Has an internal load balancer (ILB) been created for distributing the incoming traffic from a service to one of its pods?
YES
//////////////////////////////////
Do we need multiple ILBs in case there are multiple services configured for load balancing in AKS?
No. One ILB is enough for multiple services. Once you create an Internal LB, a corresponding LB with the name kubernetes-internal gets created. If you want to deploy another ILB it uses the same kubernetes-internal, but the LB rules get updated with the new service.
Example to create an Internal LB:
apiVersion: v1
kind: Service
metadata:
  name: internal-app
  annotations:
    # Tells the Azure cloud provider to place this Service on the internal LB
    # (kubernetes-internal) instead of the public one
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: internal-app
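Added example (not code from the original answer) showing the point above in practice: two Services in one namespace that both request the internal load balancer, so both land on the single kubernetes-internal LB, each with its own frontend IP and rule. The selectors assume Deployments labelled app: orders and app: payments already exist in a namespace called shop; the names, ports and the subnet name are placeholders chosen for this example.

```yaml
# Added example: two internal-LB Services that share the single kubernetes-internal LB.
# Assumed: Deployments with labels app=orders and app=payments exist in namespace "shop".
apiVersion: v1
kind: Service
metadata:
  name: orders
  namespace: shop
  annotations:
    # Request a private frontend on the shared internal LB instead of a public IP
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:
    app: orders
  ports:
  - name: http
    port: 80          # frontend port of the LB rule created for this Service
    targetPort: 8080  # container port of the orders pods
---
apiVersion: v1
kind: Service
metadata:
  name: payments
  namespace: shop
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    # Optional: put this Service's private IP in a specific subnet of the cluster VNet.
    # "ilb-subnet" is an assumed name; the subnet must already exist in the AKS VNet.
    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "ilb-subnet"
spec:
  type: LoadBalancer
  selector:
    app: payments
  ports:
  - name: https
    port: 8443        # second rule on the same kubernetes-internal LB
    targetPort: 8443
```

After applying this file, kubectl get svc -n shop shows a private address in the EXTERNAL-IP column for each Service. To confirm on the Azure side, get the node resource group with az aks show -g <rg> -n <cluster> --query nodeResourceGroup -o tsv, then az network lb rule list -g <node-rg> --lb-name kubernetes-internal -o table lists one rule per Service port on that one LB, and az network lb frontend-ip list with the same arguments shows one frontend per Service. Keep in mind that these private addresses are reachable from the VNet and peered or VPN-connected networks only, and that an Azure Firewall or WAF does not inspect this traffic unless it is routed through them.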
////////////////////////////////////////////
If the network topology selected for AKS is CNI, does AKS still need an ILB?
The ILB is independent of the AKS network topology (i.e. Azure CNI vs. kubenet).
///////////////////////////////
Would the charges be the same if you use only Application Gateway WAF, or all of AG WAF, AGIC and AG?
Charges are different for each one of the services; please take a look at the document https://azure.microsoft.com/en-us/pricing/details/application-gateway/
and play around by selecting multiple options in the drop-down.
FYI: when you enable the AGIC add-on, it will create an App Gateway, which incurs some charges.
//////////////////////////////////
Is Traefik not an ingress which can route internet traffic to various services in AKS using its ingress controller?
Definitely, you can make use of the Traefik ingress controller, which internally creates a service of type LoadBalancer.
You also have the option to create an Internal LB service with the Traefik ingress controller.
There are multiple ingress controllers like NGINX, AGIC and Traefik; depending on your requirements you can make use of any of them. It all depends on the features:
https://stackshare.io/stackups/nginx-vs-traefik
You can take a look at the detailed documentation w.r.t. AGIC: https://azure.github.io/application-gateway-kubernetes-ingress/setup/install-existing/
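Added example (not the answer's own code) of the setup the answer describes: a Service of type LoadBalancer with the internal annotation in front of Traefik, and an Ingress that Traefik routes by path to two ClusterIP Services. It assumes Traefik is installed (for instance from the traefik/traefik Helm chart) with its pods labelled app.kubernetes.io/name: traefik, container ports named web and websecure, and an IngressClass named traefik; it also assumes ClusterIP Services named api and web exist in an apps namespace. All names and hosts are placeholders.

```yaml
# Added example, not from the original answer.
# Internal-LB Service in front of the Traefik pods. Assumed: pods carry the label
# app.kubernetes.io/name=traefik and expose container ports named "web" and "websecure".
apiVersion: v1
kind: Service
metadata:
  name: traefik-internal
  namespace: traefik
  annotations:
    # Private frontend on the shared kubernetes-internal LB; no public IP is allocated
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: traefik
  ports:
  - name: web
    port: 80
    targetPort: web
  - name: websecure
    port: 443
    targetPort: websecure
---
# Path-based routing done by Traefik. The backends are ClusterIP Services (assumed to exist),
# so only Traefik itself is reachable from the VNet.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: apps
  namespace: apps
spec:
  ingressClassName: traefik   # assumed IngressClass name
  rules:
  - host: apps.internal.example   # placeholder host, resolved by private DNS to the ILB address
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api
            port:
              number: 8080
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
```

When Traefik is installed with its Helm chart, the same result comes from setting the chart's service.annotations value to the internal annotation instead of creating a second Service; the chart then builds the LoadBalancer Service itself. Either way the application Services stay ClusterIP and are never exposed directly.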
/////////////////////////////////////////
Why is the WAF feature of AG needed? Does Traefik lack any security feature provided by AG WAF?
Well, AGIC WAF provides much more security! Mainly WAF v2.
AGIC can be customized to the maximum extent: https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/custom-waf-rules-overview
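Added example (not the original answer's code) of how a WAF policy with custom rules is attached to traffic that AGIC routes: the Ingress references the policy by resource ID, and Application Gateway applies it to requests for that path before they reach the cluster. It assumes the AGIC add-on is enabled, that a WAF policy holding your managed and custom rules already exists, and that a ClusterIP Service named public-web and a TLS secret exist; the subscription, resource group, policy and host names are placeholders.

```yaml
# Added example: Ingress served by Application Gateway (AGIC) with a WAF policy on the path.
# Assumed: AGIC add-on enabled; WAF policy "agw-waf-policy" exists; Service "public-web" exists.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: public-web
  namespace: apps
  annotations:
    # Resource ID of an existing Application Gateway WAF policy (placeholder values).
    # The policy carries the managed rule set plus custom rules (for example IP allow/deny or geo-match).
    appgw.ingress.kubernetes.io/waf-policy-for-path: "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/agw-waf-policy"
    # Redirect plain HTTP to HTTPS at the gateway so only TLS traffic reaches the backend
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: azure-application-gateway
  tls:
  - hosts:
    - www.example.com
    secretName: public-web-tls   # assumed TLS secret in the same namespace
  rules:
  - host: www.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: public-web
            port:
              number: 80
```

The custom rules themselves live in the WAF policy resource on the Azure side (created in the portal, with az network application-gateway waf-policy, or via ARM/Bicep), not in the Ingress; the annotation only binds the policy to the path. Start a new policy in Detection mode and review the gateway's firewall logs before switching it to Prevention, so legitimate traffic is not blocked by an over-broad custom rule.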
/////////////////////////////////
It seems Traefik is the ingress, but how does it work together with Application Gateway, as both are layer 7 load balancers?
Inner details of how App Gateway works and its corresponding WAF:
https://video2.skills-academy.com/en-us/azure/application-gateway/how-application-gateway-works
////////////////////////
Why do we need the Azure Bastion service when we don't interact directly with the Virtual Machine Scale Set (VMSS) used by AKS for hosting worker nodes, and we are already using Azure Firewall, WAF and Traefik for security hardening?
Bastion is mainly used to RDP to the VMSS nodes securely.
https://video2.skills-academy.com/en-us/azure/bastion/bastion-connect-vm-scale-set
//////////////////////////////////
Let us know if you have additional follow-up questions! Happy to help out.