AWS NLB with service externalTrafficPolicy = Local

Iurchenko · February 14, 2020, 7:02am

Hi Team,

I’d like to use AWS NLB for our ingressGateway. And the only way to preserve client PI is to set Service externalTrafficPolicy=Local. And as it describes in K8S Service Doc

Nodes without any Pods for a particular LoadBalancer Service will fail the NLB Target Group’s health check on the auto-assigned .spec.healthCheckNodePort and not receive any traffic.

And this works as expected.
The default Health check params for Target Groups in Kubernetes 1.15.6:

Unhealthy threshold is set to 3
Interval 30s.
Timeout 6s

And seems it brings an issue in case we have enabled HPA for ingressGateway. When hpa scales down the pod - there is a delay in NLB/TargetGroups when it moves instance from healthy → unhealthy. And for 90+ seconds NLB routes traffic to this nodes.

What would be a proper solution or workaround here?

Iurchenko · February 14, 2020, 8:55pm

Seems Health Check params were reduced - PR

thiago_leite · July 29, 2020, 6:25pm

I have the same scenario, is there any solution or workaround?
looks like the PILOT_SIDECAR_USE_REMOTE_ADDRESS does not solve the issue too.

Topic		Replies	Views
AWS Nlb HealthCheck fails for TargetGroup when ExternalTrafficPolicy is Local Networking	2	658	December 5, 2023
Service health check exposed for AWS NLB Networking	13	9499	April 22, 2022
Unhealthy targets when provisioning ALB Ingress with Istio Ingress Gateway as backend Networking	0	2011	November 27, 2022
Graceful Shutdown of istio-ingressgateway for AWS NLB Networking	3	3131	April 12, 2022
Custom ingress gateway balanced with NLB	4	2108	February 14, 2021

AWS NLB with service externalTrafficPolicy = Local

Related topics