Deploying Ingress Nginx on EKS With an Internal Load Balancer and HTTPS

In this post, we will deploy Ingress Nginx on EKS with an internal load balancer and HTTPS. This setup is useful when you want to expose your services to an internal network (e.g. your work VPN) and secure the communication with HTTPS.

The TLS termination will be done by the NLB, so the traffic between the client and the load balancer will be encrypted.

Prerequisites

Deploy Ingress Nginx

First, we need to deploy Ingress Nginx. We will use the deployment files (I couldn’t get the Helm chart to work properly since it was assigning the wrong target groups to the NLB).

Download the deploy.yaml file from the official repository.

Open the file, and modify the proxy-real-ip-cidr: XXX.XXX.XXX/XX field to match the VPC CIDR that your EKS cluster is using (e.g. 10.67.0.0/22).

You will also need to change arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX to match the ARN of your SSL certificate in AWS ACM.

Then, deploy the manifest:

kubectl apply -f deploy.yaml

This should create the Ingress Nginx controller and the necessary resources on K8s, along with an internal NLB on AWS.
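Before running kubectl apply, the edits described above can be checked mechanically. The script below is an added example, not part of the original post or of ingress-nginx. The names check_manifest and sample_manifest are hypothetical, the sample fragment is constructed, and the check for an internal-scheme annotation is an assumption, since the post does not show which annotation its manifest uses.

```sh
#!/bin/sh
# Added example: pre-apply lint for the edited deploy.yaml (not ingress-nginx code).
# check_manifest and sample_manifest are hypothetical helper names.
# Exit status 0 means every check passed; findings go to stderr.
check_manifest() (
  file=$1; rc=0
  fail() { echo "FAIL: $*" >&2; rc=1; }

  # 1. Placeholders from the downloaded file (runs of three or more X) are gone.
  if grep -nE 'X{3,}' "$file" >&2; then fail "placeholder values still present"; fi

  # 2. proxy-real-ip-cidr is a concrete IPv4 CIDR and not a catch-all /0 range,
  #    which would make the controller trust client-IP headers from any source.
  cidr=$(sed -nE 's#^[[:space:]]*proxy-real-ip-cidr:[[:space:]]*"?([^"[:space:]]+)"?.*$#\1#p' "$file" | head -n 1)
  if ! printf '%s\n' "$cidr" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
    fail "proxy-real-ip-cidr is '${cidr:-missing}'"
  else
    case $cidr in */0) fail "proxy-real-ip-cidr trusts every source address" ;; esac
  fi

  # 3. The ssl-cert annotation carries a complete ACM certificate ARN.
  grep -qE 'aws-load-balancer-ssl-cert:[[:space:]]*"?arn:aws[a-z-]*:acm:[a-z0-9-]+:[0-9]{12}:certificate/[0-9a-f-]{36}"?[[:space:]]*$' "$file" ||
    fail "aws-load-balancer-ssl-cert is not a complete ACM certificate ARN"

  # 4. Assumption: the internal NLB is requested with one of these two annotations
  #    (the post does not show which one its manifest uses).
  grep -qE 'aws-load-balancer-(internal:[[:space:]]*"?true"?|scheme:[[:space:]]*"?internal"?)' "$file" ||
    fail "no annotation requests an internal load balancer"

  exit "$rc"
)

# Constructed fragment, edited as the post describes; account and certificate ids are made up.
sample_manifest() {
  cat <<'EOF'
data:
  proxy-real-ip-cidr: 10.67.0.0/22
---
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:111122223333:certificate/12345678-1234-1234-1234-123456789abc
EOF
}

tmp=$(mktemp) && sample_manifest > "$tmp"
check_manifest "$tmp" && echo "OK: manifest is ready for kubectl apply -f"
rm -f "$tmp"
```

To lint the real file, source the script and run check_manifest deploy.yaml; a non-zero exit status means at least one check failed.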

Create an Ingress

To test the setup, create an Ingress resource that points to a service in your cluster.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
spec:
  ingressClassName: nginx
  rules:
    - host: my-host.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 80

Replace the host field with the domain you want to use, and the service field with the name of the service you want to expose (along with the correct port number). Note that the ingressClassName field is set to nginx.

Then, apply the manifest:

kubectl apply -f ingress.yaml