balancer | Golang client side load balancer | Load Balancing library

I'm trying to deploy a simple REST API written in Golang to AWS EKS.

I created an EKS cluster on AWS using Terraform and applied the AWS load balancer controller Helm chart to it.

All resources in the cluster look like:

I am trying to deploy a PHP through AWS CodeDeploy and am currently stuck on the AllowTraffic step in CodeDeploy. The application is on an EC2 instance behind an ALB. In the ALB, I am getting failing health checks. I have the PHP application code sitting in the following directory on the EC2 instance: /var/www/html/src. If I were to curl the private IP of the EC2 following by the directory where the code sits, I am getting an error 404 Not Found. Even though the index.php file is in that directory, I am unable to curl it. Currently I have security groups setup where the ALB security group allows any traffic from only HTTP, and all traffic from the ALB security group is allowed to reach the EC2 instance. I am able to curl the root of the instance and see Apache's default page.

If I were to adjust the health check settings on the ALB Target group, I get a 403 error when setting the health check to /. I get a 404 error when specifying the path to the directory that has the PHP application code.

Any advice on how I can get the instance to a healthy state for the ALB would be appreciated.

TG Health Check

Application Load balancer security group allows traffic on port 80 EC2 instance security group allows traffic from Application Load Balancer security group.

The PHP application should be accessible on port 80, where Apache is running. The Application Load Balancer has only 1 listener that is set up for port 80, that forwards traffic to the target group.

I've been trying to get over this but I'm out of ideas for now hence I'm posting the question here.

I'm experimenting with the Oracle Cloud Infrastructure (OCI) and I wanted to create a Kubernetes cluster which exposes some service.

The goal is:

• A running managed Kubernetes cluster (OKE)
• 2 nodes at least
• 1 service that's accessible for external parties

The infra looks the following:

• A VCN for the whole thing
• A private subnet on 10.0.1.0/24
• A public subnet on 10.0.0.0/24
• NAT gateway for the private subnet
• Internet gateway for the public subnet
• Service gateway
• The corresponding security lists for both subnets which I won't share right now unless somebody asks for it
• A containerengine K8S (OKE) cluster in the VCN with public Kubernetes API enabled
• A node pool for the K8S cluster with 2 availability domains and with 2 instances right now. The instances are ARM machines with 1 OCPU and 6GB RAM running Oracle-Linux-7.9-aarch64-2021.12.08-0 images.
• A namespace in the K8S cluster (call it staging for now)
• A deployment which refers to a custom NextJS application serving traffic on port 3000

And now it's the point where I want to expose the service running on port 3000.

I have 2 obvious choices:

• Create a LoadBalancer service in K8S which will spawn a classic Load Balancer in OCI, set up it's listener and set up the backendset referring to the 2 nodes in the cluster, plus it adjusts the subnet security lists to make sure traffic can flow
• Create a Network Load Balancer in OCI and create a NodePort on K8S and manually configure the NLB to the ~same settings as the classic Load Balancer

The first one works perfectly fine but I want to use this cluster with minimal costs so I decided to experiment with option 2, the NLB since it's way cheaper (zero cost).

Long story short, everything works and I can access the NextJS app on the IP of the NLB most of the time but sometimes I couldn't. I decided to look it up what's going on and turned out the NodePort that I exposed in the cluster isn't working how I'd imagine.

The service behind the NodePort is only accessible on the Node that's running the pod in K8S. Assume NodeA is running the service and NodeB is just there chilling. If I try to hit the service on NodeA, everything is fine. But when I try to do the same on NodeB, I don't get a response at all.

That's my problem and I couldn't figure out what could be the issue.

What I've tried so far:

• Switching from ARM machines to AMD ones - no change
• Created a bastion host in the public subnet to test which nodes are responding to requests. Turned out only the node responds that's running the pod.
• Created a regular LoadBalancer in K8S with the same config as the NodePort (in this case OCI will create a classic Load Balancer), that works perfectly
• Tried upgrading to Oracle 8.4 images for the K8S nodes, didn't fix it
• Ran the Node Doctor on the nodes, everything is fine
• Checked the logs of kube-proxy, kube-flannel, core-dns, no error
• Since the cluster consists of 2 nodes, I gave it a try and added one more node and the service was not accessible on the new node either
• Recreated the cluster from scratch

Edit: Some update. I've tried to use a DaemonSet instead of a regular Deployment for the pod to ensure that as a temporary solution, all nodes are running at least one instance of the pod and surprise. The node that was previously not responding to requests on that specific port, it still does not, even though a pod is running on it.

Edit2: Originally I was running the latest K8S version for the cluster (v1.21.5) and I tried downgrading to v1.20.11 and unfortunately the issue is still present.

Edit3: Checked if the NodePort is open on the node that's not responding and it is, at least kube-proxy is listening on it.

We have two VMs behind a Load Balancer. We would like to make one of the VMs publicly inaccessible when we do a new deployment, so we can test the new version of the application before it becomes publicly accessible. The current plan is to block one out of two VMs by changing Network Security Group rule via Service Tag for Load Balancer:

It works. When we change NSG Rule for VM1 from Allow to Deny only VM2 stays publicly accessible. Once we verify that new release works as expected we then switch NSG rule for VM2 and switch NSG rule for VM1, so only a VM with the newest version of application is accessible while we update application on the other VM.

The problem with that is NSG rules don't immediately take effect and can take 1-3 minutes to make VM inaccessible/accessible. More over if we switch NSG for both VMs at the same time we can be in situations when both VMs with different version of software are publicly available which can lead to data corruption or data lose or both VM are not accessible. So the only way around this is to change NSG rule for VM2 then for VM1 and having downtime of 2-6 minutes. Is there a better way to do that?

I have the following basic architecture:

For reasons I don't want to get into, I want to allow the client to fetch data from either server if they so choose. If they don't care then the load balancer will decide for them.

Is there a best practice for designing the API request?

I've come up with a few options:

• Add an optional query string parameter:

Is there a way we can alter the resource names of the resources provisioned by AKS itself (screenshot below). I know I can change the node resource group name as per the documentation but cannot find any reference (or documentation) if we can change the AKS managed resource names. The resources for which I want to have custom naming specifically are:

1. Load balancer
2. AKS Virtual Machine Scale Set

We are having difficulties choosing a load balancing solution (Load Balancer, Application Gateway, Traffic Manager, Front Door) for IIS websites on Azure VMs. The simple use case when there are 2 identical sites is covered well – just use Azure Load Balancer or Application Gateway. However, in cases when we would like to update websites and test those updates, we encounter limitation of load balancing solutions.

For example, if we would like to update IIS websites on VM1 and test those updates, the strategy would be:

• Point a load balancer to VM2.
• Update IIS website on VM1
• Test the changes
• If all tests are passed then point the load balancer to VM1 only, while we update VM2.
• Point the load balancer to both VMs

We would like to know what is the best solution for directing traffic to only one VM. So far, we only see one option – removing a VM from backend address pool then returning it back and repeating the process for other VMs. Surely, there must be a better way to direct 100% of traffic to only one (or to specific VMs), right?

Update:

We ended up blocking the connection between VMs and Load Balancer by creating Network Security Group rule with Deny action on Service Tag Load Balancer. Once we want that particular VM to be accessible again we switch the NSG rule from Deny to Allow.

The downside of this approach is that it takes 1-3 minutes for the changes to take an effect. Continuous Delivery with Azure Load Balancer

If anybody can think of a faster (or instantaneous) solution for this, please let me know.

I have an ingress pod deployed with Scaleway on a Kubernetes cluster and it exists in the kube-system namespace. I accidentally created a load balancer service on the default namespace and I don't want to delete and recreate it a new one on the kube-system namespace so I want my Load balancer in the default namespace to have the ingress pods as endpoints:

I'm struggling to expose a service in an AWS cluster to outside and access it via a browser. Since my previous question haven't drawn any answers, I decided to simplify the issue in several aspects.

First, I've created a deployment which should work without any configuration. Based on this article, I did

1. kubectl create namespace tests

2. created file probe-service.yaml based on paulbouwer/hello-kubernetes:1.8 and deployed it kubectl create -f probe-service.yaml -n tests:

   ...