NGINX Ingress Controller + front F5 Load Balancer


#1

Hi, I’m relatively new to Kubernetes. I have quite some knowledge after reading 5 or 6 books on Kubernetes, but I have never built a cluster before. We plan to build an on-premise K8s cluster. I have a question about the nginx ingress controller.

In our current architecture we have a F5 load balancer fronting a cluster of nginx web servers, which sits in front of our app servers. We rely on the nginx web servers to handle user authentication. Nginx servers are configured as reverse proxy as well to all the backend app services. We’d like to keep using the same security design by letting nginx handle user authentication.

Our app servers consist of Node.js servers and Tomcat and Spring Boot servers.

Nginx Ingress Controller seems to play two roles, first as a reverse proxy to route traffic to different services, second as a load balancer.

Does it mean I don’t need a front end load balancer like F5 any more with an Nginx Ingress Controller? If so, I’m wondering about the security impact. Currently we put F5 in the public and all nginx servers are in the DMZ. Is it safe to leave the nginx server, as the ingress controller, in the public?

Second question is HA of the nginx server itself as the ingress controller. Can I configure an HA Nginx Ingress Controller?

Or should I still put F5 in front of Nginx Ingress Controller?

Thanks for any insight!


#2

Hi!

Basically, you need to direct traffic to your kubernetes cluster. How you do it really depends on your setup. But it is not a bad idea to have the F5 hold the public IPs and direct traffic (to pods or to the ingress controller, as you prefer).

If you want F5 directly routing to pods, you will need your services to use type NodePort. And then, the F5 knows on which port to route to every app.

If you want F5 routing to your ingress, then your ingress service has type NodePort, F5 routes to it and the ingress routes to pods.

To be more precise, the ingress will route to a service (that is probably of type ClusterIP), then the ingress routes traffic to that IP and kube-proxy does the load balancing. So, answering your question, nginx ingress is not acting so much as a load balancer, but it does that job in conjunction with kube-proxy.

It is safe to leave the ingress to the public, as long as you limit the ports available and you can actually do it (i.e. route traffic to it). That part is not trivial and F5, MetalLB, or something else might come in handy. I can later search for a nice link explaining this problem if you want, just let me know.

Regarding your second question, yes, your nginx ingress can have multiple replicas as any deployment. If traffic is routed correctly and handles failures fine, you can just route to several replicas in an HA setup.

And regarding your third question, I think it depends. But it is not a bad idea at all to do it 🙂

Hope it helps,

Rodrigo
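The layout Rodrigo describes (F5 in front, the ingress controller exposed through a NodePort Service, backends kept as ClusterIP Services, and more than one controller replica for HA), written out as Kubernetes manifests. This is an added example, not code from the thread or from the ingress-nginx project: the namespaces, Service names, host name, node ports and image tag are constructed placeholders, the controller's flags are abbreviated, and the `auth-url` annotation is shown only as one way to keep authentication at the nginx layer, pointing at a hypothetical in-cluster auth service.

```yaml
# Added example (not from the thread). All names, ports, hosts and the image tag
# are placeholders; adjust to your cluster and the controller version you install.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  replicas: 2                      # HA: more than one controller pod, as a normal Deployment
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
    spec:
      affinity:
        podAntiAffinity:           # spread replicas over different nodes so losing one node keeps ingress up
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/name: ingress-nginx
            topologyKey: kubernetes.io/hostname
      containers:
      - name: controller
        image: registry.k8s.io/ingress-nginx/controller:vX.Y.Z   # placeholder tag; other flags omitted
        args:
        - /nginx-ingress-controller
        - --ingress-class=nginx
        ports:
        - name: https
          containerPort: 443
        readinessProbe:            # point the F5 health monitor at the same signal the cluster uses
          httpGet:
            path: /healthz
            port: 10254
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: NodePort                   # F5 pool members: <node-ip>:30443 on each worker node
  selector:
    app.kubernetes.io/name: ingress-nginx
  ports:
  - name: https                    # only TLS is exposed; no plain-HTTP node port is opened
    port: 443
    targetPort: https
    nodePort: 30443
---
apiVersion: v1
kind: Service                      # backend stays ClusterIP: reachable only from inside the cluster
metadata:
  name: node-app
  namespace: apps
spec:
  type: ClusterIP
  selector:
    app: node-app
  ports:
  - port: 8080
    targetPort: 3000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: apps
  namespace: apps
  annotations:
    # keep authentication at the nginx layer: every request is checked against an
    # in-cluster auth service first (hypothetical service name)
    nginx.ingress.kubernetes.io/auth-url: "http://auth.apps.svc.cluster.local/verify"
spec:
  ingressClassName: nginx
  rules:
  - host: apps.example.com
    http:
      paths:
      - path: /node
        pathType: Prefix
        backend:
          service:
            name: node-app       # ingress -> ClusterIP service -> kube-proxy spreads across pods
            port:
              number: 8080
```

With this layout the F5 keeps the public IPs and only needs to reach the nodes on the single NodePort, the backends are never routable from outside the cluster, and the controller's two replicas on different nodes let the F5 pool survive a node failure; watch the controller pods' readiness from the F5 side so a failed replica is dropped from the pool rather than receiving traffic.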