mirror of
https://github.com/puppetmaster/typhoon.git
synced 2025-01-25 01:48:30 +01:00
5e4f5de271
* NLB subnets assigned both IPv4 and IPv6 addresses * NLB DNS name has both A and AAAA records * NLB to target node traffic is IPv4 (no change), no change to security groups needed * Ingresses exposed through the recommended Nginx Ingress Controller addon will be accessible via IPv4 or IPv6. No change is needed to the app's CNAME to NLB record Related: https://aws.amazon.com/about-aws/whats-new/2020/11/network-load-balancer-supports-ipv6/
107 lines
2.7 KiB
Markdown
107 lines
2.7 KiB
Markdown
# AWS
|
|
|
|
## Load Balancing
|
|
|
|
![Load Balancing](/img/typhoon-aws-load-balancing.png)
|
|
|
|
### kube-apiserver
|
|
|
|
A network load balancer (NLB) distributes IPv4 TCP/6443 traffic across a target group of controller nodes with a healthy `kube-apiserver`. Clusters with multiple controllers span zones in a region to tolerate zone outages.
|
|
|
|
### HTTP/HTTPS Ingress
|
|
|
|
A network load balancer (NLB) distributes IPv4 TCP/80 and TCP/443 traffic across two target groups of worker nodes with a healthy Ingress controller. Workers span the zones in a region to tolerate zone outages.
|
|
|
|
The AWS NLB has a DNS alias record (regional) resolving to 3 zonal IPv4 addresses. The alias record is output as `ingress_dns_name` for use in application DNS CNAME records. See [Ingress on AWS](/addons/ingress/#aws).
|
|
|
|
### TCP Services
|
|
|
|
Load balance TCP applications by adding a listener and target group. A listener and target group may map different ports (e.g 3333 external, 30333 internal).
|
|
|
|
```tf
|
|
# Forward TCP traffic to a target group
|
|
resource "aws_lb_listener" "some-app" {
|
|
load_balancer_arn = module.tempest.nlb_id
|
|
protocol = "TCP"
|
|
port = "3333"
|
|
|
|
default_action {
|
|
type = "forward"
|
|
target_group_arn = aws_lb_target_group.some-app.arn
|
|
}
|
|
}
|
|
|
|
# Target group of workers for some-app
|
|
resource "aws_lb_target_group" "some-app" {
|
|
name = "some-app"
|
|
vpc_id = module.tempest.vpc_id
|
|
target_type = "instance"
|
|
|
|
protocol = "TCP"
|
|
port = 3333
|
|
|
|
health_check {
|
|
protocol = "TCP"
|
|
port = 30333
|
|
}
|
|
}
|
|
```
|
|
|
|
Pass `worker_target_groups` to the cluster to register worker instances into custom target groups.
|
|
|
|
```tf
|
|
module "tempest" {
|
|
...
|
|
worker_target_groups = [
|
|
aws_lb_target_group.some-app.id,
|
|
]
|
|
}
|
|
```
|
|
|
|
Notes:
|
|
|
|
* AWS NLBs and target groups do not support UDP
|
|
* Global Accelerator does support UDP, but its expensive
|
|
|
|
## Firewalls
|
|
|
|
Add firewall rules to the worker security group.
|
|
|
|
```tf
|
|
resource "aws_security_group_rule" "some-app" {
|
|
security_group_id = module.tempest.worker_security_groups[0]
|
|
|
|
type = "ingress"
|
|
protocol = "tcp"
|
|
from_port = 3333
|
|
to_port = 30333
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
```
|
|
|
|
## Routes
|
|
|
|
Add a custom [route](https://www.terraform.io/docs/providers/aws/r/route.html) to the VPC route table.
|
|
|
|
```tf
|
|
data "aws_route_table" "default" {
|
|
vpc_id = module.temptest.vpc_id
|
|
subnet_id = module.tempest.subnet_ids[0]
|
|
}
|
|
|
|
resource "aws_route" "peering" {
|
|
route_table_id = data.aws_route_table.default.id
|
|
destination_cidr_block = "192.168.4.0/24"
|
|
...
|
|
}
|
|
```
|
|
|
|
## IPv6
|
|
|
|
| IPv6 Feature | Supported |
|
|
|-------------------------|-----------|
|
|
| Node IPv6 address | Yes |
|
|
| Node Outbound IPv6 | Yes |
|
|
| Kubernetes Ingress IPv6 | Yes |
|
|
|