Configure external load balancers

External load balancers (ELB) expose services outside the organization from a pool's IP addresses assigned to the organization from the larger instance-external IP pool.

ELB Virtual IP (VIP) addresses don't conflict between organizations and are unique across all organizations. For this reason, you must use ELB services only for services that clients outside the organization necessarily have to access.

Workloads running inside the organization can access ELB services as long as you enable the workloads to exit the organization. This traffic pattern effectively requires outbound traffic from the organization before returning to the internal service.

Create external load balancers in GDCH by creating a Kubernetes Service of type LoadBalancer in a user cluster.

To create an ELB service, do the following:

  1. Create a YAML file for the Service definition of type LoadBalancer.

    The following Service object is an example of an ELB service:

    apiVersion: v1
    kind: Service
      name: ELB_SERVICE_NAME
      namespace: PROJECT
      - port: 1235
        protocol: TCP
        targetPort: 1235
        k8s-app: my-app
      type: LoadBalancer

    Replace the following:

    • ELB_SERVICE_NAME: the name of the ELB service.
    • PROJECT: the namespace of your project that contains the backend workloads.

    The port field configures the frontend port you expose on the VIP address. The targetPort field configures the backend port to which you want to forward the traffic on the backend workloads. The load balancer supports Network Address Translation (NAT). The frontend and backend ports can be different.

  2. On the selector field of the Service definition, specify pods or virtual machines as the backend workloads.

    The selector defines which workloads to take as backend workloads for this service, based on matching the labels you specify with labels on the workloads. The Service can only select backend workloads in the same project and same cluster where you define the Service.

    For more information about service selection, see

  3. Save the Service definition file in the same project as the backend workloads.

  4. Apply the Service definition file to the cluster:

    kubectl apply -f ELB_FILE

    Replace ELB_FILE with the name of the Service definition file for the ELB service.

When you create an ELB, the service gets two IP addresses. One is an internal IP address accessible only from within the same cluster. The other is the external IP address, accessible from inside and outside the organization. You can obtain the IP addresses of the ELB service by viewing the service status:

kubectl -n PROJECT get svc ELB_SERVICE_NAME

Replace the following:

  • PROJECT: the namespace of your project that contains the backend workloads.
  • ELB_SERVICE_NAME: the name of the ELB service.

You must obtain an output similar to the following example:

NAME                    TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)          AGE
elb-service             LoadBalancer      1235:31931/TCP   22h

The EXTERNAL-IP is the IP address of the service that is accessible from outside the organization.

If you don't obtain an output, ensure that you created the ELB service successfully.