Azure - AKS integration with API Manager for JWT authentication

I am trying to implement the following workflow to setup in the Azure:

• Private AKS cluster to deploy my applications - Already provisioned

• An ingress controller (AGIC preferably) for routing traffic to pods - Already provisioned

• An APIM for generating JWT tokens - Not provisioned yet until I figure out it is possible What I need is, when a user tries to access a URL (eg: test.example.de), the traffic flow should be as follows:

a. A user Hits the DNS and that DNS is routed to the Application Gateway created by the AGIC

b. Then APP Gateway, without sending the traffic to the Ingresss and then to services and pods, it SHOULD authenticate with APIM to generate a JWT token or to validate if the user has permissions.

c. If user has permissions ,the traffic will be routed to the ingress and then to the service and the pods.

d. If user doesn't have permissions, don't route the traffic

I looked into this azure doc [1], but it seems like it doesn't perform JWT authentication.

Can someone please help me?

[1] - https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/apis/protect-apis

What you have won't achieve this. When using App Gateway in AGIC mode, it is the ingress for your AKS cluster, there is no "not sending to ingress", one traffic hits App Gateway, it is hitting the AKS ingress, they are the same thing.

To do what you want you need to either put APIM in front of App Gateway (which I assume you are not doing currently to handle WAF?), or you would need to have App Gateway not in AGIC mode in front or APIM, and then have either another App Gateway providing ingress in AGIC mode, or a separate ingress service like Nginx.

In the diagram you mention, App Gateway is not in AGIC mode, and is just passing traffic to APIM, which in turn sends traffic to the AKS ingress (which is not App Gateway)