NetScaler ingress controller

How to load balance ingress traffic to TCP or UDP based application

April 8, 2024

Contributed by:

C C

In a Kubernetes environment, an ingress object allows access to the Kubernetes services from outside the Kubernetes cluster. Standard Kubernetes ingress resources assume that all the traffic is HTTP-based and do not cater to non-HTTP based protocols such as TCP, UDP, and SSL. Hence, any non-HTTP applications such as DNS, FTP or LDAP cannot be exposed using the standard Kubernetes ingress.

NetScaler provides a solution using ingress annotations to load balance TCP or UDP-based ingress traffic. When you specify these annotations in the ingress resource definition, NetScaler Ingress Controller configures NetScaler to load balance TCP or UDP-based ingress traffic.

You can use the following annotations in your Kubernetes ingress resource definition to load balance the TCP or UDP-based ingress traffic:

ingress.citrix.com/insecure-service-type: This annotation enables L4 load balancing with TCP, UDP, or ANY as a protocol for NetScaler.
ingress.citrix.com/insecure-port: This annotation configures the port for HTTP, TCP or UDP traffic. It is helpful when micro service access is required on a non-standard port. By default, port 80 is configured.

For more information about annotations, see annotations.

You can also use the standard Kubernetes solution of creating a service of type LoadBalancer with NetScaler. You can find out more about Service Type LoadBalancer in NetScaler.

Sample: Ingress definition for TCP-based ingress.

kubectl apply -f - <<EOF 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.citrix.com/insecure-port: '6379'
    ingress.citrix.com/insecure-service-type: tcp
  name: redis-master-ingress
spec:
  ingressClassName: guestbook
  defaultBackend:
    service:
      name: redis-master-pods
      port:
        number: 6379
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: guestbook
spec:
  controller: citrix.com/ingress-controller
 EOF
<!--NeedCopy-->

Sample: Ingress definition for UDP-based ingress.

kubectl apply -f - <<EOF 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.citrix.com/insecure-port: "5084"
    ingress.citrix.com/insecure-service-type: "udp"
  name: udp-ingress
spec:
  defaultBackend:
    service:
      name: frontend
      port:
        name: udp-53  # Service port name defined in the service defination
EOF
<!--NeedCopy-->

Sample: Service definition where the service port name is defined as udp-53:

kubectl apply -f - <<EOF 
apiVersion: v1
kind: Service
metadata:
  name: bind
  labels:
    app: bind
spec:
  ports:
  - name: udp-53
    port: 53
    targetPort: 53
    protocol: UDP
  selector:
    name: bind
EOF
<!--NeedCopy-->

Load balance ingress traffic based on SSL over TCP

NetScaler Ingress Controller provides ingress.citrix.com/secure-service-type: ssl_tcp annotation that you can use to load balance ingress traffic based on SSL over TCP.

Sample: Ingress definition for SSL over TCP based Ingress.

kubectl apply -f - <<EOF 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.citrix.com/secure-service-type: "ssl_tcp"
    ingress.citrix.com/secure-backend: '{"frontendcolddrinks":"True"}'
  name: colddrinks-ingress
spec:
  ingressClassName: colddrink
  defaultBackend:
    service:
      name: frontend-colddrinks
      port:
        number: 443
  tls:
  - secretName: "colddrink-secret"
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: colddrink
spec:
  controller: citrix.com/ingress-controller
EOF
<!--NeedCopy-->

Monitor and improve the performance of your TCP or UDP-based applications

Application developers can closely monitor the health of TCP or UDP-based applications through rich monitors (such as TCP-ECV, UDP-ECV) in NetScaler. The ECV (extended content validation) monitors help in checking whether the application returns expected content or not. NetScaler Ingress Controller provides ingress.citrix.com/monitor annotation that can be used to monitor the health of the backend service.

Also, the application performance can be improved by using persistence methods such as Source IP. You can use these NetScaler features through Smart Annotations in Kubernetes.

The following ingress resource example uses smart annotations:

kubectl apply -f - <<EOF 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:  
    ingress.citrix.com/frontend-ip: "192.168.1.1"
    ingress.citrix.com/insecure-port: "80"
    ingress.citrix.com/lbvserver: '{"mongodb-svc":{"lbmethod":"SRCIPDESTIPHASH"}}'
    ingress.citrix.com/monitor: '{"mongodbsvc":{"type":"tcp-ecv"}}'
  name: mongodb
spec:
  rules:
  - host: mongodb.beverages.com
    http:
      paths:
      - backend:
          service:
            name: mongodb-svc
            port:
              number: 80
        path: /
        pathType: Prefix
EOF
<!--NeedCopy-->

For more information about the different deployment options supported by NetScaler Ingress Controller, see Deployment topologies.

For more information about deploying NetScaler Ingress Controller:

Deploy the NetScaler Ingress Controller using Helm charts

How to expose non-standard HTTP ports in the NetScaler CPX service

Sometimes you need to expose ports other than 80 and 443 in a NetScaler CPX service for allowing TCP or UDP traffic on other ports. This section provides information on how to expose other non-standard HTTP ports on the NetScaler CPX service when you deploy it in the Kubernetes cluster.

For Helm chart deployments

To expose non-standard HTTP ports while deploying NetScaler CPX with ingress controller using Helm charts, see the Helm chart installation guide.

For deployments using the OpenShift operator

For deployments using the OpenShift operator, you need to edit the YAML definition to create CPX with ingress controller as specified in the step 6 of Deploy the NetScaler Ingress Controller as a sidecar with NetScaler CPX using NetScaler Operator and specify the ports as shown in the following example:

servicePorts:
  - port: 80
    protocol: TCP
    name: http
  - port: 443
    protocol: TCP
    name: https
  - port: 6379
    protocol: TCP
    name: tcp
<!--NeedCopy-->

The following sample configuration is an example for deployment using the OpenShift Operator. The service port definitions are highlighted in green.

Service port .

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

How to load balance ingress traffic to TCP or UDP based application

April 8, 2024

Contributed by:

C C

April 8, 2024

Contributed by:

C C

How to load balance ingress traffic to TCP or UDP based application

Load balance ingress traffic based on SSL over TCP

Monitor and improve the performance of your TCP or UDP-based applications

How to expose non-standard HTTP ports in the NetScaler CPX service

For Helm chart deployments

For deployments using the OpenShift operator

In this article