In the example below, you can find how to use an AWS Network Load Balancer to connect externally to a cluster that has TLS setup.
# One-line installer creates a secure cluster named 'nats'$ curl -sSL https://nats-io.github.io/k8s/setup.sh | sh​# Create AWS Network Load Balancer service$ echo 'apiVersion: v1kind: Servicemetadata:name: nats-nlbnamespace: defaultlabels:app: natsannotations:service.beta.kubernetes.io/aws-load-balancer-type: "nlb"spec:type: LoadBalancerexternalTrafficPolicy: Localports:- name: natsport: 4222protocol: TCPtargetPort: 4222selector:app: nats' | kubectl apply -f -​$ kubectl get svc nats-nlb -o wideNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTORnats-nlb LoadBalancer 10.100.67.123 a18b60a948fc611eaa7840286c60df32-9e96a2af4b5675ec.elb.us-east-2.amazonaws.com 4222:30297/TCP 151m app=nats​$ nats-pub -s nats://a18b60a948fc611eaa7840286c60df32-9e96a2af4b5675ec.elb.us-east-2.amazonaws.com:4222 -creds nsc/nkeys/creds/KO/A/test.creds test.foo bar
Also, it would be recommended to set no_advertise to true
in order to avoid gossiping internal addresses from pods in Kubernetes to NATS clients.
With the following, you can create a 3-node NATS Server cluster:
kubectl apply -f https://raw.githubusercontent.com/nats-io/k8s/b55687a97a5fd55485e1af302fbdbe43d2d3b968/nats-server/leafnodes/nats-cluster.yaml
The configuration map from the NATS cluster that was created can be found below.
---apiVersion: v1kind: ConfigMapmetadata:name: nats-configdata:nats.conf: |pid_file: "/var/run/nats/nats.pid"http: 8222# debug: trueping_interval: 30s​cluster {port: 6222no_advertise: true​routes: [nats://nats-0.nats.default.svc:6222nats://nats-1.nats.default.svc:6222nats://nats-2.nats.default.svc:6222]}​leaf {port: 7422authorization {timeout: 3susers = [{ user: "foo", pass: "bar" }]}}
Now let's expose the NATS Server by creating an L4 load balancer on Azure:
kubectl apply -f https://raw.githubusercontent.com/nats-io/k8s/b55687a97a5fd55485e1af302fbdbe43d2d3b968/nats-server/leafnodes/lb.yaml
Confirm the public IP that was allocated to the nats-lb
service that was created, in this case it is 52.155.49.45
:
$ kubectl get svc -o wideNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTORkubernetes ClusterIP 10.0.0.1 <none> 443/TCP 81d <none>nats ClusterIP None <none> 4222/TCP,6222/TCP,8222/TCP,7777/TCP,7422/TCP,7522/TCP 7h46m app=natsnats-lb LoadBalancer 10.0.107.18 52.155.49.45 4222:31161/TCP,7422:30960/TCP 7h40m app=nats
Notice that the leafnode configuration requires authorization, so in order to connect to it we will need to configuration as follows:
leaf {remotes = [{url: "nats://foo:[email protected]:7422"}]}
You can also add a NATS Streaming cluster into the cluster connecting to the port 4222:
kubectl apply -f https://raw.githubusercontent.com/nats-io/k8s/b55687a97a5fd55485e1af302fbdbe43d2d3b968/nats-server/leafnodes/stan-server.yaml
Now if you create two NATS Servers that connect to the same leafnode port, they will be able to receive messages to each other:
nats-server -c leafnodes/leaf.conf -p 4222 &nats-server -c leafnodes/leaf.conf -p 4223 &​$ nats-sub -s localhost:4222 foo &$ nats-pub -s localhost:4223 foo hello​Listening on [foo][#1] Received on [foo] : 'hello'