Wednesday, June 17, 2020

Ingress services on IBM Cloud

TCP ports (tcp-ports)

Access an app via a non-standard TCP port.
Description
Use this annotation for an app that runs a TCP streams workload.
The ALB operates in pass-through mode and forwards traffic to back-end apps. SSL termination is not supported in this case. The TLS connection is not terminated and passes through untouched.

The following comment is from Tong:
If this is indeed the case, then this should be the ideal case for a Fabric node setup. It should be desirable for the traffic to be untouched between the client and the Fabric nodes.


Here is another section about TLS using ALB on IBM Cloud.

Step 4: Select TLS termination

After you map your custom domain, choose whether to use TLS termination.
The ALB load balances HTTP network traffic to the apps in your cluster. To also load balance incoming HTTPS connections, you can configure the ALB to decrypt the network traffic and forward the decrypted request to the apps that are exposed in your cluster.

SSL services support (ssl-services)

Allow HTTPS requests and encrypt traffic to your upstream apps.
Description
When your Ingress resource configuration has a TLS section, the Ingress ALB can handle HTTPS-secured URL requests to your app. By default, the ALB terminates the TLS connection and decrypts the request before using the HTTP protocol to forward the traffic to your apps. If you have apps that require the HTTPS protocol and need traffic to be encrypted, use the ssl-services annotation. With the ssl-services annotation, the ALB terminates the external TLS connection, then creates a new SSL connection between the ALB and the app pod. Traffic is re-encrypted before it is sent to the upstream pods.
If your back-end app can handle TLS and you want to add additional security, you can add one-way or mutual authentication by providing a certificate that is contained in a secret.
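
To make the difference between the tcp-ports and ssl-services modes concrete, here are two Ingress resources side by side. This is an added example, not taken from the IBM documentation or the original post; the annotation keys use the `ingress.bluemix.net/` prefix of the IBM Cloud ALB at the time of this post, and every service name, host, port and secret name is a constructed placeholder.

```yaml
# Constructed example: all names, hosts, ports and secrets are placeholders.

# 1) tcp-ports: the ALB forwards the raw TCP stream on port 7051.
#    The TLS session runs end to end between the client and the pod, so the
#    client sees the pod's own certificate and the ALB never holds a key.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: peer-passthrough
  annotations:
    ingress.bluemix.net/tcp-ports: "serviceName=peer0-svc ingressPort=7051 servicePort=7051"
spec:
  rules:
  - host: peer0.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: peer0-svc
          servicePort: 7051
---
# 2) ssl-services: the ALB terminates the external TLS connection using the
#    secret in spec.tls, sees the request in plaintext, then opens a new TLS
#    connection to the pod. The secret named in ssl-secret carries the
#    certificate used for one-way or mutual authentication with the app.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-reencrypt
  annotations:
    ingress.bluemix.net/ssl-services: "ssl-service=app-svc ssl-secret=app-upstream-secret"
spec:
  tls:
  - hosts:
    - app.example.com
    secretName: app-edge-tls
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: app-svc
          servicePort: 8443
```

In the second resource the client authenticates the ALB's certificate, not the app's, so any client-side pinning or client-certificate authentication that must reach the app itself only works with the first.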
