How to configure an internal Elastic Load Balancer (ELB) or Network Load Balancer (NLB) with an Istio Ingress Gateway in Rancher v2.3+
This document (000020142) is provided subject to the disclaimer at the end of this document.
Situation
Task
When configuring an Istio Ingress Gateway, a LoadBalancer type service is commonly configured to provide external access to the cluster.
By default, Kubernetes will provision an internet-facing Classic Load Balancer (CLB). The steps below provide guidance on the annotations needed to configure an internal CLB or Network Load Balancer (NLB) using private subnets.
Pre-requisites
- A Rancher v2.3+ managed Kubernetes cluster, running in AWS, with the AWS cloud provider configured
- Istio enabled in the cluster
- Tagging configured for the VPC and Subnets that will be used for the ELB or NLB
Note: When using Load Balancers with the AWS cloud provider, it is important to tag the private and public subnets in the VPC so that kube-controller-manager can correctly discover the specific subnets intended for use.
For example, the kubernetes.io/role/internal-elb and kubernetes.io/role/elb keys are configured on the private and public subnets respectively, with the value of 1.
Steps
Enable the Istio Ingress Gateway
If not already enabled, enable the Istio Ingress Gateway. In the drop down list for 'Service Type of Ingress Gateway', select LoadBalancer.
Use an internal Load Balancer
When editing the Istio Ingress Gateway, click the drop down for Custom Answers.
Paste the below in the Variable field; this will automatically populate the value:
gateways.istio-ingressgateway.serviceAnnotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal" = "true"
Use an NLB
To use an NLB, click 'Add Answer' and paste the below in the Variable field:
gateways.istio-ingressgateway.serviceAnnotations."service\.beta\.kubernetes\.io/aws-load-balancer-type" = nlb
Note: An NLB can be used as an internet-facing load balancer by using only the above annotation, without adding the aws-load-balancer-internal annotation.
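Because omitting the internal annotation leaves the gateway internet-facing, it is worth checking the annotations that actually landed on the Service after saving the answers. The following is an added example, not part of the original article or of Rancher: it classifies a Service object shaped like the JSON returned by kubectl get svc istio-ingressgateway -o json, using constructed sample objects. The function names and sample data are assumptions, and only the value "true" used in this article is treated as internal.

```python
import json

# Annotation keys taken from the answers shown in the steps above.
INTERNAL = "service.beta.kubernetes.io/aws-load-balancer-internal"
LB_TYPE = "service.beta.kubernetes.io/aws-load-balancer-type"


def classify(service: dict) -> dict:
    """Summarise how the AWS cloud provider is asked to expose a Service."""
    annotations = service.get("metadata", {}).get("annotations") or {}
    return {
        "load_balancer": service.get("spec", {}).get("type") == "LoadBalancer",
        # Without the type annotation the default is a Classic Load Balancer.
        "kind": "nlb" if annotations.get(LB_TYPE) == "nlb" else "clb",
        # Only the value used in this article ("true") is treated as internal.
        "internal": annotations.get(INTERNAL) == "true",
    }


def audit(service: dict, require_internal: bool = True) -> list:
    """Return findings; an empty list means the Service matches the intent."""
    result = classify(service)
    name = service.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    if not result["load_balancer"]:
        findings.append(f"{name}: spec.type is not LoadBalancer")
    elif require_internal and not result["internal"]:
        findings.append(
            f"{name}: {result['kind'].upper()} requested without "
            f"{INTERNAL}=true; treat as internet-facing"
        )
    return findings


def make_service(annotations: dict) -> dict:
    """Constructed sample shaped like `kubectl get svc -o json` output."""
    return {
        "metadata": {"name": "istio-ingressgateway", "annotations": annotations},
        "spec": {"type": "LoadBalancer"},
    }


DEFAULT_SVC = make_service({})                      # no answers set
INTERNAL_CLB = make_service({INTERNAL: "true"})     # internal answer only
PUBLIC_NLB = make_service({LB_TYPE: "nlb"})         # NLB answer only
INTERNAL_NLB = make_service({INTERNAL: "true", LB_TYPE: "nlb"})

if __name__ == "__main__":
    for svc in (DEFAULT_SVC, INTERNAL_CLB, PUBLIC_NLB, INTERNAL_NLB):
        print(json.dumps(classify(svc)), audit(svc))
```

To run it against a live cluster, load the kubectl JSON output with json.load and pass the resulting dictionary to audit().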
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.