Open bnutt opened 1 month ago
I think I have confirmed this is due to how the LB controller handles disabling client IP preservation.
@bnutt even if the controller handles the sg rules in correct order, there could still be gaps of downtimes due to the eventually consistency nature of AWS APIs, and the underlying implementation of preserve_client_ip in ELB. If you indeed need to change the preserve_client_ip, which is a big change to LBs, to avoid downtimes, i'd suggest use a new service with weighted DNS based migration.
Describe the bug Modifying the target group attributes of a loadbalancer provisioned by the LBC will result in the controller briefly revoking security group rules on the backend security group. In the time that the rules are revoked and when the rules are added back as part of reconciliation, traffic is dropped to external users. Right now this only looks to occur when using IP targets. In testing, there has been up to a minute gap between the revoke and add of the security group rules.
Steps to reproduce Provision NLB using a k8s service object. Configure the NLB with client IP preservation enabled.
Allow the controller to provision the loadbalancer.
Expected outcome Client IP is disabled without downtime. If I understand the docs correctly, this may not be happening because the controller modifies the rules on what IP ranges are allowed depending whether the flag is set or not. If this is correct, is the only safe way to disable client IP preservation without downtime to provision a new loadbalancer and migrate traffic to it?
Environment
Additional Context: