mirror of
https://github.com/poseidon/typhoon
synced 2025-07-10 13:54:20 +02:00
* AWS IPv4 address pricing is quite high compared to other clouds, and an NLB unavoidably uses at least 3. * Unlike Azure's nice outbound through LB options, AWS has only NAT options which are even more costly than IPv4 in budget clusters. Another option is to simply forget about accessing nodes via IPv4 or outbound IPv4 internet access (tradeoff: GitHub is a notable website that only serves via IPv4, so cut ties)
110 lines
2.7 KiB
HCL
110 lines
2.7 KiB
HCL
# Network Load Balancer DNS Record
|
|
resource "aws_route53_record" "apiserver" {
|
|
zone_id = var.dns_zone_id
|
|
|
|
name = format("%s.%s.", var.cluster_name, var.dns_zone)
|
|
type = "A"
|
|
|
|
# AWS recommends their special "alias" records for NLBs
|
|
alias {
|
|
name = aws_lb.nlb.dns_name
|
|
zone_id = aws_lb.nlb.zone_id
|
|
evaluate_target_health = true
|
|
}
|
|
}
|
|
|
|
resource "aws_route53_record" "apiserver-ipv6" {
|
|
zone_id = var.dns_zone_id
|
|
|
|
name = format("%s.%s.", var.cluster_name, var.dns_zone)
|
|
type = "AAAA"
|
|
|
|
# AWS recommends their special "alias" records for NLBs
|
|
alias {
|
|
name = aws_lb.nlb.dns_name
|
|
zone_id = aws_lb.nlb.zone_id
|
|
evaluate_target_health = true
|
|
}
|
|
}
|
|
|
|
# Network Load Balancer for apiservers and ingress
|
|
resource "aws_lb" "nlb" {
|
|
name = "${var.cluster_name}-nlb"
|
|
load_balancer_type = "network"
|
|
ip_address_type = "dualstack"
|
|
internal = false
|
|
|
|
subnets = aws_subnet.public.*.id
|
|
|
|
enable_cross_zone_load_balancing = true
|
|
}
|
|
|
|
# Forward TCP apiserver traffic to controllers
|
|
resource "aws_lb_listener" "apiserver-https" {
|
|
load_balancer_arn = aws_lb.nlb.arn
|
|
protocol = "TCP"
|
|
port = "6443"
|
|
|
|
default_action {
|
|
type = "forward"
|
|
target_group_arn = aws_lb_target_group.controllers.arn
|
|
}
|
|
}
|
|
|
|
# Forward HTTP ingress traffic to workers
|
|
resource "aws_lb_listener" "ingress-http" {
|
|
load_balancer_arn = aws_lb.nlb.arn
|
|
protocol = "TCP"
|
|
port = 80
|
|
|
|
default_action {
|
|
type = "forward"
|
|
target_group_arn = module.workers.target_group_http
|
|
}
|
|
}
|
|
|
|
# Forward HTTPS ingress traffic to workers
|
|
resource "aws_lb_listener" "ingress-https" {
|
|
load_balancer_arn = aws_lb.nlb.arn
|
|
protocol = "TCP"
|
|
port = 443
|
|
|
|
default_action {
|
|
type = "forward"
|
|
target_group_arn = module.workers.target_group_https
|
|
}
|
|
}
|
|
|
|
# Target group of controllers
|
|
resource "aws_lb_target_group" "controllers" {
|
|
name = "${var.cluster_name}-controllers"
|
|
vpc_id = aws_vpc.network.id
|
|
target_type = "instance"
|
|
|
|
protocol = "TCP"
|
|
port = 6443
|
|
|
|
# TCP health check for apiserver
|
|
health_check {
|
|
protocol = "TCP"
|
|
port = 6443
|
|
|
|
# NLBs required to use same healthy and unhealthy thresholds
|
|
healthy_threshold = 3
|
|
unhealthy_threshold = 3
|
|
|
|
# Interval between health checks required to be 10 or 30
|
|
interval = 10
|
|
}
|
|
}
|
|
|
|
# Attach controller instances to apiserver NLB
|
|
resource "aws_lb_target_group_attachment" "controllers" {
|
|
count = var.controller_count
|
|
|
|
target_group_arn = aws_lb_target_group.controllers.arn
|
|
target_id = aws_instance.controllers.*.id[count.index]
|
|
port = 6443
|
|
}
|
|
|