0
votes

I'm trying Kubernetes in an Azure environment (AKS).

I have an nginx ingress deployed and exposed to the internet through a public IP and an Azure load balancer. It is used to expose public/front services.

My issue is that I would like to deploy 'back' services that are not exposed to the internet. My first guess would be to deploy a second ingress and expose it on the internal load balancer, am I right?

But what if my front services need to consume the back services? Can I consume them over the second ingress (to use nginx configuration, SSL offload, etc.) but not do a round trip to the internal load balancer? What will be the DNS configuration in that case?

2
Are the front and back services on the same AKS cluster? - erstaples
Why do you want ingress? Why can't you just use Kubernetes services? - 4c74356b41
@4c74356b41 Services don't allow you to mix paths to serve different apps pointing to separate services like Ingress. - prometherion
Why do you need that? Each service can have its own endpoint. - 4c74356b41

2 Answers

2
votes

Ingress controllers are made for external traffic. For in-cluster communication it is best to use Kubernetes Services, which will configure the DNS inside the cluster. With a Service you'll be able to call your backend service without doing a round trip to an external resource; the load balancing will be done natively inside the k8s cluster. Nothing prevents you from deploying an nginx pod or injecting it as a sidecar in your backend service pod and using it as a reverse proxy, but do you really need the nginx configuration and mutual TLS for in-cluster communication? If you really need mutual TLS, you'd better look at something like Istio, but it is probably overkill for your use case.

0
votes

You do not need to deploy a secondary ingress service. All you need to do is make your service endpoint [IP] private and they should be able to talk to your ingress service only.

Here is how you create a private IP: https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip
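
The two approaches from the answers above, side by side, as an added example that is not part of either answer: a ClusterIP Service for a back service reached over cluster DNS, and a second nginx ingress controller Service placed on the Azure internal load balancer. All names, namespaces, labels and ports (`backend`, `orders-api`, `ingress-internal`, `ingress-nginx-internal`) are assumptions.

```yaml
# Constructed example; every name, label and port below is an assumption.

# 1) Back service kept inside the cluster: ClusterIP only, so no Azure
#    load balancer and no public or VNet-facing IP is created for it.
apiVersion: v1
kind: Service
metadata:
  name: orders-api
  namespace: backend
spec:
  type: ClusterIP
  selector:
    app: orders-api          # must match the back Deployment's pod labels
  ports:
    - name: http
      port: 80
      targetPort: 8080
# Front pods call it through cluster DNS, without leaving the cluster:
#   http://orders-api.backend.svc.cluster.local
---
# 2) Service for a second nginx ingress controller, exposed on the Azure
#    internal load balancer instead of a public IP.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-internal
  namespace: ingress-internal
  annotations:
    # Tells AKS to provision a private frontend IP in the VNet.
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:                  # assumed labels of the second controller's pods
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx-internal
  ports:
    - name: https
      port: 443
      targetPort: https
# A LoadBalancer Service also gets a ClusterIP, so in-cluster callers can
# reach this controller (and its nginx rules / TLS termination) at
#   ingress-nginx-internal.ingress-internal.svc.cluster.local
# sending the Host header that the Ingress rule matches on.
```

After applying, `kubectl get svc -A` should show an `EXTERNAL-IP` from the VNet's private range for the internal controller and `<none>` for the ClusterIP Service.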