In this article, we will see the features Kubernetes Ingress provides for content-based routing and traffic control inside the cluster.
What is Kubernetes Ingress?
Kubernetes Ingress provides a rule-based workflow that will setup the routing API objects inside the cluster. The Ingress APIs will facilitate content-based routing for the services with the external endpoints using an HTTP(s) load balancer that connects with the public internet. In some cases, the internal routing technique inside a Virtual Private Cloud.
HTTP(s) Load Balancer
The exposed service requires an HTTP(s) Load Balancer to connect with external traffic in Google Kubernetes Engine and the user receives low latency HTTP(s) connection with the help of Google Points of Presence. So, the service is connected to various Google Load Balancers using the Anycast routing method that determines the low-cost path to reach any closest Load Balancer nodes in the network.
It’s a technique that exposes the service to the public internet with a single IP address.
What is Anycast routing?
Anycast is a routing method that distributes the incoming request (a single IP address) into multiple routes based on regional, content-based, or any other priority methods. The prioritization of the routing node provides services within low latency bandwidth to the user. The shortest path algorithm of the Anycast network determines the closest or nearest nodes. In the real scenarios, the network request to reach any nearest CDN, data center to reduce traffic congestion in the high traffic volume applications.
Internal and External traffic control using Ingress
In Google Cloud, there are many different ways the HTTP(s) traffic is distributed in the network. The two different kinds of traffic requests will provide autoscaling, regional load balancing, integration of cache content delivery, and many other load balancing features.
Ingress for internal traffic Load Balancing
The internal HTTP(s) Load Balancer is only accessible to the selected region from the *Virtual Private Cloud(VPC)* network using an internal IP address.
Envoy Proxy as a Sidecar
The internal HTTP(s) Load Balancer uses Envoy Proxy to manage services in the cluster. The proxy service works as a *sidecar proxy* to provide service mesh to manage the internal traffic control in a region, VMs, or GKE nodes. The service instances are not connected to the external traffic but use the local proxy to communicate with another service within a zone. The Envoy proxy takes care of service discovery, load balancing, traffic control, circuit breaker, health check in a cluster.
It’s a supporting feature for the applications that are applied as a container, configuration element, logging, proxy services. The sidecar services work as an attachable and detachable component for an application lifecycle.
The internal load balancer follows the *L7 routing method that allows forming certain URL types to define various paths to connect with the backend service using a single internal IP address. The [URL map](cloud.google.com/load-balancing/docs/url-ma.. creates path rules to direct the traffic to content-based routing backend services.
There is a BASE URL “mymediaservice.internal” that has two backend service “video”, “image”. So the path rule will decide to connect to multiple internal backend services or buckets using a single URL.
Internal Microservice Architecture
The internal backend services are hosted inside multiple instance groups within the VMs that work as internal microservices for internal clients.
L7 Traffic Management
The L7 internal routing follows traffic management methods to route traffic intelligently and provides high-performance routing facilities in the production environment.
- Traffic Steering (header-based routing)
The HTTP(s) request headers will direct the traffic to the destination service instance by setting user-agent.
If the user has a mobile device, then the request param with “user-agent: Mobile” in the header, and for other users “user-agent: Desktop”, so the traffic can redirect to the required service instance based on the user’s device usability. So the traffic steering mechanisms enable intelligent routing in regional, zonal routing applications.
Traffic Steering based on user device type
- Traffic Action (weight-based traffic splitting)
The traffic action is useful for managing the newer version of the service in the network. The migration of service with the “version-2” can be split into multiple sets of “95%” and “5%”. The first set of the traffic will be running the “version-1” of the service and other running the “version-2” of the service until the performance is stable, release ratio will slowly increase in the network. The traffic action highly performant in-service migration, A/B testing, and other release processes of the services in the production environment.
Updating Service by traffic splitting
Traffic management components
The L7 traffic management system provides a wide variety of features to enable traffic steering, traffic actions, and traffic policies in a regional network.
The URL map provides Route Rule, Rule Match, Rule Action methods to direct traffic under a regional space to connect with several backend services.
The HTTP(s) load balancer directs the traffic to various backend service instances such as Compute Engine Virtual Machines(VMs) instances in an *Unmanaged Instance Group (UIG), Compute Engine Virtual Machines(VMs) instances in a [Managed Instance Group (MIG)](cloud.google.com/compute/docs/instance-grou..) or containers from Google Kubernetes Engine(GKE) node in a [Network Endpoint Group(NEG)](cloud.google.com/load-balancing/docs/negs)*. So, the routing of load balancers to a backend service is defined under a regional URL map.
More on URL Map path rules — https://cloud.google.com/load-balancing/docs/l7-internal/traffic-management#simple_host_and_path_rule
Ingress for external traffic Load Balancing
The Ingress for external traffic in Google Kubernetes Engine works as a global load balancer providing the HTTP(s) load balancer as Pod. The load balancer is globally distributed which exposes the applications to the public internet. The load balancer can be connected with multiple backend types to facilitate external traffic using IPv4 and IPv6 with path-based routing.
The external HTTP(s) load balancer enables the services to connect with public backend services such as Cloud CDNs, Content-based storage backend, Geography regional services, and similar backend services with a single IP address.
- Instance Group
There will be many collections of VMs running within a single cluster that forms an instance group. There are *Managed Instance and [Unmanaged Instance](cloud.google.com/compute/docs/instance-grou..) *that functions VMs differently in a Google Cloud Computing environment.
Managed Instance Groups (MIG)
Many types of stateless and stateful applications run in Pods, Services within a cluster. The performance scalability of these instances is possible by creating multiple identical VMs that will provide autoscaling, autohealing, regional deployment, and automatic updating.
Advantages of Managed Instance Groups
There are multiple replicas of VMs running as instance group that will provide seamless workflow in the cluster, so if any of the VM instances goes down another replica VM instance will resume the work.
The regional MIGs will distribute the app load across several zones as a replica VM in the network that will reduce the traffic load to a single instance of VM.
The autoscaling methods will enable the feature to increase the computation resource requirement for the application, so the MIGs can automatically grow the instance in the cluster as per the demand, the same applies to reduce the instances group if the demand drops.
The auto rollout of software updates into the instances are very flexible as the migration to a newer version can be controlled based on the stable testing across all the region.
The stateful workload will create unique identical replicas that will handle auto-healing, recreation, updates, and more for all kinds of stateful applications.
Unmanaged Instance Group
There will be manual efforts to optimize, scale, health check for the instances that are running inside the VMs. The UIG does not offer automatic processing like scaling, rollout, healing, or anything that will be managed automatically in the cluster.
2. Network Endpoint Groups (NEGs)
In general, the Network Endpoint Groups defines the collection of backend endpoints or services running within a container. There are a small set of backend instances can be created for each endpoint running under the VMs.
The Compute Engine VMs that runs endpoints must have a combination of IP:port.
The *Zonal NEGs *run multiple set of containers that runs under a VM.
There will be a range of *subnet IPs* for each container followed by the alias IP of the VM.
2 Zonal NEGs running 2 VMs
Serverless NEGs is a backend service that can run from IPv4 and IPv6 addresses which are not shared with other services.
There will be only one base URL that can be spread as an identical serverless application running across the different regions. So, the user can be beneficial to reach the closest *CDNs, data centers to access the service. So, the same URL can be used as a single HTTP(s) load balancer to send traffic to other Google Cloud Technologies such as [Cloud Run](cloud.google.com/run), App Engine, Cloud Functions, Compute Engine, Google Kubernetes Engine, and [Cloud Storage](cloud.google.com/storage)*.
The backend services reside outside the Google Cloud forms an *Internet NEGs *defines multiple backend endpoints of load balancers to connect to the public internet.
Static IP address for external HTTP(s) load balancers
In general, the ingress object creates an external IP address that the client can use to connect to the public internet but the same IP address will change to a new one if the Ingress service dies or recreated in the cluster.
We can assign a static IP address that remains permanently as an ingress annotation.
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: cache-ingress annotations: kubernetes.io/ingress.global-static-ip-name: 192.168.1.2
The HTTP(s) load balancers mostly work as a proxy that will either expose the service to the public internet or create an internal IP address to communicate with Virtual Private Cloud. The proxies work on the *HTTP(s) Forwarding Rule to send the request to the backend VM or external cloud services. The Google Kubernetes Engine provides [Ingress Controllers](kubernetes.io/docs/concepts/services-networ.. that will automate the configuration of sidecar proxies in the load balancers, path-based routing, SSL without manually handling them in the production environment.
So, this is the overview of traffic control and content-based routing using Kubernetes Ingress and the strong relationship with Google Cloud HTTP(s) Load Balancer.
I hope you find this article useful :)