# Service Load Balancers in Kubernetes
Service Load Balancers in Kubernetes allow external and internal traffic to be distributed across pods. They are commonly used to expose applications to users, APIs, or other services while ensuring high availability, scalability, and reliability.
Thalassa Cloud supports native VPC Load Balancers, designed specifically for secure, high-performance traffic distribution. Supported protocols include:
- TCP and UDP for application-level traffic.
- HTTP/HTTPS with support for secure encryption.
- PROXY protocol for passing client connection information.
## How Load Balancers Work in Thalassa Cloud

In Thalassa Cloud, LoadBalancer-type Services integrate directly with the VPC networking layer. When a Service of type `LoadBalancer` is created, the system provisions a highly available load balancer and assigns it an external or internal IP, depending on the configuration.

Key Components:

| Component | Description |
|---|---|
| Service | The Kubernetes object that defines how traffic is forwarded. |
| VPC Load Balancer | Routes traffic to backend pods based on predefined rules. |
| Health Checks | Ensure only healthy pods receive traffic. |
| Annotations | Custom settings for controlling load balancer behavior. |
## Managing Load Balancers in Thalassa Cloud

To list existing load balancer services, use:

```shell
kubectl get services --field-selector spec.type=LoadBalancer
```

### Creating a Load Balancer

To expose a service using a Thalassa Cloud VPC Load Balancer, define a `LoadBalancer` Service:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: production
  annotations:
    loadbalancer.k8s.thalassa.cloud/type: "public"
spec:
  selector:
    app: web-app
  type: LoadBalancer
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
```
## Configuring Load Balancer Annotations

Thalassa Cloud Load Balancers can be customized using annotations to optimize networking, security, and performance.

| Annotation | Description |
|---|---|
| `loadbalancer.k8s.thalassa.cloud/subnet` | Defines which subnet to use. Defaults to the first available subnet in the VPC. |
| `loadbalancer.k8s.thalassa.cloud/type` | Specifies the type of load balancer. Default is `public`. |
| `loadbalancer.k8s.thalassa.cloud/internal` | Boolean flag to create an internal-only load balancer. Default is `false`. |
| `loadbalancer.k8s.thalassa.cloud/enable-proxy-protocol` | Enables the PROXY protocol for passing the original client IP. Default is `false`. |
| `loadbalancer.k8s.thalassa.cloud/enable-sticky-sessions` | Enables sticky sessions to persist client connections to the same backend. Default is `false`. |
| `loadbalancer.k8s.thalassa.cloud/server-timeout` | Maximum time (in seconds) for the backend server to respond. |
| `loadbalancer.k8s.thalassa.cloud/client-timeout` | Maximum time (in seconds) for a client to wait for a response. |
| `loadbalancer.k8s.thalassa.cloud/connect-timeout` | Maximum time (in seconds) for establishing a new connection. |
## Health Checks and Traffic Routing

Load balancers ensure traffic is only sent to healthy pods. Kubernetes uses readiness probes and liveness probes to check pod health. Additionally, Thalassa Cloud Load Balancers provide configurable health checks.

| Annotation | Description |
|---|---|
| `loadbalancer.k8s.thalassa.cloud/health-check-path` | Defines the HTTP health check endpoint (default: `/healthz`). |
| `loadbalancer.k8s.thalassa.cloud/health-check-port` | The port number to use for health checks (default: `80`). |
| `loadbalancer.k8s.thalassa.cloud/health-check-interval` | Time (in seconds) between health checks. |
| `loadbalancer.k8s.thalassa.cloud/health-check-timeout` | Time (in seconds) to wait for a health check response. |
| `loadbalancer.k8s.thalassa.cloud/health-check-up-threshold` | Number of successful health checks required before a backend is marked healthy. |
| `loadbalancer.k8s.thalassa.cloud/health-check-down-threshold` | Number of failed health checks before a backend is considered unhealthy. |
## Access Control (ACLs)

Restrict traffic to only trusted sources using Access Control Lists (ACLs).

| Annotation | Description |
|---|---|
| `loadbalancer.k8s.thalassa.cloud/acl-allowed-sources` | Comma-separated list of CIDR ranges that are allowed access. Default is open to all sources. |

### Example: Restricting Access to an Internal CIDR

```yaml
apiVersion: v1
kind: Service
metadata:
  name: restricted-service
  namespace: secure-apps
  annotations:
    loadbalancer.k8s.thalassa.cloud/acl-allowed-sources: "10.0.0.0/8, 192.168.1.0/24"
spec:
  selector:
    app: secure-api
  type: LoadBalancer
  ports:
    - protocol: TCP
      port: 443
      targetPort: 8443
```

This ensures that only clients in the listed internal networks can reach the service.
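The annotation tables above and the ACL example are easy to get subtly wrong: a missing `acl-allowed-sources` or a `0.0.0.0/0` entry leaves the load balancer open to every source, an entry with host bits set (`10.1.2.3/8`) is not a valid CIDR, and the documented health-check default of port `80` may not match a Service that only exposes `443`/`8443`. The following script is an added example for this page, not part of Thalassa Cloud's tooling: it takes the `restricted-service` manifest above (written as a Python dict so no YAML library is needed), answers whether a given client address is inside the ACL, and runs a small set of policy checks over the annotations. The check set and finding texts are this example's own conventions; only the annotation names and their documented defaults come from the page.

```python
"""Policy checks for Thalassa Cloud LoadBalancer Service manifests (added example)."""
import copy
import ipaddress

PREFIX = "loadbalancer.k8s.thalassa.cloud/"
DEFAULT_HEALTH_CHECK_PORT = 80  # documented default for health-check-port
TIMEOUT_ANNOTATIONS = ("server-timeout", "client-timeout", "connect-timeout")

# Constructed manifest: the restricted-service YAML from the page as a dict.
RESTRICTED_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "restricted-service",
        "namespace": "secure-apps",
        "annotations": {PREFIX + "acl-allowed-sources": "10.0.0.0/8, 192.168.1.0/24"},
    },
    "spec": {
        "selector": {"app": "secure-api"},
        "type": "LoadBalancer",
        "ports": [{"protocol": "TCP", "port": 443, "targetPort": 8443}],
    },
}


def parse_acl(value):
    """Split the comma-separated CIDR list (spaces after commas are tolerated, as in
    the page's example). Returns (networks, errors); an entry with host bits set,
    such as 10.1.2.3/8, is reported instead of being silently widened."""
    networks, errors = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            networks.append(ipaddress.ip_network(item))  # strict: host bits must be zero
        except ValueError as exc:
            errors.append(f"{item!r}: {exc}")
    return networks, errors


def is_source_allowed(manifest, client_ip):
    """True if client_ip matches an ACL entry, or if no ACL is set (the page documents
    a missing annotation as open to all sources)."""
    acl = manifest["metadata"].get("annotations", {}).get(PREFIX + "acl-allowed-sources")
    if acl is None:
        return True
    networks, _ = parse_acl(acl)
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


def with_annotations(manifest, annotations):
    """Deep copy of manifest with its annotations replaced, for what-if checks."""
    clone = copy.deepcopy(manifest)
    clone["metadata"]["annotations"] = dict(annotations)
    return clone


def check_manifest(manifest):
    """Return a list of findings for a LoadBalancer Service; an empty list means clean."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") != "Service" or spec.get("type") != "LoadBalancer":
        return []
    meta = manifest["metadata"]
    ann = meta.get("annotations", {})
    name = f"{meta.get('namespace', 'default')}/{meta['name']}"
    findings = []

    # Exposure: no ACL means every source may connect; a /0 entry spells out the same thing.
    acl = ann.get(PREFIX + "acl-allowed-sources")
    if acl is None:
        findings.append(f"{name}: no acl-allowed-sources annotation, load balancer accepts all sources")
    else:
        networks, errors = parse_acl(acl)
        findings.extend(f"{name}: bad ACL entry {err}" for err in errors)
        findings.extend(f"{name}: ACL entry {net} allows every source"
                        for net in networks if net.prefixlen == 0)

    # Health checks default to port 80; if the Service never declares that port,
    # confirm the backend actually answers health checks there.
    raw_port = ann.get(PREFIX + "health-check-port", str(DEFAULT_HEALTH_CHECK_PORT))
    declared = {p.get("port") for p in spec.get("ports", [])} | {p.get("targetPort") for p in spec.get("ports", [])}
    if not raw_port.isdigit():
        findings.append(f"{name}: health-check-port={raw_port!r} is not a port number")
    elif int(raw_port) not in declared:
        findings.append(f"{name}: health-check port {raw_port} is not among the declared ports {sorted(declared, key=str)}")

    # Timeouts are documented in seconds; anything but a positive integer is a misconfiguration.
    for key in TIMEOUT_ANNOTATIONS:
        raw = ann.get(PREFIX + key)
        if raw is not None and not (raw.isdigit() and int(raw) > 0):
            findings.append(f"{name}: {key}={raw!r} is not a positive number of seconds")

    # PROXY protocol changes the wire format: the backend on targetPort must parse the header.
    if ann.get(PREFIX + "enable-proxy-protocol", "false").lower() == "true":
        findings.append(f"{name}: PROXY protocol enabled, backend on targetPort must parse the PROXY header")
    return findings


if __name__ == "__main__":
    for finding in check_manifest(RESTRICTED_SERVICE):
        print(finding)
    print("203.0.113.5 allowed:", is_source_allowed(RESTRICTED_SERVICE, "203.0.113.5"))
```

Run against the page's own example, the only finding is the health-check port: the manifest exposes `443` and `8443`, so the default check on port `80` needs either a matching `health-check-port` annotation or a backend that really listens there. `with_annotations` lets you try variants (for instance dropping the ACL, or setting it to `0.0.0.0/0`) before applying them to a cluster.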
## Summary

Thalassa Cloud Kubernetes provides secure VPC Load Balancers for Kubernetes applications. Whether you need external, internal, or fine-grained ACL-controlled load balancing, Thalassa Cloud’s Kubernetes integration ensures scalability and reliability for workloads.

Key Takeaways:

- Use `LoadBalancer` services for external and internal traffic distribution.
- Configure annotations to control network settings, timeouts, and security.
- Implement health checks to monitor backend availability.
- Enforce ACL restrictions for IP-based access control.
## Additional Resources
This guide provides a complete reference for Kubernetes Load Balancers in Thalassa Cloud. Follow best practices to optimize performance, security, and availability of your services.