
Service Traffic Policies

Service traffic policies include external traffic policy and internal traffic policy, which control how traffic from external sources and internal sources is routed, respectively. You can configure the .spec.externalTrafficPolicy and .spec.internalTrafficPolicy fields to define how Kubernetes routes traffic to healthy (“ready”) backend pods.

Official documentation reference here.

externalTrafficPolicy

externalTrafficPolicy controls how traffic that enters from outside the cluster (through a NodePort or a load balancer) is routed. Valid values are Cluster and Local. In the default Cluster mode, externally originated traffic is SNATed (source network address translated) when it is forwarded to a pod, so the pod sees a node IP, not the real client IP, as the source address.

  • Cluster (default):

    • Traffic may be sent to any node in the cluster, whether or not that node runs a pod for the Service. If the receiving node has no ready pod, kube-proxy forwards the packet to a pod on another node (an extra network hop) and SNATs it to the node IP so that the reply returns through the same node.
    • Because of that SNAT, the pod sees a node IP rather than the client's IP. Use this mode when the source IP is not needed and you want the load balancer to spread traffic evenly across all nodes.
  • Local:

    • Traffic is delivered only to ready Service pods on the node that received it. A node with no ready pod drops the traffic instead of forwarding it; for a LoadBalancer Service, Kubernetes allocates spec.healthCheckNodePort so the load balancer can detect such nodes and stop sending them traffic.
    • No SNAT is applied, so the pod sees the real client IP. Use this when the source IP matters, for example for access logs, audit trails, rate limiting or source-IP allowlists. Note that the load balancer spreads traffic per node, so a node with fewer pods gives each of its pods a proportionally larger share.

internalTrafficPolicy

internalTrafficPolicy controls how internal traffic (from within the cluster) is routed. Valid values are Cluster and Local.

  • Cluster (default):

    • Traffic from a client pod is routed to any ready Service pod in the cluster, on the client's own node or on another node.
    • This setting does not change the source address. With kube-proxy in its default iptables or IPVS mode, traffic from a pod to a ClusterIP is not SNATed, so the backend pod sees the client pod's IP under either policy (hairpin traffic that returns to the sending pod is the usual exception). Use Cluster unless you specifically need node-local routing.
  • Local:

    • Traffic is routed only to ready Service pods on the same node as the client pod. If that node has no ready pod, the traffic is dropped.
    • There is no fallback: even if other nodes have ready Service pods, traffic will not be forwarded to them. Treat Local as a locality optimisation (for example, to keep traffic off the inter-node network) that must be paired with a ready pod on every node where clients run, not as a high-availability setting.
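Both fields as they appear in a Service manifest, as an added example that is not part of the original page or the ULB documentation. The name, namespace, labels, ports and the choice of Local for both policies are assumptions for illustration; the defaults are noted in the comments.

```yaml
# Added example, not from the original page. Names, namespace, labels and
# ports are assumptions; both policies are set to Local to show the syntax.
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: demo
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP
  # Default: Cluster. Any node accepts traffic and may forward it to a pod on
  # another node; the pod then sees a node IP as the client address.
  # Local: only nodes with a ready pod receive traffic; client IP is preserved
  # and Kubernetes allocates spec.healthCheckNodePort for the load balancer.
  externalTrafficPolicy: Local
  # Default: Cluster. In-cluster clients may be routed to a pod on any node.
  # Local: only a pod on the client's own node is eligible; there is no fallback.
  internalTrafficPolicy: Local
```

After applying it, `kubectl get svc web -n demo -o jsonpath='{.spec.healthCheckNodePort}'` shows the port the load balancer probes on each node; a node without a ready pod fails that probe and is taken out of rotation. Set externalTrafficPolicy back to Cluster (or omit it) if even distribution across nodes matters more than the client IP, and leave internalTrafficPolicy at its default unless a pod is guaranteed to run on every node that hosts clients.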

ULB Traffic Policies

externalTrafficPolicy: Cluster

When set to Cluster, the ULB's VServer backend includes every node in the cluster, whether or not the node hosts a pod for the Service, because any node can forward the traffic to a ready pod. In-cluster clients can reach the ULB IP normally in this mode.

Example:
A cluster has 2 nodes, and a service deploys 1 pod. The ULB VServer backend will show 2 nodes.


externalTrafficPolicy: Local

When set to Local, the ULB’s VServer backend nodes only include nodes hosting service pods.

Note that when a client inside the cluster connects to the ULB's IP, kube-proxy intercepts the request on the client's node and forwards it within the cluster; the packet never reaches the ULB itself. In Local mode this means the request only succeeds when the client Pod and a ready backend Pod are on the same node. Pods on other nodes cannot reach the Service through the ULB IP.

Example:
When externalTrafficPolicy: Local is configured, the ULB backend will show only 1 node (where the service pod runs).
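An added example (not from the original page or the ULB documentation) of the pod placement that avoids the Local-mode failure described above: a Deployment whose pods are forced onto different nodes, so that on the 2-node cluster from the example both nodes have a ready pod, both appear in the ULB backend, and in-cluster clients on either node can reach the ULB IP. The app name, namespace, image, port and readiness probe path are assumptions; replicas must be at least the number of nodes the Service should be reachable from.

```yaml
# Added example, not from the original page. Name, namespace, image, port and
# probe path are assumptions; the pattern is one ready pod on every node.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: demo
spec:
  replicas: 2                     # assumption: 2-node cluster, one pod per node
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web                  # must match the Service selector
    spec:
      affinity:
        podAntiAffinity:
          # Hard rule: never schedule two of these pods on the same node, so
          # each replica lands on a different node and that node becomes a
          # valid ULB backend under externalTrafficPolicy: Local.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: web
              topologyKey: kubernetes.io/hostname
      containers:
        - name: web
          image: example.com/web:1.0   # placeholder image (assumption)
          ports:
            - containerPort: 8080
          # Only Ready pods count as endpoints. A failing probe removes this
          # node from the ULB backend and makes the ULB IP unreachable for
          # client pods on this node while the policy is Local.
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8080
            periodSeconds: 5
```

With more nodes than replicas, some nodes will still have no pod and will be absent from the ULB backend; raise replicas accordingly or use a DaemonSet when the Service must be reachable from every node. Hard anti-affinity also means a pod stays Pending if a node is unavailable, which is usually the correct trade-off when Local was chosen to preserve the client IP rather than for throughput.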