Cloud-native apps commonly depend on services, such as external databases, that are deployed outside a Kubernetes cluster but must be reachable from services inside it. Kubernetes provides the ExternalName service type to access these resources. However, traffic to an ExternalName service can bypass the proxy, which means features like traffic management, policy enforcement, and fail-over management might not be available.

In this post, we take you through configuring Citrix ADC to resolve the domain names so you can leverage these features and get the most out of your ADC.

Using Citrix ADC to Reach External Services

The benefits of using Citrix ADC to reach external services include:

  • Advanced Traffic Management: With features such as auth, rewrite, responder, and WAF, you can achieve advanced traffic management and comprehensive security for your services.
  • Hybrid deployment: This enables hybrid deployment of your services. You can integrate non-Kubernetes-based services with Kubernetes-based services for apps in the early phase of migration to a Kubernetes environment.
  • Holistic Observability: This provides high visibility of external services on the Citrix Application Delivery Management (ADM) service graph to ensure faster troubleshooting.

Traffic Management of External Services with Citrix ADC CPX

The diagram below shows the access flow of a microservice to an external service with a Citrix ADC CPX acting as the proxy.

In this example, a microservice sends a DNS query for www.externalsvc.com, which would be resolved to the Citrix ADC CPX service.

Using the annotation ingress.citrix.com/external-service with Citrix Ingress Controller, we can configure a domain-based service group on Citrix ADC to resolve the domain www.externalsvc.com. The value for ingress.citrix.com/external-service is a list of external services with their corresponding domain names.

When the client connects to Citrix ADC CPX, it resolves the domain www.externalsvc.com and forwards the request to the external service.

Configuring Citrix ADC CPX to Load Balance External Services

First, define the CPX service to reach the Citrix ADC.

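# Service that exposes the Citrix ADC CPX pods inside the cluster
apiVersion: v1
kind: Service
metadata:
  name: cpx-svc
spec:
  selector:
    app: cpx        # must match the labels on the CPX pods
  ports:
    - protocol: TCP
      port: 80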

Then, define an ingress and specify the external-service annotation as shown in the dbs-ingress.yaml file. When you specify this annotation, the Citrix Ingress Controller creates DNS servers on the Citrix ADC and binds those servers to the corresponding service group.

annotations:
  ingress.citrix.com/external-service: '{"cpx-svc": {"domain": "www.externalsvc.com"}}'

Finally, add the IP address of the DNS server on Citrix ADC using a ConfigMap. Please note, this step is applicable only to Citrix ADC VPX.

apiVersion: v1
kind: ConfigMap
metadata:
  name: nameserver-cmap
  namespace: default
data:
  NS_DNS_NAMESERVER: '[]'
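
An added example, not from the original post or from Citrix: a Python audit that lists every ExternalName Service (the path the introduction says can bypass the proxy) and reports whether its target domain already appears in an ingress.citrix.com/external-service annotation. The manifests in SAMPLE, including the legacy-site and billing-db names, are constructed and shaped like the items array of `kubectl get svc,ingress -A -o json`.

```python
import json

ANNOTATION = "ingress.citrix.com/external-service"  # annotation named in the post

def _norm(domain):
    return (domain or "").lower().rstrip(".")

def annotated_domains(items):
    """Map each domain found in an external-service annotation to its service key."""
    found = {}
    for obj in items:
        if obj.get("kind") != "Ingress":
            continue
        raw = (obj.get("metadata", {}).get("annotations") or {}).get(ANNOTATION)
        try:
            mapping = json.loads(raw) if raw else {}
        except json.JSONDecodeError:
            continue  # a malformed annotation value configures nothing
        if not isinstance(mapping, dict):
            continue
        for svc, cfg in mapping.items():
            domain = cfg.get("domain") if isinstance(cfg, dict) else None
            if isinstance(domain, str) and domain:
                found[_norm(domain)] = svc
    return found

def audit_externalname(items):
    """List ExternalName Services as (namespace, name, domain, annotation key or None)."""
    covered = annotated_domains(items)
    report = []
    for obj in items:
        spec = obj.get("spec") or {}
        if obj.get("kind") == "Service" and spec.get("type") == "ExternalName":
            meta, domain = obj["metadata"], _norm(spec.get("externalName"))
            report.append((meta.get("namespace", "default"), meta["name"], domain, covered.get(domain)))
    return report

# Constructed sample, shaped like the "items" array of `kubectl get svc,ingress -A -o json`.
SAMPLE = [
    {"kind": "Service", "metadata": {"name": "cpx-svc", "namespace": "default"},
     "spec": {"type": "ClusterIP", "selector": {"app": "cpx"}}},
    {"kind": "Service", "metadata": {"name": "legacy-site", "namespace": "default"},
     "spec": {"type": "ExternalName", "externalName": "www.externalsvc.com"}},
    {"kind": "Service", "metadata": {"name": "billing-db", "namespace": "shop"},
     "spec": {"type": "ExternalName", "externalName": "db.example.internal"}},
    {"kind": "Ingress", "metadata": {"name": "dbs-ingress", "namespace": "default",
     "annotations": {ANNOTATION: '{"cpx-svc": {"domain": "www.externalsvc.com"}}'}}},
]

if __name__ == "__main__":
    print(audit_externalname(SAMPLE))
```

A row whose last field is None is an ExternalName Service with no matching annotation entry, so nothing in the manifests routes that domain through the ADC.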

In this blog post, we have explored how to use Citrix ADC to give Kubernetes services a way to access external services, so we can enforce advanced traffic management and security policies while communicating with those external services. For detailed information on this feature, check out our Traffic Management for External Services product documentation.