Container Service for Kubernetes: Configure the network type of an NGINX Ingress Controller

Last Updated: Nov 14, 2025

You can configure an NGINX Ingress Controller for public access, private access, or dual access to accommodate clients in different network environments.

How it works

In a cluster, a Server Load Balancer (SLB) instance receives client requests and forwards them to the NGINX Ingress Controller workload. The workload then forwards the requests to other Services.

Configure NGINX Ingress for both public and private access

To enable both public and private access, deploy two Services targeting the NGINX Ingress Controller's backend pods: one associated with a public SLB instance and the other with an internal (private) SLB instance.

  1. Check the network type of your current SLB instance.

    kubectl describe service -n kube-system nginx-ingress-lb | grep "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type"

    If the output contains intranet, the current SLB is internal. Otherwise, it is public-facing.

  2. Create a new Service to ensure you have both public and internal types.

    Create a file named nginx-ingress-lb-new.yaml. Then, run kubectl apply -f nginx-ingress-lb-new.yaml to create the Service.

    Internal Service

    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-ingress-lb-intranet
      namespace: kube-system
      labels:
        app: nginx-ingress-lb
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: intranet # Specifies that the address type of the SLB instance is internal.
    spec:
      type: LoadBalancer
      externalTrafficPolicy: "Cluster"
      ports:
      - port: 80
        name: http
        targetPort: 80
      - port: 443
        name: https
        targetPort: 443
      selector:
        app: ingress-nginx

    Public Service

    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-ingress-lb-internet
      namespace: kube-system
      labels:
        app: nginx-ingress-lb
    spec:
      type: LoadBalancer
      externalTrafficPolicy: "Cluster"
      ports:
      - port: 80
        name: http
        targetPort: 80
      - port: 443
        name: https
        targetPort: 443
      selector:
        app: ingress-nginx
  3. Verify that the new Service is working correctly. Replace <service-name> in the following command with the name of the new Service. A 200 response indicates that the new Service is working properly.

    curl -s -o /dev/null -w "%{http_code}\n" http://$(kubectl get service -n kube-system <service-name> -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  4. Get the external IP of the new Service and configure your DNS records accordingly. Replace <service-name> in the following command with the name of the new Service.

    kubectl get service -n kube-system <service-name>

    Internal Service

    1. Log on to Alibaba Cloud DNS-Private Zone. On the Authoritative Zone > User Defined Zones tab, click Add Zone. If you have already added a zone, skip to step 3.

    2. In the Authoritative Zone field, enter the domain name. Keep the default settings for other options, and click OK.

    3. Click the target zone. On the Settings tab, click Add Record. Enter the values from the following table, keep the default settings for other parameters, and click OK.

      | Parameter | Value |
      | --- | --- |
      | Record Type | A |
      | Hostname | Enter a subdomain prefix as needed. |
      | Record Value | The IP address of the new Service. |

    4. Return to the User Defined Zones list. In the Actions column for the target zone, click Effective Scope. Under the Effective in VPCs option, select the virtual private cloud (VPC) where your Container Service for Kubernetes (ACK) cluster is located, then click OK.

    Public Service

    1. Log on to Alibaba Cloud DNS-Public Zone. Click the target zone to go to the Settings page. Click the Add Record button.

    2. Enter the values from the following table. Keep the default settings for other parameters, and click OK.

      | Parameter | Value |
      | --- | --- |
      | Record Type | A |
      | Hostname | Enter a subdomain prefix as needed. |
      | Record Value | The IP address of the new Service. |

Change the network type

Important

This procedure involves deleting and recreating the Service, which replaces the underlying SLB instance. This will temporarily interrupt traffic to the NGINX Ingress. The original SLB instance and its associated IP address cannot be recovered.

  1. Confirm that the existing SLB instance has no traffic:

    1. Log on to the ACK console, and click the target cluster. In the left navigation pane, choose Network > Services. Find the nginx-ingress-lb Service in the kube-system namespace and record its External IP.

    2. Log on to the Classic Load Balancer (CLB) console. At the top of the page, select the same region as your cluster. Find the CLB instance with an IP Address that matches the IP address from the previous step. Click the CLB instance, go to the Monitoring tab, and verify that the instance has zero active connections before you proceed.

  2. Delete the current Service used by the NGINX Ingress Controller.

    kubectl delete svc -n kube-system nginx-ingress-lb
  3. Create a new Service. Save the appropriate manifest below as nginx-ingress-lb.yaml and apply it by running the command kubectl apply -f nginx-ingress-lb.yaml.

    Important

    The new Service must be named nginx-ingress-lb.

    Internal Service

    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-ingress-lb
      namespace: kube-system
      labels:
        app: nginx-ingress-lb
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: intranet # Specifies that the address type of the SLB instance is internal.
    spec:
      type: LoadBalancer
      externalTrafficPolicy: "Cluster"
      ports:
      - port: 80
        name: http
        targetPort: 80
      - port: 443
        name: https
        targetPort: 443
      selector:
        app: ingress-nginx

    Public Service

    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-ingress-lb
      namespace: kube-system
      labels:
        app: nginx-ingress-lb
    spec:
      type: LoadBalancer
      externalTrafficPolicy: "Cluster"
      ports:
      - port: 80
        name: http
        targetPort: 80
      - port: 443
        name: https
        targetPort: 443
      selector:
        app: ingress-nginx
  4. Test the new Service. A 200 response code indicates that it is working correctly.

    curl -s -o /dev/null -w "%{http_code}\n" http://$(kubectl get service -n kube-system nginx-ingress-lb -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  5. Run kubectl get service -n kube-system nginx-ingress-lb and record the external IP of the Service. Then, configure DNS resolution based on the new Service type:

    Internal Service

    1. Log on to Alibaba Cloud DNS-Private Zone. On the Authoritative Zone > User Defined Zones tab, click Add Zone. If you have already added a zone, skip to step 3.

    2. In the Authoritative Zone field, enter the domain name. Keep the default settings for other options, and click OK.

    3. Click the target zone. On the Settings tab, click Add Record. Enter the values from the following table, keep the default settings for other parameters, and click OK.

      | Parameter | Value |
      | --- | --- |
      | Record Type | A |
      | Hostname | Enter a subdomain prefix as needed. |
      | Record Value | The IP address of the new Service. |

    4. Return to the User Defined Zones list. In the Actions column for the target zone, click Effective Scope. Under the Effective in VPCs option, select the virtual private cloud (VPC) where your Container Service for Kubernetes (ACK) cluster is located, then click OK.

    Public Service

    1. Log on to Alibaba Cloud DNS-Public Zone. Click the target zone to go to the Settings page. Click the Add Record button.

    2. Enter the values from the following table. Keep the default settings for other parameters, and click OK.

      | Parameter | Value |
      | --- | --- |
      | Record Type | A |
      | Hostname | Enter a subdomain prefix as needed. |
      | Record Value | The IP address of the new Service. |

FAQ

Why can't I create a new Service before deleting the old one?

This is not possible because the NGINX Ingress Controller expects to find a Service with the specific default name nginx-ingress-lb during upgrades or reconciliations. Since Service names must be unique within a namespace, you cannot create a new Service with this name while the old one still exists. Delete the old Service first.

Why does the client access IP differ from the endpoint shown in the console?

The Endpoint displayed on the Ingresses page in the ACK console is the IP address of the SLB instance associated only with the Service named nginx-ingress-lb. If you have configured multiple LoadBalancer Services, the console will not display their IPs, even though the Ingress Controller will correctly route traffic from all of them. The IP address your clients actually use depends on your DNS configuration, which may point to a different SLB instance than the one displayed in the console.

If you delete and recreate the nginx-ingress-lb Service, you must update an Ingress resource to trigger a refresh of the endpoint displayed in the console.
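
The annotation check from step 1 and the console limitation described in this answer can be combined into one audit. The script below is an added example, not part of the original page or of Alibaba Cloud tooling: it takes the JSON printed by kubectl get service -n kube-system -o json and reports every LoadBalancer Service that targets the controller pods, whether its SLB is internal or public, and whether the console displays it. The function names and the embedded sample data are constructed for illustration.

```python
import json
import sys

ADDRESS_TYPE = "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type"
DEFAULT_SERVICE = "nginx-ingress-lb"            # the only Service the console reports
CONTROLLER_SELECTOR = {"app": "ingress-nginx"}  # selector from this page's manifests

# Constructed sample of `kubectl get service -n kube-system -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "nginx-ingress-lb", "annotations": {ADDRESS_TYPE: "intranet"}},
     "spec": {"type": "LoadBalancer", "selector": {"app": "ingress-nginx"}},
     "status": {"loadBalancer": {"ingress": [{"ip": "10.0.0.10"}]}}},
    {"metadata": {"name": "nginx-ingress-lb-internet"},
     "spec": {"type": "LoadBalancer", "selector": {"app": "ingress-nginx"}},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.20"}]}}},
    {"metadata": {"name": "kube-dns"},
     "spec": {"type": "ClusterIP", "selector": {"k8s-app": "kube-dns"}}},
]})

def audit_ingress_exposure(service_list_json):
    """Return one record per LoadBalancer Service that targets the controller pods."""
    findings = []
    for svc in json.loads(service_list_json).get("items", []):
        meta, spec = svc.get("metadata", {}), svc.get("spec", {})
        selector = spec.get("selector") or {}
        if spec.get("type") != "LoadBalancer" or any(
                selector.get(k) != v for k, v in CONTROLLER_SELECTOR.items()):
            continue
        # Same rule as step 1: "intranet" means internal, otherwise public-facing.
        annotations = meta.get("annotations") or {}
        exposure = "internal" if annotations.get(ADDRESS_TYPE) == "intranet" else "public"
        ingress = (svc.get("status") or {}).get("loadBalancer", {}).get("ingress") or []
        findings.append({
            "name": meta.get("name"),
            "exposure": exposure,
            "ip": ingress[0].get("ip") if ingress else None,  # None while the SLB is pending
            "shown_in_console": meta.get("name") == DEFAULT_SERVICE,
        })
    return findings

def hidden_public_entrypoints(findings):
    """Names of public SLB entry points that the console's Ingresses page does not show."""
    return [f["name"] for f in findings
            if f["exposure"] == "public" and not f["shown_in_console"]]

if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit_ingress_exposure(raw):
        print(finding)
```

Run it with the path of a file that holds the kubectl JSON output, or with no argument to use the constructed sample. Any name returned by hidden_public_entrypoints is an internet-facing entry point that has to be tracked outside the console.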

How do I roll back if a change operation fails?

If the network type change fails, follow these steps to restore the Ingress entrypoint:

  1. Delete the failed Service: Remove the new Service you created to eliminate any name conflicts that would prevent the default Service from being recreated.

  2. Reinstall the component: In the ACK console, uninstall and reinstall the NGINX Ingress Controller. This action will recreate the default nginx-ingress-lb Service and restore the Ingress entrypoint.

  3. Update DNS: Configure DNS resolution for the new nginx-ingress-lb Service. Point your domain to its new external IP and verify that traffic is being routed correctly.

Reference

To learn more about configuring annotations for an existing SLB instance, see Use an existing SLB instance.