> ## Documentation Index
> Fetch the complete documentation index at: https://arize-ax.mintlify.site/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Ingress on Azure (Azure load balancer)

> Expose the Arize AX UI with Azure NLB or Application Gateway for Containers using the bundled examples under examples/endpoints/azure.

## Overview

Azure installs use one of **four** bundled patterns under **`examples/endpoints/azure/`**:

| Pattern                    | Path                                           | Notes                                                                                          |
| -------------------------- | ---------------------------------------------- | ---------------------------------------------------------------------------------------------- |
| **NLB — single endpoint**  | `azure/nlb/single-endpoint/app-services.yaml`  | Layer 4 `Service` `LoadBalancer`; TCP to pods; TLS often terminated on pods (see file header). |
| **NLB — multi endpoint**   | `azure/nlb/multi-endpoint/app-services.yaml`   | Same NLB style with separate hostnames per role.                                               |
| **AGFC — single endpoint** | `azure/agfc/single-endpoint/app-services.yaml` | Application Gateway for Containers; read file header for gRPC caveats.                         |
| **AGFC — multi endpoint**  | `azure/agfc/multi-endpoint/app-services.yaml`  | **Preferred for AGFC** when using OTLP gRPC and Arrow Flight (separate routes per hostname).   |

Static IPs are recommended so DNS stays stable across cluster rebuilds; they are often created via the bundled Terraform (see [cluster Terraform](/ax/selfhosting/installation/azure/cluster-terraform)).

## Terraform and static IPs

Review `terraform/README.md` in your extracted distribution for parameters that reserve static IP names. Re-apply Terraform if you change those resources. For NLB, Service annotations such as **`service.beta.kubernetes.io/azure-load-balancer-ipv4`** must match addresses Terraform created, when used. For AGFC, align resource IDs and frontend settings with Terraform outputs and the sample manifest comments.

## NLB — single endpoint

From the extracted distribution root:

```bash theme={null}
cp ./examples/endpoints/azure/nlb/single-endpoint/app-services.yaml my-app-services.yaml
```

Confirm annotations match your design (internal vs public load balancer, optional static IP):

```yaml theme={null}
annotations:
  service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  # service.beta.kubernetes.io/azure-load-balancer-ipv4: "10.0.0.100"
```

Follow the **TLS** options in the file header (`internalEndpointsAppTlsCert` / `internalEndpointsAppTlsKey` in `values.yaml`, or cert-manager secret `internalendpoints-app-tls`).

## NLB — multi endpoint

```bash theme={null}
cp ./examples/endpoints/azure/nlb/multi-endpoint/app-services.yaml my-app-services.yaml
```

Edit hostnames and TLS material per the file comments, then apply the same way as single-endpoint.

## AGFC — single endpoint

```bash theme={null}
cp ./examples/endpoints/azure/agfc/single-endpoint/app-services.yaml my-agfc-services.yaml
```

The sample documents **gRPC limitations** when one hostname mixes HTTP and gRPC; prefer **multi-endpoint** AGFC or **NLB** if you need reliable OTLP gRPC and Flight.

## AGFC — multi endpoint (recommended for AGFC)

```bash theme={null}
cp ./examples/endpoints/azure/agfc/multi-endpoint/app-services.yaml my-agfc-services.yaml
```

Prerequisites (high level): AGFC available in your region, ALB Controller installed, and an AGFC resource created per Microsoft’s documentation. Replace placeholder resource IDs, hostnames, and certificates before apply.

## DNS, apply, and verify

Replace placeholder hostnames with your organization’s domain and ensure DNS points at the load balancer IP (NLB) or AGFC frontend. Verify resolution:

```bash theme={null}
nslookup arize-app.<my-organization-domain>
```

Apply (example for NLB single-endpoint copy named `my-app-services.yaml`):

```bash theme={null}
kubectl -n arize apply -f my-app-services.yaml
kubectl -n arize describe svc arize-app-services
```

For AGFC, use the resource kinds in your edited file (`kubectl describe` the Gateway/HTTPRoute/GRPCRoute objects the sample defines).

## Browser check

Open `https://arize-app.<my-organization-domain>`. Pod-terminated or private CA certificates can take time to trust in the browser; if you see a temporary TLS error, confirm `internalEndpointsAppTlsCert` / `internalEndpointsAppTlsKey` or your cert-manager secret, then retry.

## Configure app URLs in values.yaml

Set the URLs your deployment advertises (`appBaseUrl`, `expBaseUrl`):

```yaml theme={null}
appBaseUrl: "https://arize-app.<my-organization-domain>"
expBaseUrl: "arize-app.<my-organization-domain>"
```

Re-apply Helm values if you change them after the initial install.

## Set ingressMode

Set `ingressMode` in `values.yaml` to match your pattern (NLB with TLS on pods vs AGFC TLS termination). See the **Ingress Controllers** table in [Configuring ingress endpoints](/ax/selfhosting/installation/ingress/configuring-endpoints) for gRPC and OTLP considerations.
