How to Setup Ingress Controller

In modern cloud-native environments, managing external access to services running inside a Kubernetes cluster is a critical task. This is where an Ingress Controller plays a pivotal role. An Ingress Controller acts as a reverse proxy and load balancer, routing incoming HTTP and HTTPS traffic to the appropriate services within your cluster based on defined rules. Unlike the basic Kubernetes Service types (ClusterIP, NodePort, LoadBalancer), Ingress provides advanced routing capabilities such as host-based routing, path-based routing, TLS termination, and integration with external authentication and caching systems.

Setting up an Ingress Controller correctly ensures that your applications are not only accessible from the internet but also secure, scalable, and performant. Whether youre deploying a web application, API gateway, or microservices architecture, mastering Ingress Controller configuration is essential for any DevOps engineer or Kubernetes administrator.

This comprehensive guide walks you through everything you need to know to successfully set up an Ingress Controllerfrom choosing the right controller for your use case to implementing best practices and troubleshooting common issues. By the end of this tutorial, youll have the knowledge and confidence to deploy, configure, and optimize an Ingress Controller in any production-ready Kubernetes environment.

Step-by-Step Guide

Understanding the Components

Before diving into setup, its crucial to understand the key components involved in an Ingress architecture:

• Ingress Resource: A Kubernetes object that defines routing rulessuch as hostnames and pathsto direct traffic to backend Services.
• Ingress Controller: A separate application (often deployed as a Pod) that watches for Ingress resources and configures a reverse proxy (like NGINX, Traefik, or HAProxy) to enforce those rules.
• Backend Service: A Kubernetes Service (ClusterIP or NodePort) that exposes one or more Pods running your application.
• Load Balancer (optional): In cloud environments, a cloud providers Load Balancer may sit in front of the Ingress Controller to distribute traffic across multiple replicas.

Think of it this way: The Ingress Resource is the rulebook, the Ingress Controller is the traffic officer enforcing those rules, and the backend Services are the destinations.

Prerequisites

Before proceeding, ensure you have the following:

• A running Kubernetes cluster (version 1.19 or later recommended).
• kubectl installed and configured to communicate with your cluster.
• Access to create and manage resources in the cluster (appropriate RBAC permissions).
• A domain name (optional but recommended for production use).
• SSL/TLS certificate (for HTTPS; can be generated via Lets Encrypt using cert-manager).

If youre using a managed Kubernetes service like Google Kubernetes Engine (GKE), Amazon EKS, or Azure Kubernetes Service (AKS), ensure you have the necessary cloud provider permissions to provision external load balancers.

Step 1: Choose an Ingress Controller

There are multiple Ingress Controller implementations, each with different features, performance characteristics, and ecosystem integrations. The most popular options include:

• NGINX Ingress Controller: The most widely used, based on the NGINX web server. Offers excellent performance, rich configuration options, and strong community support.
• Traefik: Modern, cloud-native controller with dynamic configuration, automatic service discovery, and built-in metrics and dashboard.
• HAProxy Ingress: High-performance, enterprise-grade option ideal for high-traffic applications.
• Envoy Ingress Controller: Built on the Envoy proxy, often used in service mesh architectures like Istio.
• Contour: Built on Envoy, designed for Kubernetes with strong CRD support and integration with cert-manager.

For this guide, well use the NGINX Ingress Controller due to its broad adoption, extensive documentation, and compatibility with most environments.

Step 2: Install the NGINX Ingress Controller

The NGINX Ingress Controller can be installed using Helm or direct YAML manifests. Well demonstrate both methods.

Method A: Install Using Helm (Recommended)

Helm is the package manager for Kubernetes and simplifies deployment with templating and versioning.

1. Add the NGINX Ingress Helm repository:

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

2. Install the controller in the ingress-nginx namespace (create it if it doesnt exist):

kubectl create namespace ingress-nginx
helm install ingress-nginx ingress-nginx/ingress-nginx \
--namespace ingress-nginx \
--set controller.service.type=LoadBalancer

The --set controller.service.type=LoadBalancer flag ensures that the controller is exposed via a cloud providers external load balancer (if available). In on-premises environments, you may use NodePort or HostNetwork instead.

Method B: Install Using YAML Manifests

If Helm is not available, deploy using the official manifests:

1. Download the latest release manifest:

curl -L https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.10.1/deploy/static/provider/cloud/deploy.yaml -o ingress-nginx.yaml

2. Apply the manifest:

kubectl apply -f ingress-nginx.yaml

3. Verify the deployment:

kubectl get pods -n ingress-nginx
kubectl get svc -n ingress-nginx

Wait until the external IP is assigned to the service. In cloud environments, this may take 15 minutes. For local clusters (like Minikube or Kind), use:

minikube service ingress-nginx-controller -n ingress-nginx

Step 3: Verify the Ingress Controller is Running

Once deployed, confirm the controller is operational:

kubectl get all -n ingress-nginx

You should see:

• One or more Pods running nginx-ingress-controller
• A Service of type LoadBalancer with an external IP
• A ConfigMap and Secret (if TLS is configured)

Check the logs for any startup errors:

kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx

If you see messages like Successfully updated configuration or Starting NGINX process, the controller is ready.

Step 4: Create a Sample Backend Service

To test the Ingress Controller, deploy a simple application. Well use a basic HTTP server.

1. Create a Deployment:

cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: sample-app
labels:
app: sample-app
spec:
replicas: 2
selector:
matchLabels:
app: sample-app
template:
metadata:
labels:
app: sample-app
spec:
containers:
- name: app
image: hashicorp/http-echo:latest
args:
- "-text=Hello from Sample App"
ports:
- containerPort: 5678
EOF

2. Create a Service to expose the Deployment:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
name: sample-app-service
spec:
selector:
app: sample-app
ports:
- protocol: TCP
port: 80
targetPort: 5678
type: ClusterIP
EOF

Step 5: Define an Ingress Resource

Now create an Ingress resource to route traffic to the service.

cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: sample-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: nginx
rules:
- host: example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: sample-app-service
port:
number: 80
EOF

Important notes:

• ingressClassName: nginx specifies which Ingress Controller should handle this resource (required in Kubernetes 1.19+).
• host: example.com defines the domain name that triggers this rule. In production, replace this with your actual domain.
• path: / with Prefix type matches any URL starting with /.
• The rewrite-target annotation ensures requests to / are forwarded correctly to the backend.

Step 6: Test the Ingress Setup

Once the Ingress resource is applied, wait for the controller to reload its configuration (usually under 10 seconds).

Get the external IP of the Ingress Controller:

kubectl get svc -n ingress-nginx

Output example:

NAME                       TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)                      AGE
ingress-nginx-controller   LoadBalancer   10.96.123.45    203.0.113.10    80:30080/TCP,443:30443/TCP   5m

Now test connectivity:

1. Use curl with the host header:

curl -H "Host: example.com" http://203.0.113.10

You should see:

Hello from Sample App

If youre using a real domain, update your DNS records to point example.com to the external IP. Wait for DNS propagation, then visit http://example.com in your browser.

Step 7: Enable HTTPS with TLS

For production, always use HTTPS. You can secure your Ingress with a TLS certificate.

1. Create a TLS secret using a certificate and private key:

kubectl create secret tls sample-tls-secret \
--cert=path/to/cert.pem \
--key=path/to/key.pem \
-n default

Alternatively, automate certificate issuance using cert-manager (see Tools and Resources section).

2. Update your Ingress resource to include TLS:

cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: sample-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: nginx
tls:
- hosts:
- example.com
secretName: sample-tls-secret
rules:
- host: example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: sample-app-service
port:
number: 80
EOF

Now access https://example.comyour browser should show a secure connection.

Step 8: Configure Advanced Routing

Ingress supports sophisticated routing patterns:

Path-Based Routing

Route different paths to different services:

rules:
- host: example.com
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: api-service
port:
number: 80
- path: /web
pathType: Prefix
backend:
service:
name: web-service
port:
number: 80

Host-Based Routing

Route different domains to different services:

rules:
- host: api.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: api-service
port:
number: 80
- host: www.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web-service
port:
number: 80

Multiple Ingress Resources

You can define multiple Ingress objects in the same namespace. The Ingress Controller merges them automatically, as long as they dont conflict.

Best Practices

Use IngressClass for Multi-Controller Environments

When multiple Ingress Controllers exist in a cluster (e.g., NGINX and Traefik), always specify ingressClassName in your Ingress resources. This prevents ambiguity and ensures predictable routing behavior.

Enable Health Checks and Readiness Probes

Ensure your backend services have proper readinessProbe and livenessProbe configurations. The Ingress Controller relies on these to determine which Pods are healthy and ready to receive traffic.

Implement Rate Limiting and Security

Use NGINX annotations to enforce rate limiting and security policies:

annotations:
nginx.ingress.kubernetes.io/limit-rps: "10"
nginx.ingress.kubernetes.io/limit-whitelist: "192.168.1.0/24"
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-origin: "*"

These prevent abuse, mitigate DDoS attacks, and ensure compliance with security standards.

Use Annotations Wisely

NGINX Ingress supports over 100 annotations for fine-tuning behavior. Common ones include:

• nginx.ingress.kubernetes.io/ssl-redirect: "true" Forces HTTPS.
• nginx.ingress.kubernetes.io/use-regex: "true" Enables regex matching in paths.
• nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" If backend services use HTTPS.
• nginx.ingress.kubernetes.io/affinity: "cookie" Enables session affinity.

Always refer to the official documentation for your chosen controller to understand annotation behavior.

Monitor and Log

Enable access logs and metrics for observability:

annotations:
nginx.ingress.kubernetes.io/access-log-path: /var/log/nginx/access.log
nginx.ingress.kubernetes.io/custom-http-errors: "404,502,503"

Integrate with Prometheus and Grafana to visualize request rates, latency, and error rates. Use Loki or Fluentd for centralized log aggregation.

Scale the Ingress Controller

Deploy multiple replicas of the Ingress Controller for high availability:

helm install ingress-nginx ingress-nginx/ingress-nginx \
--namespace ingress-nginx \
--set controller.replicaCount=3 \
--set controller.nodeSelector."node-role\.kubernetes\.io/ingress"="true"

Use node affinity to pin Ingress Controllers to dedicated nodes, separating control plane traffic from application traffic.

Regularly Update and Patch

Ingress Controllers, like any network-facing component, are potential attack surfaces. Subscribe to security advisories and update your controller regularly. Use tools like Trivy or Clair to scan container images for vulnerabilities.

Use Network Policies

Restrict traffic to the Ingress Controller Pods using Kubernetes Network Policies. Allow only traffic from trusted sources (e.g., cloud load balancers, internal services) and block direct access from the internet to Pods.

Tools and Resources

Core Tools

• Helm: Package manager for deploying Ingress Controllers and other Kubernetes applications. helm.sh
• cert-manager: Automates issuance and renewal of TLS certificates from Lets Encrypt and other CAs. Essential for secure Ingress setups. cert-manager.io
• kubectl: Command-line tool for interacting with Kubernetes clusters. kubernetes.io/docs/reference/kubectl/
• kubectx / kubens: Tools to switch between contexts and namespaces quickly. GitHub - ahmetb/kubectx

Monitoring and Observability

• Prometheus + Grafana: Collect metrics from Ingress Controller (e.g., request count, latency, HTTP status codes). Use the nginx-ingress exporter or built-in metrics endpoint.
• Jaeger / OpenTelemetry: Distributed tracing for end-to-end request flow across microservices.
• Loki + Grafana: Log aggregation for Ingress access logs and error messages.

Testing and Validation

• curl: Test HTTP headers, status codes, and responses.
• Postman / Insomnia: GUI tools for testing API endpoints behind Ingress.
• Kube-ops-view: Web UI to visualize cluster state, including Ingress resources.

Learning Resources

• Official NGINX Ingress Documentation: kubernetes.github.io/ingress-nginx
• NGINX Ingress Annotations Reference: Annotations Reference
• Learn Kubernetes Ingress with Hands-on Labs: Katacoda
• YouTube Playlist: Kubernetes Ingress Explained: Search for Kubernetes Ingress Deep Dive by TechWorld with Nana.

Cloud Provider Integrations

• AWS: Use AWS Load Balancer Controller with ALB/NLB for native integration.
• Google Cloud: GKE has built-in Ingress with Google Cloud Load Balancer.
• Azure: Use Azure Application Gateway Ingress Controller (AGIC).

When using cloud provider Ingress controllers, avoid deploying NGINX or Traefik unless you need advanced features not provided by the native solution.

Real Examples

Example 1: Multi-Tenant SaaS Application

A SaaS platform hosts multiple customers under subdomains: customer1.yourapp.com, customer2.yourapp.com, etc. Each customer has their own backend service.

Ingress configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: saas-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: nginx
tls:
- hosts:
- "*.yourapp.com"
secretName: wildcard-tls
rules:
- host: customer1.yourapp.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: customer1-service
port:
number: 80
- host: customer2.yourapp.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: customer2-service
port:
number: 80

This setup allows dynamic scaling of customer tenants without modifying the Ingress resource each timeintegration with cert-manager automatically provisions wildcard TLS certificates.

Example 2: API Gateway with Versioned Endpoints

An API exposes v1 and v2 endpoints:

• /api/v1/users ? v1 backend
• /api/v2/users ? v2 backend

Ingress configuration:

spec:
rules:
- host: api.example.com
http:
paths:
- path: /api/v1
pathType: Prefix
backend:
service:
name: api-v1-service
port:
number: 80
- path: /api/v2
pathType: Prefix
backend:
service:
name: api-v2-service
port:
number: 80

Combined with canary deployments and blue-green releases, this allows safe rollout of new API versions.

Example 3: Internal Services with Basic Auth

Some services (e.g., monitoring dashboards) should be accessible only to internal teams. Use basic authentication:

annotations:
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'

Generate the secret:

htpasswd -c basic-auth user1
kubectl create secret generic basic-auth --from-file=auth

This adds a login prompt before accessing the serviceideal for internal tools like Prometheus or Grafana.

FAQs

What is the difference between Ingress and a Service?

A Service exposes Pods within the cluster (ClusterIP, NodePort, LoadBalancer). Ingress is an API object that defines how external HTTP/HTTPS traffic is routed to Services based on hostnames and paths. Ingress provides Layer 7 (application layer) routing, while Services operate at Layer 4 (transport layer).

Can I use Ingress without a cloud provider?

Yes. In on-premises or bare-metal environments, you can use NodePort or HostNetwork for the Ingress Controller. Alternatively, use MetalLB to provide a load-balancer IP on bare metal.

Why is my Ingress not working even though the controller is running?

Common causes:

• Missing or incorrect ingressClassName.
• Backend Service not reachable (check endpoints: kubectl get endpoints <service-name>).
• Wrong host header in curl test.
• DNS not pointing to the external IP.
• Firewall or security group blocking port 80/443.

How do I update the Ingress Controller without downtime?

Use Helm to upgrade with helm upgrade. Ensure you have multiple replicas and use rolling updates. For major version upgrades, review the changelog and test in staging first.

Can I use multiple Ingress Controllers in the same cluster?

Yes. Assign each Ingress resource to a specific controller using ingressClassName. For example, one controller handles public traffic, another handles internal services.

Is Ingress only for HTTP/HTTPS traffic?

Yes. Ingress is designed for HTTP(S). For TCP/UDP traffic (e.g., databases, gRPC), use Ingress TCP/UDP configurations (supported in NGINX Ingress via ConfigMap) or a Service of type LoadBalancer.

How do I debug Ingress issues?

Check:

• Ingress status: kubectl describe ingress <name>
• Controller logs: kubectl logs -n ingress-nginx <pod-name>
• Events: kubectl get events --sort-by='.lastTimestamp'
• NGINX config: kubectl exec -n ingress-nginx <pod-name> -- cat /etc/nginx/nginx.conf

Do I need a separate Load Balancer in front of the Ingress Controller?

In cloud environments, the Ingress Controllers Service of type LoadBalancer creates one automatically. In on-prem, you may need an external LB (e.g., HAProxy or F5) to distribute traffic across multiple Ingress Controller replicas.

What happens if the Ingress Controller crashes?

If you have multiple replicas, traffic is automatically rerouted to healthy instances. Always configure liveness and readiness probes to ensure quick recovery. Use Pod Disruption Budgets (PDB) to prevent all replicas from being down during maintenance.

Conclusion

Setting up an Ingress Controller is a foundational skill for managing modern Kubernetes applications. From routing traffic based on hostnames and paths to securing communications with TLS and enforcing access policies, Ingress provides the flexibility and control needed for scalable, secure microservices architectures.

This guide has walked you through selecting the right controller, installing and configuring NGINX Ingress, securing traffic with TLS, implementing advanced routing, and following industry best practices. Youve also seen real-world examples that demonstrate how Ingress enables complex deployment patterns like multi-tenancy, API versioning, and internal service protection.

Remember: Ingress is not just about connectivityits about governance, security, and observability. As your applications grow, so should your Ingress strategy. Regularly audit your rules, monitor performance, and automate certificate management to keep your infrastructure resilient.

By mastering Ingress Controller setup, youre not just enabling access to your servicesyoure building the backbone of a modern, cloud-native application platform. Whether youre deploying a startup MVP or a global enterprise system, a well-configured Ingress Controller ensures your users get fast, reliable, and secure access to your applicationsevery time.