Back to Blog
DevOpsKubernetes NetworkingNetworkingTutorial

Understanding Kubernetes Networking: Services vs Ingress

Complete DevOps tutorial on Kubernetes Networking. Learn ClusterIP, NodePort, LoadBalancer, Ingress controllers (Nginx), CNI.

Daniel Urbano
October 27, 2025
10 min read
Understanding Kubernetes Networking: Services vs Ingress

Understanding Kubernetes Networking: Services vs Ingress

Kubernetes is a powerful orchestration platform that facilitates the management of containerized applications. One of the foundational aspects of Kubernetes is its networking model, which encompasses several crucial components, including Services and Ingress. Understanding the differences and appropriate use cases for these networking elements is essential for effective cluster management and application deployment.

When deploying applications in Kubernetes, the communication between microservices and external traffic management becomes paramount. Kubernetes Services provide stable endpoints for accessing pods, while Ingress manages external access to services, often providing additional features like SSL termination and load balancing. This tutorial will explore the key scenarios where these networking components come into play, helping DevOps/SRE professionals optimize their Kubernetes networking strategy.

Prerequisites

Before diving into Kubernetes networking, ensure you have the following:

  • Kubernetes cluster: A running cluster in a cloud provider (like GKE, AKS, or EKS) or locally (with Minikube or kind).
  • kubectl: The Kubernetes command-line tool installed and configured to communicate with your cluster.
  • Ingress Controller: For this tutorial, we will use the Nginx Ingress Controller, which should be installed on your cluster.
  • Container Network Interface (CNI): Familiarity with CNI plugins (like Calico or Flannel) for advanced networking scenarios.
  • Optional: helm for package management (if deploying applications with Helm).

Core Concepts

Kubernetes Services

Kubernetes Services are abstractions that define a logical set of pods and a policy for accessing them. There are four primary types of Services:

  • ClusterIP: The default service type, which exposes the service on a cluster-internal IP. It is only accessible within the cluster.
  • NodePort: Exposes the service on each node's IP at a static port. This allows external traffic to access the service through any node's IP.
  • LoadBalancer: Integrates with cloud provider load balancers to expose the service externally by creating a load balancer that routes traffic to the service.
  • Headless Service: A service without a ClusterIP, allowing direct access to the pods for more complex use cases.

Ingress

Ingress is an API object that manages external access to services, typically HTTP. Ingress allows you to define rules for routing external traffic to your services based on hostnames and paths. An Ingress Controller (like Nginx) is required to implement the Ingress rules.

Container Network Interface (CNI)

The CNI is a specification and set of libraries for configuring network interfaces in Linux containers. Kubernetes relies on CNI plugins to manage pod-to-pod and pod-to-external networking.

Limitations and Pricing

  • ClusterIP: Limited to internal traffic only.
  • NodePort: Not suitable for production due to potential port conflicts and lack of load balancing.
  • LoadBalancer: May incur additional costs from cloud providers.
  • Ingress: Requires an Ingress controller; complexity increases with advanced routing rules.

Syntax/Configuration

Service Definitions

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  type: ClusterIP  # Change to NodePort or LoadBalancer as needed
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: my-app  # Pods with this label will be selected

Ingress Definition

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
spec:
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 80

Practical Examples

Example 1: Create a ClusterIP Service

kubectl apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: clusterip-service
spec:
  type: ClusterIP
  selector:
    app: my-app
  ports:
    - port: 80
      targetPort: 80
EOF

Example 2: Create a NodePort Service

kubectl apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: nodeport-service
spec:
  type: NodePort
  selector:
    app: my-app
  ports:
    - port: 80
      targetPort: 80
      nodePort: 30080  # specify a port in the range 30000-32767
EOF

Example 3: Create a LoadBalancer Service

kubectl apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: loadbalancer-service
spec:
  type: LoadBalancer
  selector:
    app: my-app
  ports:
    - port: 80
      targetPort: 80
EOF

Example 4: Deploy Nginx Ingress Controller

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/cloud/deploy.yaml

Example 5: Create an Ingress Resource

kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: loadbalancer-service
                port:
                  number: 80
EOF

Example 6: Accessing a NodePort Service

curl http://<node-ip>:30080

Example 7: Accessing a LoadBalancer Service

kubectl get services
# Note the EXTERNAL-IP of the LoadBalancer service
curl http://<external-ip>

Example 8: Testing Ingress

# Ensure that your /etc/hosts file points the hostname to the Ingress controller's IP
echo "<ingress-controller-ip> myapp.example.com" | sudo tee -a /etc/hosts
curl http://myapp.example.com

Real-World Scenarios

Scenario 1: Internal Microservices Communication

For a microservices architecture, using ClusterIP Services allows seamless communication between services within the cluster. Each service can be accessed by its name, enabling easy discovery and reduced complexity.

Scenario 2: Exposing an Application to the Internet

When an application needs to be publicly accessible, a LoadBalancer Service is often the best choice. It provides a single point of entry and integrates with cloud provider load balancers, ensuring traffic is distributed to the backend pods.

Scenario 3: Advanced Routing with Ingress

An e-commerce application can benefit from an Ingress setup that routes traffic based on defined rules, such as directing /products to the product service and /checkout to the checkout service, providing better organization and SSL termination.

Best Practices

  1. Use ClusterIP by Default: Utilize ClusterIP services for internal communications unless external access is required.
  2. Secure Ingress: Always secure your Ingress with TLS to protect sensitive data in transit.
  3. Limit NodePort Usage: Avoid using NodePort in production; prefer LoadBalancer or Ingress.
  4. Monitor Network Performance: Implement monitoring tools to observe network performance and traffic patterns.
  5. Automate Ingress Management: Use Helm or custom scripts to manage Ingress resources to ensure consistency and reduce manual errors.

Common Errors

Error 1: Error from server (NotFound): services "<service-name>" not found

Cause: The specified service does not exist.

Fix: Ensure the service name is correct and the service is created.

Error 2: connection refused

Cause: The service is not reachable, possibly due to misconfiguration or the pods not being ready.

Fix: Check the pod status and service configuration.

Error 3: Error: unable to connect to the server: dial tcp <ip>:<port>: connect: connection refused

Cause: The cluster is not accessible.

Fix: Verify your kubeconfig and ensure the cluster is running.

Error 4: 404 Not Found

Cause: The Ingress rule does not match the incoming request.

Fix: Review the Ingress resource and ensure the rules are configured correctly.

Related Services/Tools

Feature ClusterIP NodePort LoadBalancer Ingress
Internal Access
External Access
Load Balancing ✅ (with external load balancer)
SSL Termination
Cost Low Low Variable Variable (depends on cloud provider)

Automation Script

Here is a simple bash script to set up a ClusterIP service and an Ingress resource.

#!/bin/bash

# Create a ClusterIP service
kubectl apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: automated-service
spec:
  type: ClusterIP
  selector:
    app: my-app
  ports:
    - port: 80
      targetPort: 80
EOF

# Create an Ingress resource
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: automated-ingress
spec:
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: automated-service
                port:
                  number: 80
EOF

echo "ClusterIP service and Ingress resource created."

Conclusion

Understanding Kubernetes networking, specifically Services and Ingress, is crucial for any DevOps/SRE professional. By leveraging the right type of service for your use case and implementing Ingress for external access, you can ensure robust, scalable, and secure application deployments. As you advance your Kubernetes knowledge, explore additional features like network policies and service mesh for enhanced networking capabilities.

Next Steps

References