ALB does not provide static IPs, but NLB does. One way to get static IPs is to configure the ALB as a target for an NLB; in that case clients can connect to the static IPs of the NLB.
See below blog for reference:
As mentioned by Tushar_J, Network Load Balancer (NLB) provides static IP addresses. Therefore, you can use a network load balancer in front of your Kubernetes service and perform SSL termination at the load balancer level.
I have provided a sample echo-server deployment and an NLB-type service manifest for an internal load balancer that includes the annotations required to perform SSL termination at the NLB level.
Before doing the below operations, you will have to create an SSL certificate on AWS Certificate Manager (ACM) and specify the certificate ARN in the below provided service manifest.
Deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: echo-pod
  template:
    metadata:
      labels:
        app: echo-pod
    spec:
      containers:
        - name: echoheaders
          image: k8s.gcr.io/echoserver:1.10
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080

Service:

apiVersion: v1
kind: Service
metadata:
  name: echo-service
  annotations:
    # Note that the backend talks over HTTP.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    # TODO: Fill in with the ARN of your certificate.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:<region>:<aws-account-id>:certificate/<acm-cert-id>
    # Only run SSL on the port named "https" below.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    # For an NLB type load balancer
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    # For an internal load balancer
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
spec:
  selector:
    app: echo-pod
  ports:
    - name: http
      port: 80
      targetPort: 8080
    - name: https
      port: 443
      targetPort: 8080
  type: LoadBalancer
Please use these sample manifests as reference and see if you are able to create a network load balancer and terminate SSL traffic for your custom nginx deployment.
Hope this helps!
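The two answers above rely on a handful of Service annotations being exactly right (NLB type, a real ACM certificate ARN, and an ssl-ports value that names an actual port). As an added example that is not part of either answer or of any AWS or Kubernetes project, the following Python script checks a Service manifest for those conditions before it is applied. The manifest is embedded as a constructed JSON-style dictionary mirroring the sample Service; kubectl accepts JSON manifests as well as YAML, and keeping it as a dictionary avoids a YAML library dependency. The function name, the ARN regex and the sample account/certificate ids are assumptions made for this example.

```python
"""Pre-apply checks for a Kubernetes Service that asks the AWS cloud provider
for an NLB terminating TLS with an ACM certificate (added example)."""
import copy
import re
from typing import Dict, List

# Annotation prefix used by the in-tree AWS cloud provider.
ANN = "service.beta.kubernetes.io/aws-load-balancer-"

# Assumed shape of an ACM certificate ARN:
# arn:aws:acm:<region>:<12-digit account>:certificate/<36-char id>
ACM_ARN_RE = re.compile(
    r"^arn:aws:acm:[a-z]{2}(?:-gov)?-[a-z]+-\d:\d{12}:certificate/[0-9a-f-]{36}$"
)

# Constructed dictionary form of the sample Service from the answer above,
# still carrying the <placeholder> ARN the reader is told to replace.
SAMPLE_SERVICE: Dict = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "echo-service",
        "annotations": {
            ANN + "backend-protocol": "http",
            ANN + "ssl-cert": "arn:aws:acm:<region>:<aws-account-id>:certificate/<acm-cert-id>",
            ANN + "ssl-ports": "https",
            ANN + "type": "nlb",
            ANN + "internal": "true",
        },
    },
    "spec": {
        "selector": {"app": "echo-pod"},
        "ports": [
            {"name": "http", "port": 80, "targetPort": 8080},
            {"name": "https", "port": 443, "targetPort": 8080},
        ],
        "type": "LoadBalancer",
    },
}


def filled_service() -> Dict:
    """Copy of the sample with a constructed (fake) but well-formed ACM ARN."""
    svc = copy.deepcopy(SAMPLE_SERVICE)
    svc["metadata"]["annotations"][ANN + "ssl-cert"] = (
        "arn:aws:acm:us-east-1:123456789012:certificate/"
        "12345678-1234-1234-1234-123456789012"
    )
    return svc


def check_nlb_tls_service(svc: Dict) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'notes': [...]}; empty 'errors' means the manifest passed."""
    errors: List[str] = []
    notes: List[str] = []
    ann = (svc.get("metadata") or {}).get("annotations") or {}
    spec = svc.get("spec") or {}

    if svc.get("kind") != "Service":
        return {"errors": ["kind is not Service"], "notes": notes}
    if spec.get("type") != "LoadBalancer":
        errors.append("spec.type must be LoadBalancer for the cloud provider to create a load balancer")

    # Only an NLB gives static IPs; a classic ELB or ALB does not.
    lb_type = ann.get(ANN + "type")
    if lb_type != "nlb":
        errors.append(f"{ANN}type is {lb_type!r}; set it to 'nlb' to get static IPs")

    # TLS termination needs a real ACM certificate ARN, not the sample placeholder.
    cert = ann.get(ANN + "ssl-cert", "")
    if not cert:
        errors.append("no ssl-cert annotation: the listener will not terminate TLS")
    elif "<" in cert or ">" in cert:
        errors.append("ssl-cert still contains the <placeholder> ARN from the sample")
    elif not ACM_ARN_RE.match(cert):
        errors.append(f"ssl-cert {cert!r} is not a well-formed ACM certificate ARN")

    # ssl-ports may list port names or numbers; each must exist in spec.ports.
    ports = spec.get("ports") or []
    names = {p.get("name") for p in ports}
    numbers = {str(p.get("port")) for p in ports}
    ssl_ports = [p.strip() for p in ann.get(ANN + "ssl-ports", "").split(",") if p.strip()]
    if not ssl_ports:
        notes.append("no ssl-ports annotation: TLS is applied to every port")
    for p in ssl_ports:
        if p not in names and p not in numbers:
            errors.append(f"ssl-ports names {p!r} but no spec.ports entry matches it")

    # With TLS ended at the NLB, traffic from the NLB to the pods is plaintext.
    if ann.get(ANN + "backend-protocol") == "http":
        notes.append("backend-protocol http: NLB-to-pod traffic is unencrypted inside the VPC")
    return {"errors": errors, "notes": notes}


if __name__ == "__main__":
    for label, svc in (("sample", SAMPLE_SERVICE), ("filled", filled_service())):
        print(label, check_nlb_tls_service(svc))
```

Run it as-is to see the unfilled sample rejected for its placeholder ARN and the filled copy accepted with a single note about plaintext traffic behind the NLB; to check a real manifest, load it (for example with `kubectl get svc NAME -o json`) into the dictionary and call `check_nlb_tls_service` on it.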
Thanks for sharing, but with the above manifests the connection only works at the HTTP level; for HTTPS the connection gets reset and fails during the handshake with the below error when testing with curl:

* found 129 certificates in /etc/ssl/certs/ca-certificates.crt
* found 520 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: Error in the pull function.
* Closing connection 0
curl: (35) gnutls_handshake() failed: Error in the pull function.
Okay, thank you for sharing. I will give that a try.