Migrating services from an NLB load balancer with a Yandex Managed Service for Kubernetes cluster as a target to an ALB L7 load balancer using the management console
- Service migration recommendations
- Getting started
- Create a Smart Web Security profile
- Install an Application Load Balancer Ingress controller and create resources in your Managed Service for Kubernetes cluster
- Migrate the user load from the network load balancer to the L7 load balancer
To migrate a service from a network load balancer to an L7 load balancer:
- See recommendations for service migration.
- Complete the prerequisite steps.
- Create a Smart Web Security profile.
- Install an Application Load Balancer Ingress controller and create resources in your Managed Service for Kubernetes cluster. At this step, you will connect your Smart Web Security profile to the L7 load balancer.
- Migrate the user load from the network load balancer to the L7 load balancer.
Service migration recommendations
- In addition to DDoS protection at OSI L7 using Yandex Smart Web Security, we recommend enabling DDoS protection at L3-L4. To do this, reserve a public static IP address with DDoS protection in advance and use this address for the L7 load balancer's listener.
  If the network load balancer's listener already uses a public IP address with DDoS protection, you can keep it and use it for the L7 load balancer.
  If the network load balancer's listener uses a public IP address without DDoS protection, L3-L4 DDoS protection after migrating to an L7 load balancer can only be achieved by changing the public IP address of your service.
  When using L3-L4 DDoS protection, configure a trigger threshold for the L3-L4 protection mechanisms aligned with the amount of legitimate traffic to the protected resource. To set up this threshold, contact support.
  Also, set the MTU value to `1450` for the targets downstream of the load balancer. For more information, see Setting up MTU when enabling DDoS protection.
- We recommend performing the migration during the hours when the user load is at its lowest. If you plan to keep your public IP address, bear in mind that migration involves moving this IP address from the network load balancer to the L7 load balancer. Your service will be unavailable during this period. Under normal conditions, this may last for several minutes.
- When using an L7 load balancer, requests to backends come with a source IP address from the range of internal IP addresses of the subnets specified when creating the L7 load balancer. The original IP address of the request source (the user) is passed in the `X-Forwarded-For` header. If you want to log users' public IP addresses on the web server, reconfigure it accordingly.
- For the L7 load balancer, two resource units will be created in each of the subnets specified when creating the `Ingress` resource. The `Ingress` resource annotations do not support specifying the minimum number of resource units for an L7 load balancer. A group of resource units is automatically scaled depending on the external load on load balancer nodes.
- The features of the Application Load Balancer may differ from those of the load balancer currently deployed in your Managed Service for Kubernetes cluster. See the Application Load Balancer Ingress controller description and operating principles.
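The `X-Forwarded-For` recommendation above has a side that is easy to get wrong when reconfiguring the web server: everything in that header up to the entry appended by the load balancer is client-controlled, so a server that logs the leftmost value logs whatever the client chose to send. The Python function below, an added example that is not part of this guide or of the Application Load Balancer product, resolves the user's address by walking the chain from the right and skipping only addresses inside the balancer's own subnets. It assumes the balancer appends the client address to an existing `X-Forwarded-For` value (the usual proxy behaviour; the guide only states that the original address is placed in the header), and the subnet ranges and request samples are constructed.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed example ranges: the internal subnets that were passed to the L7 load
# balancer via ingress.alb.yc.io/subnets. Backends see the balancer's nodes as the
# TCP peer, and only those nodes are allowed to append to X-Forwarded-For.
ALB_SUBNETS = [
    ipaddress.ip_network("10.128.0.0/24"),
    ipaddress.ip_network("10.129.0.0/24"),
    ipaddress.ip_network("10.130.0.0/24"),
]


def parse_ip(addr: str):
    """Return an ip_address for a well-formed IPv4/IPv6 literal, else None."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def is_trusted_proxy(addr: str, trusted: Iterable) -> bool:
    """True when addr lies inside one of the trusted proxy networks."""
    ip = parse_ip(addr)
    return ip is not None and any(ip in net for net in trusted)


def client_ip(peer_ip: str, xff: Optional[str], trusted: Iterable = ALB_SUBNETS) -> str:
    """Return the address to log as the user's IP.

    If the TCP peer is not one of the load balancer nodes, nothing in the header
    can be trusted and the peer itself is the client. Otherwise walk the
    X-Forwarded-For chain from the right: trailing entries inside the trusted
    ranges were appended by hops under our control, and the first entry that is
    not is the address the balancer saw, i.e. the user. Everything further left
    was supplied by the client and is ignored, so a spoofed leading value
    (X-Forwarded-For: 1.2.3.4 sent by the client) never reaches the logs.
    """
    if not is_trusted_proxy(peer_ip, trusted):
        return peer_ip
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop, trusted):
            continue
        # First untrusted entry from the right: accept it only if it is a real
        # address, so malformed client-supplied text cannot end up in the log.
        return hop if parse_ip(hop) is not None else peer_ip
    # Empty header, or only proxy addresses: fall back to the peer address.
    return peer_ip


if __name__ == "__main__":
    # Constructed requests as a backend behind the L7 load balancer would see them.
    samples = [
        ("10.128.0.5", "203.0.113.7"),               # normal request
        ("10.128.0.5", "1.2.3.4, 203.0.113.7"),      # client tried to spoof
        ("10.129.0.7", "203.0.113.7, 10.130.0.3"),   # two balancer hops
        ("198.51.100.9", "1.2.3.4"),                 # header from an untrusted peer
    ]
    for peer, header in samples:
        print(f"peer={peer:<14} xff={header!r:<28} -> client={client_ip(peer, header)}")
```

The list of trusted networks should contain exactly the subnets given in `ingress.alb.yc.io/subnets`, nothing wider; the same logic is what `real_ip`-style modules in common web servers implement when they are told which proxies to trust.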
Getting started
- Create subnets in three availability zones. The L7 load balancer will use these subnets.
- Create security groups that allow the L7 load balancer to receive incoming traffic and send it to the targets, and allow the targets to receive incoming traffic from the load balancer.
- When using HTTPS, add the TLS certificate of your service to Yandex Certificate Manager.
- Reserve a static public IP address with L3-L4 DDoS protection for the L7 load balancer. See the service migration recommendations.
- The Managed Service for Kubernetes services used as backends must be of the `NodePort` type. If your services employ another type, change it to `NodePort`. For more details on this type, see the Kubernetes documentation.
Create a Smart Web Security profile
Create a Smart Web Security security profile by selecting From a preset template.
Use these settings when creating the profile:
- In the Action for the default base rule field, select `Allow`.
- For the Smart Protection rule, enable Only logging (dry run).
With these settings, the profile only logs information about the traffic without taking any action on it. This reduces the risk of cutting users off because of profile configuration issues. Later on, you can disable Only logging (dry run) and configure blocking rules for your use case in the security profile.
Install an Application Load Balancer Ingress controller and create resources in your Managed Service for Kubernetes cluster
- Install the Yandex Application Load Balancer Ingress controller.
- Create an `IngressClass` resource for the L7 load balancer's Ingress controller:
  - Create a YAML file and describe the `IngressClass` resource in it.
    `IngressClass` resource example:
    ```yaml
    apiVersion: networking.k8s.io/v1
    kind: IngressClass
    metadata:
      labels:
        app.kubernetes.io/component: controller
      name: ingress-alb
    spec:
      controller: ingress.alb.yc.io/yc-alb-ingress-controller
    ```
  - Use the following command to create the `IngressClass` resource:
    ```bash
    kubectl apply -f <IngressClass_resource_file>
    ```
- Create an `Ingress` resource:
  - Read the descriptions of the `Ingress` resource fields and annotations and see the example.
  - Create a YAML file and describe the `Ingress` resource in it:
    - Complete the annotations section for the L7 load balancer settings:
      - `ingress.alb.yc.io/subnets`: IDs of the subnets in the three availability zones for the L7 load balancer nodes. Specify the IDs separated by commas with no spaces.
      - `ingress.alb.yc.io/security-groups`: ID of one or more security groups for the L7 load balancer. For multiple groups, specify their IDs separated by commas with no spaces.
      - `ingress.alb.yc.io/external-ipv4-address`: Previously reserved static public IP address.
      - `ingress.alb.yc.io/group-name`: Name of the `Ingress` resource group. `Ingress` resources are grouped together, and each group is served by a separate Application Load Balancer instance with a dedicated public IP address.
      - `ingress.alb.yc.io/security-profile-id`: ID of the previously created Smart Web Security security profile.
        Warning
        The security profile will be linked to the virtual host of the L7 load balancer. Specifying your security profile is the key step to connecting Smart Web Security.
      - `ingress.alb.yc.io/autoscale-min-zone-size`: Minimum number of resource units per availability zone, based on the expected load.
        We recommend selecting the number of resource units based on the load expressed in:
        - Number of requests per second (RPS)
        - Number of concurrent active connections
        - Number of new connections per second
        - Traffic processed per second
    - For the `ingressClassName` field, enter the name of the `IngressClass` resource you created earlier.
    - When using HTTPS, complete the tls section:
      - `hosts`: Domain name of your service that the TLS certificate corresponds to.
      - `secretName`: TLS certificate of your service in Yandex Certificate Manager, in `yc-certmgr-cert-id-<certificate_ID>` format.
    - Complete the rules section in line with your rules for distributing incoming traffic among backends depending on the domain name (`host` field) and requested resource (`http.paths` field):
      - `host`: Your service domain name.
      - `pathType`: Type of reference to the requested resource:
        - `Exact`: Request URI path must match the `path` field value.
        - `Prefix`: Request URI path must start with the `path` field value.
      - `path`: Incoming request URI path (if `Exact`) or its prefix (if `Prefix`).
      - `backend`: Reference to a backend or group of backends to process requests with the specified domain name and URI path. Specify either a service backend (`service`) or a backend group (`resource`), but not both.
        - `service`: Managed Service for Kubernetes service to process the requests as a backend:
          - `name`: Managed Service for Kubernetes service name. The `Service` resource this field refers to must be described in line with this configuration.
          - `port`: Service port `Ingress` is going to address. For the service port, specify either a number (`number`) or a name (`name`), but not both.
          Warning
          The Managed Service for Kubernetes services used as backends must be of the `NodePort` type.
        - `resource`: Reference to the `HttpBackendGroup` group of backends to process the requests. A group like this may have Managed Service for Kubernetes services or Yandex Object Storage buckets as backends. When using a backend group, advanced Application Load Balancer functionality is available. You can also specify relative backend weights to allocate traffic to them in proportion.
          - `kind`: `HttpBackendGroup`
          - `name`: Backend group name. The name must match the value specified in the `metadata.name` field of the `HttpBackendGroup` resource. The `HttpBackendGroup` resource this field refers to must be described in line with this configuration.
          - `apiGroup`: `alb.yc.io`
    `Ingress` resource example:
    ```yaml
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: <resource_name>
      annotations:
        ingress.alb.yc.io/subnets: <ru-central1-a_subnet_ID,ru-central1-b_subnet_ID,ru-central1-d_subnet_ID>
        ingress.alb.yc.io/security-groups: <L7_load_balancer_security_group_ID>
        ingress.alb.yc.io/external-ipv4-address: <static_public_IP_address>
        ingress.alb.yc.io/group-name: <resource_group_name>
        ingress.alb.yc.io/security-profile-id: <Smart_Web_Security_security_profile_ID>
        ingress.alb.yc.io/autoscale-min-zone-size: <minimum_number_of_L7_load_balancer_resource_units_per_zone>
    spec:
      ingressClassName: <IngressClass_resource_name>
      tls:
        - hosts:
            - <service_domain_name>
          secretName: yc-certmgr-cert-id-<certificate_ID>
      rules:
        - host: <service_domain_name>
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: <Kubernetes_service_name>
                    port:
                      number: <port_number_e.g._443>
    ```
  - Use the following command to create the `Ingress` resource:
    ```bash
    kubectl apply -f <Ingress_resource_file>
    ```
- An L7 load balancer will be deployed based on the `Ingress` resource configuration. Wait until its creation is complete and the `Ingress` has a public IP address linked. You will need this IP address to check requests. You can view resource info using this command:
  ```bash
  kubectl get ingress <Ingress_resource_name> -w
  ```
- Run a test request to the service through the L7 load balancer, for example, using one of these methods:
  - Add this record to the `hosts` file on your workstation: `<L7_load_balancer_public_IP_address> <service_domain_name>`. Delete the record after the test.
  - Execute the request using cURL depending on the protocol type:
    ```bash
    curl http://<service_domain_name> \
      --resolve <service_domain_name>:<service_port>:<public_IP_address_of_L7_load_balancer>
    ```
    ```bash
    curl https://<service_domain_name> \
      --resolve <service_domain_name>:<service_port>:<public_IP_address_of_L7_load_balancer>
    ```
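Before running `kubectl apply`, it is worth checking mechanically the constraints this section spells out: three subnet IDs with no spaces, a security group, a valid static IPv4 address, the Smart Web Security profile ID (the step that actually connects the protection), a matching `ingressClassName`, the `yc-certmgr-cert-id-` secret format, exactly one of `service` or `resource` per backend, and `NodePort` services. The Python check below is an added example, not part of this guide or of the Ingress controller; the annotation keys are the controller's real ones from the description above, while every ID, name and address in the sample manifests is constructed. It takes the manifests as Python dicts (what a YAML loader returns) rather than reading YAML files itself.

```python
import copy
import ipaddress

# Annotation keys of the Application Load Balancer Ingress controller (from the guide).
ANN = "ingress.alb.yc.io/"
SUBNETS, SEC_GROUPS = ANN + "subnets", ANN + "security-groups"
EXT_IP, PROFILE = ANN + "external-ipv4-address", ANN + "security-profile-id"


def preflight(ingress: dict, services: dict, ingress_class: str) -> list:
    """Check an Ingress manifest (as a dict) against the guide's requirements.

    services maps service name -> Service manifest dict. Returns a list of
    human-readable problems; an empty list means the manifest passes.
    """
    problems = []
    ann = ingress.get("metadata", {}).get("annotations", {})
    spec = ingress.get("spec", {})

    # Three subnet IDs, comma-separated, no spaces around the commas.
    ids = ann.get(SUBNETS, "").split(",")
    if len(ids) != 3 or any(not i or i != i.strip() for i in ids):
        problems.append(f"{SUBNETS}: expected 3 subnet IDs separated by commas with no spaces")
    if not ann.get(SEC_GROUPS):
        problems.append(f"{SEC_GROUPS}: no security group; the balancer cannot reach its targets")
    try:
        ipaddress.IPv4Address(ann.get(EXT_IP, ""))
    except ValueError:
        problems.append(f"{EXT_IP}: {ann.get(EXT_IP)!r} is not a valid IPv4 address")
    # The key step: without the profile ID the balancer is created, but no
    # Smart Web Security profile is attached to its virtual host.
    if not ann.get(PROFILE):
        problems.append(f"{PROFILE}: missing, Smart Web Security will not be connected")
    if spec.get("ingressClassName") != ingress_class:
        problems.append(f"ingressClassName must be {ingress_class!r}")
    for tls in spec.get("tls", []):
        if not str(tls.get("secretName", "")).startswith("yc-certmgr-cert-id-"):
            problems.append(f"tls.secretName {tls.get('secretName')!r}: expected yc-certmgr-cert-id-<certificate_ID>")
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            backend = path.get("backend", {})
            if ("service" in backend) == ("resource" in backend):
                problems.append(f"path {path.get('path')!r}: set exactly one of backend.service or backend.resource")
                continue
            if "resource" in backend:
                continue  # HttpBackendGroup references are not checked here
            svc = backend["service"]
            port = svc.get("port", {})
            if ("number" in port) == ("name" in port):
                problems.append(f"service {svc.get('name')!r}: set exactly one of port.number or port.name")
            manifest = services.get(svc.get("name"))
            svc_type = manifest.get("spec", {}).get("type") if manifest else None
            if manifest is None:
                problems.append(f"service {svc.get('name')!r} is not defined")
            elif svc_type != "NodePort":
                problems.append(f"service {svc.get('name')!r} is of type {svc_type!r}, must be NodePort")
    return problems


# Constructed sample mirroring the Ingress example from the guide; all IDs are placeholders.
GOOD_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "alb-demo", "annotations": {
        SUBNETS: "subnet-id-a,subnet-id-b,subnet-id-d",
        SEC_GROUPS: "sg-id-alb",
        EXT_IP: "198.51.100.10",
        ANN + "group-name": "demo-group",
        PROFILE: "sws-profile-id",
        ANN + "autoscale-min-zone-size": "2",
    }},
    "spec": {
        "ingressClassName": "ingress-alb",
        "tls": [{"hosts": ["www.example.com"], "secretName": "yc-certmgr-cert-id-cert-id"}],
        "rules": [{"host": "www.example.com", "http": {"paths": [{
            "path": "/", "pathType": "Prefix",
            "backend": {"service": {"name": "web", "port": {"number": 443}}},
        }]}}],
    },
}
NODEPORT_SERVICES = {"web": {"kind": "Service", "spec": {"type": "NodePort"}}}

# The same manifest with three typical mistakes (constructed).
BAD_INGRESS = copy.deepcopy(GOOD_INGRESS)
BAD_INGRESS["metadata"]["annotations"].pop(PROFILE)          # profile forgotten
BAD_INGRESS["metadata"]["annotations"][SUBNETS] = "a, b, d"  # spaces after commas
CLUSTERIP_SERVICES = {"web": {"kind": "Service", "spec": {"type": "ClusterIP"}}}

if __name__ == "__main__":
    for label, ing, svcs in [("good", GOOD_INGRESS, NODEPORT_SERVICES),
                             ("bad", BAD_INGRESS, CLUSTERIP_SERVICES)]:
        print(label, preflight(ing, svcs, "ingress-alb") or ["OK"])
```

The `BAD_INGRESS` sample shows the three findings a forgotten profile ID, spaces after the commas in the subnet list and a `ClusterIP` service produce; the first of these is the one that silently leaves the service without Smart Web Security while the balancer itself comes up fine.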
Migrate the user load from the network load balancer to the L7 load balancer
Select one of the migration options:
Keep the public IP address for your service
- If your external network load balancer uses a dynamic public IP address, convert it to static.
- Delete all listeners in the network load balancer to release the static public IP address. This will make your service unavailable through the network load balancer.
- In the L7 load balancer, assign to the listener the public IP address previously used by the network load balancer:
  - Open the YAML file that describes the `Ingress` resource.
  - Under `annotations`, for the `ingress.alb.yc.io/external-ipv4-address` field, specify the public IP address previously assigned to the network load balancer.
  - Apply the changes using this command:
    ```bash
    kubectl apply -f <Ingress_resource_file>
    ```
- Wait for the `Ingress` resource to finish changing its public IP address. You can view resource information using this command:
  ```bash
  kubectl get ingress <Ingress_resource_name> -w
  ```
  After the IP address changes, your service will again be available, now through the L7 load balancer.
- Go to the L7 load balancer:
  - In the management console, go to the folder the Managed Service for Kubernetes cluster is in.
  - Select Managed Service for Kubernetes.
  - Select the cluster.
  - Select Network on the left, and the Ingress tab on the right. For your `Ingress` resource, follow the L7 load balancer link in the Load balancer column.
  - Monitor the L7 load balancer user load in the load balancer statistics charts.
- Delete the released static public IP address previously reserved for the L7 load balancer.
- Optionally, delete the network load balancer after migrating the user load to the L7 load balancer.
Do not keep the public IP address for your service
- To migrate user load from a network load balancer to an L7 load balancer, in the DNS service of your domain's public zone, change the A record value for the service domain name to the public IP address of the L7 load balancer. If the public domain zone was created in Yandex Cloud DNS, change the record using this guide.
  Note
  The propagation of DNS record updates depends on the time-to-live (TTL) value and the number of links in the DNS request chain. This process can take a long time.
- As the DNS record updates propagate, monitor the increase of requests coming to the L7 load balancer:
  - In the management console, go to the folder the Managed Service for Kubernetes cluster is in.
  - Select Managed Service for Kubernetes.
  - Select the cluster.
  - Select Network on the left, and the Ingress tab on the right. For your `Ingress` resource, follow the L7 load balancer link in the Load balancer column.
  - Monitor the L7 load balancer's user load in the load balancer statistics charts.
- You can monitor the decrease of the network load balancer load using the `processed_bytes` and `processed_packets` load balancer metrics. You can create a dashboard to visualize these metrics. The absence of load on the network load balancer for a prolonged period indicates that the user load has been transferred to the L7 load balancer.
- (Optional) Delete the network load balancer after migrating the user load to the L7 load balancer.