Expose Kubernetes service over VPC


I have 2 Kubernetes clusters in the same VPC. One of those clusters has a database running (let’s call it cluster A). I’d like to access that database from the other cluster (let’s call this one cluster B).

Now, I have a service (db-service) on cluster A which exposes the port for the correct deployment. On cluster B, I’d like to connect to that service via the VPC. I don’t want to expose the database to the internet, because of security reasons. But I can’t find a way to accomplish this. I can access the internal IP of the node running the database pod, but these IPs can change and it’s not a very nice solution when you’re running multiple nodes.

Is there any way to do this?

I’ve also tried a LoadBalancer, but I can’t configure the firewall of the LoadBalancer.

Hello @bartv,

If you would like to communicate via private IP between a managed database and a managed Kubernetes cluster, you need to add both of the clusters to the same VPC:

However, it is not possible to directly communicate between pods in different clusters, even in the same VPC network. You need to set up a Service such as a LoadBalancer or NodePort.

Coming to the firewall query, unfortunately, we do not support putting LoadBalancers behind our Cloud Firewalls. This is a limitation not of DOKS but of the current LoadBalancer product.

However, there is a way to accomplish this by exposing an ingress controller via a LoadBalancer. You could then use the plethora of annotations to determine and handle the traffic. You could tell your ingress controller to drop or block traffic before it reaches your applications using a whitelist.

I hope this helps!

Best Regards, Purnima Kumari Developer Support Engineer II, DigitalOcean
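As an added illustration that is not part of the thread above or DigitalOcean's own documentation, the manifests below show the two options the answer names: a NodePort Service on cluster A, and a single LoadBalancer in front of ingress-nginx with per-Ingress source allow-listing. Everything not stated in the thread is an assumption: the database is taken to be PostgreSQL on port 5432, the namespace is `default`, the Deployment carries the label `app: db`, the VPC range is `10.110.0.0/20`, and the cluster B endpoint address `10.110.0.5` is a placeholder. The `tcp-services` ConfigMap is the ingress-nginx mechanism for proxying a raw TCP port, since an Ingress object only covers HTTP(S).

```yaml
# Option 1: NodePort on cluster A. Pods in cluster B can reach
# <any-node-private-IP>:30432 over the VPC. Node IPs can still change,
# which is the drawback raised in the question.
apiVersion: v1
kind: Service
metadata:
  name: db-service
  namespace: default            # assumed namespace
spec:
  type: NodePort
  selector:
    app: db                     # assumed label on the database Deployment
  ports:
    - name: postgres            # assumed: PostgreSQL
      port: 5432
      targetPort: 5432
      nodePort: 30432
---
# Option 2 (the answer's approach): one LoadBalancer in front of ingress-nginx.
# The raw database port is carried through the controller's tcp-services
# ConfigMap, whose entries have the form "<lb port>": "<namespace>/<service>:<port>".
# The controller must be started with --tcp-services-configmap pointing here,
# and its own LoadBalancer Service must list port 5432 as well.
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  "5432": "default/db-service:5432"
---
# For an HTTP application in cluster A, this ingress-nginx annotation makes the
# controller reject requests from outside the VPC range before they reach the
# pod. It only works if the controller sees the real client address (PROXY
# protocol enabled on the LoadBalancer or externalTrafficPolicy: Local);
# otherwise every request appears to come from the LoadBalancer itself.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api                     # assumed HTTP application
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.110.0.0/20"  # assumed VPC CIDR
spec:
  ingressClassName: nginx
  rules:
    - host: api.internal.example      # assumed hostname
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api-service     # assumed Service name
                port:
                  number: 8080
---
# Cluster B: a selector-less Service plus a hand-written Endpoints object gives
# the cluster A endpoint a stable in-cluster DNS name
# (db-service.default.svc.cluster.local), so application config never embeds
# a node or LoadBalancer IP. The Endpoints name must match the Service name.
apiVersion: v1
kind: Service
metadata:
  name: db-service
  namespace: default
spec:
  ports:
    - port: 5432
      targetPort: 5432
---
apiVersion: v1
kind: Endpoints
metadata:
  name: db-service
  namespace: default
subsets:
  - addresses:
      - ip: 10.110.0.5          # assumed: cluster A LoadBalancer or node private IP
    ports:
      - port: 5432
```

Two caveats a practitioner should keep in mind: the `whitelist-source-range` annotation applies to Ingress objects only, so the TCP port proxied via `tcp-services` gets no source filtering from it and must rely on the database's own authentication and TLS (or a NetworkPolicy on the database pod); and the NodePort in option 1 is open on every node's VPC address, so it should be paired with the database's own access controls as well.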