Service Load Balancers in Kubernetes
Service Load Balancers in Kubernetes allow external and internal traffic to be distributed across pods. They are commonly used to expose applications to users, APIs, or other services while ensuring high availability, scalability, and reliability.
Thalassa Cloud supports native VPC Load Balancers, designed specifically for secure, high-performance traffic distribution. Supported protocols include:
- TCP and UDP for application-level traffic.
- HTTP/HTTPS with support for secure encryption.
- PROXY protocol for passing client connection information.
How Load Balancers Work in Thalassa Cloud
In Thalassa Cloud, LoadBalancer-type Services integrate directly with the VPC networking layer. When a Service of type LoadBalancer is created, the system provisions a highly available load balancer and assigns it an external or internal IP, depending on the configuration.
Key Components
Component | Description |
---|---|
Service | The Kubernetes object that defines how traffic is forwarded. |
VPC Load Balancer | Routes traffic to backend pods based on predefined rules. |
Health Checks | Ensures only healthy pods receive traffic. |
Annotations | Custom settings for controlling load balancer behavior. |
Managing Load Balancers in Thalassa Cloud
To list existing load balancer services, use:
```shell
kubectl get services --field-selector spec.type=LoadBalancer
```
Creating a Load Balancer
To expose a service using a Thalassa Cloud VPC Load Balancer, define a Service of type LoadBalancer:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: production
spec:
  selector:
    app: web-app
  type: LoadBalancer
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
```
Configuring Load Balancer Annotations
Thalassa Cloud Load Balancers can be customized using annotations to optimize networking, security, and performance.
Annotation | Description |
---|---|
loadbalancer.k8s.thalassa.cloud/subnet | Defines which subnet to use. Defaults to the first available subnet in the VPC. |
loadbalancer.k8s.thalassa.cloud/internal | Boolean flag to create an internal-only load balancer. Default is false. |
loadbalancer.k8s.thalassa.cloud/enable-proxy-protocol | Enables the PROXY protocol for passing the original client IP to the backend. Default is false. |
loadbalancer.k8s.thalassa.cloud/server-timeout | Maximum time (in seconds) for the backend server to respond. |
loadbalancer.k8s.thalassa.cloud/client-timeout | Maximum time (in seconds) for a client to wait for a response. |
loadbalancer.k8s.thalassa.cloud/connect-timeout | Maximum time (in seconds) for establishing a new connection. |
Health Checks and Traffic Routing
Load balancers ensure traffic is only sent to healthy pods. Kubernetes uses readiness probes and liveness probes to check pod health. Additionally, Thalassa Cloud Load Balancers provide configurable health checks.
Annotation | Description |
---|---|
loadbalancer.k8s.thalassa.cloud/health-check-path | Defines the HTTP health check endpoint (default: /healthz). |
loadbalancer.k8s.thalassa.cloud/health-check-port | The port number to use for health checks (default: 80). |
loadbalancer.k8s.thalassa.cloud/health-check-interval | Time (in seconds) between health checks. |
loadbalancer.k8s.thalassa.cloud/health-check-timeout | Time (in seconds) to wait for a health check response. |
loadbalancer.k8s.thalassa.cloud/health-check-up-threshold | Number of successful health checks required before a backend is marked healthy. |
loadbalancer.k8s.thalassa.cloud/health-check-down-threshold | Number of failed health checks before a backend is considered unhealthy. |
Access Control (ACLs)
Restrict traffic to only trusted sources using Access Control Lists (ACLs).
Annotation | Description |
---|---|
loadbalancer.k8s.thalassa.cloud/acl-allowed-sources | Comma-separated list of CIDR ranges that are allowed access. Default is open to all sources. |
Example: Restricting Access to an Internal CIDR
```yaml
apiVersion: v1
kind: Service
metadata:
  name: restricted-service
  namespace: secure-apps
  annotations:
    loadbalancer.k8s.thalassa.cloud/acl-allowed-sources: "10.0.0.0/8, 192.168.1.0/24"
spec:
  selector:
    app: secure-api
  type: LoadBalancer
  ports:
    - protocol: TCP
      port: 443
      targetPort: 8443
```
This ensures that only the listed internal networks can reach the service. The annotation configures the same ACL rule on each port's listener on the Load Balancer.
Known Issues
Proxy Protocol and ExternalTrafficPolicy Local
When Proxy Protocol is enabled, health checking is also performed using Proxy Protocol. When this is combined with a Service that has externalTrafficPolicy: Local, the health probes against each Kubernetes node's healthCheckNodePort will fail, as the Kubelet does not speak Proxy Protocol.
This issue has been minimized by recent versions of the Cloud Controller Manager (CCM), which uses EndpointSlices to detect which nodes to configure as part of a target group.
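The ACL section above and this known issue both describe settings worth checking before a Service is applied. The following audit script is an added example, not part of the Thalassa Cloud docs or CCM: it reads Service objects in the JSON shape `kubectl get svc -A -o json` produces, parses the comma-separated `acl-allowed-sources` list (tolerating the spaces used in the example above), flags LoadBalancer Services that are exposed without an ACL or with a catch-all range, and flags the PROXY-protocol plus `externalTrafficPolicy: Local` combination. The sample Services embedded at the bottom are constructed for the example.

```python
import ipaddress
import json
# Annotation keys from the tables above.
ACL = "loadbalancer.k8s.thalassa.cloud/acl-allowed-sources"
PROXY = "loadbalancer.k8s.thalassa.cloud/enable-proxy-protocol"
INTERNAL = "loadbalancer.k8s.thalassa.cloud/internal"


def parse_allowed_sources(value):
    """Parse the comma-separated CIDR list; whitespace around items is tolerated."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()]


def audit_service(svc):
    """Return findings for one Service object (dict as parsed from kubectl JSON)."""
    findings = []
    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        return findings  # only LoadBalancer Services get a VPC Load Balancer
    meta = svc.get("metadata", {})
    ann = meta.get("annotations") or {}
    name = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
    if ACL not in ann:
        if ann.get(INTERNAL, "false").lower() != "true":
            findings.append(f"{name}: no ACL annotation, listeners are open to all sources")
    else:
        try:
            nets = parse_allowed_sources(ann[ACL])
        except ValueError as err:
            findings.append(f"{name}: unparsable ACL entry ({err})")
        else:
            if any(n.prefixlen == 0 for n in nets):
                findings.append(f"{name}: ACL contains a catch-all range, same as no ACL")
    if (ann.get(PROXY, "false").lower() == "true"
            and spec.get("externalTrafficPolicy") == "Local"):
        findings.append(f"{name}: PROXY protocol with externalTrafficPolicy Local; "
                        "health probes to healthCheckNodePort may fail")
    return findings


def audit_services_json(raw):
    """Audit `kubectl get svc -A -o json` output (a List with .items)."""
    return [f for item in json.loads(raw).get("items", []) for f in audit_service(item)]


# Constructed sample in kubectl's JSON shape (not real cluster data).
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "restricted-service", "namespace": "secure-apps",
                  "annotations": {ACL: "10.0.0.0/8, 192.168.1.0/24"}},
     "spec": {"type": "LoadBalancer"}},
    {"metadata": {"name": "web", "namespace": "production",
                  "annotations": {PROXY: "true", INTERNAL: "true"}},
     "spec": {"type": "LoadBalancer", "externalTrafficPolicy": "Local"}}]})
```

Run `audit_services_json(SAMPLE)` to get the findings list; only the `production/web` Service is reported, for the Proxy Protocol combination.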