
I have installed a private EKS cluster where the attached subnets are private subnets. My requirement is "Private EKS with Istio installation": create multiple microservices and expose them within the VPC. To expose them within the VPC, I expected the 'istio-ingressgateway' would create an internal ALB, but it is showing "Pending":

istio-ingressgateway   LoadBalancer   1xx.x0x.xx.2xx     <pending> 

My need is to install multiple microservices on different ports using "NodePort" and expose them via the Gateway.

Requesting any help or views on this.

Thanks!

Jithin Kumar S
  • By definition a private EKS cluster uses private VPCs, so it can't create load balancers exposed to the internet because it lacks public subnets – paltaa Feb 02 '21 at 17:43
  • Thanks for taking the time to comment! My thought was that if I get an internal ALB address, then within the VPC I can route traffic from different node ports, for example. Any idea how to do that? – Jithin Kumar S Feb 02 '21 at 17:51
  • Oh, yes, an internal load balancer you can. Going to post the instructions, sec – paltaa Feb 02 '21 at 17:55

1 Answer


You have 2 options: you can use the ALB ingress controller, create an internal ingress object, and add the annotation:

alb.ingress.kubernetes.io/scheme: "internal"

or create a LoadBalancer service that will create an ELB. Add these annotations to the service:

service.beta.kubernetes.io/aws-load-balancer-internal: Used on the service to indicate that we want an internal ELB.

service.beta.kubernetes.io/aws-load-balancer-security-groups: Used to specify the security groups to be added to ELB created. This replaces all other security groups previously assigned to the ELB.


Also, you need these tags in the VPC subnets:

Key: kubernetes.io/role/internal-elb
Value: 1

For your case, take option 2.

Chris
paltaa
  • I understood your point, but my aim is to create the service as "NodePort" and have the gateway of Istio, i.e. the istio: ingressgateway, use a load balancer so that I can access each microservice via . But when I look at "kubectl get svc -n istio-system" I am always getting loadbalancer as expected an internal alb address here – Jithin Kumar S Feb 02 '21 at 18:21
  • It is not a good idea to expose any kind of service as NodePort, only encouraged for testing purposes – paltaa Feb 02 '21 at 20:08
  • But the problem here is, I have 10-12 microservices, so if I deploy using service LoadBalancer then I need to create 10-12 ALBs, right? Which is too costly – Jithin Kumar S Feb 03 '21 at 03:57
  • Well, your first requirement was to have an internal LoadBalancer. If you do that with the service internal annotation you will indeed need one per service; in the case you use the internal ALB ingress (example 1) you just need one ALB per namespace – paltaa Feb 03 '21 at 12:39
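
Added example (not part of the original question, answer or comments): a Python check for the option 2 prerequisites named in the answer, i.e. the two service annotations and the kubernetes.io/role/internal-elb subnet tag, run over the JSON that `kubectl get svc -o json` and `aws ec2 describe-subnets` return. The function name `audit`, the sample objects and the placeholder IDs are constructed for illustration.

```python
INTERNAL = "service.beta.kubernetes.io/aws-load-balancer-internal"
SEC_GROUPS = "service.beta.kubernetes.io/aws-load-balancer-security-groups"
SUBNET_TAG = "kubernetes.io/role/internal-elb"


def audit(service, subnets):
    """service: parsed `kubectl get svc <name> -o json`;
    subnets: the "Subnets" list from `aws ec2 describe-subnets`."""
    if service.get("spec", {}).get("type") != "LoadBalancer":
        return ["not a LoadBalancer service: the ELB annotations do not apply"]
    findings = []
    ann = service.get("metadata", {}).get("annotations") or {}
    # Assumption: an absent, empty or "false" value means not internal.
    if ann.get(INTERNAL, "").lower() in ("", "false"):
        findings.append(f"{INTERNAL} not set: an internet-facing ELB is requested")
    if not ann.get(SEC_GROUPS):
        findings.append(f"{SEC_GROUPS} not set: ELB security groups are not pinned")
    # Subnets the controller can pick for an internal ELB carry the tag with value 1.
    tagged = [s["SubnetId"] for s in subnets
              if any(t.get("Key") == SUBNET_TAG and t.get("Value") == "1"
                     for t in s.get("Tags", []))]
    if not tagged:
        findings.append(f"no subnet tagged {SUBNET_TAG}=1")
    # An empty status.loadBalancer is what kubectl shows as <pending>.
    if not service.get("status", {}).get("loadBalancer", {}).get("ingress"):
        findings.append("EXTERNAL-IP is <pending>: no load balancer provisioned")
    return findings


# Constructed sample data (not from the original post).
PENDING_SVC = {
    "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
    "spec": {"type": "LoadBalancer"},
    "status": {"loadBalancer": {}},
}
FIXED_SVC = {
    "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system",
                 "annotations": {INTERNAL: "true", SEC_GROUPS: "sg-EXAMPLE"}},
    "spec": {"type": "LoadBalancer"},
    "status": {"loadBalancer": {"ingress": [{"hostname": "internal-elb.example"}]}},
}
UNTAGGED = [{"SubnetId": "subnet-EXAMPLE1", "Tags": [{"Key": "Name", "Value": "private-a"}]}]
TAGGED = [{"SubnetId": "subnet-EXAMPLE1", "Tags": [{"Key": SUBNET_TAG, "Value": "1"}]}]

if __name__ == "__main__":
    for finding in audit(PENDING_SVC, UNTAGGED):
        print("FINDING:", finding)
```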