
How can I configure an internal SLB instance for an NGINX Ingress controller?

Last Updated: Sep 03, 2020

Overview

This topic describes how to configure internal SLB instances for NGINX Ingress controllers in clusters of Alibaba Cloud Container Service for Kubernetes (ACK).

 

Information

Background

When you create an ACK cluster in the ACK console, the system automatically deploys an NGINX Ingress controller in the cluster and associates it with a public SLB instance during cluster initialization.

 

Configure an internal SLB instance

If you need to allow access only from other workloads in the same Virtual Private Cloud (VPC) network where the cluster is deployed, modify the NGINX Ingress controller configuration.

  1. Create an SLB instance in the same VPC network as the target cluster. Configure the instance specifications based on your requirements.
  2. Use the following YAML template to configure the NGINX Ingress controller. A LoadBalancer service that is named nginx-ingress-lb is created in the kube-system namespace. This service is associated with the internal SLB instance that is created in Step 1.
    # nginx ingress slb service
    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-ingress-lb
      namespace: kube-system
      labels:
        app: nginx-ingress-lb
      annotations:
        service.beta.kubernetes.io/alicloud-loadbalancer-address-type: intranet
        service.beta.kubernetes.io/alicloud-loadbalancer-id: [$SLB_ID]
        #service.beta.kubernetes.io/alicloud-loadbalancer-force-override-listeners: 'true'
    spec:
      type: LoadBalancer
      # route traffic to other nodes
      externalTrafficPolicy: "Cluster"
      ports:
      - port: 80
        name: http
        targetPort: 80
      - port: 443
        name: https
        targetPort: 443
      selector:
        # select app=ingress-nginx pods
        app: ingress-nginx
    Note:
    • alicloud-loadbalancer-address-type: intranet specifies that the SLB instance uses an internal IP address.
    • [$SLB_ID] specifies the ID of the internal SLB instance.
    • alicloud-loadbalancer-force-override-listeners: 'true' (commented out in the template above) specifies that listeners are automatically created for the SLB instance.

 

Use an internal SLB instance and a public SLB instance together

You may need your services to be reachable both from the Internet and from other workloads in the same VPC network. In this scenario, you can deploy another NGINX Ingress controller. For example, a service named nginx-ingress-lb-intranet can be deployed in the kube-system namespace.

When you create an ACK cluster, an nginx-ingress-lb service is automatically created in the kube-system namespace during cluster initialization. This service is associated with a public SLB instance.

  1. Create an SLB instance in the same VPC network as the target cluster. Configure the instance specifications based on your requirements.
  2. Use the following YAML template to create a service named nginx-ingress-lb-intranet in the kube-system namespace.
    # intranet nginx ingress slb service
    apiVersion: v1
    kind: Service
    metadata:
      # Set the service name to nginx-ingress-lb-intranet.
      name: nginx-ingress-lb-intranet
      namespace: kube-system
      labels:
        app: nginx-ingress-lb-intranet
      annotations:
        service.beta.kubernetes.io/alicloud-loadbalancer-address-type: intranet
        # Specify [$SLB_ID] as the ID of the created internal SLB instance.
        service.beta.kubernetes.io/alicloud-loadbalancer-id: [$SLB_ID]
        #service.beta.kubernetes.io/alicloud-loadbalancer-force-override-listeners: 'true'
    spec:
      type: LoadBalancer
      # route traffic to other nodes
      externalTrafficPolicy: "Cluster"
      ports:
      - port: 80
        name: http
        targetPort: 80
      - port: 443
        name: https
        targetPort: 443
      selector:
        # select app=ingress-nginx pods
        app: ingress-nginx
    Note: In this example, the name of the service is specified as nginx-ingress-lb-intranet. You can specify a custom name based on your requirements.
  3. After the nginx-ingress-lb-intranet service is deployed in the kube-system namespace, run the following command to query the deployed services. The output shows that two NGINX Ingress controllers are deployed. One is associated with a public SLB instance, and the other is associated with an internal SLB instance.
    kubectl -n kube-system get svc | grep nginx-ingress-lb
    nginx-ingress-lb            LoadBalancer   XX.XX.XX.XX   a.b.c.d<Public IP address>   80:31456/TCP,443:30016/TCP   5h
    nginx-ingress-lb-intranet   LoadBalancer   XX.XX.XX.XX   e.f.g.h<Internal IP address>   80:32394/TCP,443:31000/TCP   7m
  4. When you expose the service through Ingresses, the public SLB instance is used to allow access to the service over the Internet and the internal SLB instance is used to allow access to the service from other workloads in the same VPC network.
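
An added example, not part of the original Alibaba Cloud topic: a Python audit of `kubectl -n kube-system get svc -o json` output that covers both procedures above, reporting which LoadBalancer services are internal or public, whether the `[$SLB_ID]` placeholder was left unreplaced, and which services front the same pods through both kinds of SLB. The sample JSON is constructed, and treating a service without the intranet annotation as public is an assumption based on the default behavior described on this page.

```python
import json

ADDR_TYPE = "service.beta.kubernetes.io/alicloud-loadbalancer-address-type"
SLB_ID = "service.beta.kubernetes.io/alicloud-loadbalancer-id"

# Constructed sample shaped like `kubectl -n kube-system get svc -o json`
# (trimmed to the fields the audit reads; SLB IDs are placeholders).
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "nginx-ingress-lb", "annotations": {}},
     "spec": {"type": "LoadBalancer", "selector": {"app": "ingress-nginx"}}},
    {"metadata": {"name": "nginx-ingress-lb-intranet", "annotations": {
        ADDR_TYPE: "intranet", SLB_ID: "lb-EXAMPLE-PLACEHOLDER"}},
     "spec": {"type": "LoadBalancer", "selector": {"app": "ingress-nginx"}}},
    {"metadata": {"name": "templated-not-filled", "annotations": {
        ADDR_TYPE: "intranet", SLB_ID: "[$SLB_ID]"}},
     "spec": {"type": "LoadBalancer", "selector": {"app": "other"}}},
    {"metadata": {"name": "kube-dns"},
     "spec": {"type": "ClusterIP", "selector": {"k8s-app": "kube-dns"}}},
]})

def audit(svc_json):
    """Return (exposure, findings); exposure maps Service name to 'intranet' or 'public'."""
    exposure, findings, by_selector = {}, [], {}
    for item in json.loads(svc_json).get("items", []):
        spec = item.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue  # only LoadBalancer services are bound to an SLB instance
        name = item["metadata"]["name"]
        ann = item["metadata"].get("annotations") or {}
        # Assumption: without the intranet annotation the SLB is public.
        kind = "intranet" if ann.get(ADDR_TYPE) == "intranet" else "public"
        exposure[name] = kind
        slb = ann.get(SLB_ID, "")
        if "$" in slb or "[" in slb:
            findings.append(f"{name}: SLB ID placeholder {slb!r} was not replaced")
        key = tuple(sorted((spec.get("selector") or {}).items()))
        by_selector.setdefault(key, []).append((name, kind))
    for key, svcs in by_selector.items():
        kinds = {k for _, k in svcs}
        if key and kinds == {"public", "intranet"}:
            names = ", ".join(sorted(n for n, _ in svcs))
            findings.append(f"{names}: same pods {dict(key)} behind public and intranet SLBs")
    return exposure, findings

if __name__ == "__main__":
    exposure, findings = audit(SAMPLE)
    print(exposure)
    print("\n".join(findings))
```

To run it against a live cluster, pass the output of `kubectl -n kube-system get svc -o json` to `audit()` in place of `SAMPLE`.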

 

Application scope

  • All ACK clusters