How to make EKS Ingress with ALB partly private?


Kubernetes version: 1.23

Hi everyone,

I have several services running inside AWS EKS, and they are exposed through one Ingress (AWS Load Balancer Controller). My Ingress file is:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    alb.ingress.kubernetes.io/certificate-arn: arn-of-certificate
    alb.ingress.kubernetes.io/healthcheck-path: /healthcheck
    alb.ingress.kubernetes.io/ssl-redirect: '443'
  name: app-ingress
  namespace: namespace
spec:
  rules:
  - host: my-domain.com
    http:
      paths:
      - path: /app1
        pathType: Prefix
        backend:
          service:
            name: app1-service
            port:
              name: app1-port
      - path: /app2
        pathType: Prefix
        backend:
          service:
            name: app2-service
            port:
              name: app2-port
      - path: /app3
        pathType: Prefix
        backend:
          service:
            name: app3-service
            port:
              name: app3-port
...
  tls:
  - hosts:
    - my-domain.com

Everything works fine, but I want, for example, app3 to be more private. I want to be able to set specific IP addresses that are allowed to access that application. I haven't found anything helpful regarding this.

For example, if a random person tries to access app1, he/she should be able to with https://my-domain.com/app1

but if he/she tries https://my-domain.com/app3 and his/her IP address is not in the allowed IP addresses, access will be denied.

The thing is, I want one ALB for several applications.

Anything would be helpful: some links, or what I should be looking for. I'm wondering if this is even possible?

Or is the only solution to make multiple ALBs and, for app3, change the network configuration to allow selected IPs?

2 answers
1
Accepted answer

L3 (IP) ingress control can be done outside of Kubernetes, via CIDR ranges in AWS security groups, or inside of Kubernetes via NetworkPolicy resources.

Since you are using one Ingress and one ALB, a security group on the ALB is not ideal, as it will impact all targets. Your options are:

  • Create another Ingress/ALB and move app3 to that configuration, then restrict source IPs via the ALB security group
  • Add Network Policies to your Kubernetes cluster, and create a Network Policy for the Pods fronted by the app3 Service. The user experience should be the same.
  • You could also look into Security Groups for Pods. However, for simple L3 ingress control, I would recommend either ALB security groups or Kubernetes Network Policies.

Network Policies can be added to Amazon EKS, depending on the CNI you are using. For the AWS VPC CNI, you could use the Calico project. There are also alternative CNIs for Amazon EKS.

AWS
answered a year ago
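An added example (not from the original question or answer) of the first option above: a second Ingress that gets its own ALB, whose security group is limited to allowed source ranges through the AWS Load Balancer Controller annotation alb.ingress.kubernetes.io/inbound-cidrs. It assumes a separate hostname app3.my-domain.com covered by the certificate, placeholder allowed ranges 203.0.113.0/24 and 198.51.100.7/32, and that the /app3 path is removed from app-ingress so the public ALB no longer routes to app3.

```yaml
# Added example, not part of the original post. Hostname and CIDRs are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app3-ingress
  namespace: namespace
  annotations:
    kubernetes.io/ingress.class: alb
    # No group.name, so the controller creates a separate ALB for this Ingress
    # instead of merging its rules into the ALB behind app-ingress.
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    alb.ingress.kubernetes.io/certificate-arn: arn-of-certificate
    alb.ingress.kubernetes.io/healthcheck-path: /healthcheck
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    # L3 allow-list applied to the ALB's security group: only these source
    # ranges can reach the listener at all; everyone else is dropped before HTTP.
    # Ignored if alb.ingress.kubernetes.io/security-groups is also set.
    alb.ingress.kubernetes.io/inbound-cidrs: 203.0.113.0/24, 198.51.100.7/32
spec:
  tls:
  - hosts:
    - app3.my-domain.com
  rules:
  - host: app3.my-domain.com
    http:
      paths:
      - path: /app3
        pathType: Prefix
        backend:
          service:
            name: app3-service
            port:
              name: app3-port
```

After applying, point the app3.my-domain.com DNS record at the new ALB and confirm the original app-ingress no longer carries the /app3 path; otherwise app3 stays reachable through the unrestricted ALB.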
0

Thank you very much. This is very helpful and thorough.

mc2609
answered a year ago
