The information contained in this article has been verified as up-to-date on the date of the original publication of the article. HashiCorp endeavors to keep this information up-to-date and correct, but it makes no representations or warranties of any kind, express or implied, about the ongoing completeness, accuracy, reliability, or suitability of the information provided.
All information contained in this article is for general information purposes only. Any reliance you place on such information as it applies to your use of your HashiCorp product is therefore strictly at your own risk.
Introduction
When you deploy the Consul mesh gateway as a Kubernetes Service of type LoadBalancer on an Amazon EKS cluster, the resulting load balancer may be created in a public subnet of your VPC even though the Service carries the annotation that requests an internal load balancer. The reason is that the service.beta.kubernetes.io/aws-load-balancer-scheme annotation is interpreted by the AWS Load Balancer Controller, not by the legacy in-tree AWS cloud provider that reconciles LoadBalancer Services when no controller is installed; the in-tree provider ignores it and defaults to an internet-facing load balancer. To make sure the mesh gateway's load balancer lands in a private subnet, install the AWS Load Balancer Controller on the EKS cluster. Once the controller reconciles the Service, the annotation is honored and the Network Load Balancer is created with the internal scheme in your private subnets. The same approach applies to every other Consul component exposed as a LoadBalancer Service (the UI, for example), so that each load balancer is placed in the subnets you intend.
Prerequisites
- Consul on Kubernetes (consul-k8s) running on an EKS cluster.
- One or more private subnets in the same VPC as the EKS cluster. For the controller's subnet auto-discovery, tag them with kubernetes.io/role/internal-elb=1; alternatively, pin the subnets explicitly on the Service with the service.beta.kubernetes.io/aws-load-balancer-subnets annotation.
- AWS Load Balancer Controller installed on the EKS cluster (the installation steps are covered in the Procedure below).
Use Case
Mesh gateways carry traffic between Consul datacenters and peered clusters, so the load balancer in front of them is a network entry point into the service mesh. Deploying that entry point as an internal AWS Network Load Balancer in a private subnet keeps it reachable only from inside the VPC and from networks connected to it (VPC peering, Transit Gateway, VPN) rather than from the Internet, while the NLB still spreads traffic across the gateway replicas in each Availability Zone. This lets you keep traffic routing, load balancing and service discovery for your microservices within your private network.
Procedure
- Follow the Amazon EKS documentation to create an Amazon EKS cluster.
- Complete the prerequisite steps in the AWS documentation "Install the AWS Load Balancer Controller using Helm" to create the IAM policy and the IAM-backed Kubernetes service account (aws-load-balancer-controller) in the kube-system namespace.
- Add and update the EKS Helm chart repository.
helm repo add eks https://aws.github.io/eks-charts
helm repo update eks
- Use Helm to install the AWS Load Balancer Controller. Replace consul-cluster-dc1 with the name of your EKS cluster, and keep serviceAccount.create=false so the chart uses the service account created in the previous step rather than creating one without IAM permissions.
helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  --namespace kube-system \
  --set clusterName=consul-cluster-dc1 \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller
- Add the Kubernetes annotation that tells the AWS Load Balancer Controller whether the mesh gateway's load balancer should be internet-facing or internal. In this case it is internal.
meshGateway:
  enabled: true
  replicas: 1
  service:
    type: LoadBalancer
    annotations: |
      service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
The consul-k8s Helm chart takes the mesh gateway's Service settings under meshGateway.service, with annotations given as a YAML block string. If your controller is older than v2.5.0, also add service.beta.kubernetes.io/aws-load-balancer-type: "external" and service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" to the same block so that the controller, rather than the in-tree cloud provider, claims the Service; from v2.5.0 the controller claims new LoadBalancer Services by default.
- Verify on the load balancer's details page in the AWS console that the scheme is internal and that the listed subnets are your private ones, or retrieve the same details with the describe command below.
aws elbv2 describe-load-balancers \
  --no-cli-pager \
  | jq -r '.LoadBalancers[] | select(.LoadBalancerName | match("k8s-consul-consulme-.*"))'
The controller names the load balancer after the Kubernetes namespace and Service (k8s-<namespace>-<service>-<hash>, truncated), so the k8s-consul-consulme- prefix corresponds to the consul-mesh-gateway Service in the consul namespace; adjust the pattern if you use a different namespace. Example output (account, VPC, subnet and security group IDs redacted). Check that Scheme is internal and that every SubnetId under AvailabilityZones belongs to a private subnet, that is, one whose route table has no 0.0.0.0/0 route to an internet gateway:
{
  "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-2:XXXXXXXXXX:loadbalancer/net/k8s-consul-consulme-1d5b690c23/dc0ea86c150ef9ee",
  "DNSName": "k8s-consul-consulme-1d5b690c23-dc0ea86c150ef9ee.elb.us-east-2.amazonaws.com",
  "CanonicalHostedZoneId": "ZLMOA37VPKANP",
  "CreatedTime": "2024-07-11T16:50:24.707000+00:00",
  "LoadBalancerName": "k8s-consul-consulme-1d5b690c23",
  "Scheme": "internal",
  "VpcId": "vpc-XXXXXXXXXXXX",
  "State": {
    "Code": "active"
  },
  "Type": "network",
  "AvailabilityZones": [
    {
      "ZoneName": "us-east-2b",
      "SubnetId": "subnet-XXXXXXXXX02",
      "LoadBalancerAddresses": []
    },
    {
      "ZoneName": "us-east-2c",
      "SubnetId": "subnet-XXXXXXXXX03",
      "LoadBalancerAddresses": []
    },
    {
      "ZoneName": "us-east-2a",
      "SubnetId": "subnet-XXXXXXXXX01",
      "LoadBalancerAddresses": []
    }
  ],
  "SecurityGroups": [
    "sg-XXXXXXXXXXXXXXXXX",
    "sg-XXXXXXXXXXXXXXXXX"
  ],
  "IpAddressType": "ipv4"
}
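The verification step above checks the scheme and subnets by eye. The following added example (not code from the article, from Consul or from AWS) automates that check: it parses the JSON produced by aws elbv2 describe-load-balancers and aws ec2 describe-route-tables, selects the NLB by the same name prefix the jq filter uses, and reports any matching load balancer that is not internal or that sits in a subnet whose effective route table sends 0.0.0.0/0 (or ::/0) to an internet gateway, which is what makes a subnet public. The function names and the sample IDs (vpc-0example, subnet-01 and so on) are invented for the example; the JSON field names are the AWS API's. Run it with the two JSON files as arguments, or with no arguments to see it flag the constructed public subnet.

```python
"""Flag a Kubernetes-provisioned NLB that is not internal or sits in a public subnet.

Added example (not from the article or consul-k8s). Input: the JSON from
`aws elbv2 describe-load-balancers` and `aws ec2 describe-route-tables` as two
file arguments; with no arguments the constructed sample below is checked.
"""
import json
import re
import sys
from typing import Dict, List, Tuple

# Same prefix the article's jq filter matches (namespace "consul", service "consul-mesh-gateway").
LB_NAME_PATTERN = re.compile(r"^k8s-consul-consulme-")


def index_route_tables(rt_doc: dict) -> Tuple[Dict[str, dict], Dict[str, dict]]:
    """Map explicitly associated subnets to their route table and each VPC to its main table."""
    by_subnet: Dict[str, dict] = {}
    main_by_vpc: Dict[str, dict] = {}
    for rt in rt_doc["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_by_vpc[rt["VpcId"]] = rt
            elif "SubnetId" in assoc:
                by_subnet[assoc["SubnetId"]] = rt
    return by_subnet, main_by_vpc


def is_public_subnet(subnet_id: str, vpc_id: str, by_subnet: dict, main_by_vpc: dict) -> bool:
    """True when the subnet's effective route table sends a default route to an internet gateway."""
    # A subnet with no explicit association uses the VPC main route table.
    rt = by_subnet.get(subnet_id) or main_by_vpc.get(vpc_id)
    if rt is None:
        raise ValueError(f"no route table resolves for {subnet_id} in {vpc_id}")
    for route in rt.get("Routes", []):
        is_default = (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                      or route.get("DestinationIpv6CidrBlock") == "::/0")
        # A default route via NatGatewayId keeps the subnet private; only an igw- target makes it public.
        if is_default and str(route.get("GatewayId", "")).startswith("igw-"):
            return True
    return False


def check_private_nlb(lb_doc: dict, rt_doc: dict, name_pattern=LB_NAME_PATTERN) -> List[str]:
    """Return findings; an empty list means every matching NLB is internal and only in private subnets."""
    by_subnet, main_by_vpc = index_route_tables(rt_doc)
    matched = [lb for lb in lb_doc["LoadBalancers"] if name_pattern.search(lb["LoadBalancerName"])]
    if not matched:
        return ["no load balancer name matched the expected pattern"]
    findings: List[str] = []
    for lb in matched:
        name = lb["LoadBalancerName"]
        if lb.get("Scheme") != "internal":
            findings.append(f"{name}: Scheme is {lb.get('Scheme')!r}, expected 'internal'")
        for az in lb.get("AvailabilityZones", []):
            if is_public_subnet(az["SubnetId"], lb["VpcId"], by_subnet, main_by_vpc):
                findings.append(f"{name}: subnet {az['SubnetId']} ({az['ZoneName']}) "
                                "has a default route to an internet gateway")
    return findings


# Constructed sample (IDs invented). The matching NLB is internal, but subnet-03 is public;
# subnet-01 egresses via a NAT gateway and subnet-02 inherits the local-only main table (both private).
SAMPLE_LBS = {"LoadBalancers": [
    {"LoadBalancerName": "k8s-consul-consulme-1d5b690c23", "Scheme": "internal", "Type": "network",
     "VpcId": "vpc-0example", "AvailabilityZones": [
         {"ZoneName": "us-east-2a", "SubnetId": "subnet-01"},
         {"ZoneName": "us-east-2b", "SubnetId": "subnet-02"},
         {"ZoneName": "us-east-2c", "SubnetId": "subnet-03"}]},
    {"LoadBalancerName": "k8s-default-other-0abc123", "Scheme": "internet-facing", "Type": "network",
     "VpcId": "vpc-0example", "AvailabilityZones": [{"ZoneName": "us-east-2a", "SubnetId": "subnet-03"}]},
]}
SAMPLE_RTS = {"RouteTables": [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0example", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-0example", "Associations": [{"SubnetId": "subnet-01"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0example", "Associations": [{"SubnetId": "subnet-03"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
]}


def main(argv: List[str]) -> int:
    if len(argv) == 3:
        with open(argv[1]) as f_lb, open(argv[2]) as f_rt:
            lb_doc, rt_doc = json.load(f_lb), json.load(f_rt)
    else:
        lb_doc, rt_doc = SAMPLE_LBS, SAMPLE_RTS
    findings = check_private_nlb(lb_doc, rt_doc)
    for line in findings:
        print("FAIL:", line)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Against real output, run it as python3 check_private_nlb.py lbs.json rtbs.json after saving the two describe calls to files; a non-zero exit means the gateway is exposed somewhere it should not be. The non-matching internet-facing load balancer in the sample is deliberately ignored, which is why the name pattern must match your namespace and Service name.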
Additional Information
Example of consul-K8s values.yaml file
global:
  enabled: true
  name: consul
  datacenter: dc1
  image: "hashicorp/consul:1.18.1"
  peering:
    enabled: true   # cluster peering requires TLS, enabled below
  tls:
    enabled: true
  acls:
    manageSystemACLs: true
  gossipEncryption:
    autoGenerate: true
server:
  replicas: 1          # single server and TRACE logging suit a lab; use 3 or 5 servers and a lower log level in production
  bootstrapExpect: 1
  extraConfig: |
    {
      "log_level": "TRACE"
    }
connectInject:
  enabled: true
  replicas: 1
meshGateway:
  enabled: true
  replicas: 1
  service:
    type: LoadBalancer
    annotations: |
      service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
ui:
  enabled: true
  service:
    enabled: true
    type: LoadBalancer   # also a LoadBalancer Service; add the same scheme annotation under ui.service.annotations to keep the UI internal