How to expose an application to the internet
Once you have an application with a Service, you can make it available from the internet using an Ingress. Creating an Ingress object will automatically configure our load-balancer to send requests to your application.
For non-HTTP use cases, use a NodePort
Use this method to expose web applications to the internet via a domain name.
If you want direct access to a container from inside the NYU network, use a NodePort instead.
Load balancer information
Our load balancer uses the IP 216.165.12.42. The subdomains *.hsrn.nyu.edu will resolve to that IP. We also have a certificate which covers all those subdomains, so your application can benefit from HTTPS without further configuration.
Using our load balancer with our domain
For example, to expose a Service called my-application with port 8000 at my-application.hsrn.nyu.edu, use the following Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-application-at-hsrn
  annotations:
    kubernetes.io/ingress.class: haproxy
    # The following 2 lines redirect HTTP traffic to HTTPS for you
    haproxy.org/ssl-redirect: "true"
    haproxy.org/ssl-redirect-code: "301"
    # The following line records the user's IP address in the 'X-Forwarded-For' header
    haproxy.org/forwarded-for: "true"
    # Soon only NYU networks will be allowed by default, uncomment this to allow the whole internet
    #hpc.nyu.edu/access: "public"
spec:
  rules:
    - host: my-application.hsrn.nyu.edu
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                # This is the name and port of your Service
                name: my-application
                port:
                  number: 8000
Using our load balancer with your own domain
If you want to use another domain name, rather than hsrn.nyu.edu, you will have to point it at our IP address: 216.165.12.42. This is done using an A record. Depending on the registrar from whom you bought your domain, the procedure will be different, but they should all support this operation.
For example, to expose a Service called my-application with port 8000 at my-application.example.org, use the following Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-application-own-domain
  annotations:
    kubernetes.io/ingress.class: haproxy
    # Soon only NYU networks will be allowed by default, uncomment this to allow the whole internet
    #hpc.nyu.edu/access: "public"
spec:
  rules:
    - host: my-application.example.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                # This is the name and port of your Service
                name: my-application
                port:
                  number: 8000
If you have a TLS certificate for your domain, you can upload it to the cluster as a Secret:
You can then use it in your Ingress to enable HTTPS:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-application-own-domain
  annotations:
    kubernetes.io/ingress.class: haproxy
    # The following 2 lines redirect HTTP traffic to HTTPS for you
    haproxy.org/ssl-redirect: "true"
    haproxy.org/ssl-redirect-code: "301"
    # The following line records the user's IP address in the 'X-Forwarded-For' header
    haproxy.org/forwarded-for: "true"
spec:
  rules:
    - host: my-application.example.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                # This is the name and port of your Service
                name: my-application
                port:
                  number: 8000
  tls:
    - hosts:
        - my-application.example.org
      secretName: my-application.example.org
Access control
By default, ingresses allow access from the internet. We will soon make a change to only allow access from NYU networks.
You can keep allowing access from the whole internet using the following annotation. Make sure you have appropriate controls in place to avoid leaking data or letting unauthorized users onto our systems:
You can restrict an ingress to NYU networks using the following annotation. It will soon become unnecessary as we will change the default:
You can also allow specific IP addresses and prefixes using this annotation:
Please use public internet access responsibly. In the future, we may need to control who can make ingresses open to the public internet.
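To review what a namespace exposes, the following added example (not part of this documentation or the cluster's own tooling) audits Ingress objects in the JSON shape that kubectl get ingress -o json emits. It flags public access, a missing HTTPS redirect, and own-domain hosts without a tls entry. The function names, the sample objects and the "placeholder" access value are assumptions made for illustration.

```python
import json

ACCESS = "hpc.nyu.edu/access"          # annotation shown on this page
REDIRECT = "haproxy.org/ssl-redirect"  # annotation shown on this page
WILDCARD = ".hsrn.nyu.edu"             # domain covered by the shared certificate

def covered_by_wildcard(host):
    return host.endswith(WILDCARD) and "." not in host[:-len(WILDCARD)]  # one label only

def audit_ingress(item):
    """Return findings for one Ingress object (a dict from kubectl's JSON)."""
    ann = item.get("metadata", {}).get("annotations") or {}
    spec = item.get("spec", {})
    findings = []
    if ann.get(ACCESS) == "public":
        findings.append("explicitly open to the whole internet")
    elif ACCESS not in ann:
        findings.append("no access annotation, exposure follows the cluster default")
    if ann.get(REDIRECT) != "true":
        findings.append("HTTP is not redirected to HTTPS")
    tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    for rule in spec.get("rules") or []:
        host = rule.get("host", "")
        if host and not covered_by_wildcard(host) and host not in tls_hosts:
            findings.append(f"{host} has no tls entry and no wildcard coverage")
    return findings

def audit(doc):
    """Map 'namespace/name' to findings, skipping Ingresses with none."""
    report = {}
    for item in doc.get("items", []):
        meta, found = item["metadata"], audit_ingress(item)
        if found:
            report[f"{meta.get('namespace', 'default')}/{meta['name']}"] = found
    return report

def _ingress(name, annotations, host, tls=False):
    # Constructed object in the shape `kubectl get ingress -o json` emits.
    spec = {"rules": [{"host": host}], "tls": [{"hosts": [host]}] if tls else []}
    return {"metadata": {"name": name, "namespace": "demo", "annotations": annotations}, "spec": spec}

SAMPLE = {"items": [  # constructed sample data, not real cluster output
    _ingress("open", {ACCESS: "public", REDIRECT: "true"}, "my-application.hsrn.nyu.edu"),
    _ingress("plain", {}, "my-application.example.org"),
    # "placeholder" stands in for the restricting value, which this page does not show
    _ingress("tight", {ACCESS: "placeholder", REDIRECT: "true"}, "my-application.example.org", tls=True),
]}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

For a live review, pass audit() the result of json.load() on saved kubectl get ingress -A -o json output instead of SAMPLE.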