Configure the network type of an NGINX Ingress Controller - Container Service for Kubernetes

Configure an NGINX Ingress Controller for public access, private access, or dual access to accommodate clients in different network environments.

How it works

In a cluster, a Server Load Balancer (SLB) instance receives client requests and forwards them to the NGINX Ingress Controller workload. The workload then forwards the requests to other Services.

Prerequisites

An ACK managed or dedicated Kubernetes cluster
kubectl command-line tool configured to access your cluster
Appropriate permissions to manage Services and DNS records

Check current network type

First, determine the current network type of your NGINX Ingress Controller:

kubectl describe service -n kube-system nginx-ingress-lb | grep "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type"

If the output contains intranet, the current SLB is internal. Otherwise, it is public-facing.

Configure NGINX Ingress for both public and private access

To enable both public and private access, deploy two Services targeting the NGINX Ingress Controller's backend pods: one associated with a public SLB instance and the other with an internal (private) SLB instance.

Create internal Service

Create a file named nginx-ingress-lb-new.yaml:

apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-lb-intranet
  namespace: kube-system
  labels:
    app: nginx-ingress-lb
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: intranet
spec:
  type: LoadBalancer
  externalTrafficPolicy: "Cluster"
  ports:
  - port: 80
    name: http
    targetPort: 80
  - port: 443
    name: https
    targetPort: 443
  selector:
    app: ingress-nginx

Create public Service

apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-lb-internet
  namespace: kube-system
  labels:
    app: nginx-ingress-lb
spec:
  type: LoadBalancer
  externalTrafficPolicy: "Cluster"
  ports:
  - port: 80
    name: http
    targetPort: 80
  - port: 443
    name: https
    targetPort: 443
  selector:
    app: ingress-nginx

Deploy the Services

kubectl apply -f nginx-ingress-lb-new.yaml

Verify the Services

Replace <service-name> with the name of your new Service:

curl -s -o /dev/null -w "%{http_code}\n" http://$(kubectl get service -n kube-system <service-name> -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

A 200 response indicates that the Service is working properly.

Configure DNS records

For internal Service

Log on to Alibaba Cloud DNS-Private Zone
On the Authoritative Zone > User Defined Zones tab, click Add Zone (skip if already added)
In the Authoritative Zone field, enter your domain name
Click the target zone and go to the Settings tab
Click Add Record with these values:
- Record Type: A
- Hostname: Enter subdomain prefix as needed
- Record Value: The IP address of your new Service
Return to User Defined Zones list
In the Actions column, click Effective Scope
Under Effective in VPCs, select your ACK cluster's VPC

For public Service

Log on to Alibaba Cloud DNS-Public Zone
Click the target zone to go to the Settings page
Click Add Record with these values:
- Record Type: A
- Hostname: Enter subdomain prefix as needed
- Record Value: The IP address of your new Service

Change the network type

Important

This procedure involves deleting and recreating the Service, which replaces the underlying SLB instance. This will temporarily interrupt traffic to the NGINX Ingress. The original SLB instance and its associated IP address cannot be recovered.

Preparation

Confirm that the existing SLB instance has no traffic:
- Log on to the ACK console and click your target cluster
- In the left navigation pane, choose Network > Services
- Find the nginx-ingress-lb Service in the kube-system namespace and record its External IP
- Log on to the Classic Load Balancer (CLB) console
- Select the same region as your cluster
- Find the CLB instance with matching IP address
- Click the CLB instance, go to the Monitoring tab, and verify zero active connections

Change to internal network type

Delete the current Service:

kubectl delete svc -n kube-system nginx-ingress-lb

Create a new internal Service. Save this as nginx-ingress-lb.yaml:

apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-lb
  namespace: kube-system
  labels:
    app: nginx-ingress-lb
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: intranet
spec:
  type: LoadBalancer
  externalTrafficPolicy: "Cluster"
  ports:
  - port: 80
    name: http
    targetPort: 80
  - port: 443
    name: https
    targetPort: 443
  selector:
    app: ingress-nginx

Apply the configuration:
```
kubectl apply -f nginx-ingress-lb.yaml
```

Change to public network type

Delete the current Service:

kubectl delete svc -n kube-system nginx-ingress-lb

Create a new public Service. Save this as nginx-ingress-lb.yaml:

apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-lb
  namespace: kube-system
  labels:
    app: nginx-ingress-lb
spec:
  type: LoadBalancer
  externalTrafficPolicy: "Cluster"
  ports:
  - port: 80
    name: http
    targetPort: 80
  - port: 443
    name: https
    targetPort: 443
  selector:
    app: ingress-nginx

Apply the configuration:
```
kubectl apply -f nginx-ingress-lb.yaml
```

Verification

Test the new Service:

curl -s -o /dev/null -w "%{http_code}\n" http://$(kubectl get service -n kube-system nginx-ingress-lb -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

A 200 response code indicates that it is working correctly.

Record the external IP and configure DNS resolution based on your Service type using the procedures described in the dual access section above.

Troubleshooting

If Services fail to create, check that your cluster has sufficient resources and proper RBAC permissions
Verify that the NGINX Ingress Controller pods are running:
```
kubectl get pods -n kube-system -l app=ingress-nginx
```

Check Service events for error details:

kubectl describe service -n kube-system nginx-ingress-lb

Ensure your VPC and vSwitch configurations allow the required network traffic

How it works

In a cluster, Server Load Balancer (SLB) instance receives client requests and forwards them to the NGINX Ingress Controller workload. The workload then forwards the requests to other Services.

Configure NGINX Ingress for both public and private access

Check the network type of your current SLB instance.
```
kubectl describe service -n kube-system nginx-ingress-lb | grep "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type"
```
If the output contains intranet, the current SLB is internal. Otherwise, it is public-facing.

Create a new Service to ensure you have both public and internal types.

Create a file named nginx-ingress-lb-new.yaml. Then, run kubectl apply -f nginx-ingress-lb-new.yaml to create the Service.

Internal Service

apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-lb-intranet
  namespace: kube-system
  labels:
    app: nginx-ingress-lb
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: intranet # Specifies that the address type of the SLB instance is internal.
spec:
  type: LoadBalancer
  externalTrafficPolicy: "Cluster"
  ports:
  - port: 80
    name: http
    targetPort: 80
  - port: 443
    name: https
    targetPort: 443
  selector:
    app: ingress-nginx

Public Service

apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-lb-internet
  namespace: kube-system
  labels:
    app: nginx-ingress-lb
spec:
  type: LoadBalancer
  externalTrafficPolicy: "Cluster"
  ports:
  - port: 80
    name: http
    targetPort: 80
  - port: 443
    name: https
    targetPort: 443
  selector:
    app: ingress-nginx

Verify that the new Service is working correctly. Replace <service-name> in the following command with the name of the new Service. A 200 response indicates that the new Service is working properly.
```
curl -s -o /dev/null -w "%{http_code}\n" http://$(kubectl get service -n kube-system <service-name> -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
```
Get the external IP of the new Service and configure your DNS records accordingly. Replace <service-name> in the following command with the name of the new Service.
```
kubectl get service <service-name>
```
Internal Service
1. Log on to Alibaba Cloud DNS - Private Zone. On the Authoritative Zone > User Defined Zones tab, click Add Zone. If you have already added a zone, skip to step c.
2. In the Authoritative Zone field, enter the domain name. Keep the default settings for other options, and click OK.
3. Click the target zone. On the Settings tab, click Add Record. Enter the values from the following table, keep the default settings for other parameters, and click OK.
  Parameter
  Value
  Record Type
  A
  Hostname
  Enter a subdomain prefix as needed.
  Record Value
  The IP address of the new Service.
4. Return to the User Defined Zones list. In the Actions column for the target zone, click Effective Scope. Under the Effective in VPCs option, select the virtual private cloud (VPC) where your ACK cluster is located, then click OK.
Public Service
1. Log on to Alibaba Cloud DNS - Public Zone. Click the target zone to go to the Settings page. Click the Add Record button.
2. Enter the values from the following table. Keep the default settings for other parameters, and click OK.
  Parameter
  Value
  Record Type
  A
  Hostname
  Enter a subdomain prefix as needed.
  Record Value
  The IP address of the new Service.

Change the network type

Important

Confirm that the existing SLB instance has no traffic:
1. Log on to the ACK console, and click the target cluster. In the left navigation pane, choose Network > Services. Find the nginx-ingress-lb Service in the kube-system namespace and record its External IP.
2. Log on to the Classic Load Balancer (CLB) console. At the top of the page, select the same region as your cluster. Find the CLB instance with an IP Address that matches the IP address from the previous step. Click the CLB instance, go to the Monitoring tab, and verify that the instance has zero active connections before you proceed.
Delete the current Service used by the NGINX Ingress Controller.
```
kubectl delete svc -n kube-system nginx-ingress-lb
```

Create a new Service. Save the appropriate manifest below as nginx-ingress-lb.yaml and apply it by running the command kubectl apply -f nginx-ingress-lb.yaml .

Important

The new Service must be named nginx-ingress-lb.

Internal Service

apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-lb
  namespace: kube-system
  labels:
    app: nginx-ingress-lb
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: intranet # Specifies that the address type of the SLB instance is internal.
spec:
  type: LoadBalancer
  externalTrafficPolicy: "Cluster"
  ports:
  - port: 80
    name: http
    targetPort: 80
  - port: 443
    name: https
    targetPort: 443
  selector:
    app: ingress-nginx

Public Service

apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-lb
  namespace: kube-system
  labels:
    app: nginx-ingress-lb
spec:
  type: LoadBalancer
  externalTrafficPolicy: "Cluster"
  ports:
  - port: 80
    name: http
    targetPort: 80
  - port: 443
    name: https
    targetPort: 443
  selector:
    app: ingress-nginx

Test the new Service. A 200 response code indicates that it is working correctly.

curl -s -o /dev/null -w "%{http_code}\n" http://$(kubectl get service -n kube-system nginx-ingress-lb -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

Run kubectl get service nginx-ingress-lb, and record the external IP of the Service. Then, configure DNS resolution based on the new Service type:
Internal Service
1. Log on to Alibaba Cloud DNS - Private Zone. On the Authoritative Zone > User Defined Zones tab, click Add Zone. If you have already added a zone, skip to step c.
2. In the Authoritative Zone field, enter the domain name. Keep the default settings for other options, and click OK.
3. Click the target zone. On the Settings tab, click Add Record. Enter the values from the following table, keep the default settings for other parameters, and click OK.
  Parameter
  Value
  Record Type
  A
  Hostname
  Enter a subdomain prefix as needed.
  Record Value
  The IP address of the new Service.
4. Return to the User Defined Zones list. In the Actions column for the target zone, click Effective Scope. Under the Effective in VPCs option, select the virtual private cloud (VPC) where your ACK cluster is located, then click OK.
Public Service
1. Log on to Alibaba Cloud DNS - Public Zone. Click the target zone to go to the Settings page. Click the Add Record button.
2. Enter the values from the following table. Keep the default settings for other parameters, and click OK.
  Parameter
  Value
  Record Type
  A
  Hostname
  Enter a subdomain prefix as needed.
  Record Value
  The IP address of the new Service.

FAQ

Why can't I create a new Service before deleting the old one?

This is not possible because the NGINX Ingress Controller expects to find a Service with the specific default name nginx-ingress-lb during upgrades or reconciliations. Since Service names must be unique within a namespace, you cannot create a new Service with this name while the old one still exists. Delete the old Service first.

Why does the client access IP differ from the endpoint shown in the console?

The Endpoint displayed on the Ingresses page in the ACK console is the IP address of the SLB instance associated only with the Service named nginx-ingress-lb. If you have configured multiple LoadBalancer Services, the console will not display their IPs, even though the Ingress Controller will correctly route traffic from all of them. The IP address your clients actually use depends on your DNS configuration, which may point to a different SLB instance than the one displayed in the console.

If you delete and recreate the nginx-ingress-lb Service, you must update an Ingress resource to trigger a refresh of the endpoint displayed in the console.

How do I roll back if a change operation fails?

If the network type change fails, follow these steps to restore the Ingress entrypoint:

Delete the failed Service: Remove the new Service you created to eliminate any name conflicts that would prevent the default Service from being recreated.
Reinstall the component: In the ACK console, uninstall and reinstall the NGINX Ingress Controller. This action will recreate the default nginx-ingress-lb Service and restore the Ingress entrypoint.
Update DNS: Configure DNS resolution for the new nginx-ingress-lb Service. Point your domain to its new external IP and verify that traffic is being routed correctly.

Reference

To learn more about configuring annotations for an existing SLB instance, see Use an existing SLB instance.

Parameter	Value
Record Type	A
Hostname	Enter a subdomain prefix as needed.
Record Value	The IP address of the new Service.