Was Migrating from NGINX Ingress to AWS ALB a Good Move?

Asked By CuriousCoder92 On

We recently switched our Kubernetes setup from using NGINX Ingress to AWS Application Load Balancer (ALB). Previously, our architecture had NGINX handling SSL termination within the cluster, with Cert-manager managing certificates from Let's Encrypt. After Kubernetes announced the end of life for NGINX Ingress, we decided it was time to migrate.

Now, we have configured our microservices to benefit from AWS native services. This new setup includes:

- AWS ALB for external management
- Automated certificate management through AWS Certificate Manager (ACM) with wildcard support
- Route 53 for DNS management
- SSL termination handled at the ALB level
- WAF (Web Application Firewall) for enhanced security

I want to hear thoughts on whether this transition was the right decision or if there are better alternatives we could have considered instead.

4 Answers

Answered By DevOpsDude On

You're right to migrate from NGINX if support is dropping. ALB with ACM handles cert renewals well, which is a plus. But double-check if you have to implement scripts for certificate rotation; that might indicate you're not leveraging ACM fully yet. And how have you been handling use cases like custom annotations during the transition? It's something to consider going forward!

CuriousCoder92 -

We managed to get it working smoothly, but I’m keen to see if there are better ways to customize those settings!

Answered By NetworkNinja On

Glad the migration seems to have worked for you! Just keep in mind that ALB’s Layer 7 capabilities can be somewhat limited. If I were designing a new architecture, I’d consider using something like Traefik or sticking to an NLB with TLS termination. But if you’re satisfied with the performance and managing costs, it sounds like you made a good choice!

Answered By SecurityGuru On

As a security-focused professional, I’m a bit concerned about having HTTP traffic between the ALB and your instances. That could expose you to various risks. Ensuring that all traffic remains secure is crucial. Maybe add further layers of security to mitigate potential threats?

CuriousCoder92 -

Absolutely, I appreciate those insights! I'll definitely explore how to keep that traffic secure.
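A check for the cleartext ALB-to-target concern raised in the answer above, as an added example that is not part of the original thread. It assumes the cluster uses the AWS Load Balancer Controller and its `alb.ingress.kubernetes.io/*` annotations (the thread does not say which controller is in use), and it audits constructed Ingress objects shaped like `kubectl get ingress -A -o json` output; all names and the ARN are placeholders.

```python
import json

PREFIX = "alb.ingress.kubernetes.io/"  # AWS Load Balancer Controller annotations (assumed)

def is_alb(ing):
    """True if the Ingress uses the 'alb' class (spec field or legacy annotation)."""
    legacy = ing["metadata"].get("annotations", {}).get("kubernetes.io/ingress.class")
    return "alb" in (ing.get("spec", {}).get("ingressClassName"), legacy)

def audit(ing):
    """Return the list of findings for one ALB Ingress object."""
    ann = ing["metadata"].get("annotations", {})
    findings = []
    # The controller defaults to HTTP, so a missing annotation means cleartext to the pods.
    if ann.get(PREFIX + "backend-protocol", "HTTP").upper() != "HTTPS":
        findings.append("cleartext HTTP between ALB and targets")
    # listen-ports, when set, is a JSON list such as [{"HTTP": 80}, {"HTTPS": 443}].
    ports = json.loads(ann.get(PREFIX + "listen-ports", "[]"))
    if any("HTTP" in entry for entry in ports) and PREFIX + "ssl-redirect" not in ann:
        findings.append("HTTP listener without ssl-redirect")
    if PREFIX + "wafv2-acl-arn" not in ann:
        findings.append("no wafv2-acl-arn annotation")
    return findings

def audit_all(ingress_list):
    """Map 'namespace/name' to findings for each ALB Ingress that has any."""
    report = {}
    for ing in ingress_list["items"]:
        if is_alb(ing) and (found := audit(ing)):
            meta = ing["metadata"]
            report[f'{meta["namespace"]}/{meta["name"]}'] = found
    return report

# Constructed sample shaped like `kubectl get ingress -A -o json` (placeholders throughout).
BOTH = '[{"HTTP": 80}, {"HTTPS": 443}]'
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "cart",
                  "annotations": {PREFIX + "listen-ports": BOTH}},
     "spec": {"ingressClassName": "alb"}},
    {"metadata": {"namespace": "shop", "name": "pay", "annotations": {
        PREFIX + "listen-ports": BOTH, PREFIX + "ssl-redirect": "443",
        PREFIX + "backend-protocol": "HTTPS",
        PREFIX + "wafv2-acl-arn": "arn:aws:wafv2:REGION:ACCOUNT:regional/webacl/EXAMPLE/ID"}},
     "spec": {"ingressClassName": "alb"}},
    {"metadata": {"namespace": "legacy", "name": "blog"},
     "spec": {"ingressClassName": "nginx"}},
]}

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE).items():
        print(name, "->", "; ".join(found))
```

Setting `backend-protocol` to HTTPS requires the pods to serve TLS themselves, and the ALB does not validate the target's certificate, so this gives encryption in transit rather than authentication of the backend.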

Answered By TechSavvy123 On

Switching to AWS ALB can simplify things for teams already deep into AWS, but have you checked the potential cost increases? Also, consider if you might encounter limits with ALB, like the 200 rules cap. If you're still within the expected traffic levels, it should be fine, but exploring options like Traefik or HAProxy could give you more flexibility in cluster management.

EverOpenEye -

Yeah, the portability of those alternatives might be worth it, especially if cost is a concern!
