I have the following cluster running in AWS EKS:

Kubernetes Version: 1.22
AWS load balancer controller version: v2.4.1
Node type: Managed Node

I was reading an article where we can put an NLB on top of an Ingress Controller (internal) by using the NGINX Load Balancer Controller. Link

Public Facing Network Load balancer on top of internal ingress controller


I want to implement the same using the AWS Load Balancer Controller, as I have to integrate AWS WAF with the Application Load Balancer that comes with the Ingress controller. Right now, using only the Ingress controller alongside a NodePort Service is causing intermittent connection issues, and I can see it is a known one. Link

But I want to use the AWS Load Balancer Controller only.


I have implemented the Service, which deploys an internet-facing Network Load Balancer, and it seems to be working fine.

service.yaml (Network Load Balancer)

apiVersion: v1
kind: Service
metadata:
  name: my-app-svc
  namespace: test
  annotations:
    # Note that the backend talks over HTTP.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <Certificate ARN>
    # Only run SSL on the port named "https" below.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "300"
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
    # Network Load Balancer annotations
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
spec:
  selector:
    run: my-app-backend-deployment
  ports:
  - name: https
    protocol: TCP
    port: 443
    targetPort: 7000
  - name: http
    protocol: TCP
    port: 80
    targetPort: 7000
  type: LoadBalancer

Now, what would be the required configuration for an Ingress controller that works internally and does not cause me any intermittent connection issues?

Present configuration (using a NodePort as the backend Service and an Ingress for internet-facing traffic via an Application Load Balancer):

---
apiVersion: v1
kind: Service
metadata:
  namespace: dev
  name: my-backend-svc
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
  type: NodePort
  selector:
    run: my-app-backend-deployment
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: dev
  name: my-ingress
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/certificate-arn: <My Certificate IAM ARN>
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-Ext-2018-06
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/connection-idle-timeout: "300"
spec:
  ingressClassName: alb
  rules:
    - host: my.web.host.fqdn
      http:
        paths:
          - backend:
              service:
                name: ssl-redirect
                port:
                  name: use-annotation
            path: /*
            pathType: ImplementationSpecific
          - backend:
              service:
                name: my-backend-svc
                port:
                  number: 80
            path: /*
            pathType: ImplementationSpecific



There was a mistake on my side regarding the configuration of the Application Load Balancer: the tagging of the subnets was somewhat wrong. For my case I have used the annotation below.

alb.ingress.kubernetes.io/subnets: <Subnet ID(s)>

Link

Also, I have used "NodePort" as the Service type.

ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: my-namespace
  name: my-ingress
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: instance
    alb.ingress.kubernetes.io/subnets: <subnet1>,<subnet2>
    alb.ingress.kubernetes.io/certificate-arn: <Certificate-ARN>
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-Ext-2018-06
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/connection-idle-timeout: "7200"
    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=4000
    # Health Check Settings
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '300'
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '10'
    alb.ingress.kubernetes.io/success-codes: '200'
    alb.ingress.kubernetes.io/healthy-threshold-count: '5'
    alb.ingress.kubernetes.io/unhealthy-threshold-count: '5'
spec:
  ingressClassName: alb
  rules:
    - host: my.host.com
      http:
        paths:
          - backend:
              service:
                name: ssl-redirect
                port:
                  name: use-annotation
            path: /
            pathType: Prefix
          - backend:
              service:
                name: my-svc
                port:
                  number: 443
            path: /
            pathType: Prefix
          - backend:
              service:
                name: my-svc
                port:
                  number: 80
            path: /
            pathType: Prefix

I am requesting everyone to please mention any findings or opinions.
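Since the fix above came down to subnet tagging, here is an added example (not code from the question or the answer) that audits `aws ec2 describe-subnets` output against the subnet auto-discovery tags the AWS Load Balancer Controller documents: `kubernetes.io/role/elb` for an internet-facing scheme, `kubernetes.io/role/internal-elb` for an internal one, and the optional `kubernetes.io/cluster/<name>` tag. The subnet IDs, AZs and cluster name are constructed, and the lowest-subnet-ID tie-break is the script's own stand-in for the controller's choice; the point is to surface ambiguous or missing tags before a load balancer lands in an unintended subnet, which the explicit `alb.ingress.kubernetes.io/subnets` annotation then removes.

```python
# Constructed sample in the shape of `aws ec2 describe-subnets` output (fake IDs).
SAMPLE = {"Subnets": [
    {"SubnetId": "subnet-0aaa", "AvailabilityZone": "us-east-1a",
     "Tags": [{"Key": "kubernetes.io/role/elb", "Value": "1"},
              {"Key": "kubernetes.io/cluster/my-cluster", "Value": "owned"}]},
    {"SubnetId": "subnet-0bbb", "AvailabilityZone": "us-east-1b",
     "Tags": [{"Key": "kubernetes.io/role/elb", "Value": "1"}]},
    {"SubnetId": "subnet-0ddd", "AvailabilityZone": "us-east-1b",
     "Tags": [{"Key": "kubernetes.io/role/elb", "Value": ""}]},   # empty value also counts
    {"SubnetId": "subnet-0ccc", "AvailabilityZone": "us-east-1a",
     "Tags": [{"Key": "kubernetes.io/role/internal-elb", "Value": "1"}]},
    {"SubnetId": "subnet-0eee", "AvailabilityZone": "us-east-1b", "Tags": []},
]}

# Role tag the controller matches for each load balancer scheme.
ROLE_TAG = {"internet-facing": "kubernetes.io/role/elb",
            "internal": "kubernetes.io/role/internal-elb"}


def subnet_tags(subnet):
    return {t["Key"]: t["Value"] for t in subnet.get("Tags", [])}


def eligible_subnets(describe_output, scheme, cluster_name):
    """Return (chosen_subnet_ids, problems) for auto-discovery under `scheme`.

    Role tag must be present with value "1" or empty; the cluster tag is
    optional but, if present, must be owned/shared.  One subnet per AZ is
    kept (lowest ID, an assumption); an ALB needs at least two AZs.
    """
    by_az = {}
    for sn in describe_output["Subnets"]:
        tags = subnet_tags(sn)
        if tags.get(ROLE_TAG[scheme]) not in ("", "1"):
            continue
        owner = tags.get(f"kubernetes.io/cluster/{cluster_name}")
        if owner is not None and owner not in ("owned", "shared"):
            continue
        by_az.setdefault(sn["AvailabilityZone"], []).append(sn["SubnetId"])
    chosen, problems = [], []
    for az, ids in sorted(by_az.items()):
        if len(ids) > 1:  # ambiguous: pin alb.ingress.kubernetes.io/subnets explicitly
            problems.append(f"{az}: {sorted(ids)} all qualify; pin the subnets annotation")
        chosen.append(min(ids))
    if len(chosen) < 2:
        problems.append(f"{scheme}: only {len(chosen)} AZ(s) tagged, an ALB needs at least two")
    return chosen, problems


if __name__ == "__main__":
    for scheme in ROLE_TAG:
        print(scheme, eligible_subnets(SAMPLE, scheme, "my-cluster"))
```

Feed it the real JSON with `json.load` to check a cluster's subnets before choosing between tag-based discovery and the explicit annotation.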