How to Create an API Gateway using Ambassador on Kubernetes

Krishna Modi
Jan 17, 2019 · 7 min read

An API gateway is an important part of a Kubernetes deployment for your services. It acts as a single entry point and can help simplify tasks such as service discovery, distributed tracing, routing, and rate limiting. It can offer great flexibility and better configuration for your services.

Envoy is a very popular API gateway that can handle extensive loads. With Kubernetes, Ambassador is the most popular and efficient way to use Envoy.

Today, I’ll walk you through the detailed steps to deploy Ambassador on the Kubernetes cluster we deployed in my previous post, and configure it to use an AWS load balancer for incoming traffic and route it to various services based on rules.

This post was originally published on my blog


Before you begin this guide you’ll need the following:

  • Kubernetes cluster as per my previous post
  • SSL certificate using ACM for Domain
  • Linux machine as deployment server, preferably Ubuntu 16.04 or later

Step 1 — Deploy Ambassador on Kubernetes Cluster

Deploying Ambassador is easiest with Kubernetes as the YAML configuration is readily available on Ambassador’s site. If you have referred to my previous article about creating a Kubernetes cluster on AWS then you already have RBAC enabled.

Refer to Ambassador’s official documentation if you do not have RBAC enabled or run into any issues with the above command.

Log on to your deployment server and execute the following kubectl command,

You can also use Helm to deploy Ambassador.

First, add the Helm repo maintained by Datawire (the Ambassador team)

Now deploy Ambassador with Helm as,

This will take some time and create Ambassador deployment and pods in your default namespace. Verify if the pods were created using the following command,

Expect following output

If you can see 3 Ambassador pods running then you’ve successfully set up Ambassador. Let’s move to the next step, where we’ll create a load balancer endpoint to expose our API Gateway.

Step 2 — Create Ambassador Service and Loadbalancer

All the incoming traffic to our Kubernetes services needs to be routed through our API Gateway Ambassador.

Ambassador uses an AWS load balancer to receive all the traffic and route it to the Ambassador service, which applies rules and routes it on to the configured services.

Before creating our load balancer, let us have an HTTPS certificate ready using AWS ACM service for our domain and secondary domain . You may add up to 8 secondary domains as per your requirements.

Let us now create a service for Ambassador. Create a file as

Now using VIM or nano editor, open the file and insert the following yaml content,

In the above yaml, the annotations section specifies our load balancer details. As AWS ALB is not supported with Kubernetes currently, this will create a classic load balancer for Ambassador.

  • Value for field is the ARN of our certificate from AWS ACM
  • Value for states our HTTPS port for load balancer
  • The key is optional and allows us to add extra security group rules and attach them to our load balancer by specifying security group id as its value.

In the specs section, is again an optional key used to restrict access to the load balancer using its default security group. We have kept it open; this is just for demonstration purposes. You can remove this field or change the value as per your requirements.

Let us create the service now.

This should immediately create a service and initiate a load balancer creation in your AWS EC2 console.

To avoid specifying DNS mapping for each sub domain, point to this load balancer in AWS Route53 service.

Step 3 — Deploy Services and Route using Ambassador

To test our Ambassador setup and its features, we’ll deploy 2 services on Kubernetes and route traffic to them via Ambassador using annotations.

Let us first create a development namespace for our new services.

Save the above json as and execute the following kubectl command to create namespace

Now let us create httpd pod using a deployment and expose it to ambassador using a service.

Save the above yaml as .

In the above yaml, we have created an annotation which is used for ambassador configuration. These annotations can be configured in Ambassador service if you wish to manage them centrally.

In this annotation, we have mapped ambassador configuration to a service and specified the name as .

For routing purpose, we have asked Ambassador to route all requests coming for host with base route to service where is the service name, is namespace and is port exposed for the service.

Let us create this httpd service in Kubernetes by the following kubectl command,

This should take a minute to create the pod for our deployment and be available. Verify if the pod is available using the following,

Expect following output,

Now go to your browser, and enter the url , you should be able to see output as below

Httpd web server default page

Similarly, let us create Nginx pod using a deployment and expose it to ambassador using a service as,

Save the above yaml as and execute,

This should again take a minute to create the pod. Verify if the pod was created successfully using the following,

Expect following output,

In this yaml, we have pointed domain with route to Nginx service.

In your browser, try the url and expect the following screen,

Nginx web server default page

Try adding more pods and exposing them using a service with Ambassador annotations to be able to route and manage them. Refer to the Ambassador documentation for more configuration options.

Additional Steps

Ambassador has a diagnostic UI which can be used for debugging and diagnostic purposes. Every Ambassador pod exposes this UI at port 8877. We can create a service to expose this UI running at port 8877 of pods and can map it to a domain

Let’s create a service to expose diagnostic UI as following:

Now just visit and you should be able to see the diagnostic UI.
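The load balancer settings from Step 2 and the diagnostic UI service above can be checked after deployment. The following Python is an added example, not code from the original post or the Ambassador project: it audits `kubectl get svc --all-namespaces -o json` output for a LoadBalancer Service that is open to all source ranges or lacks the ACM certificate annotation, and for port 8877 reachable through a load balancer or an Ambassador Mapping annotation. The service names, the placeholder ARN and the sample data are constructed, and the 8877 check is a heuristic.

```python
import json

# Real annotation keys; every value in SAMPLE below is a constructed placeholder.
SSL_CERT = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
MAPPING = "getambassador.io/config"
DIAG_PORT = 8877  # diagnostic UI port named in the article
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def audit_service(svc):
    """Return sorted finding codes for one Service object (dict)."""
    ann = svc.get("metadata", {}).get("annotations") or {}
    spec = svc.get("spec", {})
    is_lb = spec.get("type") == "LoadBalancer"
    findings = set()
    if is_lb:
        ranges = set(spec.get("loadBalancerSourceRanges") or [])
        # Removing the field restricts nothing: absent means all sources.
        if not ranges or ranges & OPEN_CIDRS:
            findings.add("open-source-ranges")
        if SSL_CERT not in ann:
            findings.add("no-acm-cert")
    for port in spec.get("ports", []):
        target = port.get("targetPort", port.get("port"))
        # Heuristic: 8877 behind a load balancer or an Ambassador Mapping.
        if target == DIAG_PORT and (is_lb or MAPPING in ann):
            findings.add("diag-ui-exposed")
    return sorted(findings)

def audit(services_json):
    """Audit a Service list in JSON form; keep only services with findings."""
    items = json.loads(services_json).get("items", [])
    report = {s["metadata"]["namespace"] + "/" + s["metadata"]["name"]: audit_service(s) for s in items}
    return {name: found for name, found in report.items() if found}

def sample_service(ns, name, stype, ports, ann=None, ranges=None):
    """Build a constructed sample Service (hypothetical names)."""
    spec = {"type": stype, "ports": ports, "loadBalancerSourceRanges": ranges}
    return {"metadata": {"namespace": ns, "name": name, "annotations": ann or {}}, "spec": spec}

SAMPLE = json.dumps({"kind": "List", "items": [
    sample_service("default", "ambassador", "LoadBalancer", [{"port": 443, "targetPort": 80}],
                   {SSL_CERT: "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}, ["0.0.0.0/0"]),
    sample_service("default", "ambassador-diag", "ClusterIP", [{"port": 80, "targetPort": 8877}],
                   {MAPPING: "<Mapping for the diagnostic host>"}),
    sample_service("development", "httpd", "ClusterIP", [{"port": 80}], {MAPPING: "<Mapping for httpd>"}),
]})

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A finding of `diag-ui-exposed` means the diagnostic UI is reachable by anyone who can reach the gateway unless source ranges, security groups or authentication limit it.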


We created an API Gateway for our services hosted in Kubernetes. With this, we are able to route traffic to a specific service based on request headers like hostname, URI, etc. We will use this in future to expose more services via our Ambassador API Gateway.
