Sitemap
Open in app

Sign in

Medium Logo
Write

Sign in

Inside the Cluster: Ingress in Focus — How External Traffic Reaches Your Services

KELVI MANAVADARIA
4 min readApr 23, 2025

In the dynamic landscape of Kubernetes, one of the most critical aspects is managing how external traffic enters your cluster and reaches the appropriate services. At the heart of this process is Kubernetes Ingress — an elegant solution that acts as the gateway between the outside world and your containerized applications. Let’s dive deep into how Ingress works, why it’s essential, and how traffic flows from a user’s browser all the way to your application pods.

The Challenge: Getting Traffic Into Your Cluster

Before we explore Ingress, let’s understand the fundamental challenge it solves. In a Kubernetes environment, pods are ephemeral — they come and go, change IP addresses, and scale up or down based on demand. This dynamic nature creates a significant challenge: how do you reliably route external traffic to these constantly changing pods?

The naive approach would be to use Kubernetes Service resources with type LoadBalancer for every application that needs external access. However, this introduces several problems:

  1. Cost inefficiency: Each LoadBalancer typically provisions an actual cloud load balancer, which adds to your cloud bill.
  2. Limited routing capabilities: Basic load balancers don’t support advanced HTTP routing based on paths or hostnames.
  3. Certificate management complexity: SSL/TLS certificates would need to be managed separately for each service.
  4. No unified control point: Security policies, rate limiting, and authentication would be scattered across different resources.

Enter Ingress — Kubernetes’ solution to these challenges.

Ingress: The Traffic Orchestrator

Kubernetes Ingress is not just another resource; it’s an architectural pattern that centralizes and standardizes how external HTTP/HTTPS traffic enters your cluster. It consists of two key components:

  1. Ingress Resources: Kubernetes API objects that define routing rules.
  2. Ingress Controllers: The actual implementation that fulfills these rules.

This separation of concerns is powerful — it allows you to define what you want (the rules) separately from how it’s implemented (the controller).

The Anatomy of an Ingress Resource

An Ingress resource is essentially a collection of rules that tell Kubernetes how to route external HTTP/HTTPS traffic to internal services. Here’s a simple example of nginx ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 80
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend-service
            port:
              number: 80
  tls:
  - hosts:
    - myapp.example.com
    secretName: myapp-tls-secret

This resource tells Kubernetes:

  • Route traffic for myapp.example.com/api/* to the api-service
  • Route all other traffic for myapp.example.com to the frontend-service
  • Use the TLS certificate stored in the myapp-tls-secret for HTTPS

The beauty of this approach is that all routing logic is centralized in one resource, making it easy to understand and manage.

Ingress Controllers: Where the Magic Happens

While the Ingress resource defines rules, it’s the Ingress Controller that actually implements them. An Ingress Controller is essentially a specialized application running inside your cluster that:

  1. Watches for Ingress resources
  2. Configures itself based on those resources
  3. Routes traffic accordingly

Popular Ingress Controllers include:

  • NGINX Ingress Controller: Based on the powerful NGINX web server
  • Traefik: A modern HTTP reverse proxy with automatic HTTPS
  • HAProxy Ingress: Leveraging the high-performance HAProxy load balancer
  • AWS ALB Ingress Controller: Specifically designed for AWS environments
  • Istio Ingress Gateway: Part of the Istio service mesh ecosystem

Each controller has its own strengths, ecosystem, and configuration options, but they all serve the same fundamental purpose: implementing your Ingress rules.

The Traffic Journey: From Browser to Pod

Now, let’s follow a request from a user’s browser all the way to your application pod:

  1. DNS Resolution: The user types myapp.example.com in their browser, which resolves to the IP address of your Ingress Controller's load balancer.
  2. Load Balancer: The cloud provider’s load balancer (created when you deployed the Ingress Controller) receives the request and forwards it to one of the Ingress Controller pods.
  3. Ingress Controller: The controller pod:
  • Terminates TLS (if configured)
  • Examines the HTTP request to determine the host and path
  • Matches the request against Ingress rules
  • Selects the appropriate backend service

4. Service: The Kubernetes Service acts as an internal load balancer, selecting one of the available pods based on its selection algorithm (typically round-robin).

5.Pod: Finally, the request reaches an application pod, which processes it and generates a response.

6. Return Journey: The response follows the same path in reverse: Pod → Service → Ingress Controller → Load Balancer → User’s Browser.

This entire journey happens in milliseconds, and the user experiences it as a seamless interaction with your application.

IngressClass: The Traffic Director

As Kubernetes clusters grow in complexity, organizations often need multiple Ingress Controllers for different purposes. This is where IngressClass comes into play.

IngressClass solves the “which controller should handle this Ingress?” problem by explicitly binding Ingress resources to specific controllers. Here’s how it works:

  1. Define IngressClass resources for each controller type:
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: external-lb
spec:
  controller: example.com/ingress-controller-external
  1. Reference the class in your Ingress resources:
spec:
  ingressClassName: external-lb
  # other specifications...

This explicit binding ensures that:

  • Each Ingress resource is handled by the appropriate controller
  • Multiple teams can use different controllers without conflicts
  • Specialized controllers can be used for specific purposes (e.g., external vs. internal traffic)

Conclusion

Kubernetes Ingress transforms how we manage external access to services in a cluster. By centralizing routing logic, simplifying certificate management, and enabling advanced traffic patterns, Ingress has become an indispensable part of Kubernetes architecture.

Note: Refer to my another blog if you want to implement AWS ALB Ingress Controller and Resource — Kubernetes Ingress with AWS ALB Ingress Controller: A Complete Setup Guide

Kuberenetes
DevOps
AWS
Cloud Computing
Ingresscontroller

--

--

KELVI MANAVADARIA
KELVI MANAVADARIA

Written by KELVI MANAVADARIA

53 followers
12 following

Responses (1)

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech