This article is shared from HUAWEI CLOUD Community, "ELB Ingress Gateway Helps Cloud Native Applications Manage Traffic Easily-Cloud Community-HUAWEI CLOUD".
Background
In most cases, the container network plane of a K8s cluster is isolated from the external network, and the external network cannot directly access the container services inside the cluster. A common way provided by the community is to use K8s resource objects such as Nodeport Service, Loadbalancer Service, and Ingress to expose container-native applications inside the cluster. The Service object provides Layer 4 load balancing capabilities, and the Ingress object provides Layer 7 load balancing capabilities for application-layer access (such as HTTP/HTTPS).
With the widespread adoption of cloud-native architecture in enterprises, containers, as the carriers of cloud-native microservice applications, face more challenges: microservice networking is complex, and forwarding business requests between cloud services often requires source address translation, which causes traffic distribution loss. Businesses such as games and e-commerce flash sales are scaled up and down frequently within short periods and must cope with highly concurrent network traffic. Gateway ingress traffic needs security protection against Internet attacks such as gray-market and abnormal traffic. In addition, Layer 7 advanced forwarding capabilities, such as more complex routing rule configuration, multiple application-layer protocols (HTTP, HTTPS, gRPC, etc.), blue-green application releases, and traffic observability, have gradually become common requirements of cloud-native applications.
Although open source community solutions such as Ingress Nginx, Ingress Kong, and Traefik provide rich Layer 7 traffic management functions, enterprises need to fully weigh the requirements of security, maintainability, and reliability when choosing an ingress solution for key production services to the cloud, in addition to functionality, to find the best balance. Professional cloud service providers provide managed ingress solutions that can better meet these challenges.
HUAWEI CLOUD CCE (CCE_Build_Deploy_Enterprise-Grade Cloud Container_Container Engine-HUAWEI CLOUD) provides fully managed, O&M-free, enterprise-level ingress traffic management based on Elastic Load Balance (ELB), allowing users to easily manage cloud-native application traffic.
Introduction to ELB Ingress
In a K8s cluster, the container network plane is usually an isolated network plane independent of the cluster host network, and the address of the container will change after the workload is upgraded or rescheduled, which brings a problem: how to implement the service discovery of a certain group of pods and provide a fixed external access portal? Service and ingress objects are a mechanism in K8s to implement unified access portals for applications inside and outside the cluster.
The K8s community provides three ways to expose traffic outside the cluster: NodePort Service, LoadBalancer Service, and Ingress. Service and Ingress work together to provide the external access mechanism for applications in a K8s cluster. As shown in Figure 1, the client accesses the route declared by the Ingress through a load balancer managed by the Ingress, and the traffic is delivered to the backend containers through the backend Service.
Figure 1: Ingress example
ELB Ingress is a Layer 7 traffic management feature provided by HUAWEI CLOUD CCE based on the community-standard Ingress API and provides high-availability, high-performance, high-security, and multi-protocol fully managed O&M-free load balancing capabilities. At the same time, it has elastic capabilities, supports rapid expansion of computing resources in the event of traffic bursts, supports tens of millions of concurrent connections, and millions of new connections, making it an ideal choice for cloud-native application traffic governance.
How ELB Ingress works
ELB Ingress runs on the master nodes of the CCE cluster and interconnects with the ELB instance: it writes the container backend addresses, forwarding policies, and routes declared by the Ingress to the ELB instance and updates them dynamically.
Figure 2 shows the workflow of ELB Ingress based on NodePort transit, which is used by CCE Standard clusters. It works as follows:
- You create an Ingress resource in the cluster and configure the traffic access rules in it: the load balancer instance, URL routes, SSL certificates and other listener information, and the backend Service to be accessed.
- When the Ingress controller observes a change to the Ingress resource, it reconfigures the listener and backend server routes on the load balancer according to the traffic access rules defined in the Ingress.
- When a user accesses the application through the ELB, the traffic is forwarded to the corresponding node according to the forwarding policy configured on the ELB, and then forwarded a second time through the NodePort to the associated workload (see the official K8s documentation for the NodePort forwarding mechanism).
Figure 2: Flow chart of ELB Ingress with NodePort transit
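The Ingress resource from the first step above, as an added example that is not from the article: a standard networking.k8s.io/v1 Ingress that terminates TLS for one host and routes two paths to backend Services, one of them the NodePort Service used by the second forwarding hop. The host, names and ports are constructed; the ELB-specific annotation keys (which ELB instance to bind, listener options) are documented in the CCE routing overview linked at the end of the article and are not reproduced here.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-ingress                  # constructed name
  namespace: default
  annotations:
    # Selects the CCE ELB ingress controller (class name assumed; verify in the CCE docs).
    kubernetes.io/ingress.class: cce
    # The annotation that binds a specific ELB instance and sets listener options goes
    # here as well; its key is in the CCE routing overview and is deliberately not guessed.
spec:
  tls:
  - hosts:
    - shop.example.com                # constructed host
    secretName: shop-tls              # kubernetes.io/tls Secret holding certificate and key
  rules:
  - host: shop.example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-svc
            port:
              number: 8080
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-svc
            port:
              number: 80
---
# Backend Service for /api. In a CCE Standard cluster the ELB forwards to the node,
# and the NodePort then forwards to the pods (the second hop in Figure 2).
apiVersion: v1
kind: Service
metadata:
  name: api-svc
  namespace: default
spec:
  type: NodePort
  selector:
    app: api                          # constructed pod label
  ports:
  - port: 8080
    targetPort: 8080
```

Create the TLS Secret first with `kubectl create secret tls shop-tls --cert=<cert.pem> --key=<key.pem>` and then apply the manifest; the controller then programs the ELB listener and backend routes as described in the second step.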
In this solution, traffic is forwarded multiple times through nodes and IPTables/IPVS rules, resulting in network performance loss. In high-traffic scenarios, the challenges of network forwarding efficiency and network connection speed are particularly prominent. To this end, we have launched a network acceleration solution based on CCE Turbo clusters: containers directly use VPC networks to implement ELB ingress that directly connects to containers, simplifying the original two-layer model of container network + virtual machine network into one layer. As shown in Figure 3, pod IP addresses in a cluster are directly allocated from VPCs, and northbound load balancers can be used to directly access pods in the cluster without being forwarded through node ports, achieving zero traffic distribution loss.
Figure 3: Flow chart of ELB ingress for container network pass-through
Key benefits of ELB Ingress traffic management
Based on native Kubernetes Ingress, ELB Ingress uses declarative APIs to specify routes and interconnected backend services for the ingress or use annotations to configure advanced listener options to ensure eventual consistency. ELB Ingress provides developers and operators with great development flexibility and maintenance convenience, and its core benefits include:
- High throughput, high availability, and high elasticity
ELB Ingress can be used with dedicated ELB instances to support up to 20 million concurrent connections. A comprehensive health check mechanism keeps services online in real time, and multi-AZ intra-city active-active disaster recovery with seamless real-time switchover is supported. Elastic load balancer instances can be scaled up or down according to the traffic load, which suits scenarios with large fluctuations in business usage, such as gaming and video, meeting instantaneous traffic requirements while minimizing cost.
- High security
Figure 4 shows a simple example of external traffic accessing a CCE Turbo cluster through ELB: on the access side, the WAF engine can be configured to detect and block malicious attack traffic, while normal traffic is forwarded to the backend ECS. You can use Ingress annotations to easily configure custom security policies for an ELB instance, such as blacklist and whitelist configuration and two-way authentication. HTTPS encrypted channels are also supported for forwarding from the ELB to the backend, further enhancing overall security.
Figure 4: Example of external traffic accessing CCE Turbo
- Portability
It is fully compatible with the semantics of community Ingress, so applications can be migrated from open-source Nginx Ingress and other solutions by simply modifying annotations.
- Observability
CloudMonitor allows you to view network traffic and access logs of ELB instances on a timeline basis, dynamically analyze and alert on potential risks. CTS can monitor load balancer resource update logs in real time, generate real-time alarms for risk actions, and dynamically monitor the security of cloud resources. The Ingress Controller also supports a variety of general monitoring metrics, such as API call latency and reload times.
- Maintenance-free
The ELB Ingress component runs on the master node of the cluster, so you do not need to worry about O&M issues, and the components are automatically updated when the cluster is upgraded.
The core features of ELB ingress traffic management
In addition to the basic community functions, HUAWEI CLOUD ELB Ingress has been greatly enhanced in terms of load balancing, routing rules, traffic control, security, and observability, meeting the requirements of more complex production environments. The following describes the core features of ELB Ingress traffic management:
- Grayscale release
Grayscale release is a common way to smooth the transition of a version upgrade. When you upgrade a version, some users use the new version first while the others continue to use the old version. After the new version is stable, the scope of the new version is gradually expanded until all user traffic is migrated to it. This minimizes the business risk caused by releasing a new version, reduces the fault scope, and supports fast rollback.
We provide grayscale release strategies based on Header, Cookie and Weight. The first two strategies divide users into several groups and introduce the new version to one group after another over different time periods, gradually expanding the scope of the new version. The weight-based strategy controls the weight of the new version and gradually increases the new version's share of traffic over time until it completely replaces the old version.
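The three grayscale strategies, as an added example that is not from the article, written with the open-source Nginx Ingress controller's canary annotations (the article states that ELB Ingress can be migrated from Nginx Ingress by changing annotations; the ELB-specific keys are in the CCE docs and are not guessed here). The host and Service names are constructed.

```yaml
# Stable Ingress: serves every request that no canary rule claims.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-stable
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: shop.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: shop-v1
            port:
              number: 80
---
# Canary Ingress for the same host and path, pointing at the new version.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-canary
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/canary: "true"
    # Header strategy: a request with "X-Canary: always" goes to v2, "never" to v1.
    nginx.ingress.kubernetes.io/canary-by-header: "X-Canary"
    # Cookie strategy: a request with cookie canary=always goes to v2, canary=never to v1.
    nginx.ingress.kubernetes.io/canary-by-cookie: "canary"
    # Weight strategy: 10% of the remaining traffic goes to v2; raise it step by step.
    nginx.ingress.kubernetes.io/canary-weight: "10"
spec:
  rules:
  - host: shop.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: shop-v2
            port:
              number: 80
```

Nginx evaluates the strategies in the order header, cookie, weight; a request that matches none is served by the stable Ingress, and rollback is just deleting the canary Ingress.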
- Advanced forwarding policies
With the increasing complexity of cloud-native application networking, the traditional Layer 7 traffic governance based on routing and forwarding is no longer able to meet the requirements. We provide advanced forwarding strategies that address the limitations of traditional solutions:
- Header-based load balancing: Requests are distributed to different backend servers based on the different values of client request headers.
- HTTP redirects to HTTPS: The system automatically forwards HTTP listener traffic to HTTPS listeners to improve website security and prevent content tampering.
- URL redirection and rewriting: Supports permanent or temporary mapping of a URL to another URL. At the same time, regular expression matching and rewriting rules for different paths are supported.
- Slow start
When you apply a rolling upgrade, ELB Ingress automatically updates the backend of the load balancer and sets the backend weight based on the number of replicas of the backend container instance. However, during the rollout process after the backend health check is passed, the traffic may surge, resulting in an instantaneous high load on the CPU or memory resources of the backend container, which will affect business stability. After the slow start mode is enabled, the system can gradually import traffic to the backend of the destination container within a specified period of time. This alleviates the pressure of sudden traffic surges in business containers, protects the system from excessive load, and enables a graceful transition.
Summary
Based on HUAWEI CLOUD Elastic Load Balance (ELB) application load balancers, ELB Ingress provides powerful ingress traffic management capabilities: it is compatible with Nginx Ingress, handles complex service routing and automatic certificate discovery, and supports protocols such as HTTP, HTTPS and gRPC, meeting the requirements of cloud-native application scenarios for ultra-elastic, large-scale Layer 7 traffic processing.
In the future, we will publish a series of articles detailing the best practices of traffic management based on ELB Ingress.
Related Links:
- Overview of CCE Routing on HUAWEI CLOUD CLOUD Container Engine: https://support.huaweicloud.com/usermanual-cce/cce_10_0094.html
- Ingress official documentation: https://kubernetes.io/docs/concepts/services-networking/ingress/