How to Secure High‑Availability Traffic with AHAS Ingress on Kubernetes
This guide explains the AHAS Application High Availability Service, its traffic‑funnel protection principles, and step‑by‑step configuration of Ingress/Nginx traffic control in an Alibaba Cloud ACK cluster, including request grouping, flow‑control rules, and performance testing.
1. Traffic Funnel Protection Principle
In distributed systems, each request passes through multiple layers such as the gateway, web server, service calls, and storage. AHAS applies the traffic‑funnel principle, adding targeted protection and fault‑tolerance at every layer and pushing control as far forward as possible, e.g., at the gateway, to prevent excess traffic from reaching backend services.
2. Ingress/Nginx Gateway Traffic Control
AHAS Sentinel provides native traffic‑control for Kubernetes Ingress and Nginx gateways. The latest AHAS Nginx plugin, built on Sentinel C++, delivers precise flow control at tens of thousands of QPS without degrading gateway performance.
Core Capabilities
Low entry cost: simple configuration to connect Nginx/Ingress to AHAS and visualize rules in the console.
Dynamic rule updates take effect instantly without reloading Nginx.
Accurate total‑traffic control: supports custom granularity (host, URL, parameters, IP) at >10k QPS.
Observability: real‑time monitoring of gateway traffic and rule effectiveness.
3. Quick Hands‑On AHAS Ingress Traffic Protection
Assume an existing Alibaba Cloud Container Service (ACK) cluster. Add the following fields to the nginx-configuration ConfigMap in the kube-system namespace:
use-sentinel: true
sentinel-params: --app=ahas-ingress-demo
After saving, the AHAS console will display an Ingress gateway named ahas-ingress-demo.
Create a request group called test1 with exact host 127.0.0.1 and prefix path /test/. All matching requests are routed to this group.
When accessing http://127.0.0.1/test/demo, the console’s interface‑detail page shows traffic statistics for test1.
Define a flow‑control rule for test1: limit it to 10 requests per second per instance. Requests over the limit receive HTTP 429 Too Many Requests (the response is configurable via ConfigMap or console).
Load‑testing with QPS >10 demonstrates the rule in action, as shown in the interface‑detail monitoring chart.
For cluster‑wide traffic limits, configure a cluster‑level rule with a total threshold, eliminating the need to consider the number of gateway instances.
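The difference between the per‑instance rule and the cluster‑level rule above, as an added example that is not part of the original article or of AHAS itself: a small Python model of the test1 group and its threshold of 10. It assumes round‑robin balancing across gateway instances, a fixed one‑second counting window, and plain string matching for the request group; the names in_group, WindowLimiter and simulate are hypothetical.

```python
from collections import defaultdict

def in_group(host, path, group_host="127.0.0.1", prefix="/test/"):
    """Request group test1 from the article: exact host, prefix path.
    Modelled as plain string comparison (assumption)."""
    return host == group_host and path.startswith(prefix)

class WindowLimiter:
    """Fixed one-second counting window (simplification, not Sentinel's algorithm)."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.counts = defaultdict(int)

    def allow(self, ts):
        sec = int(ts)
        if self.counts[sec] >= self.threshold:
            return False
        self.counts[sec] += 1
        return True

def simulate(requests, instances, threshold, cluster_wide):
    """requests: list of (timestamp, host, path), spread round-robin over
    `instances` gateways. Returns {status_code: count}."""
    shared = WindowLimiter(threshold)
    limiters = [shared if cluster_wide else WindowLimiter(threshold)
                for _ in range(instances)]
    statuses = defaultdict(int)
    for i, (ts, host, path) in enumerate(requests):
        if not in_group(host, path):
            statuses[200] += 1          # rule does not apply outside the group
        elif limiters[i % instances].allow(ts):
            statuses[200] += 1
        else:
            statuses[429] += 1          # Too Many Requests
    return dict(statuses)

# Constructed load: 60 requests to /test/demo inside one second, then 5 to /other.
SAMPLE = ([(i / 100, "127.0.0.1", "/test/demo") for i in range(60)]
          + [(0.7, "127.0.0.1", "/other")] * 5)

if __name__ == "__main__":
    for n, cluster in [(1, False), (3, False), (3, True)]:
        mode = "cluster total" if cluster else "per instance"
        print(n, "instance(s),", mode, "->", simulate(SAMPLE, n, 10, cluster))
```

With three instances the per‑instance rule admits 30 grouped requests per second in total, while the cluster‑level threshold holds the total at 10 however many gateways run. In this model a request to /test (no trailing slash) falls outside the /test/ prefix and is not counted against the rule.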
Overall Process
For self‑managed Ingress or Nginx, refer to the official Alibaba Cloud documentation:
https://help.aliyun.com/document_detail/178827.html
https://help.aliyun.com/document_detail/209640.html
Alibaba Cloud Native
