Nginx Ingress Controller Tutorial (Cert-Manager & TLS): AWS EKS Kubernetes Tutorial - Part 7

  • Published 12 Nov 2024

Comments • 77

  • @AntonPutra
    @AntonPutra 5 months ago +1

    🔴 - To support my channel, I’d like to offer Mentorship/On-the-Job Support/Consulting - me@antonputra.com
    👉 [Playlist] AWS EKS Kubernetes Tutorial: th-cam.com/play/PLiMWaCMwGJXnKY6XmeifEpjIfkWRo9v2l.html&si=wc6LIC5V2tD-Tzwl
    👉 Kubernetes Tutorial for Beginners [Full Course]: th-cam.com/play/PLiMWaCMwGJXkYKFa_x0Ch38uznuv-4c3l.html
    👉 AWS EKS Tutorial for Beginners [Full Course]: th-cam.com/video/kwq9EfELYII/w-d-xo.html
    👉 Other Kubernetes Tutorials: th-cam.com/play/PLiMWaCMwGJXnKY6XmeifEpjIfkWRo9v2l.html

  • @greggles_b
    @greggles_b 1 month ago

    Thanks Anton, maybe I missed it in the video, but at the end of the last video you said which of ALB Ingress vs Nginx Ingress would you recommend?
    The highlights of Nginx:
    - Acts as a central proxy for all services in k8s, so you can monitor all your traffic to the cluster (sounds like the limitation with ALB is you'd get multiple ALBs per Ingress, unless you use an Ingress Group which has some caveats, so not as easy to monitor)
    - Supports custom TCP and UDP services (in AWS LB, you'd get one NLB per LB-service)
    Main cons:
    - More work to set up SSL termination especially with DNS-01 challenge
    - If you want to use IP mode, you'd need to also install the AWS LB controller anyway for the NLB(?)
    The highlights of ALB ingress:
    - Routes traffic directly from ALB to pod IPs, avoiding the additional nginx proxy, so maybe a bit cheaper, less to debug, and marginally lower latency?
    - Seems easier to secure with SSL certs
    - Only requires a single controller
    Main cons:
    - Each LB-service creates a new NLB. (could you not just use ClusterIP for all services to avoid any NLBs?)
    Not so clear which one is the better approach. Cheers!

  • @dma9511
    @dma9511 3 months ago +1

    Thanks for your lessons! Very useful! And thank you for the updates, your examples helped me create my first prod-ready EKS cluster with Terraform! Have a great day!

    • @AntonPutra
      @AntonPutra 3 months ago

      thank you!!

  • @kevinvoyer6697
    @kevinvoyer6697 2 months ago +1

    I really appreciate the quality of this content, thank you :)

    • @AntonPutra
      @AntonPutra 2 months ago

      thank you!

  • @10x57hg
    @10x57hg 4 months ago +1

    Very good playlist.
    Could you please add the internal nginx part for the private dashboards?
    Thank you!

    • @AntonPutra
      @AntonPutra 4 months ago +1

      thanks, yes at some point

  • @ZergStylexDD
    @ZergStylexDD 5 months ago +1

    Great lesson, as always. Keep it going!

    • @AntonPutra
      @AntonPutra 5 months ago

      thank you again!

  • @csmithDevCove
    @csmithDevCove 5 months ago +1

    It's official - I hit the bell icon. Well done @AntonPutra.

    • @AntonPutra
      @AntonPutra 5 months ago

      😂

  • @ganges6661
    @ganges6661 5 months ago +1

    I’m so grateful to you. ⭐️

    • @AntonPutra
      @AntonPutra 5 months ago

      thanks! 🫡

  • @prateeksarangi9187
    @prateeksarangi9187 2 months ago +1

    Thanks @anton for such a lovely video, great content, waiting for your video on client VPN to secure the traffic so that corporate team members can only access it using the private DNS

    • @AntonPutra
      @AntonPutra 2 months ago

      thank you! I have an older video explaining how to set up a self-hosted VPN server and push private DNS to your laptop, but I haven't managed to create an updated video which uses managed AWS Client VPN
      old video - github.com/antonputra/tutorials/tree/main/lessons/084

  • @ĐạtTruong-m2y
    @ĐạtTruong-m2y 26 days ago +1

    Could you give me the video link that you mentioned at 2:41, about "private ingress with private dns and client vpn"?

  • @AntonPutra
    @AntonPutra 5 months ago +1

    To tear down the cluster, first run "terraform destroy --target helm_release.external_nginx", then "terraform destroy"

  • @arunreddy1436
    @arunreddy1436 5 months ago +3

    nginx ingress controller is one of the alternatives to the aws load balancer controller, then why do we need to install the aws load balancer controller before installing the nginx controller? Got confused.. could you please explain the insights here

    • @AntonPutra
      @AntonPutra 5 months ago +1

      You need the AWS Load Balancer Controller to create an NLB with IP mode (the target group for the load balancer will only contain the pod's IP addresses). Without the AWS Load Balancer Controller, you can only use "instance mode," which adds all your Kubernetes workers to the target group and uses NodePorts. It's not a hard requirement for the NGINX ingress; it's just an improvement.

  • @prashlovessamosa
    @prashlovessamosa 5 months ago +1

    Thanks Anton

    • @AntonPutra
      @AntonPutra 5 months ago

      my pleasure :)

  • @Krishreddy-u2k
    @Krishreddy-u2k 5 months ago +1

    Thanks for sharing one more awesome lesson, any plans to make a video on using AWS Private Certificate Authority (ACM) with the aws-pca-issuer add-on? Thanks

    • @AntonPutra
      @AntonPutra 5 months ago

      Thanks, yeah, I will consider it. Can you describe your use case, or just in general, the most common use cases for this integration?

    • @Krishreddy-u2k
      @Krishreddy-u2k 5 months ago

      @AntonPutra our environment is a private setup (secure), so we can't use letsencrypt; also it's internal traffic, so it has to be ACM. It would be great if you could create one. I have just started working on it, so I was looking around to see if someone has already created one. Thanks

    • @AntonPutra
      @AntonPutra 5 months ago

      @Krishreddy-u2k got it, thanks, to secure your internal services

    • @venugopalreddypagidi8880
      @venugopalreddypagidi8880 5 months ago

      @Krishreddy-u2k, you can use the ALB ingress controller and launch an internal-facing load balancer with ACM on EKS

  • @santirodriguez588
    @santirodriguez588 2 months ago +1

    Could you explain how we can configure traefik instead of nginx?

    • @AntonPutra
      @AntonPutra 2 months ago +1

      well, there is a helm chart that you can use to deploy the traefik ingress controller - github.com/traefik/traefik-helm-chart

  • @MNRCRTZ
    @MNRCRTZ 2 months ago

    Anton, great video! I have a question though: What are the benefits of using Cert Manager compared to AWS Certificate Manager? Personally, I find AWS Certificate Manager easier to manage since you can simply add the certificate ARN to the NGINX deploy.yaml file. However, I might be overlooking some advantages, so I’d love to hear your thoughts on this.
    EDIT: Except for the renewal of the certificate.
    Thank you!!!

    • @AntonPutra
      @AntonPutra 2 months ago

      no, it's a valid use case, keep using it! But it's a paid service, and termination on the load balancer increases cost as well, but it's not significant.. I personally like to use ingress with the letsencrypt DNS resolver

  • @Krishreddy-u2k
    @Krishreddy-u2k 5 months ago +1

    Hi, I know this is a bit off-topic, but I have a question. I'm using ingress-nginx on EKS with an NLB (externalTrafficPolicy: Local), and my target group instances are showing as unhealthy. Any advice on resolving this? Also it's a private cluster.. so should I try a DaemonSet instead of a Deployment? Trying to understand what's the best recommended approach

    • @AntonPutra
      @AntonPutra 5 months ago

      It's normal if you use "instance mode," which is the default. The load balancer will add all Kubernetes workers and only show healthy instances where you run your pods.
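The two target modes Anton describes above, as an added example (not code from the video or his repository): Helm values for the ingress-nginx chart that put the controller behind an NLB in IP mode via the AWS Load Balancer Controller. Assumes the ingress-nginx Helm chart and AWS Load Balancer Controller v2 annotations; the `controller.service.annotations` path is the chart's own.

```yaml
# Added example, not from the tutorial: values.yaml for the ingress-nginx chart.
controller:
  service:
    annotations:
      # Hand the Service to the AWS Load Balancer Controller instead of the
      # legacy in-tree cloud provider; without it you get the old behaviour.
      service.beta.kubernetes.io/aws-load-balancer-type: external
      # "ip": the target group holds only the controller pods' IPs, so every
      # registered target is a real NGINX instance and health checks pass.
      # "instance" (the default when the annotation is absent): every worker
      # node is registered via NodePort; with externalTrafficPolicy: Local the
      # nodes that run no controller pod fail the health check on purpose,
      # which is the "unhealthy instances" symptom discussed in this thread.
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
      # Public NLB for the external controller; "internal" gives private IPs.
      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
```

Check the result with `kubectl describe svc -n <ingress-namespace>` and in the EC2 target group console: in IP mode the registered targets are pod IPs from the VPC CNI, not node IDs.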

  • @prakasha5870
    @prakasha5870 5 months ago

    Good explanation. Thanks. Could you please let us know how much it will cost on AWS to run all those demos from this series? Nowadays AWS doesn't do the free credit stuff. Thanks

    • @AntonPutra
      @AntonPutra 5 months ago +1

      I think no more than $10

  • @hgn213
    @hgn213 5 months ago +1

    Thank you so much. Thank you thank you thank you

    • @AntonPutra
      @AntonPutra 5 months ago

      Most welcome 😊

  • @victory-day1980
    @victory-day1980 5 months ago

    Thank you for your hard work! Any plans on Pulumi IaC tutorials?

    • @AntonPutra
      @AntonPutra 5 months ago

      thanks, yes I got a couple of requests for other IaC tools including Pulumi

  • @nebolos
    @nebolos 2 months ago

    Hi Anton. Thanks for another awesome video. But I followed the tutorial and code but my NLB is not showing up on the console. When I do kubectl get svc -n ingress, EXTERNAL-IP is stuck in pending. Same problem as part 6. Please help point me in the right direction to begin troubleshooting

    • @AntonPutra
      @AntonPutra 2 months ago

      the best way to find the issue is to get logs from the aws load balancer controller, with something like "kubectl logs -f aws-load-balancer-controller-78556cfd88-zb4gc -n kube-system". You'll see exactly why

    • @nebolos
      @nebolos 2 months ago

      @AntonPutra thanks for the prompt response 🙏🏼

    • @AntonPutra
      @AntonPutra 2 months ago

      @nebolos did you find the issue??

  • @YellowMom08
    @YellowMom08 2 months ago

    Why can't I access the NLB's DNS without a cert in a browser when I am using ingress as per the tutorial? But earlier, when I was using a service of type "LoadBalancer", I was able to access my app through the browser using only the DNS of the NLB from the AWS console?

    • @AntonPutra
      @AntonPutra 2 months ago +1

      Well, because the common name or alternative name on the certificate must match the endpoint/DNS name you're trying to access. The point is not only to encrypt traffic between you and the website but also to authorize the website, meaning they need to prove that they are who they say they are.

    • @YellowMom08
      @YellowMom08 2 months ago

      @AntonPutra I understand now. Thank you very much

  • @GabrielPozo
    @GabrielPozo 5 months ago +1

    Thank you!!!

  • @raunakdoesdev
    @raunakdoesdev 2 months ago

    you rock, ty!!

    • @AntonPutra
      @AntonPutra 2 months ago

      thank you!!!

  • @DavidTayar
    @DavidTayar 2 months ago

    Why didn't you use the route53 solver if everything here is in AWS?

    • @AntonPutra
      @AntonPutra 2 months ago

      well, actually in prod I prefer the route53 solver and I even have a video explaining it - th-cam.com/video/DJ2sa49iEKo/w-d-xo.html
      with the DNS solver you can resolve the challenge and obtain the cert before routing real traffic to your application
      why not in this video? Just because it requires additional setup, IAM roles etc...

  • @xorg4549
    @xorg4549 4 months ago

    Can we use SSL termination at the NLB? e.g. I can set up an AWS certificate

    • @AntonPutra
      @AntonPutra 4 months ago

      I guess it's possible, but I have never tried it personally.
      ref 1 - github.com/kubernetes/kubernetes/issues/73297
      you would use something like this - kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/guide/service/annotations/#ssl-cert

    • @xorg4549
      @xorg4549 4 months ago

      @AntonPutra Thank you

  • @henbiton6486
    @henbiton6486 2 months ago

    Can I use Istio with the Ingress-NGINX controller? I prefer it over the Istio ingress because of some capabilities such as using GeoIP with Maxmind.
    I tried to configure Istio to work with my Ingress-NGINX controller but it seems like it's not working.

    • @AntonPutra
      @AntonPutra 2 months ago

      looks like you can - docs.nginx.com/nginx-ingress-controller/tutorials/nginx-ingress-istio/
      but I have never tried it myself

    • @henbiton6486
      @henbiton6486 2 months ago

      @AntonPutra I will try it, thanks.
      Do you think it's better to move to the Gateway API and move the GeoIP to the application?

    • @AntonPutra
      @AntonPutra 2 months ago

      @henbiton6486 First, you want to keep it as simple as possible. Do you really need a service mesh? If not, just switch to a simple ingress. Also, how large is your company, how many microservices do you have, and why are you using Istio?

    • @henbiton6486
      @henbiton6486 2 months ago

      @AntonPutra I wanted to add Istio to our clusters mostly for security and traffic management. I know that tools like Argo Rollouts can do canary deployments using ingress-nginx out of the box, but I think that using Istio from now on will help us migrate to the Gateway API in the future. I know that Istio can be overkill, but I think it's worth it.

    • @AntonPutra
      @AntonPutra 2 months ago

      @henbiton6486 sometimes under heavy load it's hard to debug, especially for developers who have no idea what Istio is

  • @pjj7466
    @pjj7466 5 months ago

    Is this good to use for production bro? With the help of cert-manager to renew the TLS certificates?

    • @AntonPutra
      @AntonPutra 5 months ago

      Yes, I've been using this setup for the last 4 years. Just make sure you use a valid email, it saved me a few times

    • @pjj7466
      @pjj7466 5 months ago +1

      @AntonPutra love you bro

  • @usarov
    @usarov 5 months ago

    What is the advantage of using cert-manager with Let's Encrypt over ACM? It seems much more complicated to maintain.

    • @AntonPutra
      @AntonPutra 5 months ago

      you mean the annotation with AWS Certificate Manager? Well, it's the only way to automate if you want to use the nginx ingress controller

    • @usarov
      @usarov 5 months ago

      Yes. What do you mean it is the only way?

    • @AntonPutra
      @AntonPutra 5 months ago +1

      @usarov TLS is terminated at the nginx controller level; you can manually create a "tls" Kubernetes Secret with the private key and certificate, or you can automate it with cert-manager. When using ALB you can use an annotation and attach the TLS certificate to the ALB itself. TLS will be terminated on the load balancer.
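The cert-manager path Anton describes here, and the certificate-name matching he explains to @YellowMom08 above, as an added example (not code from the video or his repository): a Let's Encrypt ClusterIssuer using the HTTP-01 solver plus an Ingress that asks cert-manager for the certificate. Assumes cert-manager 1.12 or later (for `ingressClassName` in the solver), an ingress class named `nginx`, and placeholder names `letsencrypt-prod`, `app.example.com`, `myapp` and `myapp-tls`.

```yaml
# Added example, not from the tutorial. Placeholder names throughout.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    # Let's Encrypt sends expiry warnings here: use a mailbox someone reads.
    email: ops@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, managed by cert-manager
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx        # challenge is served through this controller
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
  namespace: default
  annotations:
    # cert-manager watches this annotation, requests a certificate for every
    # host listed under spec.tls and stores key + chain in that Secret.
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.example.com     # becomes the certificate SAN; the NLB's own
                              # *.elb.amazonaws.com name is NOT in it, so
                              # browsing to the NLB hostname fails validation
      secretName: myapp-tls   # type kubernetes.io/tls; NGINX terminates TLS here,
                              # the NLB only passes TCP 443 through
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp
                port:
                  number: 80
```

The manual alternative Anton mentions is the same Secret created by hand with `kubectl create secret tls myapp-tls --cert=tls.crt --key=tls.key`, in which case the annotation is dropped and renewal is on you.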

  • @henbiton6486
    @henbiton6486 3 months ago

    How many replicas should I use in production?

    • @AntonPutra
      @AntonPutra 3 months ago +1

      2-3 if you don't have a lot of traffic. The more ingresses you have, the more usage and replicas you'll need, as each ingress adds additional load on the NGINX controller instance. Also, make sure to configure Pod Anti-Affinity and Kubernetes Pod Disruption Budgets (PDB) to minimize disruption during cluster upgrades or accidents.

    • @henbiton6486
      @henbiton6486 3 months ago

      Thanks for the answer.
      I'm running an EKS cluster and installed nginx-ingress. I need to have both internal and external NLBs, for the app and for internal workloads like Grafana. Should I install 2 controllers, one for each of them? I tried to use only one, but external-dns creates all the records with the external NLB

    • @AntonPutra
      @AntonPutra 3 months ago +1

      @henbiton6486 You would deploy 2 ingress controllers to your cluster, one with a public load balancer and another one with a private load balancer. You would also use a private Route53 hosted zone for the internal ingress. To resolve your private ingress with private DNS you would use a client VPN. AWS has a managed service, or you can deploy your own and push DNS when you connect to the VPN. I have an example with a self-deployed OpenVPN instance - github.com/antonputra/tutorials/tree/main/lessons/084
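The second, private controller and the replica/anti-affinity/PDB advice from this thread, as an added example (not code from the video or Anton's repository): Helm values for a separate ingress-nginx release that fronts internal workloads behind an internal NLB. Assumes the ingress-nginx Helm chart, AWS Load Balancer Controller v2, a release name of `ingress-nginx-internal`, and that the public release keeps the default class `nginx`.

```yaml
# Added example, not from the tutorial: values.yaml for a second ingress-nginx
# release (assumed name: ingress-nginx-internal) serving private hostnames.
controller:
  # A distinct IngressClass so each Ingress chooses the public or the private
  # controller explicitly; external-dns then publishes the matching NLB name,
  # and private hosts can live in a private Route53 zone.
  ingressClass: nginx-internal
  ingressClassResource:
    name: nginx-internal
    controllerValue: k8s.io/ingress-nginx-internal
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: external
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
      # internal: the NLB gets private VPC addresses only, reachable over the
      # client VPN / peering, never from the internet.
      service.beta.kubernetes.io/aws-load-balancer-scheme: internal
  # HA: several replicas spread over distinct nodes, and a PodDisruptionBudget
  # so a node drain during an upgrade can never evict the last controller pod.
  replicaCount: 3
  minAvailable: 2
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - topologyKey: kubernetes.io/hostname
          labelSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
              app.kubernetes.io/instance: ingress-nginx-internal
              app.kubernetes.io/component: controller
```

With `requiredDuringScheduling` the replica count must not exceed the number of schedulable nodes, otherwise the extra pods stay Pending; use `preferredDuringSchedulingIgnoredDuringExecution` on small clusters.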

  •  5 months ago

    why NLB and not ALB?

    • @AntonPutra
      @AntonPutra 5 months ago +3

      There is no need for an ALB (Application Load Balancer). It's slower, more expensive, and provides no benefits when used with NGINX Ingress. All Layer 7 routing is handled by the controller itself.

  • @twizzoe
    @twizzoe 5 months ago

    Ladies and Gentlemen, here we go again ......

    • @AntonPutra
      @AntonPutra 5 months ago

      ?

    • @twizzoe
      @twizzoe 5 months ago +1

      @AntonPutra The much awaited playlist

    • @AntonPutra
      @AntonPutra 5 months ago

      @twizzoe ❤