DevOpsClicks
Traffic Management & Service Mesh

HAProxy, Ingress & Istio

Load balancing, Kubernetes Ingress Controllers, and Istio service mesh: from basics to production traffic management.

01

Traffic Management Overview

Why Load Balancing & Service Mesh Matter

Every production application needs to handle traffic deliberately: distribute requests across servers, route on hostname and URL path, terminate TLS, and control how microservices talk to each other. This guide covers three tools that each own one part of that job: HAProxy (a traditional load balancer), Kubernetes Ingress (K8s-native HTTP routing at the cluster edge), and Istio (a service mesh for traffic inside the cluster).
HAProxy
High-performance TCP/HTTP load balancer. Routes traffic to backend servers. Used standalone or in front of Kubernetes. Handles millions of connections.
K8s Ingress
Kubernetes-native way to expose HTTP services. Routes based on hostname and path. Uses Ingress Controllers like Nginx or Traefik.
Istio
Service mesh for microservices. Handles traffic routing, security (mTLS), observability, and retries between services inside Kubernetes.
Feature | HAProxy | K8s Ingress | Istio
Layer | L4/L7 | L7 | L4/L7
Where | Standalone, or in front of K8s | Inside K8s only | Inside K8s (VM workloads can be enrolled)
Best for | High-performance load balancing | Simple HTTP routing | Microservice traffic management
TLS | Yes (terminated at the proxy) | Yes (terminated at the controller) | mTLS between sidecars (required only in STRICT mode)
Observability | Stats page | Basic (controller metrics and logs) | Full (Kiali, Jaeger, Prometheus)
02

HAProxy Basics

High-Performance Load Balancer

HAProxy (High Availability Proxy) is a free, open-source load balancer. It sits in front of your servers and distributes incoming requests; when a server fails its health checks, HAProxy stops sending traffic to it. It is widely used by large-scale web sites.
How HAProxy Works
The client sends its request to the HAProxy address (HAProxy usually terminates TLS there as well). HAProxy picks a backend server with the configured load balancing algorithm (round-robin, least connections, etc.), forwards the request, and relays the response back. The client never talks to a backend directly, and the backends only need to accept connections from HAProxy, which is why they can live on a private network.
Installation
TERMINAL
# Ubuntu/Debian
sudo apt update && sudo apt install haproxy -y

# CentOS/RHEL
sudo yum install haproxy -y

# Verify
haproxy -v            # HAProxy version 2.x

# Config file location
/etc/haproxy/haproxy.cfg

# Validate the config before (re)starting, so a typo does not take the proxy down
sudo haproxy -c -f /etc/haproxy/haproxy.cfg

# Start and enable at boot
sudo systemctl start haproxy
sudo systemctl enable haproxy
Load Balancing Algorithms
Algorithm | How It Works | When to Use
roundrobin | Cycles through the servers in turn (weighted, if server weights are set) | Default; servers of equal capacity
leastconn | Sends to the server with the fewest active connections | Long-lived requests (WebSocket, DB)
source | Hashes the client IP, so the same client keeps hitting the same server while the pool is unchanged | Session persistence without cookies
uri | Hashes the request URI, so the same URL always goes to the same server | Cache servers
03

HAProxy Configuration

Complete Config Explained

HAPROXY
# /etc/haproxy/haproxy.cfg
global
    maxconn 50000
    log /dev/log local0
    stats socket /run/haproxy/admin.sock mode 660

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    option httplog
    option forwardfor           # Pass client IP to backend in X-Forwarded-For

# Stats dashboard (http://haproxy-ip:8404/stats)
# It lists backend names, addresses and states. In production bind it to an
# internal address or protect it with "stats auth user:password".
frontend stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 10s

# Main HTTP frontend
frontend web_frontend
    bind *:80
    bind *:443 ssl crt /etc/ssl/certs/myapp.pem   # PEM holds cert chain + private key; keep it mode 600
    # Send plain-HTTP clients to HTTPS
    http-request redirect scheme https unless { ssl_fc }
    # Route based on hostname
    acl is_api hdr(host) -i api.myapp.com
    acl is_web hdr(host) -i www.myapp.com
    use_backend api_servers if is_api
    default_backend web_servers

# Backend: web application servers
backend web_servers
    balance roundrobin
    option httpchk GET /health
    server web1 10.0.1.10:3000 check
    server web2 10.0.1.11:3000 check
    server web3 10.0.1.12:3000 check

# Backend: API servers
backend api_servers
    balance leastconn
    option httpchk GET /api/health
    server api1 10.0.2.10:8080 check
    server api2 10.0.2.11:8080 check
Health Checks

The check keyword makes HAProxy probe each server on a schedule. Without option httpchk that probe is a plain TCP connect; with option httpchk GET /health (as above) HAProxy sends that request and treats a 2xx or 3xx reply as healthy. A server is marked DOWN after 3 consecutive failed probes and UP again after 2 consecutive successes (HAProxy's default fall and rise values), so a single lost probe does not flap the pool. Traffic to a DOWN server stops and resumes automatically when it recovers. This keeps dead servers out of rotation; zero-downtime deployments additionally need the server being replaced to be drained first, for example by setting it to maintenance state through the stats socket.
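The selection and health-check behaviour described here and in the algorithm table of chapter 02, written out as a small Python model. This is an added illustration, not HAProxy's code: the server names and addresses are the ones from the config above, the fall/rise thresholds mirror HAProxy's defaults (3 and 2), and the hash used for `source` is a simplified stand-in for HAProxy's map-based hashing.

```python
"""Added model of HAProxy-style backend selection and health-check hysteresis.
Not HAProxy code: a simplified illustration of the behaviour described on the page."""
import hashlib
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    addr: str
    up: bool = True
    active_conns: int = 0
    consecutive_ok: int = 0      # health-check hysteresis counters
    consecutive_fail: int = 0


class Backend:
    """One HAProxy 'backend' section: a pool plus a balance algorithm."""

    def __init__(self, servers, balance="roundrobin", fall=3, rise=2):
        # fall=3 / rise=2 are HAProxy's default check thresholds
        self.servers = list(servers)
        self.balance = balance
        self.fall, self.rise = fall, rise
        self._rr = 0

    def healthy(self):
        return [s for s in self.servers if s.up]

    def record_check(self, server, ok):
        """Apply one health-check result ("check" in the config). A server goes
        DOWN only after `fall` consecutive failures and comes back UP only after
        `rise` consecutive successes, so one flaky probe does not flap the pool."""
        if ok:
            server.consecutive_ok += 1
            server.consecutive_fail = 0
            if not server.up and server.consecutive_ok >= self.rise:
                server.up = True
        else:
            server.consecutive_fail += 1
            server.consecutive_ok = 0
            if server.up and server.consecutive_fail >= self.fall:
                server.up = False

    def pick(self, client_ip=None):
        """Choose a server for one request; None means HAProxy would answer 503."""
        pool = self.healthy()
        if not pool:
            return None
        if self.balance == "roundrobin":
            server = pool[self._rr % len(pool)]
            self._rr += 1
            return server
        if self.balance == "leastconn":
            return min(pool, key=lambda s: s.active_conns)
        if self.balance == "source":
            # Hash of the client IP modulo the pool size. When the pool size
            # changes most clients are re-mapped, which is why sticky setups
            # usually add "hash-type consistent" in HAProxy.
            digest = hashlib.sha256(client_ip.encode()).digest()
            return pool[int.from_bytes(digest[:8], "big") % len(pool)]
        raise ValueError(f"unknown balance algorithm {self.balance!r}")


def demo():
    """Walk through the scenarios from the text and return what happened."""
    servers = [Server("web1", "10.0.1.10:3000"),
               Server("web2", "10.0.1.11:3000"),
               Server("web3", "10.0.1.12:3000")]
    rr = Backend(servers)
    order = [rr.pick().name for _ in range(4)]

    web2 = servers[1]
    rr.record_check(web2, ok=False)
    rr.record_check(web2, ok=False)
    up_after_2_failures = web2.up            # still UP: fall=3
    rr.record_check(web2, ok=False)
    up_after_3_failures = web2.up            # DOWN now
    rotation_while_down = sorted({rr.pick().name for _ in range(6)})
    rr.record_check(web2, ok=True)
    rr.record_check(web2, ok=True)
    up_after_2_successes = web2.up           # back UP: rise=2

    servers[0].active_conns, servers[1].active_conns, servers[2].active_conns = 5, 1, 3
    least = Backend(servers, balance="leastconn").pick().name

    sticky = Backend(servers, balance="source")
    same_server = sticky.pick("203.0.113.7") is sticky.pick("203.0.113.7")

    return {
        "roundrobin_order": order,
        "up_after_2_failures": up_after_2_failures,
        "up_after_3_failures": up_after_3_failures,
        "rotation_while_down": rotation_while_down,
        "up_after_2_successes": up_after_2_successes,
        "leastconn_pick": least,
        "source_is_sticky": same_server,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and watch web2 drop out of the round-robin rotation only on the third failed probe and return only after two good ones; that hysteresis is what you tune with fall and rise when a backend is slow to warm up.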

04

Kubernetes Ingress

HTTP Routing in K8s

Ingress is the Kubernetes-native way to expose HTTP and HTTPS services outside the cluster. Instead of creating a LoadBalancer Service for every app, you create one Ingress that routes by hostname and URL path. An Ingress object does nothing on its own: an Ingress Controller (ingress-nginx, Traefik, HAProxy Ingress, ...) watches Ingress resources and programs a reverse proxy from them, and it is that proxy, not the Ingress, that terminates TLS and enforces the annotations you set.
Ingress Controller Installation
TERMINAL
# Install the ingress-nginx controller (pin the version you deploy)
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.9.0/deploy/static/provider/cloud/deploy.yaml

# Verify
kubectl get pods -n ingress-nginx
# NAME                           READY   STATUS
# ingress-nginx-controller-xxx   1/1     Running

# It creates a LoadBalancer Service automatically; its EXTERNAL-IP is the entry point
kubectl get svc -n ingress-nginx
Basic Ingress Resource
YAML
# ingress.yaml: route traffic by hostname and path
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress
  # No rewrite-target annotation here: "rewrite-target: /" would turn
  # /api/users into / before it reaches api-service.
spec:
  ingressClassName: nginx
  rules:
  - host: myapp.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend-service
            port:
              number: 80
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
  - host: admin.myapp.com        # public hostname; restrict it (see chapter 05)
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: admin-service
            port:
              number: 3000
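How a controller is supposed to decide which path wins, as an added Python model of the matching rules in the networking.k8s.io/v1 Ingress spec (element-wise Prefix matching, longest match wins, Exact beats Prefix on a tie). This is not the code of any Ingress Controller; the INGRESS dict mirrors the ingress.yaml above plus one constructed Exact path (`/api/health` to a made-up `health-service`) so the tie-break can be shown. Wildcard hosts and the ImplementationSpecific path type are left out.

```python
"""Added model of Kubernetes Ingress path matching per the networking.k8s.io/v1
spec. Illustration only, not the code of ingress-nginx or any other controller."""

# Constructed input: the rules from ingress.yaml above, plus an Exact path for
# /api/health (health-service is made up) to show the Exact-beats-Prefix rule.
INGRESS = {
    "rules": [
        {"host": "myapp.com", "paths": [
            {"path": "/", "pathType": "Prefix", "service": ("frontend-service", 80)},
            {"path": "/api", "pathType": "Prefix", "service": ("api-service", 8080)},
            {"path": "/api/health", "pathType": "Exact", "service": ("health-service", 8081)},
        ]},
        {"host": "admin.myapp.com", "paths": [
            {"path": "/", "pathType": "Prefix", "service": ("admin-service", 3000)},
        ]},
    ]
}


def _segments(path):
    """Split a path into its '/'-separated elements; a trailing slash is ignored."""
    return [seg for seg in path.strip("/").split("/") if seg]


def path_matches(rule_path, path_type, request_path):
    if path_type == "Exact":
        return rule_path == request_path
    if path_type == "Prefix":
        # Element-wise prefix: /api matches /api, /api/ and /api/users,
        # but NOT /apiv2 (it is not a plain string prefix).
        rule, req = _segments(rule_path), _segments(request_path)
        return req[:len(rule)] == rule
    # ImplementationSpecific is defined by the IngressClass; not modelled here.
    raise ValueError(f"unsupported pathType {path_type!r}")


def route(ingress, host, request_path):
    """Return (service, port) for a request, or None when nothing matches
    (a real controller then falls back to defaultBackend or answers 404)."""
    candidates = []
    for rule in ingress["rules"]:
        # A rule without a host matches any host; otherwise the host must match exactly.
        if rule.get("host") and rule["host"] != host:
            continue
        for p in rule["paths"]:
            if path_matches(p["path"], p["pathType"], request_path):
                candidates.append(p)
    if not candidates:
        return None
    # Longest matching path wins; on a tie Exact beats Prefix.
    best = max(candidates,
               key=lambda p: (len(p["path"].rstrip("/")), p["pathType"] == "Exact"))
    return best["service"]


if __name__ == "__main__":
    for host, path in [("myapp.com", "/api/users"), ("myapp.com", "/apiv2/users"),
                       ("myapp.com", "/api/health"), ("evil.example.com", "/")]:
        print(host, path, "->", route(INGRESS, host, path))
```

Verify your own controller against cases like `/apiv2/users` and `/api/health/` before relying on a path boundary for access control; if the controller matches on string prefixes instead of path elements, `/apiv2` quietly lands on the API backend.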
05

Ingress Advanced

TLS, Rate Limiting, Auth

TLS/HTTPS with Ingress
TERMINAL
# Create the TLS secret in the same namespace as the Ingress that uses it
kubectl create secret tls myapp-tls \
  --cert=fullchain.pem \
  --key=privkey.pem

YAML
# Ingress with TLS terminated at the controller
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-tls-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - myapp.com
    secretName: myapp-tls
  rules:
  - host: myapp.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend-service
            port:
              number: 80
Useful Annotations
Annotation (prefix nginx.ingress.kubernetes.io/) | What It Does | Example Value
ssl-redirect | Redirect HTTP to HTTPS (already the default once the Ingress has a tls section) | "true"
proxy-body-size | Max request body / upload size | "50m"
limit-rps | Requests per second allowed per client IP | "10"
whitelist-source-range | Allowlist of client CIDRs; everything else gets 403 | "10.0.0.0/8"
proxy-connect-timeout | Seconds to wait for a backend connection | "60"

limit-rps and whitelist-source-range act on the client IP the controller sees. Behind a cloud load balancer that is the balancer's own address unless the controller is configured to recover the real one (PROXY protocol, or X-Forwarded-For from trusted proxies only). Never let the controller trust X-Forwarded-For from arbitrary clients: a spoofed header would then satisfy the allowlist.
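The allowlist and rate-limit decisions behind those annotations, and the client-IP question they depend on, as an added Python model. It is not ingress-nginx code: it shows a naive client-IP function that trusts X-Forwarded-For blindly beside a hardened one that honours the header only when the direct peer is a trusted proxy, then evaluates whitelist-source-range against each. The trusted-proxy range, the allowlist and all addresses are constructed for the example, and the rate limiter is a plain sliding window rather than nginx's leaky bucket with burst.

```python
"""Added model of client-IP resolution, whitelist-source-range and limit-rps.
Illustration only, not ingress-nginx code; addresses are constructed."""
import ipaddress
from collections import defaultdict, deque


def naive_client_ip(remote_addr, x_forwarded_for):
    """The unsafe version: believe whatever X-Forwarded-For says."""
    if x_forwarded_for:
        return ipaddress.ip_address(x_forwarded_for.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Safe version: honour X-Forwarded-For only when the direct peer is a
    trusted proxy, and take the right-most address that was not appended by a
    trusted proxy (each proxy appends the peer it saw, so the entries it added
    are at the end and the client-supplied ones at the front)."""
    peer = ipaddress.ip_address(remote_addr)
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    if not is_trusted(peer) or not x_forwarded_for:
        return peer
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in x_forwarded_for.split(",")]
    except ValueError:
        return peer          # malformed header: ignore it rather than guess
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]           # every hop was a trusted proxy


def allowed(ip, whitelist_source_range):
    """whitelist-source-range: comma-separated CIDRs, anything else is 403."""
    nets = [ipaddress.ip_network(c.strip()) for c in whitelist_source_range.split(",")]
    return any(ip in net for net in nets)


class RateLimiter:
    """Per-client limit over a sliding one-second window: a simple model of
    limit-rps (nginx itself uses a leaky bucket with a burst allowance)."""

    def __init__(self, rps):
        self.rps = rps
        self.hits = defaultdict(deque)

    def allow(self, ip, now):
        window = self.hits[ip]
        while window and now - window[0] >= 1.0:
            window.popleft()
        if len(window) >= self.rps:
            return False
        window.append(now)
        return True


TRUSTED_LB = ["192.168.1.0/24"]   # constructed: the load balancer in front of the controller
ALLOWLIST = "10.0.0.0/8"          # constructed whitelist-source-range value


def admit(remote_addr, x_forwarded_for, naive=False):
    """Return (resolved client IP, admitted?) for one request."""
    if naive:
        ip = naive_client_ip(remote_addr, x_forwarded_for)
    else:
        ip = client_ip(remote_addr, x_forwarded_for, TRUSTED_LB)
    return str(ip), allowed(ip, ALLOWLIST)


if __name__ == "__main__":
    print("spoofed XFF, naive:   ", admit("203.0.113.9", "10.0.0.5", naive=True))
    print("spoofed XFF, hardened:", admit("203.0.113.9", "10.0.0.5"))
    print("via trusted LB:       ", admit("192.168.1.10", "10.0.0.5"))
```

The first two lines of output are the whole point: the same spoofed request passes the allowlist under the naive resolver and is rejected under the hardened one. If the controller and the load balancer speak PROXY protocol instead, the controller gets the real peer address directly and no header parsing is needed.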
06

Istio Service Mesh

Introduction

Istio is a service mesh: it manages communication between your microservices inside Kubernetes. It injects a sidecar proxy (Envoy) into every pod, and that proxy intercepts all of the pod's network traffic. This gives you mTLS between services, traffic routing, retries, circuit breaking, and observability without changing application code. One caveat that matters for security: Istio's default PeerAuthentication mode is PERMISSIVE, so sidecars accept both mTLS and plaintext. Until you apply a PeerAuthentication with mode STRICT (mesh-wide in istio-system, or per namespace), a workload without a sidecar can still reach your services unencrypted.
Installation
TERMINAL
# Download Istio (review the script, or fetch the release tarball and verify
# its checksum, rather than piping an unread script into sh on a production host)
curl -L https://istio.io/downloadIstio | sh -
cd istio-*
export PATH=$PWD/bin:$PATH

# Install Istio into Kubernetes
# "demo" is for experimenting; use profile=default (or minimal) for production
istioctl install --set profile=demo -y

# Enable automatic sidecar injection for a namespace
kubectl label namespace default istio-injection=enabled

# Verify
kubectl get pods -n istio-system
# istiod, istio-ingressgateway, istio-egressgateway
Sidecar Proxy

Every pod created in a labelled namespace gets an Envoy sidecar at admission time. Your app container talks to its own sidecar, and that sidecar talks to the peer's sidecar; between sidecars traffic is encrypted with mTLS, measured (metrics), and controlled (routing rules), with no code changes. Two things to check: pods that existed before the namespace label was added keep running without a sidecar until they are restarted, and callers without a sidecar are only refused once PeerAuthentication is set to STRICT.

07

Istio Traffic Management

VirtualService & DestinationRule

Canary Deployment (90/10 Split)
YAML
# Send 90% of traffic to v1, 10% to v2
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp
spec:
  hosts:
  - myapp
  http:
  - route:
    - destination:
        host: myapp
        subset: v1
      weight: 90
    - destination:
        host: myapp
        subset: v2
      weight: 10
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: myapp
spec:
  host: myapp
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
Circuit Breaker
YAML
# If a backend instance keeps failing, eject it (prevents cascade failure).
# This DestinationRule has the same name and host as the canary one above, so
# applying it replaces that object: keep the subsets here, otherwise the
# VirtualService's subset routes break.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: myapp
spec:
  host: myapp
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        h2UpgradePolicy: DEFAULT
        http1MaxPendingRequests: 100
    outlierDetection:
      consecutive5xxErrors: 3   # eject a host after 3 consecutive 5xx responses
      interval: 30s             # how often hosts are re-evaluated
      baseEjectionTime: 30s     # ejection lasts 30s times the number of ejections
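What those outlierDetection values do over time, as an added Python model of Envoy's consecutive-5xx outlier detection, which is also the mechanism behind the circuit-breaker interview answer at the end of this page. It is a simplified illustration, not Envoy code: the thresholds match the DestinationRule above, ejection length grows with the number of ejections as Envoy documents, readmission is checked continuously rather than every `interval`, and the host names and timestamps are constructed.

```python
"""Added model of consecutive-5xx outlier detection as configured by Istio's
DestinationRule.outlierDetection. Simplified illustration, not Envoy code."""
from dataclasses import dataclass


@dataclass
class HostState:
    addr: str
    consecutive_5xx: int = 0
    ejected_until: float = 0.0   # seconds; in the past means "in the pool"
    ejections: int = 0


class OutlierDetector:
    def __init__(self, hosts, consecutive_5xx_errors=3, base_ejection_time=30.0):
        # Same values as the DestinationRule above
        self.hosts = {h: HostState(h) for h in hosts}
        self.threshold = consecutive_5xx_errors
        self.base_ejection_time = base_ejection_time

    def is_ejected(self, addr, now):
        return now < self.hosts[addr].ejected_until

    def report(self, addr, status, now):
        """Feed one upstream response. Any non-5xx resets the streak; the Nth
        consecutive 5xx ejects the host for baseEjectionTime multiplied by the
        number of times it has been ejected (so repeat offenders stay out longer)."""
        h = self.hosts[addr]
        if status < 500:
            h.consecutive_5xx = 0
            return
        h.consecutive_5xx += 1
        if h.consecutive_5xx >= self.threshold and not self.is_ejected(addr, now):
            h.ejections += 1
            h.ejected_until = now + self.base_ejection_time * h.ejections
            h.consecutive_5xx = 0

    def pool(self, now):
        """Hosts the sidecar may still route to at time `now`."""
        return [a for a in self.hosts if not self.is_ejected(a, now)]


def demo():
    """Constructed timeline for three API instances; api1 misbehaves."""
    det = OutlierDetector(["api1", "api2", "api3"])
    # two failures then a success: the streak is broken, nothing happens
    for status in (503, 503, 200):
        det.report("api1", status, now=0.0)
    after_broken_streak = det.pool(0.0)
    # three in a row at t=1: api1 is ejected for 30s
    for _ in range(3):
        det.report("api1", 503, now=1.0)
    during_first_ejection = det.pool(10.0)
    after_first_ejection = det.pool(31.0)
    # a second streak at t=40: this ejection lasts 2 x 30s
    for _ in range(3):
        det.report("api1", 503, now=40.0)
    during_second_ejection = det.pool(90.0)
    after_second_ejection = det.pool(100.0)
    return {
        "after_broken_streak": after_broken_streak,
        "during_first_ejection": during_first_ejection,
        "after_first_ejection": after_first_ejection,
        "during_second_ejection": during_second_ejection,
        "after_second_ejection": after_second_ejection,
        "ejections": det.hosts["api1"].ejections,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Istio's maxEjectionPercent (default 10%) additionally caps the share of a pool that can be ejected at once, which the model leaves out; with a very small pool, check that cap before expecting a host to be removed.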
08

Istio Observability

Kiali, Jaeger, Prometheus

Istio gives you observability out of the box: see which service calls which, how fast they respond, where errors happen, and trace requests across many microservices.
Kiali
Service mesh dashboard. Visualizes service-to-service communication as a graph with traffic flow, health, and error rates.
Jaeger
Distributed tracing. Follow a single request as it travels through multiple microservices and find which hop is slow. Caveat: the sidecar can start and report spans, but each service must forward the tracing headers from its incoming request to its outgoing calls (x-request-id and the B3 x-b3-* headers, or W3C traceparent), otherwise the trace breaks at that service.
Prometheus + Grafana
Istio exports metrics automatically. Request rate, latency, and error rate per service, without any code changes.
TERMINAL
# The dashboards are add-ons: install them from the Istio release directory first
kubectl apply -f samples/addons

# Access Kiali dashboard
istioctl dashboard kiali
# Access Jaeger tracing
istioctl dashboard jaeger
# Access Grafana dashboards
istioctl dashboard grafana
09

Best Practices

Production Traffic Management

✓ Use Ingress for simple HTTP routing (hostname/path based)
✓ Use Istio when you have 5+ microservices needing traffic control
✓ HAProxy for non-K8s environments or as external load balancer in front of K8s
✓ Always enable TLS; use cert-manager for automatic certificate renewal
✓ Enforce mTLS with a PeerAuthentication in STRICT mode; the PERMISSIVE default only makes mTLS available, it does not require it
✓ Canary deployments: start with 5% traffic to the new version, increase gradually
✓ Set circuit breakers to prevent cascade failures across microservices
✓ Monitor with Kiali (traffic graph) + Jaeger (tracing) + Grafana (metrics)
✓ Use rate limiting on Ingress to limit abuse; it helps against application-level floods, not against volumetric DDoS, which has to be absorbed before it reaches the cluster
✓ Health checks on HAProxy backends: never send traffic to dead servers
✓ Keep Istio updated; security patches are critical for a component that sits in every pod's traffic path
10

Interview Questions

Traffic Management Q&A

What is a load balancer?
Distributes incoming traffic across multiple servers. Prevents any single server from being overwhelmed. If one server dies, traffic goes to healthy ones. Types: L4 (TCP) and L7 (HTTP). HAProxy, Nginx, AWS ALB/NLB.
HAProxy vs Nginx?
HAProxy: purpose-built load balancer, TCP and HTTP, very efficient under heavy connection load. Nginx: web server + reverse proxy + load balancer, more versatile. Both are excellent: HAProxy for pure load balancing, Nginx when you also want to serve content or terminate at a general-purpose proxy.
What is K8s Ingress?
L7 load balancer native to Kubernetes. Routes HTTP traffic based on hostname and URL path to Services. Needs an Ingress Controller (Nginx, Traefik, HAProxy). Single entry point for multiple services.
What is a Service Mesh?
Infrastructure layer that manages service-to-service communication. Handles encryption (mTLS), retries, circuit breaking, observability. Istio and Linkerd are popular. Implemented via sidecar proxies in each pod.
Ingress vs LoadBalancer Service?
LoadBalancer: one external IP per Service (expensive, simple). Ingress: one external IP for many Services, routes by hostname/path (cost-effective, flexible). Use Ingress for HTTP, LoadBalancer for TCP/UDP.
What is mTLS?
Mutual TLS: both client and server present certificates and verify each other's. Istio issues a short-lived certificate to every sidecar (its identity is a SPIFFE ID derived from the pod's service account) and uses those certificates for service-to-service connections automatically, with no code changes. Enforce it with a PeerAuthentication in STRICT mode; the default PERMISSIVE mode still accepts plaintext from callers without a sidecar.
Canary deployment?
Release new version to small percentage of traffic (5-10%). Monitor for errors. Gradually increase to 100%. If issues found, route all traffic back to old version. Istio VirtualService controls the traffic split.
Circuit breaker pattern?
If a service starts failing (5xx errors), stop sending traffic to it temporarily. Prevents cascade failure across microservices. Istio DestinationRule with outlierDetection implements this automatically.