodes).
-
Click Review + create and wait for Azure to validate your configuration.
If you see a Validation failed warning, check the errors (often related to quota limits).
When ready, click Create; deployment can take a while.
-
When AKS completes the deployment, click Go to deployment, then Connect for kubectl connection options.
Use the Cloud shell or Azure CLI as instructed, then verify your cluster’s services:
Deploy a demo microservices app
To showcase this integration, deploy the AKS Store demo app (a microservices architecture connecting frontend UI to API-like services with RabbitMQ and MongoDB) directly in the Azure Portal.
If you prefer the CLI, save the YAML below to a .yaml file on your local workstation and deploy with kubectl apply -f ....
-
Click Create, then Apply a YAML.
-
Copy and paste the YAML below into the editor.
showLineNumbers collapsible
-
Click Add to deploy the demo app.
To double-check services deployed successfully, click Workloads in the Azure Portal and look for
store-front, rabbitmq, product-service, and order-service in the default namespace.
If you prefer the CLI, you can run kubectl get pods for the same information.
Add ngrok’s Kubernetes ingress to your demo app
Next, you’ll configure and deploy the ngrok Kubernetes Operator to expose your demo app to the public internet through ngrok.
-
In the Azure Portal, click Create, then Apply a YAML.
-
Copy and paste the YAML below into the editor.
This manifest defines how the ngrok Kubernetes Operator should route traffic arriving on
NGROK_DOMAIN to the store-front service on port 80, which you deployed in the previous step.
Edit line 9 of the YAML below (the NGROK_DOMAIN variable) with the ngrok subdomain you created earlier.
-
Click Add to deploy the ingress configuration.
Check ingress status in the Azure Portal under Services and ingresses, then Ingresses; you should see
store-ingress and your ngrok subdomain.
To edit the ingress later, click the ingress and open the YAML tab.
-
Navigate to your ngrok subdomain (for example,
https://NGROK_DOMAIN.ngrok.app) in your browser to see the demo app.
ngrok routes requests to the ngrok Kubernetes Operator, which forwards them to the store-front service.
Add OAuth authentication to your demo app
Now that your demo app is publicly accessible through ngrok, you can quickly layer on additional capabilities, like authentication, without configuring and deploying complex infrastructure.
The process for restricting access to individual Google accounts or any Google account under a specific domain name is outlined below.
With the Traffic Policy system and the oauth action, ngrok manages OAuth protection entirely at ngrok.
This means you don’t need to add any additional services to your cluster, nor alter any routes, to ensure ngrok’s network authenticates and authorizes all requests before allowing ingress and access to your endpoint.
To enable the oauth action, you’ll create a new NgrokTrafficPolicy custom resource and apply it to your entire Ingress with an annotation.
You can also apply the policy to just a specific backend or as the default backend for an Ingress—see the doc on using the Operator with Ingresses.
-
Edit your existing ingress YAML with the following.
Note the new
annotations field and the NgrokTrafficPolicy CR.
-
When you open your demo app again, you’ll be asked to log in via Google.
That’s a start, but what if you want to authenticate only yourself or colleagues?
-
You can use expressions and CEL interpolation to filter out and reject OAuth logins that don’t contain
example.com.
Update the NgrokTrafficPolicy portion of your manifest after changing example.com to your domain.
-
Check out your deployed app once again.
If you log in with an email that doesn’t match your domain, ngrok rejects your request.
What’s next?
You’ve now used the open source ngrok Kubernetes Operator to add public ingress to a demo app on a cluster managed in AKS without having to worry about complex Kubernetes networking configurations.
Because ngrok handles ingress and middleware execution, you can follow a similar process to route public traffic to your next production-ready app.
For next steps, explore the Kubernetes docs for more details on how the Operator works, different ways you can integrate ngrok with an existing production cluster, or use more advanced features like bindings or endpoint pooling.