I have an AKS cluster with the add-on AGIC enabled (will try and convert it into Helm based AGIC in the near future). At the moment I have an application on this cluster with the Ingress set to the Application Gateway. This works perfectly on port 80 at the moment.
If I want to enable SSL, do I just need to add the certificate at the App Gateway and then reference that in the deployment as such? (Example taken from https://thewindowsupdate.com/2021/10/19/what-does-it-mean-for-the-application-gateway-ingress-controller-agic-to-assume-full-ownership/)
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: aspnetapp
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: <name of your certificate added to Application Gateway>
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: aspnetapp
          servicePort: 80
```
Although the service port is set to 80 above, will the App GW apply TLS automatically? Should the service port above be 80 or 443? Or does it not matter since the SSL Redirect is set? Also what aspects does this encrypt automatically?
- External -> App GW ?
- App GW -> Ingress ?
Also, do I need another certificate for the external side of App GW as well? Or do I need just the one cert?