Appmesh on Azure Kubernetes (AKS)

This article provides a basic setup of Appmesh on Azure Kubernetes using the API Gateway & Micro Gateway trial images available for public use on Docker Hub. It provides steps to set up AKS, install the Istio service mesh on AKS and then finally configure Appmesh.


  • Basic understanding of API Gateway, Micro gateway, App Mesh and policy enforcement.
  • Basic understanding of Kubernetes and Istio Service Mesh concepts.

Steps to set up Appmesh on Azure Kubernetes (AKS)

  1. Login to with an active subscription

  2. Create a new resource group or choose an existing resource group.

  3. Next in the top search box of the Azure Portal, search for Kubernetes and select Kubernetes services.

  4. Click on Add and select Add Kubernetes cluster.

  5. The Create Kubernetes cluster window opens as shown below
    Select the Resource group, provide the cluster name and choose the Kubernetes version desired.

  6. Next choose the number of nodes. Three is recommended, but we use 2 nodes as this is a test setup. The node count can be chosen as per the desired resiliency and workloads.

  7. Next choose the node pools OS Type, size etc. and the virtual nodes and virtual machine scale sets.

  8. Next choose the authentication and encryption methods. One can even choose service principals if needed and connect to Azure Active Directory.

  9. Next choose the networking options. Use kubenet to create a new VNet for the cluster, or Azure CNI for a new or existing VNet with customizable addresses.

  10. Next enable or disable integrations as shown below. Azure policy & monitor is disabled as this is a test setup. A connection to an image registry can also be configured here to pull images from.

  11. Next add any tags if needed and click on “Review + Create”

  12. Once the validation is passed, click on create to create the Kubernetes cluster.

  13. After this step, Kubernetes cluster should be installed successfully.

  14. Next step is to download and install Istio client library
    Here I am using a Windows machine for the client. Below are the steps for Istio client installation in Windows PowerShell:
    # Specify the Istio version that will be leveraged throughout these instructions
    $ISTIO_VERSION = "<istio-version>"   # placeholder: set this to the Istio release you want to install
    [Net.ServicePointManager]::SecurityProtocol = "tls12"
    $ProgressPreference = 'SilentlyContinue';Invoke-WebRequest -URI "$ISTIO_VERSION/istioctl-$" -OutFile "istioctl-$"
    Expand-Archive -Path "istioctl-$" -DestinationPath .
    #Copy istioctl.exe to C:\Istio
    New-Item -ItemType Directory -Force -Path "C:\Istio"
    Move-Item -Path .\istioctl.exe -Destination "C:\Istio\"
    # Add C:\Istio to PATH.
    # Make the new PATH permanently available for the current User
    $USER_PATH = [environment]::GetEnvironmentVariable("PATH", "User") + ";C:\Istio\"
    [environment]::SetEnvironmentVariable("PATH", $USER_PATH, "User")
    # Make the new PATH immediately available in the current shell
    $env:PATH += ";C:\Istio\"
    Client installation for different OS can be found in the below link –
    Install Istio in Azure Kubernetes Service (AKS) - Azure Kubernetes Service | Microsoft Docs

  15. After the Istio client is installed, the next step is to install Azure CLI on your machine. More details on usage and download can be found here –
    Install the Azure CLI | Microsoft Docs

  16. Next log in to Azure portal from your local machine by running the below command in PowerShell
    az login --tenant <tenantId>
    A browser window opens, where you can log in to your Azure portal. After logging in, you should see the below message
    Tenant ID can be obtained from portal as below –
    • Navigate to
    • Select Azure Active Directory.
    • Select Properties.
    • Then, scroll down to the Tenant ID field.

  17. If you have multiple subscriptions on Azure, then you need to choose your target subscription through the next commands:
    az account list --output table
    az account set --subscription <name or id>

  18. Next connect to AKS cluster from CLI using the below command
    az aks get-credentials --resource-group <ResourceGroupName> --name <AKS clustername>

  19. Next step is to install Istio using the below command
    istioctl operator init

  20. The Istio Operator is installed into the istio-operator namespace. Verify that the Istio Operator is installed using the below command
    kubectl get all -n istio-operator

  21. Next step is to install Istio components to AKS
    First execute the below command
    istioctl profile dump default
    Copy the contents to a file and name it as istio.aks.yaml
    Simple Istio configuration attached below (530 Bytes)
    Create istio system namespace and apply the configuration using the below commands
    kubectl create ns istio-system
    kubectl apply -f istio.aks.yaml

  22. Verify the Istio installation using the below command
    kubectl get all -n istio-system

  23. Next Create Container Registry in Azure Portal. Search for container registries and create new container registry.
    Finally review and create the container registry

  24. Next attach the created container registry to the AKS cluster using the below command
    az aks update -n <AKS cluster name> -g <ResGrpName> --attach-acr <container Registry Name>

  25. Login to acr and download the API Gateway and Micro Gateway images from docker hub to container registry
    az acr import --name kubeRegistryDemo --source --image microgw-appmesh: --username <docker hub username> --password <docker hub password>
    az acr import --name kubeRegistryDemo --source --image apigw-appmesh: --username <docker hub username> --password <docker hub password>
    Please note that the username used above should have access to API Gateway and Micro Gateway images. They are available for public usage after docker hub login.

  26. Next create Appmesh namespace and enable istio injection
    kubectl create namespace appmesh
    kubectl label namespace appmesh istio-injection=enabled
    kubectl describe namespace appmesh

  27. Set current context to appmesh namespace and install API Gateway
    kubectl config set-context --current --namespace=appmesh
    Create a sample YAML file for API Gateway installation with the vm.max_map_count setting needed for Elasticsearch and using the image downloaded to container registry. (473 Bytes)
    Install API Gateway using the below command
    kubectl apply -f apigw.aks.yaml
    Next expose the different ports of API Gateway as given below
    kubectl expose deployment apigw --port 5555 --target-port 5555 --name http-apigw
    kubectl expose deployment apigw --port 9072 --target-port 9072 --name http-apigwui --type=LoadBalancer
    kubectl expose deployment apigw --port 5555 --target-port 5555 --name http-apigwisext --type=LoadBalancer
    kubectl expose deployment apigw --port 9999 --target-port 9999 --name http-apigwdiag --type=LoadBalancer

  28. Next execute the below command to verify the services installed
    kubectl get services
    Use the external IP provided above to connect to API Gateway.

  29. Now let’s deploy a sample api server to the cluster and enable the node port.
    kubectl create deployment apiserver --image apiserver:1.0
    kubectl expose deployment apiserver --port 8080 --target-port 8080 --name=http-apiserver --type=NodePort
    kubectl get services

  30. Next configure Service Mesh properties in the API Gateway under Administration->External Accounts ->Service Mesh
    Use the configuration file exported earlier to the user directory.
    For Windows the path is C:\Users\<Username>\.kube\config
    Save configuration and navigate to Appmesh tab. Sample API server endpoint should be visible.
    Click on View details to see more details on api server deployed.

  31. Next click on APIfy to enable application context to the service and apply different policies and deploy the policies as a micro gateway side car deployment.
    After clicking on APIfy, navigate to APIs section to see the API for apiserver created.
    Select the API and update the specification and desired policies.

  32. Navigate back to Appmesh, select the api server endpoint, and deploy the changes back to AKS cluster.
    Micro gateway will be deployed as side car. To confirm this, navigate back to CLI and execute kubectl get services again. The service listening on original port 8080 will now be listening via Micro gateway port 4485

  33. Test the API Server from Postman for different scenarios including before and after micro gateway side car deployment and see how Appmesh provides application context to the service.
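
Steps 27 to 29 expose the API Gateway UI (9072), port 5555 and the diagnostics port (9999) as LoadBalancer services with external IPs, and the sample API server as a NodePort. The PowerShell below is an added example, not part of the original article: it reads `kubectl get services -o json` output and reports which services are reachable from outside the cluster and whether a source-range restriction is in place. The function name Get-ExposedService, the sample JSON and the http-apigwui-restricted entry with its 203.0.113.0/24 range are constructed for illustration.

```powershell
# Added example, not from the original article.
function Get-ExposedService {
    param(
        # JSON text as produced by: kubectl get services -n appmesh -o json
        [Parameter(Mandatory)] [string] $ServiceListJson
    )
    # AKS annotation that requests an internal (VNet-only) load balancer
    $internalKey = 'service.beta.kubernetes.io/azure-load-balancer-internal'
    foreach ($svc in ($ServiceListJson | ConvertFrom-Json).items) {
        $type = $svc.spec.type
        if ($type -notin 'LoadBalancer', 'NodePort') { continue }  # ClusterIP stays in-cluster

        # Absent properties evaluate to $null, so missing fields yield an empty list
        $ranges   = @($svc.spec.loadBalancerSourceRanges | Where-Object { $_ })
        $internal = $svc.metadata.annotations.$internalKey -eq 'true'
        $finding = if ($type -eq 'NodePort') {
            'port opened on every node IP'
        } elseif ($internal) {
            'internal load balancer (VNet only)'
        } elseif ($ranges.Count -eq 0) {
            'external load balancer, no loadBalancerSourceRanges'
        } else {
            'external load balancer limited to ' + ($ranges -join ', ')
        }
        [pscustomobject]@{
            Name    = $svc.metadata.name
            Type    = $type
            Ports   = ($svc.spec.ports | ForEach-Object { $_.port }) -join ','
            Finding = $finding
        }
    }
}

# Constructed sample shaped like the services created in steps 27-29; the last
# entry is hypothetical and shows a source-range restriction.
$sample = @'
{"items":[
 {"metadata":{"name":"http-apigw"},"spec":{"type":"ClusterIP","ports":[{"port":5555}]}},
 {"metadata":{"name":"http-apigwui"},"spec":{"type":"LoadBalancer","ports":[{"port":9072}]}},
 {"metadata":{"name":"http-apigwisext"},"spec":{"type":"LoadBalancer","ports":[{"port":5555}]}},
 {"metadata":{"name":"http-apigwdiag"},"spec":{"type":"LoadBalancer","ports":[{"port":9999}]}},
 {"metadata":{"name":"http-apiserver"},"spec":{"type":"NodePort","ports":[{"port":8080}]}},
 {"metadata":{"name":"http-apigwui-restricted"},"spec":{"type":"LoadBalancer","ports":[{"port":9072}],
   "loadBalancerSourceRanges":["203.0.113.0/24"]}}
]}
'@
Get-ExposedService -ServiceListJson $sample | Format-Table -AutoSize
```

Against the live cluster, pass `(kubectl get services -n appmesh -o json | Out-String)` as the -ServiceListJson argument instead of the sample.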