Internal load balancer with static ip and supports HTTPS in AWS EKS

0

What is the best way to create an internal load balancer with a static IP address that supports HTTPS termination in an EKS cluster, and have the load balancer connect to a deployment running a custom nginx image?

2 Answers
0

ALB does not provide Static IPs but NLB does. One way to get the Static IPs is to configure ALB as a Target for NLB, in this case Clients can connect to the Static IPs of NLB.

See below blog for reference:

https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/

AWS
Expert
answered 2 years ago
0

As mentioned by Tushar_J, Network Load Balancer (NLB) provides static IP addresses. Therefore, you can use a network load balancer in front of your Kubernetes service and perform SSL termination at the load balancer level.

I have provided a sample echo-server deployment and an NLB type service manifest for an internal load balancer that includes the annotations required to perform SSL termination at the NLB level.

Before doing the below operations, you will have to create an SSL certificate on AWS Certificate Manager (ACM) and specify the certificate ARN in the below provided service manifest.

Deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: echo-pod
  template:
    metadata:
      labels:
        app: echo-pod
    spec:
      containers:
      - name: echoheaders
        image: k8s.gcr.io/echoserver:1.10
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8080

Service:

apiVersion: v1
kind: Service
metadata:
  name: echo-service
  annotations:
      # Note that the backend talks over HTTP.
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
      # TODO: Fill in with the ARN of your certificate.
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:<region>:<aws-account-id>:certificate/<acm-cert-id>
      # Only run SSL on the port named "https" below.
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
      # For an NLB type load balancer
      service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
      # For an internal loadbalancer
      service.beta.kubernetes.io/aws-load-balancer-internal: "true"
spec:
  selector:
    app: echo-pod
  ports:
  - name: http
    port: 80
    targetPort: 8080
  - name: https
    port: 443
    targetPort: 8080
  type: LoadBalancer

Please use these sample manifests as reference and see if you are able to create a network load balancer and terminate SSL traffic for your custom nginx deployment.

Hope this helps!

AWS
Support Engineer
answered 2 years ago
  • Thanks for sharing, but with the above manifests the connection only works on the HTTP level; for HTTPS the connection gets reset and fails the handshake with the below error when testing with curl:

    * found 129 certificates in /etc/ssl/certs/ca-certificates.crt
    * found 520 certificates in /etc/ssl/certs
    * ALPN, offering http/1.1
    * gnutls_handshake() failed: Error in the pull function.
    * Closing connection 0
    curl: (35) gnutls_handshake() failed: Error in the pull function.
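A preflight check for a Service manifest like the one in the answer above, added here as an illustration and not code from the answer or from AWS. It walks a Service object in the shape that kubectl get svc -o json returns and reports the settings that leave port 443 without a working TLS listener on the NLB: a missing or still-placeholder ACM certificate ARN (one thing to rule out when the TLS handshake fails as in the comment above), an ssl-ports value that names no port in spec.ports, a non-NLB type, or a load balancer that is not internal. The annotation keys are the ones used in the answer's manifest; the sample Service dict, the account id and the certificate id in filled_sample() are constructed values, not real resources.

```python
import copy
import json
import re
import sys
from typing import Dict, List

# Annotation prefix of the AWS in-tree cloud provider, as used in the answer's manifest.
A = "service.beta.kubernetes.io/aws-load-balancer-"

# Shape of an ACM certificate ARN: arn:aws:acm:<region>:<12-digit account>:certificate/<id>
ACM_ARN = re.compile(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]+$")


def check_nlb_tls_service(svc: Dict) -> List[str]:
    """Return the problems found in a Service meant to be an internal NLB that
    terminates TLS. An empty list means the preflight passed."""
    problems: List[str] = []
    ann = svc.get("metadata", {}).get("annotations") or {}
    spec = svc.get("spec", {})

    if spec.get("type") != "LoadBalancer":
        problems.append("spec.type must be LoadBalancer")
    if ann.get(A + "type") != "nlb":
        problems.append("load balancer type is not nlb (only NLB gives static IPs)")
    if ann.get(A + "internal") != "true":
        problems.append("internal annotation is not 'true'; the LB would be internet-facing")

    cert = ann.get(A + "ssl-cert", "")
    if not cert:
        problems.append("ssl-cert annotation missing; no TLS listener will be created")
    elif "<" in cert or not ACM_ARN.match(cert):
        problems.append("ssl-cert is a placeholder or not a valid ACM certificate ARN")

    # ssl-ports may list port names or numbers; each must exist in spec.ports.
    port_names = {str(p.get("name")) for p in spec.get("ports", [])}
    port_numbers = {str(p.get("port")) for p in spec.get("ports", [])}
    ssl_ports = [p.strip() for p in ann.get(A + "ssl-ports", "").split(",") if p.strip()]
    if not ssl_ports:
        problems.append("ssl-ports annotation empty; TLS would apply to no listener")
    for p in ssl_ports:
        if p not in port_names and p not in port_numbers:
            problems.append(f"ssl-ports names '{p}' but no spec.ports entry matches it")

    # With backend-protocol http the NLB decrypts and forwards plaintext to the pods;
    # 'ssl'/'https' means the pods themselves must present a certificate.
    if ann.get(A + "backend-protocol", "tcp") in ("ssl", "https"):
        problems.append("backend-protocol expects TLS on the pods; confirm targetPort serves TLS")
    return problems


# Constructed sample: the answer's Service with the ARN placeholder still unfilled.
SAMPLE_UNFILLED: Dict = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "echo-service",
        "annotations": {
            A + "backend-protocol": "http",
            A + "ssl-cert": "arn:aws:acm:<region>:<aws-account-id>:certificate/<acm-cert-id>",
            A + "ssl-ports": "https",
            A + "type": "nlb",
            A + "internal": "true",
        },
    },
    "spec": {
        "selector": {"app": "echo-pod"},
        "type": "LoadBalancer",
        "ports": [
            {"name": "http", "port": 80, "targetPort": 8080},
            {"name": "https", "port": 443, "targetPort": 8080},
        ],
    },
}


def filled_sample() -> Dict:
    """Same manifest with a syntactically valid, fictitious ACM ARN (constructed)."""
    svc = copy.deepcopy(SAMPLE_UNFILLED)
    svc["metadata"]["annotations"][A + "ssl-cert"] = (
        "arn:aws:acm:us-east-1:123456789012:certificate/0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b"
    )
    return svc


if __name__ == "__main__":
    # Pipe a live object in (kubectl get svc echo-service -o json | python3 preflight.py)
    # or run without input to check the constructed samples.
    if not sys.stdin.isatty():
        targets = {"stdin": json.load(sys.stdin)}
    else:
        targets = {"unfilled": SAMPLE_UNFILLED, "filled": filled_sample()}
    for label, obj in targets.items():
        found = check_nlb_tls_service(obj)
        print(f"{label}: {'OK' if not found else ''}")
        for msg in found:
            print(f"  - {msg}")
```

Once the preflight passes and the Service has an external hostname, the listener can be confirmed from a host inside the VPC with openssl s_client -connect <nlb-dns-name>:443 -servername <hostname-on-the-certificate>; a completed handshake with the ACM certificate chain shows TLS termination is happening at the NLB, while a reset before the ServerHello points at the listener or certificate configuration rather than at the pods.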
