Nginx-controller deployed - Do we still need additional external Load Balancer

Kubernetes
#1

Hi, i have a conceptual confusion -

  • Consider a cluster with 4 bare metal nodes (on-prem cluster, no cloud). If we have www.abcd.com/wear and www.abcd.com/watch as the paths routing to wear and watch service respectively, do we STILL need some sort of "external load balancer in addition to nginx-controller? between the ROUTER and our nodes? or does ngnix controller deployment we learnt take care of this? My doubt attached…

image
image1070×1360 95.2 KB

#2

Probably, especially if you multiple nodes, which you will. Not sure what the best loadbalancer options are for bare metal, but you should do that.

1 Like
#3

Hi @rob_kodekloud

  1. Re-watched Lecture # 111. Got confused more … Doesn’t nginx-ingress load balance across services?. If so, why would we need external load balancer across nodes, if the pods are already placed by scheduler on different physical nodes?

/wear service = 8 pods (2 on each of the 4 Raspberry Pis)
/watch service = 6 pods (3 on Pi1 and Pi2 each)

  1. Different question: If ingress is exposed as nodeport service on 31111 on all 4 nodes (Raspberry Pis) and if configure router/gateway to forward to 192.168.0.51 (to Pi#1), if Pi#1 goes down, does it automatically route to Pi#2 (192.168.0.52) or does the whole setup go down?
#4

The service in front of the ingress controller (IC) does multiplex to the pods across all of the nodes, but using a NodePort service still has a couple of problems. First, the nodes themselves are a point of failure, and using a NodePort service, if the node goes down, you won’t get routed to another node where kube-proxy has set up firewall rules.

The second problem is that you won’t get a common port like 80 or 443 if you use a NodePort service; kube-proxy is not allowed to give those ports out to prevent conflicts with other software.

A LoadBalancer service gets around both of these issues. It is allowed to use the commonly used ports, and it can route to the services in ingress resources directly, without going through the the service of the IC, and then going on to the wrapped services of the IRs. I suspect also that a dedicated LB has less overhead, and is faster as well.