Currently I have a pod in EKS that allows SSH sitting behind a Classic Load Balancer for ingress. I want this pod to receive the source IP for logging and threat detection purposes. So I'm trying to provision an NLB since it is able to preserve the source IP.
When I provision an NLB with IP preservation enabled on the target group, I get timed out when curling the NLB's DNS endpoint. When I have IP preservation turned off I can reach the pod with no issue.
EKS Version: 1.23, aws-load-balancer-controller: v2.4.1
The NLB is in one public subnet. The pods are in a private subnet within the same availability zone.
I ended up following this AWS documentation to try to narrow down the issue. Everything works unless I add the preserve_client_ip.enabled=true annotation in the service.yaml.
deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nlb-sample-app
  namespace: nlb-test
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: public.ecr.aws/nginx/nginx:1.21
          ports:
            - name: tcp
              containerPort: 80
service.yaml
apiVersion: v1
kind: Service
metadata:
  name: nlb-sample-service
  namespace: nlb-test
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    #service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx
Curl results:
IP preservation: disabled
curl k8s-[redacted].amazonaws.com
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
IP preservation: enabled
curl: (28) Failed to connect to k8s-[redacted].amazonaws.com port 80 after 75044 ms: Operation timed out
I'm stuck and don't know where to look next.
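One configuration that produces exactly this symptom (reachable with preservation off, SYN times out with it on) is a security group on the target that admits only the NLB's own subnet or the VPC CIDR: without client IP preservation the NLB source-NATs to its private address inside the VPC, so such a rule matches; with preservation on, the packet that reaches the pod carries the Internet client's address and the same rule drops it. Whether that is the cause in this post cannot be decided from what is shown, so the script below is an added example (not from the poster or from the aws-load-balancer-controller project) that makes the difference mechanical: it reads the preserve_client_ip.enabled setting out of the Service annotation with a small line scanner, computes which source address the target's security group will evaluate, and checks it against constructed ingress rules. The CIDRs, IPs and rule sets are constructed sample values, and the assumption that the NLB-subnet-only rule is the blocking element is labelled as such in the code.

```python
import ipaddress

# Assumed security-group shape for the pod/node ENI (constructed, not taken
# from the post): a rule that admits only the VPC CIDR, which is the
# situation this example assumes is blocking the preserved client IP.
VPC_ONLY_RULES = [
    {"cidr": "10.0.0.0/16", "from_port": 80, "to_port": 80, "proto": "tcp"},
]
# Same rules plus an explicit allow for Internet clients on the target port.
CLIENT_ALLOWED_RULES = VPC_ONLY_RULES + [
    {"cidr": "0.0.0.0/0", "from_port": 80, "to_port": 80, "proto": "tcp"},
]

ATTR_KEY = "service.beta.kubernetes.io/aws-load-balancer-target-group-attributes"

# Constructed excerpts of the poster's service.yaml annotations, one with the
# attribute line commented out (as posted) and one with it enabled.
SERVICE_MANIFEST_DISABLED = """\
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    #service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true
"""
SERVICE_MANIFEST_ENABLED = """\
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true
"""


def preserve_client_ip_enabled(manifest_text: str) -> bool:
    """True if the Service sets preserve_client_ip.enabled=true.

    Deliberately a line scanner rather than a YAML parser (no PyYAML needed):
    commented-out lines are ignored and the attribute value is treated as the
    comma-separated key=value list the controller expects.
    """
    for raw in manifest_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or not line.startswith(ATTR_KEY + ":"):
            continue
        value = line.split(":", 1)[1].strip().strip('"')
        attrs = dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)
        return attrs.get("preserve_client_ip.enabled", "").strip().lower() == "true"
    return False


def effective_source_ip(client_ip: str, nlb_private_ip: str, preserve: bool) -> str:
    """Source address the target's security group evaluates on the inbound SYN.

    Preservation off: the NLB source-NATs to its own private address.
    Preservation on: the packet keeps the real client address.
    """
    return client_ip if preserve else nlb_private_ip


def sg_allows(ingress_rules, src_ip: str, port: int, proto: str = "tcp") -> bool:
    """Evaluate constructed ingress rules; "-1" is the all-protocols wildcard."""
    ip = ipaddress.ip_address(src_ip)
    for rule in ingress_rules:
        if rule["proto"] not in (proto, "-1"):
            continue
        if not rule["from_port"] <= port <= rule["to_port"]:
            continue
        if ip in ipaddress.ip_network(rule["cidr"], strict=False):
            return True
    return False


def diagnose(ingress_rules, client_ip: str, nlb_private_ip: str, preserve: bool, port: int = 80) -> dict:
    """Report which address the SG sees and whether the SYN would be admitted."""
    src = effective_source_ip(client_ip, nlb_private_ip, preserve)
    return {"evaluated_source": src, "allowed": sg_allows(ingress_rules, src, port)}


if __name__ == "__main__":
    client, nlb_ip = "203.0.113.7", "10.0.1.25"  # constructed TEST-NET client, NLB ENI
    for label, manifest in (("disabled", SERVICE_MANIFEST_DISABLED), ("enabled", SERVICE_MANIFEST_ENABLED)):
        preserve = preserve_client_ip_enabled(manifest)
        print(label, diagnose(VPC_ONLY_RULES, client, nlb_ip, preserve))
```

The two runs against VPC_ONLY_RULES reproduce the post's pattern: the disabled manifest evaluates the NLB's 10.0.1.25 and is admitted, the enabled manifest evaluates 203.0.113.7 and is not. Running the enabled case against CLIENT_ALLOWED_RULES is admitted again, which is the rule the target's security group needs whenever client IP preservation is on; if the security group already admits the client range, this check rules the explanation out and the search moves elsewhere.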