Hello Community,
I am trying to use Kong API Gateway with my Amazon EKS cluster.
I deployed Kong as a Kubernetes Service of type LoadBalancer with AWS Network Load Balancer (NLB) annotations. The NLB was created successfully, and everything works fine over HTTP.
Later, I updated my configuration to enable SSL/HTTPS on the external NLB. After this change, I started getting the following error:
400 Bad Request
The plain HTTP request was sent to the HTTPS port
To resolve this, I added additional annotations related to SSL configuration. After that, the error changed to:
400 Bad Request
request_id: 103ee7323641d85b7bf1787634bab05e
Below are my current Kubernetes service and Kong configurations:
```yaml
proxy:
  enabled: true
  type: LoadBalancer # ← CRITICAL: This prevents NLB
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb-ip"
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "<ACM_ARN>"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
  labels:
    enable-metrics: "true"
  http:
    enabled: false
  tls:
    enabled: true
    servicePort: 443
    containerPort: 8443
    parameters:
    - http2
admin:
  enabled: true
  type: ClusterIP
  http:
    enabled: true
    servicePort: 8001
    containerPort: 8001
  tls:
    enabled: false
ingressController:
  enabled: true
env:
  database: "off"
  trusted_ips: 0.0.0.0/0,::/0
  proxy_listen: "0.0.0.0:8443 ssl http2 proxy_protocol"
manager:
  enabled: true
  type: ClusterIP
```
I would appreciate help understanding:
- Why Kong is still returning 400 Bad Request after enabling SSL on the NLB
- Whether SSL should be terminated at the NLB or at Kong
- What annotations or Kong settings are required for HTTPS to work correctly with NLB
Below are my Gateway, GatewayClass, Deployment and Service YAML configurations:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: kong
  annotations:
    konghq.com/gatewayclass-unmanaged: "true"
spec:
  controllerName: konghq.com/kic-gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: kong
spec:
  gatewayClassName: kong
  listeners:
  - name: proxy
    port: 443
    protocol: HTTPS
    allowedRoutes:
      namespaces:
        from: All
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: backend
spec:
  parentRefs:
  - name: kong
    sectionName: proxy
  hostnames:
  - <Domain>
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: backend
      port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: backend
      version: v1
  template:
    metadata:
      labels:
        app: backend
        version: v1
    spec:
      containers:
      - image: nginx
        imagePullPolicy: IfNotPresent
        name: backend
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: backend
  labels:
    app: backend
    service: backend
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
  selector:
    app: backend
```
Thanks in advance for your help!
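
Added example, not part of the original post: a small Python check over the Service annotations and the `proxy_listen` value posted above, reporting where the NLB and Kong disagree about TLS termination, PROXY protocol, and target type. The function name and finding names are hypothetical, and treating any `backend-protocol` other than `ssl` as plain TCP to the targets is an assumption about the AWS load balancer integration.

```python
PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"

# Constructed from the values in the post; "<ACM_ARN>" is the post's placeholder.
POSTED_ANNOTATIONS = {
    PREFIX + "backend-protocol": "tcp",
    PREFIX + "type": "nlb-ip",
    PREFIX + "ssl-cert": "<ACM_ARN>",
    PREFIX + "nlb-target-type": "instance",
    PREFIX + "proxy-protocol": "*",
}
POSTED_PROXY_LISTEN = "0.0.0.0:8443 ssl http2 proxy_protocol"


def check_tls_path(annotations, proxy_listen):
    """Return (finding, reason) pairs where the NLB and Kong settings disagree."""
    ann = {k[len(PREFIX):]: v for k, v in annotations.items() if k.startswith(PREFIX)}
    flags = proxy_listen.split()[1:]  # listener options after address:port
    findings = []

    nlb_tls = bool(ann.get("ssl-cert"))            # NLB listener terminates TLS
    backend_tls = ann.get("backend-protocol", "tcp").lower() == "ssl"
    kong_tls = "ssl" in flags                      # Kong expects a TLS handshake
    if nlb_tls and not backend_tls and kong_tls:
        findings.append(("plaintext-to-tls-listener",
                         "NLB decrypts and forwards plain TCP to an ssl listener"))
    if not nlb_tls and not kong_tls:
        findings.append(("no-tls-on-path", "neither the NLB nor Kong terminates TLS"))

    # PROXY protocol has to be enabled on both ends or on neither.
    if ("proxy-protocol" in ann) != ("proxy_protocol" in flags):
        findings.append(("proxy-protocol-mismatch",
                         "PROXY protocol enabled on only one side"))

    # The legacy "nlb-ip" type implies IP targets; an explicit target type
    # that says otherwise leaves the effective registration mode unclear.
    if ann.get("type") == "nlb-ip" and ann.get("nlb-target-type", "ip") != "ip":
        findings.append(("target-type-conflict",
                         "type nlb-ip combined with a non-ip nlb-target-type"))
    return findings


if __name__ == "__main__":
    for name, reason in check_tls_path(POSTED_ANNOTATIONS, POSTED_PROXY_LISTEN):
        print(f"{name}: {reason}")
```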