Internal load balancer with static ip and supports HTTPS in AWS EKS

0

What is the best way to create an internal load balancer with a static IP address that supports HTTPS termination in an EKS cluster, and have the load balancer connect to a deployment running a custom nginx image?

2 Answers
0

ALB does not provide Static IPs but NLB does. One way to get the Static IPs is to configure ALB as a Target for NLB, in this case Clients can connect to the Static IPs of NLB.

See below blog for reference:

https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/

AWS EXPERT
answered 2 years ago
0

As mentioned by Tushar_J, Network Load Balancer (NLB) provides static IP addresses. Therefore, you can use a network load balancer in front of your Kubernetes service and perform SSL termination at the load balancer level.

I have provided a sample echo-server deployment and an NLB-type service manifest for an internal load balancer that includes the annotations required to perform SSL termination at the NLB level.

Before doing the operations below, you will have to create an SSL certificate in AWS Certificate Manager (ACM) and specify the certificate ARN in the service manifest provided below.

Deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: echo-pod
  template:
    metadata:
      labels:
        app: echo-pod
    spec:
      containers:
      - name: echoheaders
        image: k8s.gcr.io/echoserver:1.10
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8080

Service:

apiVersion: v1
kind: Service
metadata:
  name: echo-service
  annotations:
    # Note that the backend talks over HTTP.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    # TODO: Fill in with the ARN of your certificate.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:<region>:<aws-account-id>:certificate/<acm-cert-id>
    # Only run SSL on the port named "https" below.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    # For an NLB type load balancer
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    # For an internal load balancer
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
spec:
  selector:
    app: echo-pod
  ports:
  - name: http
    port: 80
    targetPort: 8080
  - name: https
    port: 443
    targetPort: 8080
  type: LoadBalancer

Please use these sample manifests as reference and see if you are able to create a network load balancer and terminate SSL traffic for your custom nginx deployment.

Hope this helps!

AWS SUPPORT ENGINEER
answered 2 years ago
  • Thanks for sharing, but with the above manifests the connection only works at the HTTP level; for HTTPS the connection gets reset and the handshake fails with the error below when testing with curl:

    * found 129 certificates in /etc/ssl/certs/ca-certificates.crt
    * found 520 certificates in /etc/ssl/certs
    * ALPN, offering http/1.1
    * gnutls_handshake() failed: Error in the pull function.
    * Closing connection 0
    curl: (35) gnutls_handshake() failed: Error in the pull function.

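A preflight check for the Service pattern in the answer above, added here as an example and not taken from the answer or from AWS: it takes the Service as a dict (json.load of `kubectl get svc echo-service -o json`, or any YAML loader's output) and reports annotation and port mismatches that would leave the wrong listener terminating TLS, or no listener at all, which is worth ruling out before digging into a failed handshake. It assumes the in-tree AWS cloud-provider semantics these annotations belong to; check_nlb_tls_service and with_annotation are names chosen here, and the sample dict is constructed from the manifest in the answer.

```python
import copy
import re

PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"
# Shape of a concrete ACM certificate ARN; the <region>/<id> placeholders fail it.
ACM_ARN = re.compile(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]+$")

def check_nlb_tls_service(svc: dict) -> list:
    """Return inconsistencies found; empty means annotations and ports agree on TLS."""
    problems = []
    ann = svc.get("metadata", {}).get("annotations") or {}
    spec = svc.get("spec", {})
    if ann.get(PREFIX + "type") != "nlb":
        problems.append("aws-load-balancer-type is not nlb (only NLB provides static IPs)")
    if ann.get(PREFIX + "internal") != "true":
        problems.append('aws-load-balancer-internal is not "true", LB would be public')
    cert = ann.get(PREFIX + "ssl-cert", "")
    if not ACM_ARN.match(cert):
        problems.append(f"ssl-cert is missing or still a placeholder: {cert!r}")
    ssl_ports = ann.get(PREFIX + "ssl-ports")
    if ssl_ports is None:
        # In-tree provider semantics: cert set but no ssl-ports puts TLS on every listener.
        problems.append("ssl-ports unset: every listener, including http, would be TLS")
    else:
        ports = spec.get("ports", [])
        known = {p.get("name") for p in ports} | {str(p.get("port")) for p in ports}
        for entry in re.split(r"[,\s]+", ssl_ports.strip()):
            if entry and entry != "*" and entry not in known:
                problems.append(f"ssl-ports entry {entry!r} matches no port in spec.ports")
    return problems

def with_annotation(svc: dict, suffix: str, value: str) -> dict:
    """Copy of svc with one aws-load-balancer-* annotation replaced, for what-if checks."""
    out = copy.deepcopy(svc)
    out["metadata"].setdefault("annotations", {})[PREFIX + suffix] = value
    return out

# Constructed sample: the Service from the answer above with its placeholder ARN left in,
# in the dict shape json.load() gives for `kubectl get svc echo-service -o json`.
PAGE_SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "echo-service", "annotations": {
        PREFIX + "backend-protocol": "http",
        PREFIX + "ssl-cert": "arn:aws:acm:<region>:<aws-account-id>:certificate/<acm-cert-id>",
        PREFIX + "ssl-ports": "https",
        PREFIX + "type": "nlb",
        PREFIX + "internal": "true"}},
    "spec": {"type": "LoadBalancer", "selector": {"app": "echo-pod"},
             "ports": [{"name": "http", "port": 80, "targetPort": 8080},
                       {"name": "https", "port": 443, "targetPort": 8080}]}}
```

Run against the live object rather than the file you applied, so that a defaulting or mutating admission step that dropped an annotation is caught too.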