NAT on load balancer

Hello,

I have a cluster which has worker nodes where my application is running.
The worker nodes IPs are like 192.168.2.X.
I have a load balancer connected to the worker nodes to communicate with the external world.
When the application initiates a message it reaches the LB with the source IP as the node IP, i.e. 192.168.2.X.
On the LB I generally add a NAT rule and convert 192.168.2.X to actual application IP.

Now the problem is there are 2 applications which are sending out messages to the same destination using the same destination port; the source port is random and the source IP, since it's always the node IP, is 192.168.2.X, so I am not able to add a NAT rule in the LB to differentiate these 2 applications.

Can someone suggest a workaround?

Why does your LB not receive the Pod IPs, rather than the VM IPs? You need to either map the src IP back to a Pod and thereby to an “application”, or you need to carry metadata, e.g. shard the source port range or carry data in-band (such as an HTTP header).

There was a kubelet flag so the host always SNATs the pod IP. Maybe, if your pod CIDR is routable, you can remove that? (If you have it)

In any case, the second option Tim mentions seems better. If you have the pod IP, you still need to see which pod it is (the pod IP is not fixed, usually), and that logic is very Kubernetes-specific. Using HTTP headers should be easier and more reliable to implement, IMHO.
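To make the two suggestions above concrete (shard the source-port range per application, or carry the application identity in-band in an HTTP header), here is an added example of the classification logic an LB would need to run before picking a NAT rule. This is illustration code written for this thread, not code from the original posters or from any load balancer product; the shard boundaries, the `X-App-Id` header name, the NAT target addresses and the sample flows are all constructed assumptions.

```python
"""Added example: telling two applications apart at the LB when both egress
from the same node IP (192.168.2.X). Neither the port shards, the header name,
nor the NAT IPs come from the thread; they are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional

NODE_CIDR_PREFIX = "192.168.2."          # node IPs the LB sees (from the thread)

# Assumed: each application's pods are pinned to a distinct source-port shard
# (e.g. via net.ipv4.ip_local_port_range inside the pod's network namespace).
APP_PORT_SHARDS: Dict[str, range] = {
    "app-a": range(30000, 35000),
    "app-b": range(35000, 40000),
}
# Assumed: the "actual application IP" the LB rewrites the source to, per app.
APP_NAT_IP: Dict[str, str] = {
    "app-a": "203.0.113.10",
    "app-b": "203.0.113.20",
}
APP_HEADER = "x-app-id"                  # assumed in-band marker header


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""   # leading bytes of the connection, if the LB can inspect them


def app_by_port_shard(flow: Flow) -> Optional[str]:
    """Strategy 1: disambiguate by which source-port shard the flow falls in."""
    for app, shard in APP_PORT_SHARDS.items():
        if flow.src_port in shard:
            return app
    return None


def app_by_http_header(flow: Flow) -> Optional[str]:
    """Strategy 2: read the application id carried in-band in an HTTP header.
    Only ids the LB already knows are accepted; anything else is 'unknown'."""
    head, sep, _ = flow.payload.partition(b"\r\n\r\n")
    if not sep:
        return None                       # no complete HTTP header block to inspect
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == APP_HEADER.encode():
            app = value.strip().decode("ascii", "replace")
            return app if app in APP_NAT_IP else None
    return None


def classify(flow: Flow) -> Optional[str]:
    """Header wins when present, else fall back to the port shard.
    None means the LB cannot tell the applications apart (the thread's problem)."""
    if not flow.src_ip.startswith(NODE_CIDR_PREFIX):
        return None
    return app_by_http_header(flow) or app_by_port_shard(flow)


def snat_source(flow: Flow) -> Optional[str]:
    """The source IP the LB would SNAT to, or None if the flow is ambiguous."""
    app = classify(flow)
    return APP_NAT_IP.get(app) if app else None


# Constructed sample flows (not captured traffic).
FLOW_A_SHARD = Flow("192.168.2.5", 31234, "198.51.100.7", 443)
FLOW_B_SHARD = Flow("192.168.2.5", 37777, "198.51.100.7", 443)
FLOW_B_HEADER = Flow("192.168.2.5", 51000, "198.51.100.7", 80,
                     b"POST /ingest HTTP/1.1\r\nHost: x\r\nX-App-Id: app-b\r\n\r\n{}")
FLOW_UNKNOWN = Flow("192.168.2.5", 51001, "198.51.100.7", 443)  # IP-only: ambiguous

if __name__ == "__main__":
    for f in (FLOW_A_SHARD, FLOW_B_SHARD, FLOW_B_HEADER, FLOW_UNKNOWN):
        print(f"{f.src_ip}:{f.src_port} -> app={classify(f)} snat={snat_source(f)}")
```

Two design points worth noting. The port-shard approach works for any protocol but only holds if each pod's ephemeral port range is really pinned and the ranges never overlap, so it is worth monitoring for flows that land outside every shard. The header approach needs the LB to see plaintext HTTP (so it must terminate TLS if there is any), and the header is a claim made by the workload rather than an authenticated identity; the LB should accept it only from the node CIDR it expects and only for ids it already knows, as `app_by_http_header` does.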
