
Accessing a service via a load balancer in an AKS cluster

I have a cluster configured where the services (and their associated pods/containers) are all deployed into a private subnet. One of these pods represents the UI for the application and I've defined a load balancer with a public IP to provide access to the UI. At least that's my intent. When I enter a URL in my browser with the IP of the load balancer, requests are not making it to the UI container. I assume I have something configured incorrectly and some advice would be appreciated. The definition for the UI service looks like this:

    apiVersion: apps/v1beta1
    kind: Deployment
    metadata: {name: myui, namespace: gem}
    spec:
      replicas: 1
      template:
        metadata:
          labels: {app: myui}
        spec:
          containers:
          - image: myblobstore.azurecr.io/myui:latest
            imagePullPolicy: Always
            name: myui
            ports:
            - {containerPort: 80}
    ---
    apiVersion: v1
    kind: Service
    metadata: {name: myapp, namespace: gem}
    spec:
      loadBalancerIP: 40.123.124.125
      ports:
      - {name: '80', port: 80}
      selector: {app: myui}
      type: LoadBalancer

I've also defined a rule in my network security group that I had intended to allow traffic from a load balancer to reach the target container:

    65001    AzureLoadBalancerInBound   Any  Any  AzureLoadBalancer  Any  Allow

Traffic does not make it to the UI container though. What additional configuration do I need to get this to work?

Update: Here are the endpoints for my cluster:

    $ kubectl get endpoints -n gem
    NAME                ENDPOINTS                       AGE
    ...
    myui                10.0.2.22:80                    176m
    ...

And to complete the picture, here's some additional info:

    $ kubectl get pods -n gem -o wide
    NAME                                 READY   STATUS             RESTARTS   AGE    IP          NODE                  NOMINATED NODE
    ...
    myui-99c55f8d4-2thzv                 1/1     Running            0          ...

    $ kubectl get svc -n gem -o wide
    NAME                TYPE           CLUSTER-IP   EXTERNAL-IP     PORT(S)             AGE    SELECTOR
    ...
    myui                LoadBalancer   10.1.0.94    40.123.124.125  80:32246/TCP        3h1m   app=myui
    ...

    $ kubectl describe svc/myui -n gem
    Name:                     myui
    Namespace:                gem
    Labels:                   <none>
    Annotations:              kubectl.kubernetes.io/last-applied-configuration:
                                {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"name":"myui","namespace":"gem"},"spec":{"loadBalancerIP":"40.123.124,125"...
    Selector:                 app=myui
    Type:                     LoadBalancer
    IP:                       10.1.0.94
    IP:                       40.123.124.125
    LoadBalancer Ingress:     40.123.124.125
    Port:                     80  80/TCP
    TargetPort:               80/TCP
    NodePort:                 80  32246/TCP
    Endpoints:                10.0.2.22:80
    Session Affinity:         None
    External Traffic Policy:  Cluster

Peter

In the end the solution was simply to make sure that the network security group being used has ports 80 and 443 open to allow internet traffic to flow. I had two different security groups and thought my load balancer would use the one I designated as my "public" security group, which did have ports 80 and 443 open. It instead used my other security group, and I had to add the appropriate rules to that group.
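The check described in the answer, as an added example that is not part of the original post: it evaluates each NSG's inbound rules in priority order (lowest number first, first match decides) to show whether Internet clients can reach ports 80 and 443. The NSG names, the `allow-web` rule and the simplified rule fields (`source`, `ports`) are constructed for illustration; only the three default rules mirror Azure's built-in ones.

```python
# Added example (not from the original post). All inbound rules; sample data is constructed.
DEFAULTS = [
    {"name": "AllowVnetInBound", "priority": 65000,
     "source": "VirtualNetwork", "ports": ["*"], "access": "Allow"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001,
     "source": "AzureLoadBalancer", "ports": ["*"], "access": "Allow"},
    {"name": "DenyAllInBound", "priority": 65500,
     "source": "*", "ports": ["*"], "access": "Deny"},
]

# Hypothetical NSGs: one intended as "public", one actually attached to the nodes.
NSGS = {
    "public-nsg": [{"name": "allow-web", "priority": 100, "source": "Internet",
                    "ports": ["80", "443"], "access": "Allow"}] + DEFAULTS,
    "private-nsg": list(DEFAULTS),
}

# Sources that cover arbitrary Internet clients. The AzureLoadBalancer tag is
# deliberately absent: it covers the platform's health probes, not client
# traffic arriving through the load balancer.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def port_matches(spec, port):
    """Match a port against '*', a single port ('80') or a range ('8000-8100')."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def internet_verdict(rules, port):
    """Return (access, rule_name) of the first rule matching Internet -> port."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["source"] not in INTERNET_SOURCES:
            continue
        if any(port_matches(p, port) for p in rule["ports"]):
            return rule["access"], rule["name"]
    return "Deny", None  # no rule matched at all


def audit(nsgs, ports=(80, 443)):
    """Map each NSG name to {port: (access, deciding_rule)}."""
    return {name: {p: internet_verdict(rules, p) for p in ports}
            for name, rules in nsgs.items()}


if __name__ == "__main__":
    for nsg, result in audit(NSGS).items():
        print(nsg, result)
```

Feed it the rules of the NSG actually associated with the node subnet or NICs, not the one you expect to be in use; a group carrying only the default rules ends at `DenyAllInBound` for Internet clients.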
