Skip to main content

Documentation Index

Fetch the complete documentation index at: https://arize-ax.mintlify.dev/docs/llms.txt

Use this file to discover all available pages before exploring further.

Overview

If you are not using the Google Cloud HTTP(S) load balancer path, you can expose Arize with NGINX Ingress (NGINX Inc), NGINX Gateway Fabric, ingress-nginx (community), Istio, Kong, or another controller that supports TLS, long-lived connections, and gRPC where needed.

Pick your controller

You already run (or plan to run)…Start here
NGINX Ingress Controller (F5 NGINX Inc, Ingress API)NGINX Ingress Controller (NGINX Inc)nginx/.../nginx-ingress.yaml
NGINX Gateway Fabric (Gateway API)NGINX Gateway Fabric (Gateway API)nginx/.../nginx-gateway-fabric.yaml
ingress-nginx (Kubernetes community chart)Community ingress-nginx (legacy) — migration path to NGINX Inc
Istio ingress gatewayIstioistio/app-services.yaml
Kong Ingress ControllerKongkong/app-services.yaml
All examples assume:
  • The Arize operator has created the internalendpoints-app Service in the arize namespace (TLS on port 443).
  • You replace placeholder domains and TLS material before kubectl apply.
  • You align appBaseUrl / expBaseUrl (and ingressMode) in values.yaml with your hostname plan—see Configuring ingress endpoints, especially the Ingress Controllers table for ingressMode and optional pod TLS fields.
Example sources live in the extracted distribution under: 
examples/endpoints/
├── nginx/
│   ├── single-endpoint/
│   │   ├── nginx-ingress.yaml          # NGINX Inc — Ingress API
│   │   ├── nginx-gateway-fabric.yaml   # NGINX Inc — Gateway API
│   │   └── nginx-legacy.yaml           # Community ingress-nginx (deprecated path)
│   └── multi-endpoint/
│       ├── nginx-ingress.yaml
│       ├── nginx-gateway-fabric.yaml
│       └── nginx-legacy.yaml
├── istio/
│   ├── app-services.yaml               # Gateway + VirtualService + EnvoyFilter
│   └── envoy-filter-http2.yaml         # Same EnvoyFilter recipe, standalone
└── kong/
    └── app-services.yaml               # Kong Ingress
Copy the file you need into a working file, edit placeholders, then apply from the extract root, for example: 
kubectl apply -n arize -f my-nginx-ingress.yaml
Adjust ingressClassName (or Gateway gatewayClassName) to match the class installed in your cluster.

NGINX Ingress Controller (NGINX Inc)

Paths: nginx/single-endpoint/nginx-ingress.yaml and nginx/multi-endpoint/nginx-ingress.yaml
Docs: NGINX Ingress Controller (OSS or NGINX Plus) These manifests use the networking.k8s.io/v1 Ingress API with ingressClassName: nginx. Traffic is forwarded to internalendpoints-app:443. TLS is terminated at the ingress using a kubernetes.io/tls secret in arize (for example arize-app-services-tls in the single-endpoint file). Single host (nginx/single-endpoint/nginx-ingress.yaml):
  • One hostname ({{CUSTOMER_DOMAIN}}) for UI, GraphQL, REST, OTLP, and Arrow Flight through the unified internal endpoint service.
  • ConfigMap nginx-ingress in your NGINX install namespace (default comment uses nginx-ingress) sets http2: "true" so gRPC and HTTP/2 behave correctly—rename the ConfigMap or namespace if your Helm release differs (for example NGINX Plus chart defaults).
  • Key Ingress annotations: nginx.org/ssl-services and nginx.org/grpc-services set to internalendpoints-app, plus long proxy-read-timeout / proxy-send-timeout (7200s) for large exports and streams.
Multiple hosts (nginx/multi-endpoint/nginx-ingress.yaml):
  • Separate Ingress objects per role: arize-app (UI / GraphQL), arize-api (REST), arize-otlp (OTLP), arize-flight (Arrow Flight), each with its own TLS secret and host ({{CUSTOMER_APP_DOMAIN}}, {{CUSTOMER_API_DOMAIN}}, etc.).
  • OTLP and Flight ingresses include nginx.org/grpc-services: "internalendpoints-app"; app/API ingresses rely on nginx.org/ssl-services for HTTPS to the backend.
values.yaml alignment (from file headers):
  • Single-endpoint: appBaseUrl: "https://{{CUSTOMER_DOMAIN}}", expBaseUrl: "{{CUSTOMER_DOMAIN}}".
  • Multi-endpoint: appBaseUrl: "https://{{CUSTOMER_APP_DOMAIN}}", expBaseUrl: "{{CUSTOMER_FLIGHT_DOMAIN}}" (Flight host for export-related settings).
After apply, point DNS at the NGINX Service / LoadBalancer IP and verify with kubectl -n arize describe ingress <name>.

NGINX Gateway Fabric (Gateway API)

Paths: nginx/single-endpoint/nginx-gateway-fabric.yaml and nginx/multi-endpoint/nginx-gateway-fabric.yaml
Docs: NGINX Gateway Fabric These examples use the Kubernetes Gateway API (Gateway, HTTPRoute, GRPCRoute) with gatewayClassName: nginx. Client TLS is terminated on the Gateway using arize-app-services-tls. The backend is still internalendpoints-app:443 (HTTPS/gRPC on the pod side). Single-endpoint file highlights:
  • BackendTLSPolicy validates the upstream using a CA stored in ConfigMap backend-cert—populate ca.crt with PEM from the backend secret, for example:
kubectl -n arize get secret internalendpoints-app-tls -o jsonpath='{.data.tls\.crt}' | base64 -d
  • HTTPRoute and GRPCRoute attach to the same Gateway and route all paths to internalendpoints-app port 443.
Multi-endpoint follows the same pattern with separate hostnames and routes per the comments in that file. Ensure your cluster runs NGINX Gateway Fabric and the GatewayClass named nginx (or edit gatewayClassName to match your installation).

Community ingress-nginx (legacy)

Paths: nginx/single-endpoint/nginx-legacy.yaml and nginx/multi-endpoint/nginx-legacy.yaml
Docs: ingress-nginx The upstream ingress-nginx project is headed for retirement; the manifest headers link to the Kubernetes announcement and recommend NGINX Inc or Gateway Fabric for new deployments. These examples mirror the NGINX Inc layout but use nginx.ingress.kubernetes.io/* annotations and spec.ingressClassName: nginx. The backend is internalendpoints-app:443 with nginx.ingress.kubernetes.io/backend-protocol: GRPCS in the single-endpoint sample so the controller speaks TLS+gRPC to the service. Use only if you already run community ingress-nginx and are planning a migration.

Istio

Paths: istio/app-services.yaml and (optional) istio/envoy-filter-http2.yaml
Docs: Istio ingress gateway istio/app-services.yaml defines:
  1. Gateway arize-app-services-gw in arize, bound to pods with istio: ingressgateway, port 443, TLS mode SIMPLE, and credentialName: arize-app-services-tls (create this TLS secret in arize so Istio can mount it for the gateway).
  2. VirtualService routing host arize-app.<domain> to internalendpoints-app:443 for all paths.
  3. EnvoyFilter flightserver-http2-settings tuning HTTP/2 frame limits for workloads labeled app: flightserver (Arrow Flight throughput).
istio/envoy-filter-http2.yaml contains the same EnvoyFilter tuning as a standalone file—use it if you prefer to manage that object separately; do not duplicate the same resource name if you already applied app-services.yaml. Set ingressMode: istio in values.yaml per Configuring ingress endpoints. Replace arize-app.<domain> in the manifest with your real hostname; keep appBaseUrl / expBaseUrl consistent.

Kong

Path: kong/app-services.yaml Single Ingress with ingressClassName: kong, TLS host arize-app.<domain>, and backend internalendpoints-app:443. Kong annotations request HTTPS and gRPCS to the upstream, no body size cap, and long read/write timeouts (2 hours) to match large exports:
  • konghq.com/protocols: https,grpcs
  • konghq.com/read-timeout / write-timeout / connect-timeout in milliseconds
Create the TLS secret arize-app-services-tls referenced in the manifest. Install the Kong Ingress Controller and a matching IngressClass named kong (or change ingressClassName). Use ingressMode: tls (default for Kong in the shared controller table) unless your platform team specifies otherwise.

After you apply

  1. kubectl -n arize describe ingress <name> (or kubectl describe gateway / routes for Gateway API) until addresses are assigned.
  2. Create DNS A/AAAA (or CNAME) records to that address.
  3. Update values.yaml with appBaseUrl and expBaseUrl, then upgrade the release or operator values as you do for other changes.
  4. Confirm ingressMode and any internalEndpointsAppTlsCert / internalEndpointsAppTlsKey requirements from the Ingress Controllers table.

Cross-reference