search

aws / aws-application-networking-k8s

A Kubernetes controller for Amazon VPC Lattice
https://www.gateway-api-controller.eks.aws.dev/
Apache License 2.0
176 stars 50 forks source link

Support ingress (north/south) traffic? #535

Open gazal-k opened 1 year ago

gazal-k commented 1 year ago

I believe Gateway API was meant to be v2 of Ingress API. Also, as per the documentation for Gateway API:

The Gateway API was originally designed to manage traffic from clients outside the cluster to services inside the cluster -- the ingress or north/south case. Over time, interest from service mesh users prompted the creation of the GAMMA initiative to define how the Gateway API could also be used for inter-service or east/west traffic within the same cluster.

The existence of https://github.com/aws-solutions-library-samples/guidance-for-external-connectivity-amazon-vpc-lattice and the following excerpt:

When you create a VPC Lattice Service, you are given a DNS name that represents it (globally unique and externally resolvable). However, from outside of the VPC, the DNS name resolves to a series of IP addresses in the 169.254.171.x/24 range (within the IPv4 Link-Local range 169.254/16 defined in RFC3927) and fd00:ec2:80::/64 range (within the IPv6 Link-local range fe80::/10 defined in RFC4291). seems to indicate that aws-application-networking-k8s

indicates that this Gateway Controller (which relies on VPC Lattice) only implements east/west traffic at the moment.

Could this controller be extended to support ingress (north/south) traffic?

It almost seems to me like aws-load-balancer-controller and this controller may need to merge in some way to fully support all Gateway API capabilities. (Related: https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/1338)

solmonk commented 1 year ago

In terms of publicly accessible ingress endpoint, we are investigating offering this as a native feature. In the meantime you can reference this blog as a viable workaround: https://aws.amazon.com/blogs/networking-and-content-delivery/external-connectivity-to-amazon-vpc-lattice/

On another note, the limitation imposed by such IP range is that it is only accessible within the VPCs that are associated to the service network, but it can still be outside of the cluster - e.g. another EC2 instance in the same VPC.

seifrajhi commented 8 months ago

In the meantime you can reference this blog as a viable workaround: https://aws.amazon.com/blogs/networking-and-content-delivery/external-connectivity-to-amazon-vpc-lattice/

@solmonk, I believe this workaround creates unnecessary complexity and overhead, especially in large microservice environments heavily reliant on EKS and ingress routing. Integrating Gateway API support would be incredibly beneficial. As suggested, perhaps merging with the AWS Load Balancer Controller (https://github.com/kubernetes-sigs/aws-load-balancer-controller) could be a great option to handle both north-south (internet) and east-west (internal) traffic.