I recently tried to figure out how an Azure Loadbalancer in front of an Azure AKS cluster actually routes traffic to the cluster nodes.
Our (quite basic) setup:
- AKS cluster version 1.23.x with the default Azure Loadbalancer in front of it
- Traefik Ingress controller deployed with service type LoadBalancer
Maybe someone can answer the following questions for me:
The Ingress backend pool contains ALL cluster nodes, not just the ones where the ingress pods are running (also, they only show the pod's private IP). If I understand the docs (https://docs.microsoft.com/en-us/azure/aks/concepts-network#services) correctly, the loadbalancer distributes traffic between ALL cluster nodes, and from there it is forwarded to the nodes which actually run the Ingress controller pods. Potentially, this adds unnecessary hops and wastes bandwidth due to the forwarding. Is my understanding here correct?
I have trouble understanding how traffic is forwarded from the loadbalancer to the cluster nodes. The backend pool contains entries with the nodes' private IPs (no k8s service IPs or pod IPs), and the loadbalancing rule shows port 443 as source and destination port. However, there is no process listening on port 443 on any of the cluster nodes. Can someone explain to me (or point me to the docs I failed to find) how this works?
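The forwarding the question asks about is done by kube-proxy in the node's netfilter nat table, not by a userspace listener: on every node, kube-proxy installs rules that DNAT packets addressed to the Service's load-balancer IP (and to its NodePort on the node's own addresses) to one of the Traefik pod IPs, which is why nothing listens on 443 and why every node can be a backend. The script below is an added illustration, not part of the original post or of any AKS/kube-proxy code. It parses a constructed `iptables-save` snapshot whose layout follows kube-proxy's iptables mode on Kubernetes 1.23 (chain suffixes, IPs and ports are made up), then traces where a packet for a given destination IP and port ends up. It assumes the packet reaches the node with the load balancer's frontend IP still as its destination (Azure floating IP / DSR enabled on the rule), which is consistent with the 443-to-443 rule described above; on a real node you would feed it `iptables-save -t nat` instead of the sample.

```python
"""Trace kube-proxy (iptables mode) nat rules for a LoadBalancer Service."""
import shlex
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `iptables-save -t nat` on one AKS node. The chain
# names, pod IPs (10.244.x.y), node IP (10.240.0.4), cluster IP (10.0.120.5)
# and LB frontend IP (20.50.60.70) are invented for this example.
SAMPLE_NAT_TABLE = r'''
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -d 10.0.120.5/32 -p tcp -m comment --comment "kube-system/traefik:websecure cluster IP" -m tcp --dport 443 -j KUBE-SVC-TRAEFIK443
-A KUBE-SERVICES -d 20.50.60.70/32 -p tcp -m comment --comment "kube-system/traefik:websecure loadbalancer IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 20.50.60.70/32 -p tcp -m comment --comment "kube-system/traefik:websecure loadbalancer IP" -m tcp --dport 443 -j KUBE-SVC-TRAEFIK443
-A KUBE-SERVICES -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/traefik:websecure" -m tcp --dport 31443 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/traefik:websecure" -m tcp --dport 31443 -j KUBE-SVC-TRAEFIK443
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-SVC-TRAEFIK443 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-POD1
-A KUBE-SVC-TRAEFIK443 -j KUBE-SEP-POD2
-A KUBE-SEP-POD1 -p tcp -m tcp -j DNAT --to-destination 10.244.1.17:8443
-A KUBE-SEP-POD2 -p tcp -m tcp -j DNAT --to-destination 10.244.3.9:8443
COMMIT
'''
NODE_LOCAL_IPS = {"10.240.0.4", "127.0.0.1"}  # constructed node addresses


@dataclass
class Rule:
    chain: str
    dst: Optional[str] = None        # -d a.b.c.d/32 (prefix dropped)
    proto: Optional[str] = None      # -p tcp
    dport: Optional[int] = None      # --dport N
    dst_local: bool = False          # -m addrtype --dst-type LOCAL
    statistic: bool = False          # probabilistic jump: later rules still reachable
    target: Optional[str] = None     # -j TARGET
    to_dest: Optional[str] = None    # DNAT --to-destination ip:port


def parse_nat_table(text: str) -> Dict[str, List[Rule]]:
    """Keep only '-A' rule lines; ignore table/chain headers and COMMIT."""
    rules: Dict[str, List[Rule]] = defaultdict(list)
    for line in text.splitlines():
        toks = shlex.split(line.strip())
        if len(toks) < 2 or toks[0] != "-A":
            continue
        r, i = Rule(chain=toks[1]), 2
        while i < len(toks):
            t, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else ""
            if t == "-d":
                r.dst = nxt.split("/")[0]
            elif t == "-p":
                r.proto = nxt
            elif t == "--dport":
                r.dport = int(nxt)
            elif t == "--dst-type":
                r.dst_local = nxt == "LOCAL"
            elif t == "-m":
                r.statistic = r.statistic or nxt == "statistic"
            elif t == "-j":
                r.target = nxt
            elif t == "--to-destination":
                r.to_dest = nxt
            else:  # --comment text, --mode, --probability, --set-xmark: no match semantics here
                i += 1
                continue
            i += 2
        rules[r.chain].append(r)
    return rules


def matches(r: Rule, dst_ip: str, proto: str, dport: int, local_ips) -> bool:
    return ((r.dst is None or r.dst == dst_ip) and (r.proto is None or r.proto == proto)
            and (r.dport is None or r.dport == dport) and (not r.dst_local or dst_ip in local_ips))


def trace(rules, dst_ip: str, dport: int, local_ips, proto: str = "tcp") -> dict:
    """Walk PREROUTING for one packet. 'endpoints' lists every pod ip:port the
    packet can be DNATed to; 'masquerade' is True when KUBE-MARK-MASQ fired,
    i.e. the node will also SNAT the forwarded packet (client IP is lost)."""
    out = {"endpoints": [], "masquerade": False}

    def walk(chain: str) -> bool:  # True once a terminal DNAT was reached
        for r in rules.get(chain, []):
            if not matches(r, dst_ip, proto, dport, local_ips):
                continue
            if r.target == "MARK":
                out["masquerade"] = True
            elif r.target == "DNAT":
                out["endpoints"].append(r.to_dest)
                return True
            elif r.target in rules and walk(r.target) and not r.statistic:
                return True
        return False

    walk("PREROUTING")
    return out


if __name__ == "__main__":
    table = parse_nat_table(SAMPLE_NAT_TABLE)
    for label, ip, port in [("LB frontend IP :443", "20.50.60.70", 443),
                            ("node IP :31443 (NodePort)", "10.240.0.4", 31443),
                            ("node IP :443 (nothing listens)", "10.240.0.4", 443)]:
        print(f"{label:32} -> {trace(table, ip, port, NODE_LOCAL_IPS)}")
```

The third trace is the case from the question: a packet for the node's own IP on port 443 matches no kube-proxy rule, so it would be delivered locally and refused, while the same port on the LB frontend IP is rewritten to a Traefik pod on whichever node kube-proxy picks. The `masquerade` flag is the cost of that node-to-node hop with the default `externalTrafficPolicy: Cluster`: the forwarding node SNATs, so Traefik sees a node IP rather than the client. Setting `externalTrafficPolicy: Local` on the Traefik Service makes kube-proxy DNAT only to pods on the receiving node without masquerading, and the load balancer's health probe then fails nodes that run no Traefik pod.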