Kubernetes Ingress for AWS Cost Saving

Currently, we have multiple Kubernetes clusters on AWS. Even excluding EC2 instance costs, we still spend a lot of money on CLB. So, we apply Kubernetes Ingress to help save AWS costs.

Published in: Technology

  1. Kubernetes Ingress for AWS Cost Saving TrendMicro Consumer WSE AWSE Eric C Huang 2017/10/25
  2. goo.gl/VrjuSp
  3. AWS Elastic Load Balancer Is Too EXPEN$IVE 70% cheaper Kubernetes cluster on AWS
  4. Service Types
     ● ClusterIP (Default Type)
     ● NodePort
     ● LoadBalancer
  5. ClusterIP
  6. Define a ClusterIP Service
  7. ClusterIP
     ● port
     ● targetPort
  8. Create a ClusterIP Service via kubectl
     ● kubectl run echo-server-dev --image=gcr.io/google_containers/echoserver:1.4 --port=8080 --replicas=2 --namespace=awse
     ● kubectl expose deployment echo-server-dev --port=80 --target-port=8080 --namespace=awse
  9. Verify a Service
     ● kubectl get services echo-server-dev --namespace=awse -o yaml
     ● kubectl get deployments echo-server-dev --namespace=awse -o yaml
     ● kubectl get endpoints echo-server-dev --namespace=awse -o yaml
  10. How to Connect a ClusterIP Service?
     ● kubectl run nettools --image=jonlangemak/net_tools --namespace=default
     ● kubectl exec nettools-xxx -it -- bash
     ● curl http://echo-server-dev.awse
        ○ [service-name].[namespace]
  11. NodePort
  12. NodePort
     ● port
     ● nodePort
     ● targetPort
  13. How to Connect a NodePort Service?
     ● curl http://[node ip]:[node port]/
  14. LoadBalancer
  15. LoadBalancer
     ● port
     ● nodePort
     ● targetPort
     ● CLB (provider: aws)
  16. LoadBalancer
  17. How to Connect a LoadBalancer Service?
     ● curl http://[CLB]/
  18. LoadBalancer with TLS
     ● CLB
        ○ HTTPS / TCP + SSL
        ○ Certificate (from ACM)
        ○ TLS Protocol + Cipher
     ● Route 53 A Alias -> CLB
  19. How to Connect a LoadBalancer Service with TLS?
     ● curl https://[Route 53 A Alias]/
  20. Ingress
  21. Ingress
     ● An Ingress is a collection of rules that allow inbound connections to reach the cluster services.
     ● Ingress Types
        ○ Simple Fanout
        ○ Name Based Virtual Hosting
        ○ TLS
  22. Simple Fanout
  23. Name Based Virtual Hosting
  24. Different Ingress Controllers
     ● Ingress Controller
        ○ Nginx: https://github.com/kubernetes/ingress-nginx
        ○ Voyager (HAProxy): https://github.com/appscode/voyager/tree/3.2.2
        ○ Træfik: https://docs.traefik.io/user-guide/kubernetes/
        ○ ...etc
  25. Nginx Ingress Controller
     ● Handle 404:
        ○ nginx-default-backend deployment
        ○ nginx-default-backend ClusterIP service
     ● Reverse Proxy:
        ○ ingress-nginx deployment
        ○ ingress-nginx LoadBalancer service
  26. Ingress
  27. Verify Ingress
     ● Simple Fanout
        ○ curl -H "Host:foo.bar.com" http://ingress-nginx.kube-system/foo
        ○ curl -H "Host:foo.bar.com" http://[node ip]:[nodeport]/bar
        ○ curl -H "Host:foo.bar.com" http://[CLB]/foo
     ● Name Based Virtual Hosting
        ○ curl -H "Host:foo.bar.com" http://ingress-nginx.kube-system
        ○ curl -H "Host:bar.foo.com" http://[node ip]:[nodeport]
        ○ curl -H "Host:foo.bar.com" http://[CLB]
  28. TLS
     ● AWS CLB Annotations:
        ○ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
        ○ service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:ap-northeast-1:xxx:certificate/xxxx"
        ○ service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
        ○ service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
        ○ ( service.beta.kubernetes.io/aws-load-balancer-internal: "false" )
        ○ ( service.beta.kubernetes.io/aws-load-balancer-extra-security-groups: "sg-xxx" )
     ● Route 53 A Alias -> AWS CLB
  29. Ingress + CLB + TLS
  30. Verify Name Based Virtual Hosting with TLS
     ● curl https://foo.bar.com
     ● curl https://bar.foo.com
  31. Q & A
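
The Ingress + CLB + TLS setup from slides 23, 28 and 29, written out as manifests. This is an added example, not taken from the deck: it uses the current networking.k8s.io/v1 Ingress schema, and the controller pod label, the nginx ingress class name and the second backend service echo-server-stg are assumptions.

```yaml
# Added example (not from the deck). Values marked "assumed" are illustrative.
# One LoadBalancer Service, and so one CLB, in front of the nginx ingress controller.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: kube-system
  annotations:
    # TLS terminates at the CLB; the CLB talks plain HTTP to the controller.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:ap-northeast-1:xxx:certificate/xxxx"
    # Refers to the port *name* below; only that listener gets the certificate.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
spec:
  type: LoadBalancer
  selector:
    app: ingress-nginx        # assumed controller pod label
  ports:
    - name: http
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 80          # decrypted at the CLB, forwarded to nginx's HTTP port
---
# Name based virtual hosting: both hosts share the single CLB above.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: name-virtual-host     # assumed name
  namespace: awse
spec:
  ingressClassName: nginx     # assumed class name
  rules:
    - host: foo.bar.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend: {service: {name: echo-server-dev, port: {number: 80}}}
    - host: bar.foo.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend: {service: {name: echo-server-stg, port: {number: 80}}}  # assumed second service
```

With backend-protocol set to "http", TLS ends at the CLB, so traffic from the CLB to the nodes is unencrypted and the port 80 listener still serves plain HTTP.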