How to load balance Ingress traffic to TCP or UDP based application
In a Kubernetes environment, an Ingress is an object that allows access to the Kubernetes services from outside the Kubernetes cluster. Standard Kubernetes Ingress resources assume that all the traffic is HTTP-based and do not cater to non-HTTP based protocols such as, TCP, TCP-SSL, and UDP. Hence, you cannot expose critical applications based on layer 7 protocols such as DNS, FTP, or LDAP using the standard Kubernetes Ingress.
NetScaler provides a solution using Ingress annotations to load balance TCP or UDP based Ingress traffic. When you specify these annotations in the Ingress resource definition, the NetScaler Ingress Controller configures the NetScaler to load balance TCP or UDP based Ingress traffic.
You can use the following annotations in your Kubernetes Ingress resource definition to load balance the TCP or UDP based Ingress traffic:
-
ingress.citrix.com/insecure-service-type
: The annotation enables L4 load balancing with TCP, UDP, or ANY as protocol for NetScaler. -
ingress.citrix.com/insecure-port
: The annotation configures the TCP port. The annotation is helpful when micro service access is required on a non-standard port. By default, port 80 is configured.
For more information about annotations, see the annotations page.
You can also use the standard Kubernetes solution of creating a service
of type LoadBalancer
with NetScaler. You can find out more about Service Type LoadBalancer in NetScaler.
Sample: Ingress definition for TCP-based Ingress.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
ingress.citrix.com/insecure-port: "6379"
ingress.citrix.com/insecure-service-type: "tcp"
kubernetes.io/ingress.class: "guestbook"
name: redis-master-ingress
spec:
defaultBackend:
service:
name: redis-master-pods
port:
number: 6379
<!--NeedCopy-->
Sample: Ingress definition for UDP-based Ingress. The following is a sample for NetScaler Ingress Controller version 1.1.1:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
ingress.citrix.com/insecure-port: "5084"
ingress.citrix.com/insecure-service-type: "udp"
name: udp-ingress
spec:
defaultBackend:
service:
name: frontend
port:
name: udp-53 # Service port name defined in the service defination
<!--NeedCopy-->
The following is a sample service definition where the service port name is defined as udp-53
:
apiVersion: v1
kind: Service
metadata:
name: bind
labels:
app: bind
spec:
ports:
- name: udp-53
port: 53
targetPort: 53
protocol: UDP
selector:
name: bind
<!--NeedCopy-->
Sample: Ingress definition for UDP-based Ingress. The following is a sample for NetScaler Ingress Controller version 1.5.25:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
ingress.citrix.com/insecure-port: "5084"
ingress.citrix.com/insecure-service-type: "udp"
name: udp-ingress
spec:
defaultBackend:
service:
name: frontend
port:
number: 53
<!--NeedCopy-->
Load balance Ingress traffic based on TCP over SSL
NetScaler Ingress Controller provides an 'ingress.citrix.com/secure-service-type: ssl_tcp
annotation that you can use to load balance Ingress traffic based on TCP over SSL.
Sample: Ingress definition for TCP over SSL based Ingress.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
ingress.citrix.com/secure-service-type: "ssl_tcp"
ingress.citrix.com/secure-backend: '{"frontendcolddrinks":"True"}'
kubernetes.io/ingress.class: "colddrink"
name: colddrinks-ingress
spec:
defaultBackend:
service:
name: frontend-colddrinks
port:
number: 443
tls:
- secretName: "colddrink-secret"
<!--NeedCopy-->
Monitor and improve the performance of your TCP or UDP based applications
Application developers can closely monitor the health of TCP or UDP based applications through rich monitors (such as TCP-ECV, UDP-ECV) in NetScaler. The ECV (extended content validation) monitors help in checking whether the application is returning expected content or not.
Also, the application performance can be improved by using persistence methods such as Source IP
. You can use these NetScaler features through Smart Annotations in
Kubernetes. The following is one such example:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
ingress.citrix.com/frontend-ip: "192.168.1.1"
ingress.citrix.com/insecure-port: "80"
ingress.citrix.com/lbvserver: '{"mongodb-svc":{"lbmethod":"SRCIPDESTIPHASH"}}'
ingress.citrix.com/monitor: '{"mongodbsvc":{"type":"tcp-ecv"}}'
name: mongodb
spec:
rules:
- host: mongodb.beverages.com
http:
paths:
- backend:
service:
name: mongodb-svc
port:
number: 80
path: /
pathType: Prefix
<!--NeedCopy-->
For more information on the different deployment options supported by the NetScaler Ingress Controller, see Deployment topologies.
For more information on deploying the NetScaler Ingress Controller:
How to expose non-standard HTTP ports in the NetScaler CPX service
Sometimes you need to expose ports other than 80 and 443 in a NetScaler CPX service for allowing TCP or UDP traffic on other ports. This section provides information on how to expose other non-standard HTTP ports on the NetScaler CPX service when you deploy it in the Kubernetes cluster.
For Helm chart deployments
To expose non-standard HTTP ports while deploying NetScaler CPX with ingress controller using Helm charts, see the Helm chart installation guide.
For deployments using the OpenShift operator
For deployments using the OpenShift operator, you need to edit the YAML definition for creating CPX with ingress controller as specified in the step 6 of Deploy the NetScaler Ingress Controller as a sidecar with NetScaler CPX using NetScaler Operator and specify the ports as shown in the following example:
servicePorts:
- port: 80
protocol: TCP
name: http
- port: 443
protocol: TCP
name: https
- port: 6379
protocol: TCP
name: tcp
<!--NeedCopy-->
The following is a sample configuration for deployments using the OpenShift Operator. The service port definitions are highlighted in green.
.