How can I troubleshoot issues when creating a load balancer using the AWS Load Balancer Controller?

Last updated: 2021-10-29

I can't create a Network Load Balancer (NLB) or an Application Load Balancer (ALB) using the AWS Load Balancer Controller (previously known as the ALB Ingress Controller). Or, the load balancer isn't created after I created the Service or Ingress objects. How can I troubleshoot this?

Short description

To troubleshoot load balancer creation issues, do the following:

  • Make sure that all prerequisites are met.
  • Check the annotations of the Ingress (ALB) or Service (NLB) object.
  • Review the AWS Load Balancer Controller pod's logs for additional information.
  • If the cluster runs on AWS Fargate, then verify that there is a Fargate profile created for the namespace where the Ingress or Service object resides.
  • Verify whether there are unaddressed dependencies.

Resolution

Make sure that all prerequisites are met

For a list of ALB prerequisites, see Application load balancing on Amazon Elastic Kubernetes Service (Amazon EKS). For a list of NLB prerequisites, see Network load balancing on Amazon EKS.

1.    Verify that the AWS Load Balancer Controller is successfully provisioned.

2.    Check the number of subnets. ALB needs at least two subnets and NLB needs at least one subnet. For more information, see View your subnet.

3.    You must use the following tag in certain scenarios:

  • Key: "kubernetes.io/cluster/cluster-name"
  • Value: "shared" or "owned"

If you're using an Application Load Balancer

You must tag exactly one security group in the following scenarios:

  • You're using multiple security groups attached to the worker node.
  • You're using the AWS Load Balancer Controller version v2.1.1 or earlier.

If you're using a Network Load Balancer

If you're using the AWS Load Balancer Controller version v2.1.1 or earlier, then subnets must be tagged.

For information on adding tags from the Amazon EC2 console, see Work with tags using the console. For information on adding tags using the AWS Command Line Interface, see Work with tags using the command line.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

4.    Unless subnet IDs are explicitly specified as annotations in the Service object or the Ingress object, make sure that the subnets have the following tags. Without these tags, Subnet Auto Discovery won't work.

Private subnets tag:

  • Key: "kubernetes.io/role/internal-elb"
  • Value: "1"

Public subnets tag:

  • Key: "kubernetes.io/role/elb"
  • Value: "1"
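
The subnet checks from steps 2 through 4, run as one offline audit over the JSON that aws ec2 describe-subnets returns. This is an added example, not AWS's or the controller's code; audit_subnets, the sample subnet IDs and the cluster name demo are made up, and the accepted tag values are the ones this article lists.

```python
import json

# Constructed sample shaped like `aws ec2 describe-subnets --output json`.
# Subnet IDs and the cluster name "demo" are made up for this example.
SAMPLE = json.loads("""{"Subnets": [
  {"SubnetId": "subnet-aaa", "Tags": [
    {"Key": "kubernetes.io/cluster/demo", "Value": "shared"},
    {"Key": "kubernetes.io/role/elb", "Value": "1"}]},
  {"SubnetId": "subnet-bbb", "Tags": [
    {"Key": "kubernetes.io/role/internal-elb", "Value": "1"}]},
  {"SubnetId": "subnet-ccc", "Tags": [
    {"Key": "kubernetes.io/role/elb", "Value": "true"}]},
  {"SubnetId": "subnet-ddd"}]}""")

ROLE_TAG = {"public": "kubernetes.io/role/elb",
            "private": "kubernetes.io/role/internal-elb"}
MIN_SUBNETS = {"alb": 2, "nlb": 1}  # step 2 of the prerequisites


def audit_subnets(described, scheme, lb_kind, cluster_name=None):
    """Return (usable_subnet_ids, problems) for Subnet Auto Discovery.

    Pass cluster_name only when the cluster tag from step 3 applies to
    subnets (controller v2.1.1 or earlier).
    """
    role_key = ROLE_TAG[scheme]
    usable, problems = [], []
    for subnet in described.get("Subnets", []):
        sid = subnet["SubnetId"]
        # "Tags" may be absent when a subnet carries no tags at all.
        tags = {t["Key"]: t["Value"] for t in subnet.get("Tags", [])}
        if role_key not in tags:
            continue  # auto discovery never considers this subnet
        if tags[role_key] != "1":
            problems.append(f"{sid}: {role_key} is {tags[role_key]!r}, not '1'")
            continue
        if cluster_name is not None:
            cluster_key = f"kubernetes.io/cluster/{cluster_name}"
            if tags.get(cluster_key) not in ("shared", "owned"):
                problems.append(f"{sid}: {cluster_key} must be shared or owned")
                continue
        usable.append(sid)
    if len(usable) < MIN_SUBNETS[lb_kind]:
        problems.append(f"{lb_kind} needs at least {MIN_SUBNETS[lb_kind]} "
                        f"{scheme} subnet(s), found {len(usable)}")
    return usable, problems
```

On the sample, audit_subnets(SAMPLE, "public", "alb") reports subnet-ccc for its role tag value and then the shortfall against the two-subnet minimum.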

Check the annotations of the Ingress (ALB) or Service (NLB) object

Verify annotations on the Service object or annotations on the Ingress object. The annotations needed to configure a load balancer are as follows:

Note: Other annotations use default values.

Application Load Balancer

  • kubernetes.io/ingress.class: alb (ensures that Ingress objects use the AWS Load Balancer Controller)

Network Load Balancer

  • With IP targets:
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
  • With instance targets:
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance"

Run one of the following commands to view the Service or the Ingress object. In the following example, replace SERVICE-NAME/INGRESS-NAME and NAMESPACE with the correct values for your use case.

kubectl describe service <SERVICE-NAME> -n <NAMESPACE>
kubectl describe ingress <INGRESS-NAME> -n <NAMESPACE>

Run one of the following commands to edit the Service or Ingress object. In the following examples, replace SERVICE-NAME/INGRESS-NAME and NAMESPACE with the correct values for your use case:

kubectl edit service <SERVICE-NAME> -n <NAMESPACE>
kubectl edit ingress <INGRESS-NAME> -n <NAMESPACE>

Review the AWS Load Balancer Controller pod's logs for additional information

Run the following command to review the AWS Load Balancer Controller logs:

kubectl logs -n kube-system deployment.apps/aws-load-balancer-controller

If none of the controller pods show logs, then make sure that the controller pods are running:

kubectl get deployment -n kube-system aws-load-balancer-controller

If the cluster runs on Fargate, then verify that there is a Fargate profile created for the namespace where the Ingress or Service object resides

Run the following command to verify that there is a Fargate profile created for the namespace where the Ingress or Service object resides. In the following example, replace CLUSTER-NAME with the name of your cluster.

eksctl get fargateprofile --cluster <CLUSTER-NAME> -o yaml

To create a Fargate profile, run the following command. In the following example, replace CLUSTER-NAME, REGION, FARGATE-PROFILE-NAME, and NAMESPACE with the correct values for your use case.

eksctl create fargateprofile --cluster <CLUSTER-NAME> --region <REGION> --name <FARGATE-PROFILE-NAME> --namespace <NAMESPACE>

Verify whether there are unaddressed dependencies

Review the documentation to make sure all dependencies are met. For ALB, see Application load balancing on EKS. For NLB, see Network load balancing on Amazon EKS.

For example, if you're using ALB, then the Service object must specify the NodePort or LoadBalancer type to use instance traffic mode.
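
A check for the annotations listed earlier and for the instance-mode dependency above, written as an added example (not AWS's or the controller's code). It assumes the objects come from one namespace as items of kubectl get ingress,service -o json, treats every LoadBalancer Service as meant for the controller, and uses the alb.ingress.kubernetes.io/target-type annotation, which this article does not name; make_obj, backends and check are hypothetical helper names.

```python
NLB_TYPE = "service.beta.kubernetes.io/aws-load-balancer-type"
NLB_TARGET = "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type"
ALB_CLASS = "kubernetes.io/ingress.class"
# Assumption: not named in this article; the controller's Ingress annotation.
ALB_TARGET = "alb.ingress.kubernetes.io/target-type"
NLB_ALLOWED = {NLB_TYPE: ("external",), NLB_TARGET: ("ip", "instance")}


# Helper and sample below are constructed; every object name is made up.
def make_obj(kind, name, ann=None, svc_type=None, routes=()):
    paths = [{"backend": {"service": {"name": r}}} for r in routes]
    spec = {"type": svc_type} if svc_type else {"rules": [{"http": {"paths": paths}}]}
    return {"kind": kind, "metadata": {"name": name, "annotations": ann or {}},
            "spec": spec}


# "tcp" carries typographic quotes pasted into the manifest as part of the value.
SAMPLE = [
    make_obj("Service", "web", svc_type="ClusterIP"),
    make_obj("Service", "api", svc_type="NodePort"),
    make_obj("Service", "tcp", {NLB_TYPE: "\u201cexternal\u201d", NLB_TARGET: "ip"},
             svc_type="LoadBalancer"),
    make_obj("Ingress", "site", {ALB_CLASS: "alb"}, routes=("web", "api")),
]


def backends(spec):
    """Service names an Ingress spec (networking.k8s.io/v1) routes to."""
    paths = [p for r in spec.get("rules", []) for p in r.get("http", {}).get("paths", [])]
    found = [spec.get("defaultBackend", {})] + [p.get("backend", {}) for p in paths]
    return [b["service"]["name"] for b in found if "service" in b]


def check(items):
    """Return one finding per setting that keeps a load balancer from being created."""
    out = []
    types = {i["metadata"]["name"]: i["spec"].get("type") for i in items
             if i["kind"] == "Service"}
    for i in items:
        name, ann = i["metadata"]["name"], i["metadata"].get("annotations") or {}
        if i["kind"] == "Service" and i["spec"].get("type") == "LoadBalancer":
            out += [f"service/{name}: {k}={ann.get(k)!r}"
                    for k, ok in NLB_ALLOWED.items() if ann.get(k) not in ok]
        elif i["kind"] == "Ingress" and ann.get(ALB_CLASS) != "alb":
            out.append(f"ingress/{name}: {ALB_CLASS}={ann.get(ALB_CLASS)!r}")
        elif i["kind"] == "Ingress" and ann.get(ALB_TARGET, "instance") == "instance":
            out += [f"ingress/{name}: instance mode but backend {b} is {types.get(b)}"
                    for b in backends(i["spec"])
                    if types.get(b) not in ("NodePort", "LoadBalancer")]
    return out
```

check(SAMPLE) returns two findings: the quoted annotation value on service/tcp, and the ClusterIP backend web behind ingress/site.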

