Services & Load Balancers

Service Load Balancers in Kubernetes

Service Load Balancers in Kubernetes allow external and internal traffic to be distributed across pods. They are commonly used to expose applications to users, APIs, or other services while ensuring high availability, scalability, and reliability.

Thalassa Cloud supports native VPC Load Balancers, designed specifically for secure, high-performance traffic distribution. Supported protocols include:

TCP and UDP for application-level traffic.
PROXY protocol for passing client connection information.

How Load Balancers Work in Thalassa Cloud

In Thalassa Cloud, LoadBalancer-type Services integrate directly with the VPC networking layer. When a service of type LoadBalancer is created, the system provisions a highly available load balancer and assigns it an external or internal IP, depending on the configuration.

Key Components

Component	Description
Service	The Kubernetes object that defines how traffic is forwarded.
VPC Load Balancer	Routes traffic to backend pods based on predefined rules.
Health Checks	Ensures only healthy pods receive traffic.
Annotations	Custom settings for controlling load balancer behavior.

Managing Load Balancers in Thalassa Cloud

To list existing load balancer services, use:

kubectl get services --field-selector spec.type=LoadBalancer

Creating a Load Balancer

To expose a service using a Thalassa Cloud VPC Load Balancer, define a LoadBalancer service:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: production
spec:
  selector:
    app: web-app
  type: LoadBalancer
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080

Configuring Load Balancer Annotations

Thalassa Cloud Load Balancers can be customized using annotations to optimize networking, security, and performance.

Annotation	Description
`loadbalancer.k8s.thalassa.cloud/subnet`	Defines which subnet to use. Defaults to the first available subnet in the VPC.
`loadbalancer.k8s.thalassa.cloud/internal`	Boolean flag to create an internal-only load balancer. Default is `false`.
`loadbalancer.k8s.thalassa.cloud/enable-proxy-protocol`	Enables the PROXY protocol for passing original client IP. Default is `false`.
`loadbalancer.k8s.thalassa.cloud/server-timeout`	Maximum time (in seconds) for the backend server to respond.
`loadbalancer.k8s.thalassa.cloud/client-timeout`	Maximum time (in seconds) for a client to wait for a response.
`loadbalancer.k8s.thalassa.cloud/connect-timeout`	Maximum time (in seconds) for establishing a new connection.
`loadbalancer.k8s.thalassa.cloud/security-groups`	Comma-separated list of security group IDs to apply to the load balancer.
`loadbalancer.k8s.thalassa.cloud/create-security-group`	Boolean flag to automatically create a security group for the load balancer. Default is `false`. When `true`, a security group is created with the same name as the load balancer and rules matching the load balancer configuration. The security group is automatically deleted when the load balancer is deleted.

Health Checks and Traffic Routing

Load balancers ensure traffic is only sent to healthy pods. Kubernetes uses readiness probes and liveness probes to check pod health. Additionally, Thalassa Cloud Load Balancers provide configurable health checks.

Annotation	Description
`loadbalancer.k8s.thalassa.cloud/health-check-path`	Defines the HTTP health check endpoint (default: `/healthz`).
`loadbalancer.k8s.thalassa.cloud/health-check-port`	The port number to use for health checks (default: `80`).
`loadbalancer.k8s.thalassa.cloud/health-check-protocol`	the protocol to use for health checks
`loadbalancer.k8s.thalassa.cloud/health-check-interval`	Time (in seconds) between health checks.
`loadbalancer.k8s.thalassa.cloud/health-check-timeout`	Time (in seconds) to wait for a health check response.
`loadbalancer.k8s.thalassa.cloud/health-check-up-threshold`	Number of successful health checks required before a backend is marked healthy.
`loadbalancer.k8s.thalassa.cloud/health-check-down-threshold`	Number of failed health checks before a backend is considered unhealthy.

Access Control (ACLs)

Restrict traffic to only trusted sources using Access Control Lists (ACLs). You can configure ACLs globally for all ports or per-port for fine-grained control.

Annotation	Description
`loadbalancer.k8s.thalassa.cloud/acl-allowed-sources`	Comma-separated list of CIDR ranges that are allowed access. Default is open to all sources. Applies to all ports when configured.
`loadbalancer.k8s.thalassa.cloud/acl-port-{port-name-or-number}`	Per-port ACL configuration. Format: `loadbalancer.k8s.thalassa.cloud/acl-port-{port-name-or-number}` (e.g., `acl-port-http` or `acl-port-80`). Value is a comma-separated list of CIDR ranges (same format as global `acl-allowed-sources`). When both global and per-port ACLs are configured, they are combined.

Example: Restricting Access to an Internal CIDR

apiVersion: v1
kind: Service
metadata:
  name: restricted-service
  namespace: secure-apps
  annotations:
    loadbalancer.k8s.thalassa.cloud/acl-allowed-sources: "10.0.0.0/8, 192.168.1.0/24"
spec:
  selector:
    app: secure-api
  type: LoadBalancer
  ports:
    - protocol: TCP
      port: 443
      targetPort: 8443

This ensures that only internal networks can access the service. The above annotation will configure the ACL rule for each port’s listener on the Load Balancer.

Example: Per-Port ACL Configuration

You can configure different ACL rules for different ports. This is useful when you need different access restrictions for different services exposed on the same load balancer:

apiVersion: v1
kind: Service
metadata:
  name: multi-port-service
  namespace: production
  annotations:
    loadbalancer.k8s.thalassa.cloud/acl-allowed-sources: "10.1.0.0/8"
    loadbalancer.k8s.thalassa.cloud/acl-port-80: "10.0.0.0/8, 192.168.1.0/24"
    loadbalancer.k8s.thalassa.cloud/acl-port-443: "10.0.0.0/8"
spec:
  selector:
    app: web-app
  type: LoadBalancer
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080
    - name: https
      protocol: TCP
      port: 443
      targetPort: 8443

In this example:

Port 80 will accept traffic from three source ranges: 10.1.0.0/8 (from the global ACL), 10.0.0.0/8, and 192.168.1.0/24.
Port 443 will accept traffic from two source ranges: 10.1.0.0/8 (from the global ACL) and 10.0.0.0/8.

The global ACL (10.1.0.0/8) is always included for every port, and any per-port ACLs you set are added to the allowed sources for that specific port. This means each port will allow connections from its own specified list, plus any sources defined in the global ACL.

Security Groups

Security groups provide an additional layer of network security by controlling inbound and outbound traffic at the load balancer level. You can apply existing security groups to a load balancer, or automatically create a new security group that matches your load balancer configuration.

Example: Applying Existing Security Groups to a Load Balancer

apiVersion: v1
kind: Service
metadata:
  name: secured-service
  namespace: production
  annotations:
    loadbalancer.k8s.thalassa.cloud/security-groups: "sg-12345678, sg-87654321"
spec:
  selector:
    app: web-app
  type: LoadBalancer
  ports:
    - protocol: TCP
      port: 443
      targetPort: 8443

This configuration applies the specified security groups to the load balancer, which will enforce the rules defined in those security groups for all traffic passing through the load balancer.

Example: Automatically Creating a Security Group

You can have Thalassa Cloud automatically create a security group for your load balancer. The security group will be created with the same name as the load balancer and will include rules that match your load balancer’s configuration:

apiVersion: v1
kind: Service
metadata:
  name: auto-secured-service
  namespace: production
  annotations:
    loadbalancer.k8s.thalassa.cloud/create-security-group: "true"
spec:
  selector:
    app: web-app
  type: LoadBalancer
  ports:
    - protocol: TCP
      port: 443
      targetPort: 8443

When create-security-group is set to true, a security group named auto-secured-service (matching the service name) will be automatically created and applied to the load balancer. The managed security group understands your port ACLs (both global and per-port) and automatically configures the correct security group rules based on those ACLs. The security group will be automatically deleted when the load balancer is deleted, ensuring no orphaned resources remain.

Example: Automatic Security Group with Port ACLs

When using create-security-group with port ACLs, the security group rules are automatically configured to match your ACL settings:

apiVersion: v1
kind: Service
metadata:
  name: acl-secured-service
  namespace: production
  annotations:
    loadbalancer.k8s.thalassa.cloud/create-security-group: "true"
    loadbalancer.k8s.thalassa.cloud/acl-allowed-sources: "10.1.0.0/8"
    loadbalancer.k8s.thalassa.cloud/acl-port-80: "10.0.0.0/8, 192.168.1.0/24"
    loadbalancer.k8s.thalassa.cloud/acl-port-443: "10.0.0.0/8"
spec:
  selector:
    app: web-app
  type: LoadBalancer
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080
    - name: https
      protocol: TCP
      port: 443
      targetPort: 8443

In this example, the automatically created security group will have rules configured to match the ACL settings:

Port 80 will allow traffic from 10.1.0.0/8, 10.0.0.0/8, and 192.168.1.0/24
Port 443 will allow traffic from 10.1.0.0/8 and 10.0.0.0/8

The security group rules are automatically synchronized with your ACL configuration, ensuring consistent network security policies.

Networking Horizontal Pod Autoscaling