Load balancing in LoadBalancer Service vs NodePort Service

NodePort Service load-balances traffic to different pods using a random algorithm. What value is added by a load balancer hosted on a supported cloud platform that warrants the use of the LoadBalancer service type? For instance, does the native load balancer on the cloud provide different load-balancing algorithms to choose from?

The “load balancing” of pods offered by services is a feature of any K8s service. I’m not sure, TBH, how using a LoadBalancer style of K8s service would change the load-balancing behavior; I expect that if this does happen, it’s a characteristic of a given cloud platform’s annotations for the LoadBalancer definition.

If you are running a cluster that serves content to the public internet, you would never use a NodePort service, as this requires that your worker nodes be on public subnets; they are then directly exposed to the internet and thus vulnerable to attack. With node ports you also don’t get a lot of other benefits (detailed below).

The point of LoadBalancer services is that your cluster resides on private subnets in the cloud and none of the workers can be directly attacked from outside. The cloud provider provisions a cloud load balancer (along with the security guarantees given by the cloud provider) to bridge the gap between the cluster and the outside world.

So even in this ideal setup, you still don’t deploy LoadBalancer services for every deployment running in the cluster. You deploy an ingress or Gateway API controller. This deployment has a LoadBalancer service, which provisions the cloud load balancer connecting the entire cluster to the outside world. Then the ingress controller handles TLS offloading (so your sites can be HTTPS, which they absolutely have to be if public) and routing to the individual services in the cluster, which will be ClusterIP. So the benefits of this are:

  • One cloud loadbalancer for everything (load balancers cost money).
  • Ability to serve HTTPS without having to code HTTPS support into every application.
  • Cluster nodes are not visible to the outside world (much better security posture).

The LoadBalancer service does effectively create a NodePort on every worker; however, these ports are connected to the load balancer’s backend, so the load balancer balances requests across all the nodes, and then the internal routing of the service takes care of ensuring the traffic ends up where it should within the cluster.
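The manifests below are an added example, not from either answer above or from any project. They put the contrast side by side: the NodePort pattern the second answer says never to expose publicly, followed by the recommended layout (one LoadBalancer Service owned by the ingress controller, ClusterIP Services for the workloads, an Ingress that terminates TLS). It also shows, per the first answer, where a cloud provider’s annotations would go on the LoadBalancer Service. Every name (public-web, ingress-nginx, web-tls, www.example.com, the node port 30080) is an assumption chosen for illustration.

```yaml
# Added example (not from the original thread). Names and ports are assumed.

# 1) The pattern to avoid on a public cluster: a NodePort Service. Every worker
#    node listens on 30080, so the nodes themselves must be reachable from the
#    internet, and the application serves plain HTTP on its own.
apiVersion: v1
kind: Service
metadata:
  name: public-web-nodeport
  namespace: web
spec:
  type: NodePort
  selector:
    app: public-web
  ports:
    - port: 80
      targetPort: 8080
      nodePort: 30080      # default allocatable range is 30000-32767
---
# 2a) Recommended: ONE LoadBalancer Service, owned by the ingress controller.
#     The cloud provider provisions its load balancer in front of this Service;
#     the worker nodes stay on private subnets.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  # Cloud-specific behaviour (LB type, algorithm, health checks) is selected
  # with provider annotations here, e.g. the AWS
  # service.beta.kubernetes.io/aws-load-balancer-* family. None are set in
  # this example, so the provider's defaults apply.
spec:
  type: LoadBalancer
  # Local preserves the client source IP and only routes to nodes that run a
  # controller pod; the default (Cluster) adds a kube-proxy hop between nodes.
  externalTrafficPolicy: Local
  selector:
    app.kubernetes.io/name: ingress-nginx
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: https
---
# 2b) The application is reachable only inside the cluster (ClusterIP is the
#     default type): no nodePort, no public address.
apiVersion: v1
kind: Service
metadata:
  name: public-web
  namespace: web
spec:
  selector:
    app: public-web
  ports:
    - port: 80
      targetPort: 8080
---
# 2c) The Ingress tells the controller to terminate TLS with the certificate in
#     Secret web-tls and route www.example.com to the ClusterIP Service. The
#     application never handles TLS itself.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: public-web
  namespace: web
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - www.example.com
      secretName: web-tls
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: public-web
                port:
                  number: 80
```

Apply only section 2 (the three documents after the first `---`) to a real cluster; section 1 is kept in the file purely as the before/after contrast. A quick check that the layout holds: `kubectl get svc -A` should show exactly one Service of type LoadBalancer, and no Service in an application namespace should have a `NODE-PORT` value.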