Kubernetes Configuration Patterns 101

Vino Alex
2 min read · Jan 25, 2023

Topic 10: External Traffic Policy

External Traffic Policy — Local

By default, ingress traffic to a Service is SNATed to the Node IP before it is routed to the Pods of the Service.

To reflect the source IP of the ingress traffic at the Pods, change the `.spec.externalTrafficPolicy` value of the `Service` to `Local`.

If you specify `externalTrafficPolicy: Local`, kube-proxy will create a NodePort (`NodeIP:<portNumber>`) specific to the Service Pods deployed on the same (local) Node. This ensures that Service traffic reaching a Node is load balanced only to the Pods running on that same Node.

Pros:

  • Preserve SourceIP.
  • Less Inter Node Network Traffic.
  • Recommended for Latency Sensitive Workloads.

Cons:

  • Potentially imbalanced traffic distribution across the Nodes. The issue can be mitigated via `AntiAffinity` rules.
  • Works only for Services of type LoadBalancer and NodePort.
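
A Service using the `Local` policy, paired with the anti-affinity mitigation mentioned in the cons above. This is an added example, not part of the original post; the name `web`, the labels, ports, replica count and image are assumptions.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: web                       # hypothetical name
spec:
  type: LoadBalancer              # Local only takes effect for LoadBalancer and NodePort
  externalTrafficPolicy: Local    # value is case-sensitive; omit the field to get Cluster
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      affinity:
        podAntiAffinity:
          # Prefer one replica per Node, so Nodes that receive traffic
          # each hold a similar number of local Pods.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                topologyKey: kubernetes.io/hostname
                labelSelector:
                  matchLabels:
                    app: web
      containers:
        - name: web
          image: registry.example.com/web:1.0   # placeholder image
          ports:
            - containerPort: 8080
```

With this in place, the client address seen by the Pods is the original source IP, which is what access logs, rate limits and IP allowlists inside the application need.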

External Traffic Policy — Cluster [Default Policy]

If you leave the external traffic policy at its default value of `Cluster`, kube-proxy programs the Service configuration to route traffic randomly to all of its Pods, irrespective of their host Node. To enable the distribution of the traffic across the Nodes, the source IP will be SNATed to the proxy Node’s IP address.

Pros:

  • Better Load Balancing Across the Service Pods.
  • Works for all Types of Services.
  • Default Configuration. No Need to add the parameter in the Service Spec.

Cons:

  • Since traffic will be SNATed to its proxy Node IP address, the destination Pod cannot see the source IP address.
  • Distribution of Traffic Across the Pods of the Service Deployed into Multiple Pods may add to the Latency.