Kubernetes networking best practices

Suggest edits

Hybrid Manager runs on Kubernetes and depends on Kubernetes networking to provide reliable connectivity for platform components, managed databases, and user access. A well-configured Kubernetes networking layer is essential for performance, resiliency, and security.

This page provides networking best practices for Kubernetes clusters that support Hybrid Manager and EDB-managed Postgres services. It complements the general Minimum and recommended Kubernetes specs and Kubernetes storage best practices.

For background on how Kubernetes is used in Hybrid Manager, see Kubernetes in Hybrid Manager.

Use multi-AZ networking for high availability

When deploying Kubernetes clusters across multiple Availability Zones (AZs), ensure your networking configuration supports:

Multi-AZ node pools (with nodes in each AZ)
Kubernetes network plugins (CNI) that support AZ-aware routing and failover
Correct configuration of public/private subnets and associated route tables

Hybrid Manager components—including Postgres clusters—benefit from AZ-spread to improve availability.

Manage Kubernetes Services types appropriately

Hybrid Manager uses Kubernetes Services to expose internal and external endpoints:

ClusterIP Services are used for internal communication between platform components and databases.
LoadBalancer Services expose public endpoints where needed (for example, UI/API access if configured).
Ingress resources may be used depending on platform (e.g. OpenShift Routes, NGINX Ingress, ALB Ingress on EKS).

Best practices:

Use ClusterIP Services for Postgres primary and replica Services.
Use LoadBalancer or Ingress only where explicitly required for user or API access.
Validate firewall rules and SecurityGroups align with expected exposure.

Apply NetworkPolicies to control traffic

Kubernetes NetworkPolicies allow fine-grained control over Pod-to-Pod and Pod-to-external traffic.

Recommended patterns:

Allow Hybrid Manager platform components to communicate with each other and with Postgres databases.
Deny all unnecessary traffic by default; explicitly allow required traffic flows.
Separate control plane and data plane traffic where applicable.

NetworkPolicies should be validated in all clusters used for Hybrid Manager to ensure consistent security posture.

Configure DNS and service discovery

Hybrid Manager depends on Kubernetes DNS to resolve internal service endpoints.

Ensure that:

Kubernetes CoreDNS or equivalent DNS service is deployed and healthy.
Kubernetes DNS domain is configured consistently across environments.
External DNS integrations (for LoadBalancer or Ingress endpoints) are configured with appropriate TTLs and monitored for updates.

Optimize for database traffic

Managed Postgres clusters require stable, performant network paths:

Prefer low-latency intra-cluster traffic for Postgres primary and replica communication.
Avoid cross-AZ database replication traffic unless explicitly configured and validated.
Monitor network latency and error rates between database Pods and consuming application Pods.

Postgres replication and HA performance is sensitive to network latency; validate networking setup accordingly.

Monitor and validate networking health

Operational best practices:

Monitor LoadBalancer and Ingress health and status.
Monitor Service endpoints to ensure expected Pods are attached.
Monitor DNS resolution times and error rates.
Validate NetworkPolicy enforcement periodically using test Pods.
Monitor key metrics such as network RTT, packet loss, and retransmits, especially for database traffic.

See Troubleshooting Kubernetes for additional guidance.

Summary checklist

Enable multi-AZ networking for availability.
Use Service types appropriately (ClusterIP, LoadBalancer, Ingress).
Apply NetworkPolicies to control traffic flows.
Validate DNS and service discovery across environments.
Optimize network paths for Postgres traffic.
Monitor and validate networking health continuously.

Could this page be better? Report a problem or suggest an addition!