How to make EKS Ingress with ALB partly private?

0

Kubernetes version: 1.23

Hi everyone,

I have several services running inside AWS EKS and they are exposed through one ingress (AWS Load Balancer Controller). My ingress file is:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    alb.ingress.kubernetes.io/certificate-arn: arn-of-certificate
    alb.ingress.kubernetes.io/healthcheck-path: /healthcheck
    alb.ingress.kubernetes.io/ssl-redirect: '443'
  name: app-ingress
  namespace: namespace
spec:
  rules:
  - host: my-domain.com
    http:
      paths:
      - path: /app1
        pathType: Prefix
        backend:
          service:
            name: app1-service
            port:
              name: app1-port
      - path: /app2
        pathType: Prefix
        backend:
          service:
            name: app2-service
            port:
              name: app2-port
      - path: /app3
        pathType: Prefix
        backend:
          service:
            name: app3-service
            port:
              name: app3-port
...
  tls:
  - hosts:
    - my-domain.com

Everything works fine, but I want, for example, app3 to be more private. I want to be able to specify IP addresses that are allowed to access that application. I haven't found anything helpful regarding this.

For example, if a random person tries to access app1, he/she should be able to with https://my-domain.com/app1,

but if he/she tries https://my-domain.com/app3 and his/her IP address is not in the allowed IP addresses, access will be denied.

The thing is, I want one ALB for several applications.

Anything would be helpful: some links, or what I should be looking for. I'm wondering if this is even possible.

Or is the only solution to make multiple ALBs and, for app3, change the network configuration to allow selected IPs?

2 Answers
1
Accepted Answer

L3 (IP) ingress control can be done outside of Kubernetes, via CIDR ranges in AWS security groups, or inside of Kubernetes via NetworkPolicy resources.

Since you are using one Ingress and one ALB, a security group on the ALB is not ideal, as it will impact all targets. Your options are:

  • Create another Ingress/ALB and move app3 to that configuration, then restrict source IPs via the ALB security group
  • Add Network Policies to your Kubernetes cluster, and create a Network Policy for the Pods fronted by the app3 Service. The user experience should be the same.
  • You could also look into Security Groups for Pods. However, for simple L3 ingress control, I would recommend either ALB security groups or Kubernetes Network Policies.

Network Policies can be added to Amazon EKS, depending on the CNI you are using. For the AWS VPC CNI, you could use the Calico project. There are also alternative CNIs for Amazon EKS.

AWS
answered a year ago
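The first option from the answer above, as an added example that is not part of the original answer: a second Ingress carrying only app3, which the AWS Load Balancer Controller provisions as its own ALB whose security group admits only the source CIDRs listed in the inbound-cidrs annotation. The hostname app3.my-domain.com and the CIDR ranges are assumed placeholders, and the certificate referenced is assumed to cover that hostname.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app3-restricted-ingress
  namespace: namespace
  annotations:
    kubernetes.io/ingress.class: alb
    # No group.name annotation, so this Ingress gets its own ALB instead of
    # joining the one that serves app1 and app2.
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn-of-certificate
    alb.ingress.kubernetes.io/healthcheck-path: /healthcheck
    # The controller writes these CIDRs into the ALB security group's inbound
    # rules; any other source address is dropped before reaching the listener.
    # Placeholder ranges: replace with the real office/VPN addresses.
    alb.ingress.kubernetes.io/inbound-cidrs: 203.0.113.0/24, 198.51.100.10/32
spec:
  rules:
  # Assumed separate DNS name, since a second ALB cannot share my-domain.com
  # with the first one.
  - host: app3.my-domain.com
    http:
      paths:
      - path: /app3
        pathType: Prefix
        backend:
          service:
            name: app3-service
            port:
              name: app3-port
  tls:
  - hosts:
    - app3.my-domain.com
```

Because the ALB is a reverse proxy, the app3 pods only ever see the ALB's own private address as the connection source, so a NetworkPolicy with the client ranges in ipBlock would not filter on the client; the original client address is available to the application only in the X-Forwarded-For header.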
0

Thank You very much. This is very helpful and thorough

mc2609
answered a year ago
