Global Accelerator does not work in front of EKS ALB ingress controller

0

Hi, I have an ALB ingress that works perfectly. But when I put AWS Global Accelerator in front of it, the page returns a 404. This is the ingress config:

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd
  namespace: argocd
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    # it will not work for ArgoCD if the target-type: is instance
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/load-balancer-name: argocd1
    alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:eu-central-1:etc..."
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443' # Redirect all HTTP to HTTPS
    alb.ingress.kubernetes.io/subnets: subnet-x1, subnet-x2, subnet-x3
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
  ingressClassName: alb
  rules:
  - host: argocd1.test.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: argocd-server
            port:
              number: 443

This setup works perfectly when I access the page directly over the ALB, but not through AWS Global Accelerator. The listeners in GA are all healthy. With curl I can see this response:

HTTP/2 404 
server: awselb/2.0
date: Thu, 08 Aug 2024 10:35:07 GMT
content-type: text/plain; charset=utf-8
content-length: 0

So it somehow gets to the ALB, but the ALB can't respond back.

3 Answers
0

Try to enable the access logs on the ALB and compare between the requests made directly to the ALB and through the global accelerator.

How are you pointing your client through the Global Accelerator? Are you creating a CNAME (or an alias, if the domain is on Route 53) that maps the custom domain to the Global Accelerator domain? (see here)

If you are using the Global Accelerator domain (<something>.awsglobalaccelerator.com) instead of the custom domain when making the request, it will not be matched by your ingress rule, which only forwards requests to your backend servers when the host is argocd1.test.com.

AWS EXPERT
answered 2 months ago
  • I'm using my custom domain hosted on AWS (it's not test.com) and alias pointing to Global Accelerator. I tried both alias and A records that point to IP addresses of Global Accelerator but the result is the same 404 error.

  • Please share the access logs (redact any sensitive information). It will help to better understand the difference.

  • Unfortunately, there are no access logs when it goes through Global Accelerator, only for the requests connecting directly to the ALB.

  • In a test I made in my account I could see access logs in both scenarios: when sending the request directly to the ALB and via the Global Accelerator. Are you sure your Global Accelerator is associated with this specific ALB? You can verify by navigating in the management console to this ALB -> Integration -> AWS Global Accelerator.

  • I'm using the cross-account attachment option, so I have "No Integration detected" in ALB -> Integration -> AWS Global Accelerator on this account. But in the other account, where I have the GA, I can see it's healthy: Endpoint type ALB, Client IP address Enabled, Health status Healthy, Weight 128.
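The answer above suggests comparing ALB access logs for direct and accelerated requests, and explains that a request carrying the accelerator's own hostname never matches the Ingress host rule, so the ALB's default action answers 404 before any target is involved. The following script is an added example, not code from the answerer or from AWS: it parses ALB access-log lines (using the documented field order), pulls out the Host the ALB actually matched on, checks it against the host rule copied from the Ingress in the question, and tells an ALB-generated 404 (no target, `fixed-response` action, default rule priority 0) from a 404 that a target returned. The two log lines are constructed for the example; the accelerator hostname, target IP, ARNs and trace IDs in them are placeholders.

```python
"""Added diagnostic (not from the thread): parse ALB access-log lines,
extract the Host the ALB matched on, and tell an ALB default-action 404
(no rule matched) from a 404 returned by a target."""
import fnmatch
import shlex
from urllib.parse import urlsplit

# ALB access-log fields in log order; the later fields (redirect_url,
# error_reason, target:port_list, ...) are not needed here and stay unnamed.
FIELDS = [
    "type", "time", "elb", "client_port", "target_port",
    "request_processing_time", "target_processing_time",
    "response_processing_time", "elb_status_code", "target_status_code",
    "received_bytes", "sent_bytes", "request", "user_agent", "ssl_cipher",
    "ssl_protocol", "target_group_arn", "trace_id", "domain_name",
    "chosen_cert_arn", "matched_rule_priority", "request_creation_time",
    "actions_executed",
]

# Host rule copied from the Ingress in the question.
INGRESS_HOSTS = ["argocd1.test.com"]


def parse_alb_log_line(line):
    """Split one access-log line into a dict; quoted fields keep their spaces."""
    parts = shlex.split(line)
    if len(parts) < len(FIELDS):
        raise ValueError("short ALB log line: %d fields" % len(parts))
    rec = dict(zip(FIELDS, parts))
    # "request" is 'METHOD URL PROTOCOL'; the URL carries the Host the ALB saw.
    method, url, protocol = rec["request"].split(" ", 2)
    split = urlsplit(url)
    rec.update(method=method, protocol=protocol,
               request_host=(split.hostname or "").lower(),
               request_path=split.path or "/")
    return rec


def host_matches(request_host, ingress_hosts=INGRESS_HOSTS):
    """ALB host conditions are case-insensitive and allow * and ? wildcards;
    fnmatch is a close enough approximation for hostnames."""
    host = request_host.lower()
    return any(fnmatch.fnmatchcase(host, h.lower()) for h in ingress_hosts)


def diagnose(rec, ingress_hosts=INGRESS_HOSTS):
    """Classify a record: backend 404 vs ALB default-action 404 (and why)."""
    if rec["elb_status_code"] != "404":
        return "not-a-404"
    served_by_alb = (rec["target_port"] == "-"
                     and rec["target_status_code"] == "-"
                     and "forward" not in rec["actions_executed"])
    if not served_by_alb:
        return "backend-404"  # a target answered 404; look at the application
    if not host_matches(rec["request_host"], ingress_hosts):
        return "alb-default-404-host-mismatch"
    return "alb-default-404-rule-mismatch"  # host fine, so path/other condition


def compare(lines, ingress_hosts=INGRESS_HOSTS):
    """Summarise each line so direct and accelerated requests sit side by side."""
    rows = []
    for line in lines:
        rec = parse_alb_log_line(line)
        rows.append({
            "client": rec["client_port"].rsplit(":", 1)[0],
            "host": rec["request_host"],
            "sni": rec["domain_name"],
            "rule_priority": rec["matched_rule_priority"],
            "actions": rec["actions_executed"],
            "elb_status": rec["elb_status_code"],
            "verdict": diagnose(rec, ingress_hosts),
        })
    return rows


# Constructed sample lines (not real logs): one request straight to the ALB
# using the custom domain, one that arrived using the accelerator DNS name.
SAMPLE_LINES = [
    'https 2024-08-08T10:30:00.000000Z app/argocd1/0123456789abcdef 203.0.113.10:50100 '
    '10.0.1.25:8080 0.001 0.012 0.000 200 200 120 4321 '
    '"GET https://argocd1.test.com:443/ HTTP/2.0" "curl/8.5.0" '
    'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 '
    'arn:aws:elasticloadbalancing:eu-central-1:111122223333:targetgroup/k8s-argocd-EXAMPLE/0123456789abcdef '
    '"Root=1-66b4a0a8-0000000000000000cafef00d" "argocd1.test.com" '
    '"arn:aws:acm:eu-central-1:111122223333:certificate/EXAMPLE" 1 '
    '2024-08-08T10:30:00.000000Z "forward" "-" "-" "10.0.1.25:8080" "200" "-" "-" TID_example',
    'https 2024-08-08T10:35:07.000000Z app/argocd1/0123456789abcdef 203.0.113.10:51234 '
    '- -1 -1 -1 404 - 120 0 '
    '"GET https://a1234567890abcdef.awsglobalaccelerator.com:443/ HTTP/2.0" "curl/8.5.0" '
    'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - '
    '"Root=1-66b4a1cb-0000000000000000deadbeef" "a1234567890abcdef.awsglobalaccelerator.com" '
    '"arn:aws:acm:eu-central-1:111122223333:certificate/EXAMPLE" 0 '
    '2024-08-08T10:35:07.000000Z "fixed-response" "-" "-" "-" "-" "-" "-" TID_example',
]

if __name__ == "__main__":
    for row in compare(SAMPLE_LINES):
        print(row)
```

Feed it the real lines from the ALB's access-log bucket (one batch captured while hitting the ALB directly, one while going through the accelerator) and look at the `host`, `rule_priority` and `actions` columns: a request that reaches the Ingress listener rule shows priority 1 and `forward`, while one that falls through to the controller's default rule shows priority 0 and `fixed-response` with no target, which is the ALB answering 404 on its own.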

0

Hello,

Please try this; it will be helpful for you.

To fix the 404 error when using AWS Global Accelerator with an ALB ingress controller, start by checking that the security group associated with your ALB allows inbound traffic from Global Accelerator's IP ranges on ports 80 and 443. Next, verify that Global Accelerator is correctly configured to point to your ALB and that its endpoints are healthy. Check that your ALB listeners are set up to properly route traffic based on the host (name) and path (/) specified in your Ingress rules. Finally, confirm that your ALB target groups have healthy targets and review your Kubernetes Ingress configuration to ensure it aligns with your routing and backend service requirements.

Are you creating a CNAME, or an alias if the domain is on Route 53? [https://docs.aws.amazon.com/global-accelerator/latest/dg/dns-addressing-custom-domains.mapping-your-custom-domain.html]

https://docs.aws.amazon.com/global-accelerator/latest/dg/about-accelerators.alb-accelerator.html

https://medium.com/ovice/manage-aws-global-accelerator-from-kubernetes-resources-55133253d0a2

https://medium.com/@ruchira.karunatissa/eks-deployment-with-alb-load-balancer-controller-and-ingress-with-correct-load-balancer-controller-f79a448b724c

EXPERT
answered 2 months ago
  • I wrote in the question that the endpoints are healthy. In the config you can see there are no security groups blocking the traffic, and if the listeners were not correctly configured, the site would not work without GA. This was also mentioned in the question.

0

In your AGA configuration you have port 443, but the curl you are doing is on port 80 (HTTP). Do you have the security group opened for port 80? Can you enable it and try again? Do you get issues if you try to connect via browser using the application URL over HTTPS? Secu

answered 2 months ago
