EKS NLB target groups protocol change to https

Question

Hi, how to change the target groups protocol to https? The listener is TLS with cert binding is working however the backend forward to the pod is not working, I unable to find the annotation to change the protocol from tcp (current) to https, can you share the correct annotations.

annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb-ip"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "https"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "2"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: "2"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:xxxxxxxxxxxx

Accepted Answer

Hello,

The NLB [Listeners support](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-listeners.html) the following protocols: TCP, TLS, UDP, TCP_UDP.

The annotation `service.beta.kubernetes.io/aws-load-balancer-backend-protocol` specifies whether to use TLS for the backend traffic between the load balancer and the kubernetes pods.

If you specify `ssl` as the backend protocol, NLB uses TLS connections for the traffic to your kubernetes pods in case of TLS listeners

You can specify `ssl` or `tcp` (default). HTTPS is not supported. If you want to configure HTTPS listener, you will need to implement Kubernetes ingress to create ALB instead of NLB and Kubernetes Service.

Refer to [doc](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/guide/service/annotations/#backend-protocol) to know more.

EKS NLB target groups protocol change to https

Relevanter Inhalt