The information contained in this article has been verified as up-to-date on the date of the original publication of the article.  HashiCorp endeavors to keep this information up-to-date and correct, but it makes no representations or warranties of any kind, express or implied, about the ongoing completeness, accuracy, reliability, or suitability of the information provided.

All information contained in this article is for general information purposes only.  Any reliance you place on such information as it applies to your use of your HashiCorp product is therefore strictly at your own risk.

Introduction

When deploying the Consul Mesh Gateway as a Load Balancer on an Amazon EKS cluster, it may incorrectly launch in a public subnet within your VPC, even with the correct annotations. To ensure the Consul LoadBalancer Mesh Gateway is deployed in a private subnet, you need to install the AWS Load Balancer Controller on your EKS cluster. This installation enables the EKS cluster to recognize annotations properly, facilitating the deployment of the Mesh Gateway in the desired private subnet. This approach also applies to other Consul components, ensuring that load balancer deployments align with your subnet preferences.

Prerequisites

•  Consul-K8s running on EKS Cluster.
•  Private Subnet in same VPC as EKS Cluster.
•  AWS LoadBalancer Controller installed on EKS cluster.

Use Case

Deploying a Mesh Gateway as a LoadBalancer in a private subnet on an Amazon EKS cluster enables you to establish a highly available and fault-tolerant network infrastructure for your microservices architecture. By leveraging AWS Network Load Balancers with the Consul Mesh Gateway, you can efficiently manage traffic routing, load balancing, and service discovery within your private network.

Procedure

1. Follow the Amazon instructions to Create an Amazon EKS cluster.
2. Complete the prerequisite steps outlined in the AWS documentation Install the AWS Load Balancer Controller using Helm to create the appropriate AWS IAM Policy and IAM Service Account (aws-load-balancer-controller).
3. Add and update the EKS Helm chart repository.

   helm repo add eks https://aws.github.io/eks-charts
   helm repo update eks

4. Use Helm to install the AWS Load Balancer Controller 
   

   helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
       --namespace kube-system \
       --set clusterName=consul-cluster-dc1 \
       --set serviceAccount.create=false \
       --set serviceAccount.name=aws-load-balancer-controller

5. Add appropriate K8s annotation for Consul Mesh Gateway Load Balancer type to specify whether the LoadBalancer will be internet-facing or internal. In our case, it would be Internal.

   meshGateway:
     enabled: true
     replicas: 1
     type: LoadBalancer
     annotation:
       service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"

6. Verify the Load Balancer Details page to confirm the scheme and subnets or use below describe CLI command to get the same Loadbalancer details.
   

   aws elbv2 describe-load-balancers \
       --no-cli-pager \
       | jq -r '.LoadBalancers[]
       | select(LoadBalancerName|match("k8s-consul-consulme-.*"))

   {
     "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-2:XXXXXXXXXX:loadbalancer/net/k8s-consul-consulme-1d5b690c23/dc0ea86c150ef9ee",
     "DNSName": "k8s-consul-consulme-1d5b690c23-dc0ea86c150ef9ee.elb.us-east-2.amazonaws.com",
     "CanonicalHostedZoneId": "ZLMOA37VPKANP",
     "CreatedTime": "2024-07-11T16:50:24.707000+00:00",
     "LoadBalancerName": "k8s-consul-consulme-1d5b690c23",
     "Scheme": "internal",
     "VpcId": "vpc-XXXXXXXXXXXX",
     "State": {
       "Code": "active"
     },
     "Type": "network",
     "AvailabilityZones": [
       {
         "ZoneName": "us-east-2b",
         "SubnetId": "subnet-XXXXXXXXX02",
         "LoadBalancerAddresses": []
       },
       {
         "ZoneName": "us-east-2c",
         "SubnetId": "subnet-XXXXXXXXX03",
         "LoadBalancerAddresses": []
       },
       {
         "ZoneName": "us-east-2a",
         "SubnetId": "subnet-XXXXXXXXX01",
         "LoadBalancerAddresses": []
       }
     ],
     "SecurityGroups": [
       "sg-XXXXXXXXXXXXXXXXX",
       "sg-XXXXXXXXXXXXXXXXX"
     ],
     "IpAddressType": "ipv4"
   }
   

Additional Information

Example of consul-K8s values.yaml file

global:
 enabled: true
 name: consul
 datacenter: dc1
 image: "hashicorp/consul:1.18.1"
 peering:
   enabled: true
 tls:
   enabled: true
 acls:
   manageSystemACLs: true
 gossipEncryption:
   autoGenerate: true
server:
 replicas: 1
 bootstrapExpect: 1
 extraConfig: |
   {
     "log_level": "TRACE"
   }

connectInject:
  enabled: true
  replicas: 1

meshGateway:
  enabled: true
  replicas: 1
  type: LoadBalancer
  annotation:
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"

ui:
  enabled: true
  service:
    enabled: true
    type: LoadBalancer

Resources

• Amazon VPC Subnet types
• Create an Amazon EKS Cluster
• Install the AWS Load Balancer Controller using Helm
• AWS Load Balancer Controller