The information in this documentation is geared towards users that want to use Gloo Gateway proxies with the Kubernetes Gateway API. If you want to use the Gloo Edge API instead, see the Gloo Gateway (Gloo Edge API) documentation.
Network Load Balancer (NLB)
Expose your gateway proxy by using an AWS Network Load Balancer NLB.
Gloo Gateway is an application (L7) proxy based on Envoy and the Kubernetes Gateway API that can act as both a secure edge router and as a developer-friendly Kubernetes ingress/egress (north-south traffic) gateway. You can get many benefits by pairing Gloo Gateway with an AWS Elastic Load Balancer (ELB), including better cross availability zone failover and deeper integration with AWS services like AWS Certificate Manager, AWS CLI & CloudFormation, and Route 53 (DNS).
AWS provides the following types of ELBs:
Network Load Balancer (NLB): An optimized L4 TCP/UDP load balancer that can handle very high throughput (millions of requests per second) while maintaining low latency. This load balancer also has deep integration with other AWS services like Route 53 (DNS).
Application Load Balancer (ALB): An L7 HTTP-only load balancer that is focused on providing HTTP request routing capabilities.
In general, it is recommended to use a Gloo Gateway proxy with an AWS NLB as it provides more application (L7) capabilities than AWS ALBs. For example, you can configure the NLB for TLS passthrough and terminate TLS traffic on the gateway. You can also terminate traffic at the NLB and configure the NLB with a certificate that is used to secure the connection from the NLB to the gateway proxy.
ALBs on the other hand are useful if you want to use AWS WAF policies. Because TLS traffic is terminated at the ALB, you are responsible for securing the connection from the AWS to the Gloo Gateway proxy.
In this guide you explore how to expose the Gloo Gateway proxy with an AWS NLB. The following use cases are covered:
NLB HTTP: Create an HTTP listener on the NLB that exposes an HTTP endpoint on your gateway proxy. Traffic from the NLB to the proxy is not secured.
TLS passthrough: Expose an HTTPS endpoint of your gateway with an NLB. The NLB passes through HTTPS traffic to the gateway proxy where the traffic is terminated.
report
Keep in mind the following considerations when working with an NLB:
Gloo Gateway does not open any proxy ports until at least one HTTPRoute resource is created that references the gateway. However, AWS ELB health checks are automatically created and run after you create the gateway. Because of that, registered targets might appear unhealthy until an HTTPRoute resource is created.
An AWS NLB has an idle timeout of 350 seconds that you cannot change. This limitation can increase the number of reset TCP connections.
Create an AWS IAM policy and bind it to a Kubernetes service account.
# Set up an IAM OIDC provider for a cluster to enable IAM roles for pods
eksctl utils associate-iam-oidc-provider \
--region ${REGION} \
--cluster ${CLUSTER_NAME} \
--approve
# Fetch the IAM policy that is required for the Kubernetes service account
curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.5.3/docs/install/iam_policy.json
# Create the IAM policy
aws iam create-policy \
--policy-name ${IAM_POLICY_NAME} \
--policy-document file://iam-policy.json
# Create the Kubernetes service account
eksctl create iamserviceaccount \
--cluster=${CLUSTER_NAME} \
--namespace=kube-system \
--name=${IAM_SA} \
--attach-policy-arn=arn:aws:iam::${AWS_ACCOUNT_ID}:policy/${IAM_POLICY_NAME} \
--override-existing-serviceaccounts \
--approve \
--region ${REGION}
Verify that the service account is created in your cluster.
kubectl -n kube-system get sa aws-load-balancer-controller -o yaml
Depending on the annotations that you use on your gateway proxy, you can configure the NLB in different ways.
Follow these steps to create a simple NLB that accepts HTTP traffic on port 80 and forwards this traffic to the HTTP listener on your gateway proxy.
Create a GatewayParameters resource with custom AWS annotations. These annotations instruct the AWS load balancer controller to expose the gateway proxy with a public-facing AWS NLB.
Instruct Kubernetes to pass the Gateway’s service configuration to the AWS load balancer controller that you created earlier instead of using the built-in capabilities in Kubernetes. For more information, see the AWS documentation.
aws-load-balancer-scheme: internet-facing
Create the NLB with a public IP addresses that is accessible from the internet. For more information, see the AWS documentation.
aws-load-balancer-nlb-target-type: "instance"
Use the Gateway’s instance ID to register it as a target with the NLB. For more information, see the AWS documentation.
Create a Gateway resource that references the custom GatewayParameters resource that you created.
Verify that the gateway service is exposed with an AWS NLB and assigned an AWS hostname.
kubectl get services gloo-proxy-aws-cloud -n gloo-system
Example output:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
gloo-proxy-aws-cloud LoadBalancer 172.20.181.57 k8s-gloosyst-glooprox-e11111a111-111a1111aaaa1aa.elb.us-east-2.amazonaws.com 80:30557/TCP 12m
Go to Load Balancing > Load Balancers, and find and open the load balancer that was created for you.
On the Resource map tab, verify that the load balancer points to targets in your cluster.
notifications
Gloo Gateway does not open any proxy ports until at least one HTTPRoute is associated with the gateway. The AWS ELB health checks are automatically created when you create the Gateway resource and might report that the gateway proxy is unhealthy. Continue with this guide to create an HTTPRoute resource and send traffic through the NLB.
Pass through HTTPS requests from the AWS NLB to your gateway proxy, and terminate TLS traffic at the gateway proxy for added security.
Create a GatewayParameters resource with custom AWS annotations. These annotations instruct the AWS load balancer controller to expose the gateway proxy with a public-facing AWS NLB.
Instruct Kubernetes to pass the Gateway’s service configuration to the AWS load balancer controller that you created earlier instead of using the built-in capabilities in Kubernetes. For more information, see the AWS documentation.
aws-load-balancer-scheme: internet-facing
Create the NLB with a public IP addresses and is accessible from the internet. For more information, see the AWS documentation.
aws-load-balancer-nlb-target-type: "instance"
Use the Gateway’s instance ID to register it as a target with the NLB. For more information, see the AWS documentation.
Create a self-signed TLS certificate to configure your gateway proxy with an HTTPS listener.
Create a directory to store your TLS credentials in.
mkdir example_certs
Create a self-signed root certificate. The following command creates a root certificate that is valid for a year and can serve any hostname. You use this certificate to sign the server certificate for the gateway later. For other command options, see the OpenSSL docs.
Create a Kubernetes secret to store your server TLS ertificate. You create the secret in the same cluster and namespace that the gateway is deployed to.
Create a Gateway with an HTTPS listener that terminates incoming TLS traffic. Make sure to reference the custom GatewayParameters resource and the Kubernetes secret that contains the TLS certificate information.
Verify that the gateway service is exposed with an AWS NLB and assigned an AWS hostname.
kubectl get services gloo-proxy-aws-cloud -n gloo-system
Example output:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
gloo-proxy-aws-cloud LoadBalancer 172.20.181.57 k8s-gloosyst-glooprox-e11111a111-111a1111aaaa1aa.elb.us-east-2.amazonaws.com 443:30557/TCP 12m
Review the load balancer in the AWS EC2 dashboard.
Go to Load Balancing > Load Balancers. Find and open the load balancer that was created for you.
On the Resource map tab, and verify that the load balancer points to targets in your cluster.
notifications
Gloo Gateway does not open any proxy ports until at least one HTTPRoute is associated with the gateway. The AWS ELB health checks are automatically created when you create the Gateway resource and might report that the gateway proxy is unhealthy. Continue with this guide to create an HTTPRoute resource and send traffic through the NLB.