AGIC (Application Gateway Ingress Controller) errors occur when the controller fails to synchronize Kubernetes Ingress resources with Azure Application Gateway. The Ingress is then never applied to the gateway, so clients typically see 502 Bad Gateway or no route at all. Common causes are missing role assignments on the identity AGIC runs under, an incorrect or absent ingress-class annotation, and AGIC pod failures.
This error indicates that AGIC, the controller responsible for bridging Kubernetes ingress resources and Azure Application Gateway, encountered a problem. AGIC watches your cluster for ingress resource changes and automatically configures the Application Gateway to route traffic accordingly. When AGIC fails, ingress definitions are not applied to the gateway, meaning traffic routes are not created and your applications become unreachable.
First, verify the AGIC controller pod is running. The pod name depends on how AGIC was installed (ingress-appgw-deployment-... for the AKS add-on, ingress-azure-... for the documented Helm release name), so match both:
kubectl get pods -n kube-system | grep -E 'ingress-azure|ingress-appgw'
kubectl logs -n kube-system <agic-pod-name>
Ensure your Ingress resources carry the AGIC ingress class; an Ingress without it is silently ignored by the controller and never reaches the gateway:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-app
annotations:
kubernetes.io/ingress.class: azure/application-gateway
A typo in the annotation value fails the same way as a missing annotation. Newer AGIC releases also accept the IngressClass form, spec.ingressClassName: azure-application-gateway, in place of the annotation. Verify the Application Gateway is in the Running state:
az network application-gateway show --name <GATEWAY_NAME> --resource-group <RG_NAME> --query "operationalState"
If using managed identity, verify it has the required roles:
With the AKS add-on, AGIC runs under its own managed identity; the identity.principalId returned by az aks show is the cluster's control-plane identity, not AGIC's, so query the add-on identity instead:
IDENTITY_ID=$(az aks show --resource-group <RG> --name <CLUSTER> --query "addonProfiles.ingressApplicationGateway.identity.objectId" -o tsv)
az role assignment list --assignee $IDENTITY_ID --query "[].[roleDefinitionName,scope]" -o table
For a Helm install, use the object ID of the user-assigned identity referenced in your Helm values. AGIC needs Contributor on the Application Gateway and Reader on the resource group that contains it. Without these the controller cannot read or update the gateway and its log fills with ARM authorization errors; an assignment much broader than this (Contributor or Owner on the whole subscription) also works but gives the controller far more than it needs. Verify AGIC is configured to watch your namespaces (the kubernetes.watchNamespace value; empty means all namespaces):
helm get values ingress-azure -n kube-system
For the add-on, the equivalent settings are in az aks show --query "addonProfiles.ingressApplicationGateway.config". Raise the log verbosity to see what AGIC is doing (the controller reads APPGW_VERBOSITY_LEVEL; 5 is verbose, 9 is trace):
kubectl set env deployment/ingress-azure -n kube-system APPGW_VERBOSITY_LEVEL=5
For a Helm install the durable way is helm upgrade ... --set verbosityLevel=5, since kubectl set env is overwritten by the next helm upgrade. For the add-on the deployment is ingress-appgw-deployment, and edits to it can be reverted by the add-on reconciler, so treat this as a temporary debugging step. Test that your ingress endpoints work by sending the Host header the Ingress rule expects:
AG_IP=$(az network public-ip show --name <AG_PUBLIC_IP_NAME> --resource-group <RG_NAME> --query ipAddress -o tsv)
curl -I -H "Host: myapp.example.com" http://$AG_IP
AGIC can be deployed as an AKS cluster add-on or via Helm. Switching between methods requires removing the existing installation first; otherwise two controllers compete to write the same gateway configuration. A newly created managed identity can take up to a minute to replicate in Entra ID, so wait before assigning roles or the assignment can fail because the principal is not yet visible. AAD Pod Identity (deprecated) can cause version conflicts with AGIC versions before 1.2.0-rc2.