Network Load Balancing on Amazon EKS

Introduction

Amazon Elastic Kubernetes Service (EKS) is a fully managed service that allows you to run Kubernetes on AWS without requiring you to install, operate, and maintain your own Kubernetes control plane. One of the critical components for managing a successful EKS environment is implementing effective network load balancing. This blog provides an extensive look into network load balancing within Amazon EKS, exploring its importance, how it operates, and best practices for optimization.

Understanding Kubernetes and Amazon EKS

Before we delve into the specifics of network load balancing, it’s important to understand what Amazon EKS is and how it integrates with the Kubernetes ecosystem. Kubernetes is an open-source system designed to automate the deployment, scaling, and management of containerized applications. Amazon EKS, on the other hand, simplifies the process of running Kubernetes on AWS by eliminating the need to manage the Kubernetes control plane, thereby providing automatic scaling, updates, and reliability.

The Necessity of Network Load Balancing

Load balancing is a technique used to distribute workloads uniformly across servers or other compute resources to optimize resource use, maximize throughput, minimize response time, and prevent overload of any single resource. With applications hosted on Amazon EKS, network load balancing becomes important for the following reasons:

  • High Availability: Ensures your application is always accessible by distributing incoming traffic across multiple targets in multiple Availability Zones.
  • Scalability: By spreading the load, it allows your application to accommodate variations in workload efficiently and reliably.
  • Fault Tolerance: Diverts traffic from failed nodes to healthy ones, maintaining application performance and availability.

Setting Up an EKS Cluster

First, you need an EKS cluster. You can create one using AWS CLI, AWS Management Console, or using tools like eksctl which is much simpler. Here's how you can create a cluster using eksctl:

`eksctl create cluster \
--name my-eks-cluster \
--version 1.21 \
--region us-west-2 \
--nodegroup-name standard-workers \
--node-type t3.medium \
--nodes 3 \
--nodes-min 1 \
--nodes-max 4 \
--managed

This command creates a cluster named my-eks-cluster with a managed node group of t3.medium instances.

Creating a Deployment

Here's an example of a simple deployment in Kubernetes that creates a simple HTTP server:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-server
spec:
  selector:
    matchLabels:
      app: http-server
  replicas: 2
  template:
    metadata:
      labels:
        app: http-server
    spec:
      containers:
      - name: http-server
        image: hashicorp/http-echo
        args:
          - "-text=echo"
        ports:
        - containerPort: 5678

You can apply this deployment using kubectl apply -f <filename>.yaml.

Exposing the Deployment with a Service

To use a Network Load Balancer (NLB), you need to create a Kubernetes service of type LoadBalancer in your EKS cluster. Below is an example of how to set this up:

apiVersion: v1
kind: Service
metadata:
  name: http-server-svc
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec:
  ports:
    - port: 80
      targetPort: 5678
      protocol: TCP
  type: LoadBalancer
  selector:
    app: http-server

This specification creates a service named http-server-svc, which exposes the http-server deployment. The annotation specifies that an NLB should be used.

Setting Up Ingress

If you want to use Ingress, you'll need an Ingress controller. The AWS Load Balancer Controller manages AWS load balancers and can handle the creation of an NLB for your Ingress resource. First, install the AWS Load Balancer Controller in your cluster following the official documentation.

Once the controller is installed, you can set up an Ingress resource like this:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-ingress
  annotations:
    kubernetes.io/ingress.class: "alb"
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/load-balancer-attributes: routing.http2.enabled=true
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: <ARN-of-your-SSL-cert> # only if you're planning to use HTTPS
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: http-server-svc
                port:
                  number: 80

This Ingress resource directs traffic to the http-server-svc service. Adjust the annotations according to your requirements, especially if you want to enforce HTTPS.

Amazon EKS and AWS Load Balancer Integration

Amazon EKS works seamlessly with AWS-native load balancers. AWS offers three types of load balancers - Application Load Balancer (ALB), Network Load Balancer (NLB), and Classic Load Balancer. While ALB is best suited for HTTP/HTTPS traffic, NLB is designed for ultra-high performance, allowing handling of millions of requests/sec, and operating at the connection level (Layer 4).

  • Creating an NLB: When you create a service in EKS and want to expose it externally, you can choose to create an NLB. This is done by setting the service type as LoadBalancer and adding the right annotations to your service’s YAML file to specify the use of an NLB.
  • Target Group Binding: EKS integrates with NLB through the usage of target groups. Each Kubernetes service that requires an NLB will have one or more associated target groups.
  • Handling Traffic: The NLB receives traffic on the service’s port and forwards this to the registered targets in the target group, which could be EC2 instances, IP addresses, or Lambda functions.

Advanced Features and Configurations

  • Cross-Zone Load Balancing: This feature enables you to distribute the load evenly across all targets in all enabled Availability Zones.
  • TLS Termination: NLB supports TLS termination, allowing you to offload the decryption of TLS traffic from your application.
  • Preserving Source IP: NLB allows the preservation of the source IP allowing the backend to see the IP address of the client.

Security Considerations

  • Network ACLs and Security Groups: These are utilized to control both inbound and outbound traffic at the subnet and instance level respectively.
  • IAM Policies: Ensure proper IAM roles and policies are in place for correct EKS permissions.

Conclusion

Network Load Balancing on Amazon EKS is not just a strategy but a necessity for applications demanding high availability, fault tolerance, and scalability. By understanding and using the features offered by AWS NLB in an EKS environment, businesses can ensure their applications are robust, secure, and cost-effective.