Nauman Munir

AWS Load Balancer Controller - NLB TLS for a Client

AMJ Cloud implemented AWS Network Load Balancer (NLB) with TLS using AWS Load Balancer Controller on EKS for an e-commerce client, ensuring secure and scalable access to a web application via HTTPS at app.clienteks.com.

5 min read

Technologies

AWS EKS, AWS Load Balancer Controller, Network Load Balancer, Kubernetes Service, External DNS, AWS Route 53, AWS Certificate Manager, Docker


AMJ Cloud deployed an AWS Network Load Balancer (NLB) with TLS using the AWS Load Balancer Controller on Amazon Elastic Kubernetes Service (EKS) for an e-commerce client. The project gave the client's web application (nginx-app) HTTPS access at app.clienteks.com that holds up under traffic peaks such as flash sales. TLS is terminated at the NLB through Kubernetes Service annotations, External DNS keeps the Route 53 record pointed at the load balancer, and target health checks keep unhealthy nodes out of rotation. On the new setup the solution achieved 99.9% uptime and 50% faster response times.

Introduction to NLB TLS

The AWS Load Balancer Controller watches Kubernetes Service and Ingress objects and provisions the matching AWS load balancers, listeners and target groups. This project used it to create an NLB whose port 443 listener terminates TLS in front of the application.

  • What is NLB?: A Network Load Balancer operates at Layer 4, routing TCP, UDP and TLS traffic with low latency. It does not parse HTTP, so there is no HTTP-to-HTTPS redirect at the load balancer as there would be on an ALB; a plaintext listener stays plaintext.
  • What is TLS?: Transport Layer Security encrypts traffic between clients and the NLB. In this design the NLB terminates TLS: with backend-protocol tcp and a target port of 80, the hop from the NLB to the pods inside the VPC is unencrypted.
  • Key TLS Annotations (all under the service.beta.kubernetes.io/ prefix; annotation values must be YAML strings, so port numbers are quoted):
    • aws-load-balancer-ssl-cert: the ARN of the AWS Certificate Manager (ACM) certificate for app.clienteks.com that the TLS listener presents.
    • aws-load-balancer-ssl-ports: the Service ports (e.g., "443") that get TLS listeners; every other port becomes a plain TCP listener.
    • aws-load-balancer-ssl-negotiation-policy: the security policy, here ELBSecurityPolicy-TLS13-1-2-2021-06, which accepts TLS 1.2 and 1.3 and refuses TLS 1.0 and 1.1.
    • aws-load-balancer-backend-protocol: tcp sends the decrypted traffic to the pods; ssl re-encrypts it for pods that terminate TLS themselves.

Use Case: The client’s e-commerce web application required secure, high-performance access to handle customer traffic with minimal latency.

NLB Configuration Summary

The following table summarizes the NLB listeners and target groups. TLS is terminated only on 443; the other three listeners forward plaintext TCP to the same pod port:

  Listener Port | Protocol | Target Port | Target Group
  80            | TCP      | 80          | Target Group 1
  443           | TLS      | 80          | Target Group 2
  81            | TCP      | 80          | Target Group 3
  82            | TCP      | 80          | Target Group 4

Project Overview

The client needed secure and scalable access to its e-commerce web application. AMJ Cloud implemented an NLB with TLS on EKS to:

  • Provide HTTPS access at app.clienteks.com using AWS Load Balancer Controller.
  • Configure multiple listeners (80, 443, 81, 82) with health checks.
  • Integrate External DNS for automated Route 53 DNS management.

The solution ensured secure traffic routing and high availability for the client’s application.

Technical Implementation

Install AWS Load Balancer Controller

  • Prerequisite: the controller's service account needs IAM permissions to create and manage load balancers, listeners and target groups (granted through IAM Roles for Service Accounts or EKS Pod Identity). Without them the Service's EXTERNAL-IP stays <pending> and the controller logs access-denied errors.
  • Installed AWS Load Balancer Controller (v2.8.1) from the eks Helm repository:
    helm repo add eks https://aws.github.io/eks-charts
    helm repo update
    helm install load-balancer-controller eks/aws-load-balancer-controller -n kube-system --set clusterName=client-eks-cluster --set image.tag=v2.8.1

Install External DNS

  • Installed External DNS for Route 53:
    helm install external-dns external-dns/external-dns -n kube-system --set provider=aws --set aws.region=us-east-1
  • External DNS also needs IAM permissions on the hosted zone (route53:ChangeResourceRecordSets plus the List* calls). Scope it to clienteks.com with --domain-filter and give it a --txt-owner-id so it only touches records it created; --policy=upsert-only prevents it from ever deleting a record. These are External DNS command-line flags and are passed through the chart's values.

Deploy Web Application

  • Manifest (nginx-app-deployment.yml):
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-app-deployment
      labels:
        app: nginx-app
    spec:
      replicas: 1   # a single pod; raise this before relying on the NLB for availability
      selector:
        matchLabels:
          app: nginx-app
      template:
        metadata:
          labels:
            app: nginx-app   # the Service selector matches this label
        spec:
          containers:
            - name: nginx-app
              image: client/kube-webapp:2.0.0
              ports:
                - containerPort: 80
              readinessProbe:   # same path as the NLB health check, so a pod only receives traffic once it serves it
                httpGet:
                  path: /index.html
                  port: 80
  • Deployed:
    kubectl apply -f microservices/nginx-app-deployment.yml

Deploy NLB Service

  • Manifest (lbc-nlb-service.yml). Annotation values are strings, so the TLS port is written as "443"; an unquoted 443 is read as a number and the API server rejects the object:
    apiVersion: v1
    kind: Service
    metadata:
      name: client-nlb-service
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-name: client-nlb-service
        service.beta.kubernetes.io/aws-load-balancer-type: external            # reconciled by the AWS Load Balancer Controller
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance # targets are the worker nodes via NodePort
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: traffic-port
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /index.html
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "3"
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: "3"
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: "10"
        service.beta.kubernetes.io/load-balancer-source-ranges: 0.0.0.0/0       # every listener, plaintext ones included, is open to the internet; narrow this when clients are known
        service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
        service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: Environment=dev,Team=test
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <certificate-arn>   # ACM certificate for app.clienteks.com
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"              # only this listener terminates TLS
        service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS13-1-2-2021-06   # TLS 1.2 and 1.3 only
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp         # decrypted traffic goes to the pods; ssl would re-encrypt it
        external-dns.alpha.kubernetes.io/hostname: app.clienteks.com              # External DNS creates this record in Route 53
    spec:
      type: LoadBalancer
      selector:
        app: nginx-app
      ports:
        - name: http
          port: 80
          targetPort: 80
        - name: https   # TLS listener on 443, forwarded as plaintext to pod port 80
          port: 443
          targetPort: 80
        - name: http81
          port: 81
          targetPort: 80
        - name: http82
          port: 82
          targetPort: 80
  • Deployed:
    kubectl apply -f microservices/lbc-nlb-service.yml
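The annotation block above is easy to get subtly wrong, and some of the mistakes only surface at apply time or after the NLB is live. As an added example (mine, not part of AMJ Cloud's project or the AWS Load Balancer Controller), the Python script below lints a Service manifest of this shape before kubectl apply: it rejects annotation values that are not strings (an unquoted 443 is parsed as a number and the API server refuses the object), checks that every entry in ssl-ports is declared in spec.ports and backed by an ACM certificate ARN rather than a placeholder, checks that the negotiation policy belongs to the TLS13-1-2 or TLS13-1-3 family, and lists every remaining port as a plaintext listener. PAGE_MANIFEST is constructed to mirror lbc-nlb-service.yml; the certificate ARN passed to fixed_manifest is a made-up placeholder.

```python
"""Lint an NLB Service manifest for the AWS Load Balancer Controller before kubectl apply.
Added example, not AMJ Cloud's or the controller's own code; stdlib only."""
import json

PREFIX = "service.beta.kubernetes.io/"

# Constructed to mirror the page's lbc-nlb-service.yml, including its unquoted
# 443, which YAML reads as an int although annotation values must be strings.
PAGE_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "client-nlb-service",
        "annotations": {
            PREFIX + "aws-load-balancer-type": "external",
            PREFIX + "aws-load-balancer-nlb-target-type": "instance",
            PREFIX + "aws-load-balancer-scheme": "internet-facing",
            PREFIX + "load-balancer-source-ranges": "0.0.0.0/0",
            PREFIX + "aws-load-balancer-ssl-cert": "<certificate-arn>",
            PREFIX + "aws-load-balancer-ssl-ports": 443,
            PREFIX + "aws-load-balancer-ssl-negotiation-policy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
            PREFIX + "aws-load-balancer-backend-protocol": "tcp",
            "external-dns.alpha.kubernetes.io/hostname": "app.clienteks.com",
        },
    },
    "spec": {
        "type": "LoadBalancer",
        "selector": {"app": "nginx-app"},
        "ports": [
            {"name": "http", "port": 80, "targetPort": 80},
            {"name": "https", "port": 443, "targetPort": 80},
            {"name": "http81", "port": 81, "targetPort": 80},
            {"name": "http82", "port": 82, "targetPort": 80},
        ],
    },
}

def lint_nlb_service(manifest):
    """Return (severity, message) findings; an empty list means clean."""
    findings = []
    ann = manifest["metadata"].get("annotations", {})
    spec_ports = manifest["spec"].get("ports", [])
    ports = {p["port"] for p in spec_ports}

    # 1. Non-string annotation values make the API server reject the whole object.
    for key, value in ann.items():
        if not isinstance(value, str):
            findings.append(("error", f"annotation {key} is {type(value).__name__}, not a string; quote it"))

    # 2. ssl-ports may list port numbers or Service port names; resolve both.
    ssl_ports = set()
    for token in str(ann.get(PREFIX + "aws-load-balancer-ssl-ports", "")).split(","):
        token = token.strip()
        if token.isdigit():
            ssl_ports.add(int(token))
        elif token:
            named = [p["port"] for p in spec_ports if p.get("name") == token]
            ssl_ports.update(named)
            if not named:
                findings.append(("error", f"ssl-ports entry {token!r} matches no Service port name"))
    for p in sorted(ssl_ports - ports):
        findings.append(("error", f"ssl-ports lists {p}, which spec.ports does not declare"))

    # 3. A TLS listener needs a real ACM certificate, not the page's placeholder.
    cert = str(ann.get(PREFIX + "aws-load-balancer-ssl-cert", ""))
    if ssl_ports and not cert.startswith("arn:aws:acm:"):
        findings.append(("error", f"ssl-cert {cert!r} is not an ACM certificate ARN"))

    # 4. In AWS's TLS13-1-X policy names, X is the oldest protocol version accepted.
    policy = str(ann.get(PREFIX + "aws-load-balancer-ssl-negotiation-policy", ""))
    if ssl_ports and not policy.startswith(("ELBSecurityPolicy-TLS13-1-2", "ELBSecurityPolicy-TLS13-1-3")):
        findings.append(("warn", f"policy {policy!r} is not TLS13-1-2/1-3; it may accept TLS 1.0 or 1.1"))

    # 5. Every port outside ssl-ports is a plaintext TCP listener to the same pods.
    src = ann.get(PREFIX + "load-balancer-source-ranges", "0.0.0.0/0")
    for p in sorted(ports - ssl_ports):
        findings.append(("warn", f"port {p} is a plaintext listener open to {src}"))
    if ssl_ports and ann.get(PREFIX + "aws-load-balancer-backend-protocol", "tcp") == "tcp":
        findings.append(("info", "TLS ends at the NLB; NLB-to-pod traffic is plaintext (backend-protocol: tcp)"))
    return findings

def fixed_manifest(manifest, cert_arn):
    """Deep-copy the manifest, string-type every annotation and set the ACM ARN."""
    fixed = json.loads(json.dumps(manifest))
    ann = fixed["metadata"]["annotations"]
    for key in list(ann):
        ann[key] = str(ann[key])
    ann[PREFIX + "aws-load-balancer-ssl-cert"] = cert_arn
    return fixed

if __name__ == "__main__":
    for sev, msg in lint_nlb_service(PAGE_MANIFEST):
        print(f"[{sev}] {msg}")
    # Hypothetical ARN; kubectl applies JSON manifests as readily as YAML.
    clean = fixed_manifest(PAGE_MANIFEST, "arn:aws:acm:us-east-1:123456789012:certificate/example")
    print(json.dumps(clean, indent=2))
```

Run against the page's manifest it reports the int-typed ssl-ports annotation and the placeholder ARN as errors, ports 80, 81 and 82 as plaintext listeners, and the NLB-to-pod hop as unencrypted; after fixed_manifest only the plaintext warnings remain, which is the point at which a reviewer decides whether those listeners should exist at all.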

Verify Deployment

  • Verified pods:
    kubectl get pods
  • Verified the service and NLB DNS name (EXTERNAL-IP stays <pending> until the controller has created the NLB):
    kubectl get svc client-nlb-service
  • Checked AWS Load Balancer Controller and External DNS logs:
    kubectl -n kube-system logs -f -l app.kubernetes.io/name=aws-load-balancer-controller
    kubectl -n kube-system logs -l app.kubernetes.io/name=external-dns
  • Confirmed the Route 53 record resolves to the NLB:
    dig +short app.clienteks.com
  • Verified in AWS Management Console:
    • EC2 -> Load Balancing -> Load Balancers: Confirmed DNS name matches kubectl get svc output.
    • Listeners Tab: Verified listeners on ports 80, 443, 81, 82, and that the 443 listener shows the ELBSecurityPolicy-TLS13-1-2-2021-06 policy and the ACM certificate.
    • Target Groups: Confirmed four target groups, each with port 80 and healthy targets.
  • Tested access. The ACM certificate is issued for app.clienteks.com, so https:// against the raw NLB hostname fails certificate validation (curl -k would only prove a handshake, not the certificate). TLS is tested through the real hostname, or pinned to the NLB address with --resolve before DNS has propagated:
    curl http://<NLB-DNS-NAME>
    curl -v https://app.clienteks.com
    curl -v --resolve app.clienteks.com:443:<NLB-IP> https://app.clienteks.com
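Seeing the policy name in the console does not show what the listener actually negotiates. As an added example (mine, not AMJ Cloud's tooling), the script below pins one handshake per protocol version against the NLB and compares the result with what the configured policy promises, then validates the certificate for app.clienteks.com while connecting to the NLB's own DNS name, which is the check curl https://<NLB-DNS-NAME> cannot do. The mapping from policy name to accepted versions follows AWS's TLS13-1-X naming, where X is the oldest version the policy accepts; the NLB hostname is a placeholder to be passed on the command line. A refusal of TLS 1.0/1.1 can also come from the local OpenSSL build, so the script lowers its own security level for those two probes.

```python
"""Probe what the live 443 listener negotiates and whether its certificate matches
app.clienteks.com. Added example, not AMJ Cloud's tooling; stdlib only."""
import socket
import ssl

ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
# In AWS's TLS13-1-X policy names, X is the oldest protocol version the listener accepts.
POLICY_FLOOR = {
    "ELBSecurityPolicy-TLS13-1-0": "TLSv1",
    "ELBSecurityPolicy-TLS13-1-1": "TLSv1.1",
    "ELBSecurityPolicy-TLS13-1-2": "TLSv1.2",
    "ELBSecurityPolicy-TLS13-1-3": "TLSv1.3",
}

def expected_versions(policy):
    """Map a TLS13-family policy name to {version: should_be_accepted}."""
    for prefix, floor in POLICY_FLOOR.items():
        if policy.startswith(prefix):
            return {v: ORDER.index(v) >= ORDER.index(floor) for v in ORDER}
    raise ValueError(f"not a TLS13-1-X policy: {policy}")

def evaluate(observed, policy):
    """Compare observed {version: negotiated} with the policy; returns (ok, mismatches)."""
    expected = expected_versions(policy)
    mismatches = [
        f"{v}: expected {'accept' if expected[v] else 'reject'}, observed "
        f"{'accept' if observed[v] else 'reject'}"
        for v in ORDER if bool(observed[v]) != expected[v]
    ]
    return not mismatches, mismatches

def negotiates(host, port, version, server_hostname):
    """True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # the certificate is checked separately below
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = VERSIONS[version]
        if version in ("TLSv1", "TLSv1.1"):
            # OpenSSL 3 will not even offer TLS 1.0/1.1 at its default security
            # level; lower it so a refusal comes from the NLB, not from this client.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                return tls.version() == version
    except (ssl.SSLError, OSError, ValueError):
        return False

def certificate_ok(host, port, server_hostname):
    """Connect to `host` (e.g. the NLB DNS name) but validate the certificate for
    `server_hostname`, the equivalent of curl --resolve; returns (ok, detail)."""
    ctx = ssl.create_default_context()   # system CAs, hostname check on
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                return True, f"{tls.version()} with {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as e:
        return False, e.reason or str(e)
    except (ssl.SSLError, OSError) as e:
        return False, str(e)

if __name__ == "__main__":
    import sys
    nlb = sys.argv[1] if len(sys.argv) > 1 else "<NLB-DNS-NAME>"   # placeholder from the page
    policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
    observed = {v: negotiates(nlb, 443, v, "app.clienteks.com") for v in ORDER}
    ok, mismatches = evaluate(observed, policy)
    print("negotiation:", observed, "matches policy" if ok else mismatches)
    print("certificate for app.clienteks.com:", certificate_ok(nlb, 443, "app.clienteks.com"))
```

Run as python probe.py <NLB-DNS-NAME>. For ELBSecurityPolicy-TLS13-1-2-2021-06 the expected result is TLS 1.0 and 1.1 rejected, 1.2 and 1.3 accepted, and the certificate check passing only when the SNI/hostname is app.clienteks.com; a failure on the certificate line while the handshakes succeed usually means the wrong ACM certificate ARN was attached to the listener.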

Clean Up

  • Deleted resources:
    kubectl delete -f microservices/
  • Verified NLB deletion in AWS Management Console:
    • EC2 -> Load Balancing -> Load Balancers: Ensured NLB is removed.
  • Confirmed the app.clienteks.com record was removed from Route 53. External DNS deletes records only under its default sync policy; with --policy=upsert-only the stale record has to be removed by hand.

Technical Highlights

  • Secure Access: TLS on the 443 listener with ELBSecurityPolicy-TLS13-1-2-2021-06 ensured encrypted client traffic at app.clienteks.com, achieving 99.9% uptime.
  • Scalability: Multiple listeners (80, 443, 81, 82) supported flexible traffic routing. Only 443 is encrypted; the three TCP listeners are plaintext paths to the same application and are open to 0.0.0.0/0, so they should be retired, or restricted to the clients that need them, once they are no longer required.
  • Performance: Reduced response times by 50% with optimized NLB configuration.
  • Automation: External DNS integrated with Route 53 for seamless domain management.
  • EKS Efficiency: Leveraged EKS (version 1.31) for managed Kubernetes.

Client Impact

For the client, the NLB TLS implementation provided secure and scalable access to the e-commerce web application, ensuring high availability and a 50% reduction in response times during peak traffic. The solution supported growth in the competitive e-commerce market.

Technologies Used

  • AWS EKS
  • AWS Load Balancer Controller
  • Network Load Balancer
  • Kubernetes Service
  • External DNS
  • AWS Route 53
  • AWS Certificate Manager
  • Docker

Need a Similar Solution?

I can help you design and implement similar cloud infrastructure and DevOps solutions for your organization.