This is an advanced deployment guide to configure Contour on AWS with the Network Load Balancer (NLB). This configuration has several advantages:
- NLBs are often cheaper. This is especially true for development. Idle LBs do not cost money.
- There are no extra network hops. Traffic goes to the NLB, to the node hosting Contour, and then to the target pod.
- Source IP addresses are retained. Envoy (running as part of Contour) sees the native source IP address and records this with an `X-Forwarded-For` header.
- We run Contour as a DaemonSet across the cluster.
- The Contour pod runs with host networking and binds to ports 8080 and 8443 on the node.
- Host networking means that traffic hits Envoy without transitioning through any other fancy networking hops.
- Contour also binds to 8001 for Envoy->Contour config traffic.
- Clone the Contour repository and cd into the repo.
- Run `kubectl apply -f examples/contour/`. This creates the `projectcontour` Namespace along with a ServiceAccount, RBAC rules, and the DaemonSet itself. It also creates the NLB-based load balancer for you.
You can get the address of your NLB via:
`kubectl get service contour --namespace=projectcontour -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'`
You can now test your NLB.
- Install a workload (see the kuard example in the main deployment guide).
- Look up the address for your NLB in the AWS console and enter it in your browser.
- Notice that Envoy fills out `X-Forwarded-For`, because it was the first to see the traffic directly from the browser.
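Because Envoy is the first proxy to see the connection in this topology, the address it appends to `X-Forwarded-For` is the rightmost entry, and anything the client put in the header before it is untrusted. The helper below, an added example that is not part of the Contour repository, shows how a workload behind this setup should read the header; it assumes exactly one trusted hop (Envoy) between the client and the pod, and the sample header values are constructed.

```python
import ipaddress
from typing import Optional

# Assumption (not from the Contour docs): with the NLB in front of a
# host-networked Envoy, Envoy is the only proxy in the path, so exactly
# one trusted hop appends its observed peer address to X-Forwarded-For.
TRUSTED_HOPS = 1


def client_ip_from_xff(xff_header: str, trusted_hops: int = TRUSTED_HOPS) -> Optional[str]:
    """Return the client address vouched for by the trusted proxy chain.

    Each trusted proxy appends the peer address it saw, so with N trusted
    hops the N-th entry from the right is the real client. Entries further
    left were supplied by the client itself and must not be trusted.
    Returns None when the header is missing, too short, or not an IP.
    """
    parts = [p.strip() for p in xff_header.split(",") if p.strip()]
    if len(parts) < trusted_hops:
        return None
    candidate = parts[-trusted_hops]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def naive_leftmost_ip(xff_header: str) -> Optional[str]:
    """The common mistake: trust the leftmost entry, which the client controls."""
    parts = [p.strip() for p in xff_header.split(",") if p.strip()]
    return parts[0] if parts else None


# Constructed sample: header Envoy would produce when a client at
# 203.0.113.7 sends a request that already carries a forged value.
FORGED_THEN_REAL = "10.0.0.1, 203.0.113.7"

if __name__ == "__main__":
    print("trusted-hop parse:", client_ip_from_xff(FORGED_THEN_REAL))  # 203.0.113.7
    print("naive parse:     ", naive_leftmost_ip(FORGED_THEN_REAL))   # 10.0.0.1 (spoofed)
```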