Configuring ingress cluster traffic on AWS using a Network Load Balancer

OKD provides methods for communicating from outside the cluster with services running in the cluster. This method uses a Network Load Balancer (NLB), which forwards the client’s IP address to the node. You can configure an NLB on a new or existing AWS cluster.

Replacing Ingress Controller Classic Load Balancer with Network Load Balancer

You can replace an Ingress Controller that is using a Classic Load Balancer (CLB) with one that uses a Network Load Balancer (NLB) on AWS.

This procedure causes an expected outage that can last several minutes due to new DNS records propagation, new load balancers provisioning, and other factors. IP addresses and canonical names of the Ingress Controller load balancer might change after applying this procedure.

Procedure

  1. Create a file with a new default Ingress Controller. The following example assumes that your default Ingress Controller has an External scope and no other customizations:

    Example ingresscontroller.yml file

    1. apiVersion: operator.openshift.io/v1
    2. kind: IngressController
    3. metadata:
    4.   creationTimestamp: null
    5.   name: default
    6.   namespace: openshift-ingress-operator
    7. spec:
    8.   endpointPublishingStrategy:
    9.     loadBalancer:
    10.       scope: External
    11.       providerParameters:
    12.         type: AWS
    13.         aws:
    14.           type: NLB
    15.     type: LoadBalancerService

    If your default Ingress Controller has other customizations, ensure that you modify the file accordingly.

  2. Force replace the Ingress Controller YAML file:

    1. $ oc replace --force --wait -f ingresscontroller.yml

    Wait until the Ingress Controller is replaced. Expect serveral of minutes of outages.

Configuring an Ingress Controller Network Load Balancer on an existing AWS cluster

You can create an Ingress Controller backed by an AWS Network Load Balancer (NLB) on an existing cluster.

Prerequisites

  • You must have an installed AWS cluster.

  • PlatformStatus of the infrastructure resource must be AWS.

    • To verify that the PlatformStatus is AWS, run:

      1. $ oc get infrastructure/cluster -o jsonpath='{.status.platformStatus.type}'
      2. AWS

Procedure

Create an Ingress Controller backed by an AWS NLB on an existing cluster.

  1. Create the Ingress Controller manifest:

    1.  $ cat ingresscontroller-aws-nlb.yaml

    Example output

    1. apiVersion: operator.openshift.io/v1
    2. kind: IngressController
    3. metadata:
    4.   name: $my_ingress_controller(1)
    5.   namespace: openshift-ingress-operator
    6. spec:
    7.   domain: $my_unique_ingress_domain(2)
    8.   endpointPublishingStrategy:
    9.     type: LoadBalancerService
    10.     loadBalancer:
    11.       scope: External(3)
    12.       providerParameters:
    13.         type: AWS
    14.         aws:
    15.           type: NLB
    1Replace $my_ingress_controller with a unique name for the Ingress Controller.
    2Replace $my_unique_ingress_domain with a domain name that is unique among all Ingress Controllers in the cluster.
    3You can replace External with Internal to use an internal NLB.

  2. Create the resource in the cluster:

    1. $ oc create -f ingresscontroller-aws-nlb.yaml

Before you can configure an Ingress Controller NLB on a new AWS cluster, you must complete the Creating the installation configuration file procedure.

Configuring an Ingress Controller Network Load Balancer on a new AWS cluster

You can create an Ingress Controller backed by an AWS Network Load Balancer (NLB) on a new cluster.

Prerequisites

  • Create the install-config.yaml file and complete any modifications to it.

Procedure

Create an Ingress Controller backed by an AWS NLB on a new cluster.

  1. Change to the directory that contains the installation program and create the manifests:

    1. $ ./openshift-install create manifests --dir <installation_directory> (1)
    1For <installation_directory>, specify the name of the directory that contains the install-config.yaml file for your cluster.

  2. Create a file that is named cluster-ingress-default-ingresscontroller.yaml in the <installation_directory>/manifests/ directory:

    1. $ touch <installation_directory>/manifests/cluster-ingress-default-ingresscontroller.yaml (1)
    1For <installation_directory>, specify the directory name that contains the manifests/ directory for your cluster.

    After creating the file, several network configuration files are in the manifests/ directory, as shown:

    1. $ ls <installation_directory>/manifests/cluster-ingress-default-ingresscontroller.yaml

    Example output

    1. cluster-ingress-default-ingresscontroller.yaml

  3. Open the cluster-ingress-default-ingresscontroller.yaml file in an editor and enter a custom resource (CR) that describes the Operator configuration you want:

    1. apiVersion: operator.openshift.io/v1
    2. kind: IngressController
    3. metadata:
    4.   creationTimestamp: null
    5.   name: default
    6.   namespace: openshift-ingress-operator
    7. spec:
    8.   endpointPublishingStrategy:
    9.     loadBalancer:
    10.       scope: External
    11.       providerParameters:
    12.         type: AWS
    13.         aws:
    14.           type: NLB
    15.     type: LoadBalancerService

  4. Save the cluster-ingress-default-ingresscontroller.yaml file and quit the text editor.

  5. Optional: Back up the manifests/cluster-ingress-default-ingresscontroller.yaml file. The installation program deletes the manifests/ directory when creating the cluster.

Additional resources