Internal load balancer with static ip and supports HTTPS in AWS EKS

0

What is the best way to create an internal load balancer with a static IP address that supports HTTPS termination in an EKS cluster, with the load balancer connecting to a deployment running a custom nginx image?

2 Answers
0

ALB does not provide static IPs, but NLB does. One way to get static IPs is to configure the ALB as a target for an NLB; clients can then connect to the static IPs of the NLB.

See the blog post below for reference:

https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/

AWS
EXPERT
answered 2 years ago
0

As mentioned by Tushar_J, the Network Load Balancer (NLB) provides static IP addresses. Therefore, you can use a Network Load Balancer in front of your Kubernetes service and perform SSL termination at the load balancer level.

I have provided a sample echo-server deployment and an NLB-type service manifest for an internal load balancer that includes the annotations required to perform SSL termination at the NLB level.

Before performing the operations below, you will have to create an SSL certificate in AWS Certificate Manager (ACM) and specify the certificate ARN in the service manifest provided below.

Deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: echo-pod
  template:
    metadata:
      labels:
        app: echo-pod
    spec:
      containers:
      - name: echoheaders
        image: k8s.gcr.io/echoserver:1.10
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8080

Service:

apiVersion: v1
kind: Service
metadata:
  name: echo-service
  annotations:
      # Note that the backend talks over HTTP.
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
      # TODO: Fill in with the ARN of your certificate.
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:<region>:<aws-account-id>:certificate/<acm-cert-id>
      # Only run SSL on the port named "https" below.
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
      # For an NLB type load balancer
      service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
      # For an internal load balancer
      service.beta.kubernetes.io/aws-load-balancer-internal: "true"
spec:
  selector:
    app: echo-pod
  ports:
  - name: http
    port: 80
    targetPort: 8080
  - name: https
    port: 443
    targetPort: 8080
  type: LoadBalancer

Please use these sample manifests as reference and see if you are able to create a network load balancer and terminate SSL traffic for your custom nginx deployment.

Hope this helps!

AWS
SUPPORT ENGINEER
answered 2 years ago
  • Thanks for sharing, but with the above manifests the connection only works at the HTTP level; for HTTPS the connection gets reset and the handshake fails with the below error when testing with curl:

    * found 129 certificates in /etc/ssl/certs/ca-certificates.crt
    * found 520 certificates in /etc/ssl/certs
    * ALPN, offering http/1.1
    * gnutls_handshake() failed: Error in the pull function.
    * Closing connection 0
    curl: (35) gnutls_handshake() failed: Error in the pull function.
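A small lint for the recipe in the answer above, added here as an example (it is not code from the re:Post answers or from AWS). It assumes the Service manifest has been parsed with yaml.safe_load into a dict, and checks the things a failed TLS handshake usually comes down to in this setup: the NLB and internal annotations are present, the ssl-cert ARN is not still the placeholder, and every entry in ssl-ports names a port that actually exists in spec.ports.

```python
"""Lint a Service manifest for an internal NLB that terminates TLS (added example,
not from the re:Post answers). Assumes a dict as produced by yaml.safe_load; the
copy below is constructed from the answer's Service, placeholder ARN included."""

ANN = "service.beta.kubernetes.io/aws-load-balancer-"

SAMPLE_SERVICE = {  # constructed from the Service manifest in the answer above
    "metadata": {
        "name": "echo-service",
        "annotations": {
            ANN + "backend-protocol": "http",
            ANN + "ssl-cert": "arn:aws:acm:<region>:<aws-account-id>:certificate/<acm-cert-id>",
            ANN + "ssl-ports": "https",
            ANN + "type": "nlb",
            ANN + "internal": "true",
        },
    },
    "spec": {
        "selector": {"app": "echo-pod"},
        "ports": [
            {"name": "http", "port": 80, "targetPort": 8080},
            {"name": "https", "port": 443, "targetPort": 8080},
        ],
        "type": "LoadBalancer",
    },
}


def check_internal_nlb_tls(svc: dict) -> list:
    """Return the problems found; an empty list means the recipe is satisfied."""
    problems = []
    ann = svc.get("metadata", {}).get("annotations") or {}
    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        problems.append("spec.type must be LoadBalancer")
    if ann.get(ANN + "type") != "nlb":
        problems.append("aws-load-balancer-type must be nlb (ALB has no static IPs)")
    if ann.get(ANN + "internal") != "true":
        problems.append('aws-load-balancer-internal must be "true"')
    cert = ann.get(ANN + "ssl-cert", "")
    if not cert.startswith("arn:aws:acm:") or "<" in cert:
        problems.append("ssl-cert is not a real ACM certificate ARN (placeholder left in)")
    # ssl-ports may list port names or numbers; each must exist in spec.ports.
    ports = spec.get("ports", [])
    known = {str(p.get("name")) for p in ports} | {str(p.get("port")) for p in ports}
    ssl_ports = [s.strip() for s in ann.get(ANN + "ssl-ports", "").split(",") if s.strip()]
    if not ssl_ports:
        problems.append("ssl-ports is empty, so no listener terminates TLS")
    for p in ssl_ports:
        if p not in known:
            problems.append(f"ssl-ports entry '{p}' matches no spec.ports name or number")
    return problems
```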
