From c5cbd20aedd489c14bc1a8a182331c4c3a758037 Mon Sep 17 00:00:00 2001 From: Waldemar Quevedo Date: Wed, 6 May 2020 14:07:21 -0700 Subject: [PATCH 1/4] Create nats-external-nlb.md --- nats-on-kubernetes/nats-external-nlb.md | 46 +++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 nats-on-kubernetes/nats-external-nlb.md diff --git a/nats-on-kubernetes/nats-external-nlb.md b/nats-on-kubernetes/nats-external-nlb.md new file mode 100644 index 0000000..7f62ff8 --- /dev/null +++ b/nats-on-kubernetes/nats-external-nlb.md 
@@ -0,0 +1,46 @@ +# Using a load balancer for external access to NATS on K8S + +Although it is not recommended in general to use a load balancer +with NATS for external access, sometimes due to policy it might +help to use one. If that is the case, then one option would be +to use an L4 load balancer that has raw tcp support. + +In the example below, you can find how to use a [AWS Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html) +to connect externally to a cluster that has TLS setup. + +```sh +# One-line installer creates a secure cluster named 'nats' +$ curl -sSL https://nats-io.github.io/k8s/setup.sh | sh + +# Create AWS Network Load Balancer service +$ echo ' +apiVersion: v1 +kind: Service +metadata: + name: nats-nlb + namespace: default + labels: + app: nats + annotations: + service.beta.kubernetes.io/aws-load-balancer-type: "nlb" +spec: + type: LoadBalancer + externalTrafficPolicy: Local + ports: + - name: nats + port: 4222 + protocol: TCP + targetPort: 4222 + selector: + app: nats +' | kubectl apply -f - + +$ kubectl get svc nats-nlb -o wide +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR +nats-nlb LoadBalancer 10.100.67.123 a18b60a948fc611eaa7840286c60df32-9e96a2af4b5675ec.elb.us-east-2.amazonaws.com 4222:30297/TCP 151m app=nats + +$ nats-pub -s nats://a18b60a948fc611eaa7840286c60df32-9e96a2af4b5675ec.elb.us-east-2.amazonaws.com:4222 -creds nsc/nkeys/creds/KO/A/test.creds test.foo bar +``` + +Also, it would be recommended to disable [no_advertise](https://docs.nats.io/nats-server/configuration/clustering/cluster_config) +to avoid gossiping internal addresses from pods in Kubernetes to NATS clients. From 57bfc316498dc12b18758db7a86e7e9c3194e52a Mon Sep 17 00:00:00 2001 From: Ginger Collison Date: Thu, 7 May 2020 11:11:19 -0500 Subject: [PATCH 2/4] Update nats-external-nlb.md --- nats-on-kubernetes/nats-external-nlb.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/nats-on-kubernetes/nats-external-nlb.md b/nats-on-kubernetes/nats-external-nlb.md index 7f62ff8..e2bcca9 100644 --- a/nats-on-kubernetes/nats-external-nlb.md +++ b/nats-on-kubernetes/nats-external-nlb.md @@ -5,7 +5,7 @@ with NATS for external access, sometimes due to policy it might help to use one. If that is the case, then one option would be to use an L4 load balancer that has raw tcp support. -In the example below, you can find how to use a [AWS Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html) +In the example below, you can find how to use an [AWS Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html) to connect externally to a cluster that has TLS setup. ```sh @@ -42,5 +42,5 @@ nats-nlb LoadBalancer 10.100.67.123 a18b60a948fc611eaa7840286c60df32-9e96a $ nats-pub -s nats://a18b60a948fc611eaa7840286c60df32-9e96a2af4b5675ec.elb.us-east-2.amazonaws.com:4222 -creds nsc/nkeys/creds/KO/A/test.creds test.foo bar ``` -Also, it would be recommended to disable [no_advertise](https://docs.nats.io/nats-server/configuration/clustering/cluster_config) +Also, it would be recommended to disable [no_advertise](nats-server/configuration/clustering/cluster_config.md) to avoid gossiping internal addresses from pods in Kubernetes to NATS clients. From e12467187b7440f6730e55a2b4ff05b23580590a Mon Sep 17 00:00:00 2001 From: Ginger Collison Date: Thu, 7 May 2020 11:15:08 -0500 Subject: [PATCH 3/4] Update nats-external-nlb.md --- nats-on-kubernetes/nats-external-nlb.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nats-on-kubernetes/nats-external-nlb.md b/nats-on-kubernetes/nats-external-nlb.md index e2bcca9..ceb75cd 100644 --- a/nats-on-kubernetes/nats-external-nlb.md +++ b/nats-on-kubernetes/nats-external-nlb.md 
@@ -42,5 +42,5 @@ nats-nlb LoadBalancer 10.100.67.123 a18b60a948fc611eaa7840286c60df32-9e96a $ nats-pub -s nats://a18b60a948fc611eaa7840286c60df32-9e96a2af4b5675ec.elb.us-east-2.amazonaws.com:4222 -creds nsc/nkeys/creds/KO/A/test.creds test.foo bar ``` -Also, it would be recommended to disable [no_advertise](nats-server/configuration/clustering/cluster_config.md) +Also, it would be recommended to disable [no_advertise](../nats-server/configuration/clustering/cluster_config.md) to avoid gossiping internal addresses from pods in Kubernetes to NATS clients. From 5052e3346bb921e0d2352aba0dfb9815fcf48b4a Mon Sep 17 00:00:00 2001 From: ainsley Date: Thu, 7 May 2020 12:06:04 -0500 Subject: [PATCH 4/4] adding NATS external nlb doc to summary --- SUMMARY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SUMMARY.md b/SUMMARY.md index 60d2368..2df7648 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -199,4 +199,4 @@ * [NATS and Prometheus Operator](nats-on-kubernetes/prometheus-and-nats-operator.md) * [NATS Cluster and Cert Manager](nats-on-kubernetes/nats-cluster-and-cert-manager.md) * [Securing a NATS Cluster with cfssl](nats-on-kubernetes/operator-tls-setup-with-cfssl.md) - +* [Using a Load Balancer for External Access to NATS](nats-on-kubernetes/nats-external-nlb.md)
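
Review bot: In PATCH 1/4, the closing paragraph of `nats-external-nlb.md` says to "disable no_advertise ... to avoid gossiping internal addresses", which reads as the opposite of the intent. `no_advertise` is the option that stops the server from advertising cluster member addresses to clients, so it has to be enabled (`no_advertise: true`) to keep pod addresses from reaching external clients; suggest rewording to "enable `no_advertise`". In the same hunk, the `nats-nlb` Service spec places no restriction on client source addresses for port 4222; consider adding `loadBalancerSourceRanges` to the example, or stating in the prose that the listener is open to any source and relies on TLS and the `-creds` authentication shown in the `nats-pub` line.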
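
Review bot: In PATCH 2/4, second hunk (`@@ -42,5 +42,5 @@`), the new link target `nats-server/configuration/clustering/cluster_config.md` is resolved relative to `nats-on-kubernetes/`, where this file lives, so it points at `nats-on-kubernetes/nats-server/...` and is dead. It needs the `../` prefix that PATCH 3/4 adds; squashing 3/4 into this commit would avoid leaving a revision with a broken link in the history.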
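
Review bot: In PATCH 4/4, the `SUMMARY.md` entry is titled "Using a Load Balancer for External Access to NATS", while the H1 added in PATCH 1/4 is "Using a load balancer for external access to NATS on K8S". Pick one wording and capitalization so the navigation title matches the page heading.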