
@devops-school
Created July 1, 2025 02:03
AWS Load Balancer Controller for Kubernetes: A Comprehensive Guide

Table of Contents

  1. Introduction
    • What is the AWS Load Balancer Controller?
    • How It Works
    • Key Concepts
  2. Prerequisites
    • Kubernetes Cluster Requirements
    • AWS IAM Permissions
  3. Installation
    • Using Helm
    • Using YAML Manifests
  4. Configuring Ingress with ALB
    • Basic Ingress Setup
    • Advanced Routing Rules
    • SSL/TLS Termination
  5. Configuring Services with NLB
    • External Traffic with NLB
    • Internal NLB for Private Services
  6. DNS Management with Route 53
    • Automating DNS Records
    • Custom Domain Names
  7. Security Best Practices
    • IAM Roles for Service Accounts (IRSA)
    • Network Security (Security Groups, VPC Configuration)
  8. Monitoring and Logging
    • CloudWatch Metrics
    • Access Logs
  9. Troubleshooting
    • Common Issues and Fixes
  10. Real-World Use Cases
  11. Summary & FAQ

1. Introduction

What is the AWS Load Balancer Controller?

The AWS Load Balancer Controller (formerly ALB Ingress Controller) is a Kubernetes controller that manages Application Load Balancers (ALB) and Network Load Balancers (NLB) for Kubernetes applications. It automates the creation, configuration, and deletion of AWS load balancers based on Kubernetes Ingress and Service resources.

How It Works

  • Watches Kubernetes API for Ingress and Service resources.
  • Automatically provisions AWS ALB/NLB when needed.
  • Configures routing rules, target groups, and listeners.
  • Handles SSL termination, path-based routing, and health checks.

Key Concepts

  • Ingress: Defines HTTP/HTTPS routing rules for external access.
  • Service (Type: LoadBalancer): Provisions an NLB for TCP/UDP traffic.
  • Target Group Binding: Links Kubernetes pods to AWS target groups.
  • IAM Roles for Service Accounts (IRSA): Grants AWS permissions securely.

2. Prerequisites

Kubernetes Cluster Requirements

  • A running EKS cluster (or self-managed Kubernetes on AWS).
  • kubectl and awscli configured.
  • AWS Load Balancer Controller requires Kubernetes ≥ 1.18.

AWS IAM Permissions

The controller needs IAM permissions to manage ALB/NLB.
Create an IAM policy (AWSLoadBalancerControllerIAMPolicy.json):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAddresses",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInstances",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:CreateTargetGroup",
        "elasticloadbalancing:CreateListener",
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:DeleteTargetGroup",
        "elasticloadbalancing:DeleteListener",
        "elasticloadbalancing:ModifyLoadBalancerAttributes",
        "elasticloadbalancing:ModifyTargetGroup",
        "elasticloadbalancing:ModifyListener",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:SetIpAddressType",
        "elasticloadbalancing:SetSecurityGroups",
        "elasticloadbalancing:SetSubnets",
        "elasticloadbalancing:ModifyRule",
        "cognito-idp:DescribeUserPoolClient",
        "acm:ListCertificates",
        "acm:DescribeCertificate",
        "iam:ListServerCertificates",
        "iam:GetServerCertificate",
        "waf-regional:GetWebACL",
        "waf-regional:GetWebACLForResource",
        "waf-regional:AssociateWebACL",
        "waf-regional:DisassociateWebACL",
        "wafv2:GetWebACL",
        "wafv2:GetWebACLForResource",
        "wafv2:AssociateWebACL",
        "wafv2:DisassociateWebACL",
        "shield:GetSubscriptionState",
        "shield:DescribeProtection",
        "shield:CreateProtection",
        "shield:DeleteProtection"
      ],
      "Resource": "*"
    }
  ]
}

Attach this policy to an IAM role used by the controller.


3. Installation

Using Helm (Recommended)

helm repo add eks https://aws.github.io/eks-charts
helm repo update

helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  --set clusterName=<your-cluster-name> \
  --set serviceAccount.create=true \
  --set serviceAccount.name=aws-load-balancer-controller \
  -n kube-system

Using YAML Manifests

kubectl apply -f https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.5.4/v2_5_4_full.yaml

Verify installation:

kubectl get deployment -n kube-system aws-load-balancer-controller

4. Configuring Ingress with ALB

Basic Ingress Example

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
spec:
  rules:
    - host: my-app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app-service
                port:
                  number: 80

SSL/TLS Termination

metadata:
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:123456789012:certificate/xxxx-xxxx-xxxx
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-2017-01

5. Configuring Services with NLB

External NLB Example

apiVersion: v1
kind: Service
metadata:
  name: my-nlb-service
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
spec:
  selector:
    app: my-app
  ports:
    - port: 80
      targetPort: 8080
  type: LoadBalancer

6. DNS Management with Route 53

Automate DNS records using ExternalDNS:

annotations:
  external-dns.alpha.kubernetes.io/hostname: my-app.example.com

7. Security Best Practices

  • Use IRSA (IAM Roles for Service Accounts).
  • Restrict ALB/NLB to specific subnets.
  • Enable WAF for ALB if needed.
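Added example (not code from the gist): a small audit that applies the practices above, plus the SSL/TLS and access-log annotations from sections 4 and 8, to an ALB Ingress manifest. The sample manifest is constructed to mirror the guide's basic Ingress; the manifest is embedded as the already-parsed dict the controller would see, so no YAML library is needed.

```python
# Added example, not part of the original gist: audit the alb.ingress.kubernetes.io
# annotations on an Ingress for the exposure controls this guide recommends.
from typing import Dict, List

ANN = "alb.ingress.kubernetes.io/"

# Controller default when certificate-arn is set but ssl-policy is not, plus the
# other predefined policies that still negotiate TLS 1.0 / 1.1.
LEGACY_TLS_POLICIES = {
    "ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-2015-05",
    "ELBSecurityPolicy-TLS-1-0-2015-04", "ELBSecurityPolicy-TLS-1-1-2017-01",
}

# Constructed sample: the guide's basic Ingress example as a parsed object.
SAMPLE_INGRESS: Dict = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "my-app-ingress",
        "annotations": {
            "kubernetes.io/ingress.class": "alb",
            ANN + "scheme": "internet-facing",
            ANN + "target-type": "ip",
        },
    },
    "spec": {"rules": [{"host": "my-app.example.com"}]},
}

def lb_attrs(annotations: Dict[str, str]) -> Dict[str, str]:
    """Parse the comma-separated key=value list in load-balancer-attributes."""
    raw = annotations.get(ANN + "load-balancer-attributes", "")
    pairs = (item.split("=", 1) for item in raw.split(",") if "=" in item)
    return {k.strip(): v.strip() for k, v in pairs}

def audit_ingress(ingress: Dict) -> List[str]:
    """Return findings; an empty list means every check passed."""
    ann = ingress.get("metadata", {}).get("annotations", {})
    findings: List[str] = []
    public = ann.get(ANN + "scheme", "internal") == "internet-facing"
    if public and ANN + "certificate-arn" not in ann:
        findings.append("internet-facing ALB without certificate-arn: HTTP listener only")
    if public and ANN + "inbound-cidrs" not in ann:
        findings.append("no inbound-cidrs: managed security group admits 0.0.0.0/0")
    if ANN + "certificate-arn" in ann:
        policy = ann.get(ANN + "ssl-policy", "ELBSecurityPolicy-2016-08")
        if policy in LEGACY_TLS_POLICIES:
            findings.append(f"ssl-policy {policy} still negotiates TLS 1.0/1.1")
    if lb_attrs(ann).get("access_logs.s3.enabled", "false").lower() != "true":
        findings.append("access logs disabled: set access_logs.s3.enabled=true")
    if public and ANN + "wafv2-acl-arn" not in ann:
        findings.append("no wafv2-acl-arn: internet-facing ALB has no WAF web ACL")
    return findings
```

Run `audit_ingress(SAMPLE_INGRESS)` against the guide's basic manifest and it reports four findings; adding the section 4 certificate and ssl-policy annotations, inbound-cidrs, a wafv2-acl-arn and the section 8 access-log attributes clears them.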

8. Monitoring and Logging

Enable ALB access logs:

alb.ingress.kubernetes.io/load-balancer-attributes: access_logs.s3.enabled=true,access_logs.s3.bucket=my-logs-bucket
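Added example (not code from the gist): once the attribute above is set, the ALB writes space-separated access log lines to the S3 bucket. The parser below reads that documented field order and surfaces what a defender looks for first: clients with repeated 4xx responses, sessions negotiated with TLS 1.0/1.1, and cleartext HTTP requests. The log lines are constructed samples and omit the trailing documented fields after the domain name.

```python
# Added example, not part of the original gist: detection logic over ALB access log lines
# of the format the access_logs.s3.* attributes enable.
import shlex
from collections import Counter
from typing import Dict, List

# Leading fields in the order ALB writes them; later fields are not needed here.
FIELDS = ["type", "time", "elb", "client_port", "target_port", "request_processing_time",
          "target_processing_time", "response_processing_time", "elb_status_code",
          "target_status_code", "received_bytes", "sent_bytes", "request", "user_agent",
          "ssl_cipher", "ssl_protocol", "target_group_arn", "trace_id", "domain_name"]

# Constructed sample log lines (documentation IP ranges, placeholder ARNs).
TG = "arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/k8s-myapp/73e2d6bc24d8a067"
LB = "app/k8s-default-myapping-0123456789/50dc6c495c0c9188"
SAMPLE_LOG: List[str] = [
    f'https 2025-07-01T02:03:00.186641Z {LB} 203.0.113.7:2817 10.0.1.12:8080 0.001 0.012 0.000 200 200 312 2048 "GET https://my-app.example.com:443/ HTTP/1.1" "curl/8.0.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 {TG} "Root=1-686340a4-0001" "my-app.example.com"',
    f'https 2025-07-01T02:03:01.000000Z {LB} 203.0.113.50:44120 10.0.1.12:8080 0.001 0.010 0.000 200 200 300 1900 "GET https://my-app.example.com:443/ HTTP/1.1" "Mozilla/5.0" AES128-SHA TLSv1 {TG} "Root=1-686340a4-0002" "my-app.example.com"',
    f'https 2025-07-01T02:03:02.000000Z {LB} 198.51.100.9:51000 10.0.1.12:8080 0.001 0.002 0.000 404 404 280 150 "GET https://my-app.example.com:443/admin HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 {TG} "Root=1-686340a4-0003" "my-app.example.com"',
    f'https 2025-07-01T02:03:02.100000Z {LB} 198.51.100.9:51001 10.0.1.12:8080 0.001 0.002 0.000 404 404 280 150 "GET https://my-app.example.com:443/.env HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 {TG} "Root=1-686340a4-0004" "my-app.example.com"',
    f'https 2025-07-01T02:03:02.200000Z {LB} 198.51.100.9:51002 10.0.1.12:8080 0.001 0.002 0.000 403 403 280 150 "GET https://my-app.example.com:443/config HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 {TG} "Root=1-686340a4-0005" "my-app.example.com"',
    f'http 2025-07-01T02:03:03.000000Z {LB} 192.0.2.44:40022 10.0.1.12:8080 0.001 0.009 0.000 200 200 290 2048 "GET http://my-app.example.com:80/ HTTP/1.1" "curl/8.0.0" - - {TG} "Root=1-686340a4-0006" "my-app.example.com"',
]

def parse_line(line: str) -> Dict[str, str]:
    """Split one access log line; shlex keeps the quoted request/user_agent fields whole."""
    return dict(zip(FIELDS, shlex.split(line)))

def analyze(lines: List[str], min_4xx: int = 3) -> Dict[str, object]:
    """Summarise findings a defender triages first from a batch of log lines."""
    entries = [parse_line(l) for l in lines if l.strip()]
    legacy_tls = [e["client_port"] for e in entries
                  if e["type"] == "https" and e["ssl_protocol"] in ("TLSv1", "TLSv1.1")]
    cleartext = sum(1 for e in entries if e["type"] == "http")
    errors = Counter(e["client_port"].rsplit(":", 1)[0]
                     for e in entries if e["elb_status_code"].startswith("4"))
    noisy = {ip: n for ip, n in errors.items() if n >= min_4xx}
    return {"legacy_tls": legacy_tls, "cleartext_requests": cleartext, "noisy_clients": noisy}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```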

9. Troubleshooting

  • Error: "Unable to create Load Balancer" → Check IAM permissions.
  • Ingress not creating ALB → Verify ingress.class: alb.

10. Real-World Use Cases

  • Blue-Green Deployments: Use ALB weighted routing.
  • Multi-Tenant Apps: Path-based routing (/app1, /app2).

11. Summary & FAQ

Summary

  • The AWS Load Balancer Controller automates ALB/NLB provisioning.
  • Supports advanced routing, SSL, and security configurations.
  • Works seamlessly with EKS and self-managed Kubernetes.

FAQ

Q: Can I use both ALB and NLB in the same cluster?
A: Yes, use Ingress for ALB and Service with type: LoadBalancer for NLB.

Q: How do I enable cross-zone load balancing?
A: Add alb.ingress.kubernetes.io/load-balancer-attributes: load_balancing.cross_zone.enabled=true.

Q: How do I restrict an ALB to a VPC?
A: Use alb.ingress.kubernetes.io/scheme: internal.


This guide covers beginner to advanced AWS Load Balancer Controller usage. For further details, refer to the official documentation. 🚀
