Migrate workloads from a self-managed NGINX Ingress to an ALB Ingress - Server Load Balancer

This topic describes how to migrate workloads from a self-managed NGINX Ingress to an Application Load Balancer (ALB) Ingress.

Background information

ALB provides Ingresses that are ideal for handling traffic fluctuations. Compared with NGINX Ingresses, ALB Ingresses enhance traffic management in terms of the following advantages:

Fully managed and maintenance-free: ALB is a fully managed cloud service that does not require manual maintenance.
Automatic scaling: ALB is developed on top of the CyberStar framework and supports high-performance automatic scaling, which helps your services handle traffic spikes.
Ultra-high capabilities: Each ALB instance supports up to one million queries per second (QPS) and tens of millions of concurrent connections. SSL hardware acceleration is used by default.
Integration with cloud services: ALB can work together with various cloud services, such as Web Application Firewall (WAF), Function Compute, PrivateLink, transit routers, Enterprise Distributed Application Service (EDAS), Serverless App Engine (SAE), and Service Mesh (ASM).
Hot updates of configurations: Hot updates of configurations do not require process reloading to ensure that persistent connections remain unaffected.

Sample scenario

The following scenario is an example. A company created an Internet-facing Classic Load Balancer (CLB) instance in the China (Hangzhou) region. The company used the NGINX Ingress controller to configure Ingress forwarding rules, including redirect rules, domain-based forwarding rules, and URL-based forwarding rules. The CLB instance provides Internet-facing services through a domain name. When requests are sent to the domain name www.example.net, the requests are redirected to the CLB instance based on an A record. The CLB instance forwards the requests to the pods associated with the Service based on the forwarding rules created on the Ingress. 迁移前

Due to business development, the company needs to migrate the NGINX Ingress to an ALB Ingress. To ensure service stability, the enterprise does not want to change the domain name that is used to provide services, or the IP addresses of the backend servers. To meet this requirement, the company can install the ALB Ingress controller in a Container Service for Kubernetes (ACK) or ACK Serverless cluster. Then, the company can create Ingress rules on the controller to ensure that the ALB Ingress and the NGINX Ingress use the same forwarding rules, and configure weighted DNS records. This allows the company to migrate the NGINX Ingress to the ALB Ingress. 迁移后

Usage notes

Make sure that a kubectl client is connected to the cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
CLB and ALB use the pay-as-you-go billing method. The billable items and pricing of CLB and ALB are different. After you migrate services from CLB to ALB, the fees change. For more information, see the following topics:
- Pay-as-you-go
- ALB billing rules

Procedure

迁移步骤

Step 1: Create an ALB Ingress

Log on to the ACK console and install the ALB Ingress controller. For more information, see Manage the ALB Ingress controller.
Note
- You must install the ALB Ingress controller in the ACK or ACK Serverless cluster of the NGINX Ingress that you want to migrate.
- To allow access from the ALB Ingress to an ACK dedicated cluster, grant access permissions to the ALB Ingress controller before you deploy Services. For more information, see Authorize an ACK dedicated cluster to access the ALB Ingress controller.
Use the kubectl client to log on to the ACK cluster or ACK Serverless cluster where the NGINX Ingress is deployed and create an AlbConfig.
Note
When you create the ALB Ingress controller, if you set Gateway Source to New or Existing, the controller automatically creates an AlbConfig named alb and an IngressClass named alb. In this case, you can skip this step.
1. Create a file named albconfig.yaml and copy the following content to the file:
```
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
    name: alb-test
    addressType: Internet
    zoneMappings:
    - vSwitchId: vsw-wz9e2usil7e5an1xi****
    - vSwitchId: vsw-wz92lvykqj1siwvif****
  listeners:
    - port: 80
      protocol: HTTP
```
  zoneMappings: the IDs of the vSwitches used by the ALB Ingress. You must specify at least two vSwitches that belong to different zones. The vSwitches that you specify must belong to the same virtual private cloud (VPC) as your cluster.
  Note
  If the NGINX Ingress that you want to migrate supports IPv6, you can set addressIpVersion to DualStack in the configuration of the AlbConfig. For more information, see Use AlbConfigs to configure ALB instances.
2. Run the following command to create an AlbConfig:
```
kubectl apply -f albconfig.yaml
```
3. Run the following command to check whether the ALB instance is created:
```
kubectl get albconfig
```
  Expected output:
```
NAME       ALBID                    DNSNAME                                               PORT&PROTOCOL   CERTID   AGE
alb-demo   alb-a8mmh2tqbmrm11****   alb-a8mmh2tqbmrm11****.cn-hangzhou.alb.aliyuncs.com                            27s
```
Create an IngressClass.
Note
When you create the ALB Ingress controller, if you set Gateway Source to New or Existing, the controller automatically creates an AlbConfig named alb and an IngressClass named alb. In this case, you can skip this step.
1. Create a file named ingressclass.yaml and copy the following content to the file:
```
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: alb
spec:
  controller: ingress.k8s.alibabacloud/alb
  parameters:
    apiGroup: alibabacloud.com
    kind: AlbConfig
    name: alb-demo
```
  parameters.name: the name of the AlbConfig that you want to use.
2. Run the following command to create an IngressClass:
```
kubectl apply -f ingressclass.yaml
```
Create an ALB Ingress.
Important
If advanced forwarding rules are configured on the NGINX Ingress, you can enable the advanced features of the ALB Ingress to forward requests that are destined for different domain names or URLs to different backend servers, redirect requests from HTTP to HTTPS, and perform canary releases. For more information, see ALB Ingress advanced features.
1. Create a file named albingress.yaml and copy the following content to the file:
```
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-ingress-alb
  namespace: default
spec:
  ingressClassName: alb
  rules:
    - host: www.example.net
      http:
        paths:
          - backend:
              service:
                name: nginx
                port:
                  number: 80
            path: /
            pathType: Prefix
```
  - name: the name of the Ingress. In the same namespace, the name of the ALB Ingress must be different from the name of the NGINX Ingress.
  - ingressClassName: the name of the IngressClass that you want to use.
2. Run the following command to create an ALB Ingress:
```
kubectl apply -f albingress.yaml
```
3. Run the following command to query ALB Ingress resources:
```
kubectl get ing
```
  Expected output:
```
NAME                CLASS   HOSTS              ADDRESS                                               PORTS   AGE
demo-ingress-alb   alb     www.example.net   alb-a8mmh2tqbmrm11****.cn-hangzhou.alb.aliyuncs.com   80      10m     46s
```
  The output contains the endpoint of the ALB Ingress. Example: alb-a8mmh2tqbmrm11****.cn-hangzhou.alb.aliyuncs.com.
4. Run the following command to access the backend services from the ALB Ingress to test the traffic volume.
```
curl -H "Host:  www.example.net" http://alb-a8mmh2tqbmrm11****.cn-hangzhou.alb.aliyuncs.com
```
  If the expected output is returned, the ALB Ingress can access the backend services.

Step 2: Switch network traffic to the ALB Ingress

Warning

Before you switch network traffic to the ALB Ingress, compare the forwarding rules generated by the NGINX Ingress with the forwarding rules generated by the ALB Ingress to make sure that the forwarding rules are the same. All the configurations must be tested in case issues arise.
We recommend that you switch network traffic during off-peak hours.

Before you switch traffic, an A record must be configured for the CLB instance. The A record maps the service domain name to the IP address of the CLB instance. 现状2

After you install the ALB Ingress controller, configure the same forwarding rules as the NGINX Ingress for the ALB Ingress, and then test all configurations, you can switch network traffic to the ALB Ingress. Alibaba Cloud DNS is used as an example to show how to switch network traffic. The following steps show how to switch network traffic to the ALB instance. For more information about Alibaba Cloud DNS, see Public Authoritative DNS Resolution. 迁移步骤2

Step 1. Configure a temporary domain name for the CLB instance

We recommend that you add a CNAME record for the ALB instance. To meet the conditions for configuring weighted DNS records, you must add a CNAME record for the temporary domain name and point the temporary domain name to the IP address of the CLB instance.

Note

To configure weights for different DNS records of the same domain name, the DNS records must be of the same type and have the same hostname and ISP line. The supported types are A, CNAME, and AAAA.

Log on to the Alibaba Cloud DNS console.
On the Domain Name Resolution page, find and click the domain name www.example.net. The domain name points to the CLB instance.

On the DNS Settings page, click Add DNS Record. In the Add DNS Record panel, configure the following parameters and click OK.

Parameter	Description
Record Type	Select CNAME from the drop-down list.
Hostname	Enter the prefix of your domain name. In this example, `www` is entered.
DNS Request Source	Select Default.
Record Value	Enter a temporary domain name. In this example, `web0.example.net` is entered.
TTL	Specify a time-to-live (TTL) value for the CNAME record cached on the DNS server. In this example, the TTL is set to 5 seconds. In this example, Alibaba Cloud DNS Enterprise Ultimate Edition is used. The TTL is set to 5 seconds. You can specify a TTL value based on your business requirements. For more information, see Editions.

On the DNS Settings tab, find the A record that points to the IP address of the CLB instance and click Modify in the Actions column.
In the Modify DNS Record panel, modify the Hostname parameter and click OK. In this example, the Hostname parameter is set to web0. The other parameters are not modified.

Step 2: Add a CNAME record for the ALB instance

Run the following command to query the domain name of the ALB instance:
```
kubectl get albconfig
```
Expected output:
```
NAME       ALBID                    DNSNAME                                               PORT&PROTOCOL   CERTID   AGE
alb-demo   alb-a8mmh2tqbmrm11****   alb-a8mmh2tqbmrm11****.cn-hangzhou.alb.aliyuncs.com                             27s
```
Note
You can also log on to the ALB console to view the domain name of the ALB instance. The ALB console provides only the configurations of ALB instances. To modify the configurations, refer to the YAML file.

To create a CNAME record, perform the following steps:

Log on to the Alibaba Cloud DNS console.
On the Manage DNS page, click Add Domain Name.
In the Add Domain Name dialog box, enter your domain name and click OK.
Warning
- The domain name associated with the CLB instance is added.
- Before you create the CNAME record, use a TXT record to verify the ownership of the domain name.
Find the domain name that you want to manage and click DNS Settings in the Actions column.
On the DNS Settings page, click Add Record.

In the Add DNS Record panel, configure the following parameters and click OK.

Parameter	Description
Record Type	Select CNAME from the drop-down list.
Hostname	Enter the prefix of the domain name. In this example, `www` is entered.
DNS Request Source	Select Default.
Value	Enter the CNAME, which is the domain name of the ALB instance.
TTL	Specify a TTL value for the CNAME record to be cached on the DNS server. In this example, the TTL is set to 5 seconds. In this example, Alibaba Cloud DNS Enterprise Ultimate Edition is used. The TTL is set to 5 seconds. You can specify a TTL value based on your business requirements. For more information, see Editions.

Note

Newly created CNAME records immediately take effect. The amount of time that is required for a modified CNAME record to take effect is determined by the TTL value, which is 10 minutes by default.
If the CNAME record that you want to create conflicts with an existing record, specify another domain name.

Step 3: Specify weights for the DNS records and perform a canary release

On the Domain Name Resolution page, click the domain name that you want to manage. On the DNS Settings page, click Weight Settings in the left-side navigation pane.
On the Weighted Round-robin page, click Enable Weight in the Actions column, and then click Set Weight.
To configure weights for different DNS records of the same domain name, the DNS records must be of the same type and have the same hostname and ISP line. The supported types are A, CNAME, and AAAA.
In the Set Weight panel, configure weights for the DNS records of the CLB and ALB instances. Set the weight of the DNS record for the CLB instance to 100. Set the weight of the DNS record for the ALB instance to 0.
Gradually reduce the weight of the DNS record for the CLB instance and gradually increase the weight of the DNS record for the ALB instance. Make sure that your services are not affected.
Log on to the ECS instance on which the pods of the Service are deployed and run the dig command multiple times to check the traffic volume.
```
dig www.example.net
```
The following figure shows the output. The results show that network traffic is distributed to the ALB or CLB instance based on the weights of the DNS records.
Gradually reduce the weight of the CLB DNS record to 0 and gradually increase the ALB DNS record to 100.

If your DNS service provider does not support weighted CNAME records, click to view the traffic switching solution.

Step 3: Delete redundant resources

After you close all persistent connections on the NGINX Ingress and no traffic is forwarded to the NGINX Ingress, you can release redundant resources after a period of observation.

Delete the NGINX Ingress.
1. Log on to the ACK console. On the Clusters page, click the ID of the ACK or ACK Serverless cluster that you want to release.
2. In the left-side navigation pane, choose Network > Ingresses.
3. In the upper part of the Ingresses page, select a namespace. Find the NGINX Ingress that you want to delete and choose > Delete in the Actions column.
4. In the message that appears, click OK.
Uninstall the Nginx Ingress controller.
1. Log on to the ACK console. In the left-side navigation pane, click Clusters.
2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Operations > Add-ons.
3. On the Add-ons page, click the Networking tab, find the Nginx Ingress Controller card, and then click Uninstall.
4. In the message that appears, click OK.

Server Load Balancer:Migrate workloads from a self-managed NGINX Ingress to an ALB Ingress