Networking & Content Delivery

Deploying AWS Load Balancer Controller on Amazon EKS

Customers use AWS Network Load Balancer (NLB), Classic Load Balancer (CLB), or Application Load Balancer (ALB) as load balancers or ingress for Amazon Elastic Kubernetes Service (Amazon EKS) clusters. The AWS Load Balancer Controller manages Elastic Load Balancers for a Kubernetes cluster: it satisfies Kubernetes Ingress resources by provisioning ALBs, and Kubernetes Services of type LoadBalancer by provisioning NLBs. Deploying the AWS Load Balancer Controller on existing EKS clusters requires multiple manual steps, which is hard to manage at scale. This post automates those manual deployment steps for existing EKS clusters.

The AWS Load Balancer Controller adds value by automating and streamlining the load balancer configuration process. Some of the key benefits of using the AWS Load Balancer Controller include:

  • Simplified Load Balancer Configuration: It simplifies the process of creating and configuring AWS load balancers within a Kubernetes cluster. This automation reduces the manual work required to set up and manage load balancers.
  • Integration with Kubernetes: It integrates seamlessly with Kubernetes, allowing you to define and manage load balancer resources using Kubernetes manifests and annotations.
  • Cost Optimization: less load balancer configuration to write and maintain, which lowers the operational cost of exposing services.
  • Automatic Target Group Registration: It can automatically register pods with the appropriate target groups based on the Kubernetes service definitions, which simplifies scaling and makes sure that traffic is directed to the correct pods.
  • Dynamic Updates: The AWS Load Balancer Controller can dynamically update load balancer configurations in response to changes in your Kubernetes services and pods. This helps make sure that your applications are highly available and can scale seamlessly.
  • Support for Advanced Features: It supports path-based routing, SSL/TLS termination at the load balancer, and integration with AWS WAF so that web ACLs can filter requests before they reach the cluster.

The following figures show the anatomy and possibilities for AWS Load Balancer Controller with Amazon EKS.

Figure 1: IP target mode with AWS Load Balancer Controller and Amazon EKS

Figure 2: Instance mode with AWS Load Balancer Controller and Amazon EKS

One-click install solution overview

This AWS CloudFormation solution automates the manual deployment of the AWS Load Balancer Controller on an existing EKS cluster. The manual steps are: creating an AWS Identity and Access Management (IAM) policy that allows the AWS Load Balancer Controller to make AWS API calls; creating a Kubernetes service account and associating the IAM policy and its IAM role with that service account; configuring the AWS Security Token Service (STS) endpoint type used by the service account; installing cert-manager and the AWS Load Balancer Controller by applying their Kubernetes manifests; and verifying the installation.

The solution automates all of the preceding manual steps. The following figure describes the solution. The CloudFormation template creates an IAM policy for the AWS Load Balancer Controller that allows it to call AWS APIs through an assumed role:

  • It creates an IAM role whose trust policy trusts the cluster's OpenID Connect (OIDC) provider, using the OIDC provider ID that you supply as a parameter. The trust policy should be scoped to the controller's service account (the sub claim system:serviceaccount:kube-system:aws-load-balancer-controller) so that no other pod in the cluster can assume the role.
  • It also creates an AWS Lambda function that creates a Kubernetes service account named aws-load-balancer-controller, annotated with the ARN of that IAM role.
  • The Lambda function deploys cert-manager and the AWS Load Balancer Controller by applying the default YAML manifests from the official documentation to the EKS cluster.

To grant the Lambda function access to the Amazon EKS API, follow this Amazon post to learn how to create a Lambda IAM role and authorize that role to administer the EKS cluster. Because that role can administer the cluster, limit who is allowed to invoke and modify the Lambda function.

Figure 3: Solution overview

Solution deployment

You can deploy this solution into your AWS account using a CloudFormation template.

Prerequisites

For this walkthrough, you should have the following prerequisites:

Deploying through CloudFormation template

In this section we deploy the following:

  • IAM policy and Role for the Kubernetes service account of AWS Load Balancer Controller
    • AmazonEKSLoadBalancerControllerRole
    • AWSLoadBalancerControllerIAMPolicy
  • Lambda function
    • Create Kubernetes Service Account for AWS Load Balancer and annotate with AmazonEKSLoadBalancerControllerRole
    • Install Cert-manager
    • Install AWS Load Balancer Controller
    • Deploy the IngressClass and IngressClassParams resources
  • Amazon CloudWatch logs
    • LambdaLogGroupForEKSALBInstaller, with seven days retention

Steps to deploy the CloudFormation template

  1. Download the yaml file.
  2. Navigate to the CloudFormation console in your AWS account.
  3. Choose Create stack.
  4. Choose Template is ready, upload a template file, and navigate to the yaml file that you just downloaded.
  5. Choose Next. Give the stack a name (max. length 30 characters), provide your EKS cluster name, OIDC provider ID, AWS account number, AWS Region, and the S3 bucket that holds the Lambda code, then select Next. Refer to the following figure for the input parameters expected by this CloudFormation stack.

Figure 4: Parameters for CloudFormation stack

  6. Add tags if desired, and select Next.
  7. Scroll to Capabilities at the bottom of the screen, check the box I acknowledge that AWS CloudFormation might create IAM resources with custom names, and then choose Create stack.
  8. Wait for the stack creation to complete.

Once the stack is deployed successfully, navigate to the Lambda console and run the Lambda function using the Test option with the default test event. This installs the AWS Load Balancer Controller in the cluster. To verify the installation, open your EKS cluster in the console and check IngressClasses under Resources. The following figure shows what a successful installation of the AWS Load Balancer Controller looks like in the Amazon EKS console.

Figure 5: Successful installation of AWS Load Balancer Controller

You can test the AWS Load Balancer Controller by deploying a sample application. This solution can be reused within the same account and AWS Region by changing the Cluster Name and OIDC Provider ID environment variables of the Lambda function. The trusted entities of the previously created IAM role must also be updated to include the OIDC provider of that cluster, and that cluster's OIDC provider must already be registered as an IAM identity provider before the role can trust it.
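The IAM role, its trust policy and the annotated service account described in the solution overview, together with the trust-policy update needed to reuse the role for a second cluster (previous paragraph), as an added offline example in Python. This is not the post's CloudFormation template or Lambda code: the account ID, Region and OIDC provider IDs are constructed, while the kube-system namespace, the service account name and the role name follow the post. The trust_policy_findings check is an addition of this example; it flags a trust policy whose sub condition is missing or wildcarded, which would let any pod in the cluster assume the controller's role.

```python
"""
IAM Roles for Service Accounts (IRSA) pieces for the AWS Load Balancer
Controller, as a constructed, offline example (not the post's template or
Lambda code). It builds the trust policy for the controller role, the
annotated aws-load-balancer-controller ServiceAccount, extends the trust
policy with a second cluster's OIDC provider, and lints a trust policy for
the mistake of trusting a whole cluster instead of one service account.
"""
import json

ACCOUNT_ID = "111122223333"                     # constructed example account
REGION = "us-west-2"                            # assumed Region
OIDC_ID = "EXAMPLED539D4633E53DE1B71EXAMPLE"    # constructed OIDC provider ID
NAMESPACE = "kube-system"                       # namespace the controller runs in
SERVICE_ACCOUNT = "aws-load-balancer-controller"
ROLE_NAME = "AmazonEKSLoadBalancerControllerRole"


def oidc_provider(region, oidc_id):
    """Issuer host of the cluster's OIDC provider, as used in IAM condition keys."""
    return f"oidc.eks.{region}.amazonaws.com/id/{oidc_id}"


def trust_statement(account_id, region, oidc_id, namespace, service_account):
    """One AssumeRoleWithWebIdentity statement that trusts a single cluster.
    The ':sub' condition binds the role to one service account; without it,
    any pod in the cluster holding a projected token could assume the role."""
    provider = oidc_provider(region, oidc_id)
    return {
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{provider}:aud": "sts.amazonaws.com",
            f"{provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
        }},
    }


def build_trust_policy(account_id, region, oidc_id,
                       namespace=NAMESPACE, service_account=SERVICE_ACCOUNT):
    """Trust policy for a role used by exactly one service account in one cluster."""
    return {"Version": "2012-10-17",
            "Statement": [trust_statement(account_id, region, oidc_id,
                                          namespace, service_account)]}


def add_cluster(policy, account_id, region, oidc_id,
                namespace=NAMESPACE, service_account=SERVICE_ACCOUNT):
    """Reuse the role for another cluster by adding that cluster's OIDC provider
    as a further trusted entity, rather than loosening the existing condition."""
    stmt = trust_statement(account_id, region, oidc_id, namespace, service_account)
    if stmt not in policy["Statement"]:          # idempotent on repeated runs
        policy["Statement"].append(stmt)
    return policy


def service_account_manifest(account_id, role_name,
                             namespace=NAMESPACE, name=SERVICE_ACCOUNT):
    """ServiceAccount the Lambda function applies; the role-arn annotation is
    what EKS uses to inject the web identity token and role into the pods."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "labels": {"app.kubernetes.io/component": "controller",
                       "app.kubernetes.io/name": name},
            "annotations": {"eks.amazonaws.com/role-arn":
                            f"arn:aws:iam::{account_id}:role/{role_name}"},
        },
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy):
    """Return problems that would let more than the intended service account
    assume the role. An empty list means every statement is scoped."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        action_ok = "sts:AssumeRoleWithWebIdentity" in _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not action_ok:
            continue
        cond = stmt.get("Condition", {})
        subs = [(op, k, v) for op, block in cond.items()
                for k, v in block.items() if k.endswith(":sub")]
        auds = [a for block in cond.values() for k, v in block.items()
                if k.endswith(":aud") for a in _as_list(v)]
        if not subs:
            findings.append(f"statement {i}: no ':sub' condition, any service "
                            "account in the cluster can assume the role")
        for op, key, value in subs:
            if op == "StringLike" and any("*" in v for v in _as_list(value)):
                findings.append(f"statement {i}: wildcard in {key} ({value})")
        if "sts.amazonaws.com" not in auds:
            findings.append(f"statement {i}: missing ':aud' = sts.amazonaws.com condition")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_ID, REGION, OIDC_ID)
    add_cluster(policy, ACCOUNT_ID, REGION, "EXAMPLE1234567890ABCDEF1234567890")
    print(json.dumps(policy, indent=2))
    print(json.dumps(service_account_manifest(ACCOUNT_ID, ROLE_NAME), indent=2))
    print("findings:", trust_policy_findings(policy))
```

The trust policy printed by the script is the document you would pass to aws iam update-assume-role-policy when adding a second cluster, and the ServiceAccount, being JSON, can be applied directly with kubectl apply -f. Run trust_policy_findings over the role's current trust policy after any edit; a clean result means each statement names one audience and one exact service account.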

Cost considerations

This solution uses a Lambda function that makes API calls. It also creates a CloudWatch Logs log group with a seven-day retention period. Pricing details are available on the CloudWatch and Lambda pricing pages.

Cleaning up

If you decide that you no longer want to keep the solution and its associated resources, navigate to CloudFormation in the AWS Management Console, choose the stack you deployed earlier, and choose Delete. Once that finishes, the resources the stack created (the IAM policy and role, the Lambda function, and the log group) are deleted. Because the Lambda function is invoked manually rather than as a CloudFormation custom resource, the objects it applied inside the cluster (the service account, cert-manager, and the AWS Load Balancer Controller) are not removed by the stack deletion and must be deleted with kubectl if you no longer need them.

Conclusion

This solution helps you quickly install the AWS Load Balancer Controller from a pre-built Lambda function that can be reused for all of your EKS clusters within your account and AWS Region.

About the authors

Karthik Chemudupati

Karthik Chemudupati is a Principal Technical Account Manager (TAM) with AWS, focused on helping customers achieve cost optimization and operational excellence. He has more than 18 years of IT experience in software engineering, cloud operations, and automation. Karthik joined AWS in 2016 as a TAM and has worked with more than a dozen Enterprise customers across US-West. Outside of work, he enjoys spending time with his family.

Jamie Wenzel

Jamie is a Principal SA networking specialist in EC2 Networking. Jamie is part of the application networking organization, contributing to the design of application networking products and services. He is an avid public speaker at re:Invent, re:Inforce, lofts, summits, and Twitch. He has been with Amazon for 6+ years and is passionate about helping people and organizations in their cloud journeys.

Scott Chang

Scott Chang is a Solutions Architect at AWS based in San Francisco. He has over 14 years of hands-on experience in networking and is also familiar with security and Site Reliability Engineering. He works with one of the major strategic customers in the West region to design highly scalable, innovative, and secure cloud solutions.