Kubernetes Services, LoadBalancing & Ingress: Full Summary
Vishnu MohanTable of contents
- 𧩠Core Types of Kubernetes Services
- π¦ Pod + Service Relationships
- π NodePort Limitations (and when to use)
- βοΈ LoadBalancer Services: Simpler External Exposure (Cloud-Only)
- π¦ Cloud Controller Manager (CCM) vs Ingress Controller
- π§ Ingress: Smart, Scalable HTTP Gateway
- π‘ Why Ingress > LoadBalancer at Scale
- π οΈ What About Self-Hosted Clusters (e.g., kubeadm)?
- π Flow Summary: How Traffic Reaches Pods
- π Final Takeaways β Your Breakthroughs
𧩠Core Types of Kubernetes Services
| Service Type | Purpose | Exposed To | Notes |
ClusterIP | Internal-only service (default) | Within the cluster | Most common; used for pod-to-pod or service-to-service comms |
NodePort | Exposes service on static port on each node | External (via <NodeIP>:<Port>) | Limited range (30000β32767), basic, not scalable |
LoadBalancer | Provisions external cloud LB automatically | External (cloud-managed) | Routes traffic via NodePorts under the hood |
ExternalName | Maps service to an external DNS name | Internal clients | Rarely used; DNS alias only; no IP or port involved |
π¦ Pod + Service Relationships
A Pod can be backed by multiple Services (e.g., one for internal access, another for external).
Services use label selectors to target Pods.
Pods are ephemeral β Services offer a stable IP (ClusterIP) + DNS to reliably route to them.
Even
NodePortandLoadBalancerservices have a ClusterIP internally β used within the cluster.
π NodePort Limitations (and when to use)
Each NodePort must be unique across the cluster.
You canβt expose two different services on the same NodePort (e.g., both on 30080).
You can have many apps listening on container port 80/443 β the problem is only at the NodePort level.
NodePort doesn't support:
TLS termination
Path/host-based routing
DNS (you manage that)
NodePort is manual, basic, and not suitable for scale.
βοΈ LoadBalancer Services: Simpler External Exposure (Cloud-Only)
type: LoadBalancercreates a real cloud load balancer (e.g., AWS ELB/NLB).Kubernetes leverages the Cloud Controller Manager (CCM) to:
Create the external LB
Assign it a public IP/DNS
Hook it into NodePorts
Uses NodePort under the hood β LoadBalancer routes traffic to all healthy nodes.
β¨ Your Breakthrough:
βEven though LoadBalancer is a K8s resource, it reaches outside and provisions real infra like AWS ELB β via the CCM!β
π¦ Cloud Controller Manager (CCM) vs Ingress Controller
| Feature | Cloud Controller Manager (CCM) | Ingress Controller (e.g., NGINX) |
| Lives | Control Plane | Runs inside the cluster |
| Purpose | Talks to Cloud APIs | Routes HTTP/S traffic to services |
| Handles LoadBalancers | β Yes | β No |
| Handles Ingress resources | β No | β Yes |
π§ Ingress: Smart, Scalable HTTP Gateway
π₯ Your Key Insight:
βSo LoadBalancer exposes a single service, but Ingress can expose many services behind a single LB using DNS/path rules β that's powerful!β
𧱠Components:
Ingress Resource: Defines rules (host/path) for routing traffic.
Ingress Controller: The actual software (e.g., NGINX, Traefik) that applies those rules.
Ingress exposes services via Layer 7 (HTTP/HTTPS) β with support for:
TLS termination
Custom domains (host-based routing)
Path-based routing
Middleware (rate limiting, auth, etc.)
π‘ Why Ingress > LoadBalancer at Scale
| Feature | Service: LoadBalancer | Ingress |
| Layer | 4 (TCP/UDP) | 7 (HTTP/S) |
| TLS Termination | β Manual | β Built-in with cert-manager |
| Host/Path Routing | β No | β Yes |
| Cost in Cloud | πΈ Per service | π° Single LB for all apps |
| Ease of DNS Management | β Manual | β Just one DNS + rules |
Real-World Analogy:
Using LoadBalancer for every app is like giving each microservice its own road to the city. Using Ingress is like building a highway with smart exits.
π οΈ What About Self-Hosted Clusters (e.g., kubeadm)?
β Breakthrough:
βSo
type: LoadBalancerdoes nothing useful unless you have a cloud provider? Got it.β
π‘ Your Options:
| Option | Description | Best For |
| NodePort + external NGINX | Run LB yourself, manually forward traffic | Total control, DIY setups |
| MetalLB | Bring LoadBalancer support to bare metal | Home labs, private DCs |
| Ingress + NodePort/MetalLB | Use smart HTTP proxy with internal services | Scalable, TLS-enabled |
π Flow Summary: How Traffic Reaches Pods
Using LoadBalancer:
plaintextCopyEditClient β Cloud LoadBalancer (AWS ELB) β NodePort on Nodes β ClusterIP β Pod
Using Ingress:
plaintextCopyEditClient β Cloud LoadBalancer β Ingress Controller (NGINX) β ClusterIP β Pod
Using NodePort (direct):
plaintextCopyEditClient β NodeIP:NodePort β ClusterIP β Pod
π Final Takeaways β Your Breakthroughs
Ingress β Ingress Controller β Ingress is just a config; the Controller does the real work.
LoadBalancer β Smart Router β Itβs a raw L4 passthrough. For TLS, DNS, routing, use Ingress.
Pods are ephemeral, Services are stable β Service discovery is all about ClusterIP and DNS stability.
NodePort is minimalistic, suitable for dev/test or when using external NGINX/HAProxy.
LoadBalancer is ideal in cloud, but Ingress is the smarter, scalable, multi-service entrypoint.
CCM provisions infra, while Ingress Controller routes app traffic.
Subscribe to my newsletter
Read articles from Vishnu Mohan directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Vishnu Mohan
Vishnu Mohan
Software Engineer | Cloud Security