NLB Across Zones and Subnets

I have a VPC with a public subnet in zone us-east-1a and a private subnet in zone us-east-1b. There is an EKS cluster that spans both zones. I've deployed an Nginx ingress controller to distribute requests across my backend services that reside in the private subnet (zone us-east-1b). When the NLB gets deployed it creates a node and listener in both zone us-east-1a and us-east-1b. We are seeing intermittent connectivity issues when connecting to the service via the internet. I believe the issue is that when the connection is made to the DNS record of the NLB in zone us-east-1b the connection is dropping because it's a private subnet and the routing table points to a NAT gateway.

Is it possible to deploy a single NLB in a public subnet and have a listener in a different zone/different private subnet? I want to route traffic from the internet > the NLB in my public subnet > the services in my private subnet that is in a different zone than the public subnet.

1 Answer

Deploying an NLB and having a listener are (pretty much) the same thing. If your application is deployed in two AZs then your NLB should as well. Whether you choose to enable cross-zone load balancing or not is up to you - there is extra cost if you do for traffic that goes to NLB in one AZ and then is sent to the other AZ to be processed by your EKS cluster.

There's no issue with having the NLB listener in a public subnet and EKS in a private subnet - in fact, that's strongly recommended.

Note that NLB modifies the DNS records depending on health checks. Each NLB node IP address will appear in DNS if it has at least one healthy target it can send traffic to. If it hasn't got any healthy targets it is removed from DNS - noting that there is always a lag with DNS propagation. If you have a situation where targets are becoming unhealthy on a regular basis this might be the cause of your issue.

EXPERT
answered a year ago
EXPERT iBehr
reviewed 10 months ago
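
One way to test the hypothesis raised in the question, as an added example that is not part of the original thread: for each zone of an internet-facing NLB, find the route table of the attached subnet and report zones whose default route does not go to an internet gateway. The data is constructed in the shape returned by `elbv2 describe-load-balancers` and `ec2 describe-route-tables`; all IDs and the function names are made up for illustration.

```python
# Constructed sample data shaped like elbv2 describe-load-balancers and
# ec2 describe-route-tables output. All IDs are placeholders, not real resources.
LOAD_BALANCER = {"Scheme": "internet-facing", "AvailabilityZones": [
    {"ZoneName": "us-east-1a", "SubnetId": "subnet-public-a"},
    {"ZoneName": "us-east-1b", "SubnetId": "subnet-private-b"}]}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-public-a", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-private-b", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

def route_table_for(subnet_id, route_tables):
    """Explicit association wins; otherwise the subnet uses the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def default_route_target(rt):
    """Return 'igw', 'nat', 'other' or 'none' for the table's 0.0.0.0/0 route."""
    for route in (rt or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            if (route.get("GatewayId") or "").startswith("igw-"):
                return "igw"
            return "nat" if route.get("NatGatewayId") else "other"
    return "none"

def unreachable_nlb_zones(lb, route_tables):
    """Zones where an internet-facing NLB node has no default route via an IGW."""
    if lb.get("Scheme") != "internet-facing":
        return []
    return [(az["ZoneName"], az["SubnetId"], target)
            for az in lb["AvailabilityZones"]
            for target in [default_route_target(route_table_for(az["SubnetId"], route_tables))]
            if target != "igw"]

if __name__ == "__main__":
    print(unreachable_nlb_zones(LOAD_BALANCER, ROUTE_TABLES))
```

Any zone this reports is one whose NLB DNS record clients on the internet can resolve but not reach, which would show up as intermittent failures depending on which record a client picks.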
