I'm working on an application that accepts both TCP/TLS connections and HTTP(s) requests. For the TLS connections, the SSL termination needs to happen at the instance level due to our certificate and authentication handling. I tried to set this up on GCP using a Managed Instance Group (MIG) with both a TCP pass-through load balancer and an HTTP(s) load balancer, but I ran into issues since GCP doesn't allow pointing both load balancers to the same MIG.
Now, I'm curious if Kubernetes (GKE) can handle this scenario better. Is it possible to configure a TCP load balancer and an HTTP load balancer to connect to the same pods, while listening on different ports? I specifically need the app to terminate the TLS connections instead of having the load balancer do it. Can anyone shed some light on whether this setup is feasible?
4 Answers
Load balancers basically operate at different layers: TCP is at layer 4 and HTTP(s) at layer 7. What you need to do is set up a TCP load balancer for your regular TCP port and a separate HTTP load balancer for your HTTP(s) port. They can't both point directly to the same MIG, which is why you're facing issues with GCP. But in Kubernetes, you should be able to define a service that targets the same set of pods for both types if you're using different ports.
Just a heads up, make sure you understand the protocol distinction. TCP is transport layer, while HTTP(s) is application layer. You can't mix them in a single load balancer, but targeting the same pods on different ports is totally doable in Kubernetes.
Are you using Ingress and Services for managing your load balancers, or are you doing it manually? Using Ingress can simplify a lot of the routing since it can handle both types of traffic.
Yep, that's absolutely possible! In your Kubernetes service definition, you can specify multiple ports, one for TCP and another for HTTP. This way, you can have both load balancers pointing at the same pods without any hitches.
I think I'm starting to understand! So in Kubernetes, I can create a TCP load balancer that allows the instance to handle TLS while having an Ingress resource for HTTP(s) that manages the certificates. Just want to be sure that this setup can really work in GKE.