Kubernetes LoadBalancer service: How to expose apps to the internet

Learn how Kubernetes LoadBalancer services work. Provisions an external IP via your cloud provider covers when to use it, security considerations, and how it works on Civo.

4 lessons · 11 min · Advanced

3 minutes reading time

Written by

Civo Team
Civo Team

Marketing Team at Civo

A LoadBalancer Service provisions an external IP address that routes traffic from the internet into your cluster. It is the simplest way to make a Kubernetes application publicly accessible on a cloud platform.

When you create a LoadBalancer Service, Kubernetes asks the cloud provider to provision a load balancer. Once provisioned, you get an external IP address that anyone on the internet can connect to.

When to use LoadBalancer

LoadBalancer is appropriate when:

  • You need to expose a TCP or UDP service that cannot go through an HTTP Ingress controller
  • You are doing quick testing and need external access immediately
  • Your application handles its own authentication and TLS at the application level
  • You are on Civo and want the simplest path to external access

For HTTP and HTTPS production workloads, use an Ingress controller in front of a ClusterIP Service instead. An Ingress gives you TLS termination, hostname-based routing, and path-based routing with proper access control. A LoadBalancer alone exposes your application directly to the internet without any of those protections.

loadbalancer-vs-ingress

Working example

Start with a NodePort or ClusterIP Service already applied to the example namespace. Change the type to LoadBalancer:

apiVersion: v1
kind: Service
metadata:
name: node-application
namespace: example
spec:
type: LoadBalancer
selector:
run: node-application
ports:
- name: http
protocol: TCP
port: 3000
targetPort: 8080
kubectl apply -f manifests/service.yaml -n example

Watch for the external IP to be assigned:

kubectl get service -n example -w

Expected output while provisioning:

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
node-application LoadBalancer 10.96.145.23 <pending> 3000:31520/TCP 5s

Expected output once the external IP is assigned:

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
node-application LoadBalancer 10.96.145.23 74.220.16.43 3000:31520/TCP 30s

<pending> means the cloud provider is still provisioning the load balancer. On Civo this typically resolves within seconds.

Verify all resources:

kubectl get all -n example

You can now access your application at http://74.220.16.43:3000 from anywhere on the internet.

Security considerations

A LoadBalancer Service makes your application publicly accessible on the internet without TLS, authentication, or rate limiting. Anyone who knows the IP address and port can connect to it.

This is acceptable for:

  • Quick demos and testing where you will tear down the service afterwards
  • TCP/UDP services like databases or game servers where you control access at the network or application level
  • Applications that implement their own authentication

This is not acceptable for:

  • Production HTTP/HTTPS applications without an Ingress controller providing TLS termination
  • Services containing sensitive data exposed without authentication
  • Long-running services left open without monitoring

For production HTTP workloads, create a ClusterIP Service for your application and put an Ingress controller such as nginx or Traefik in front of it. The Ingress handles TLS, hostname routing, and path routing. The application stays internal.

How LoadBalancer works on Civo

On Civo Kubernetes (k3s), LoadBalancer Services are provisioned using ServiceLB (formerly Klipper). ServiceLB creates a DaemonSet of pods on each node that handle the external traffic forwarding. The external IP is assigned from the node pool's public IPs.

This is different from AWS, GKE, and AKS where the cloud provider provisions a dedicated external load balancer resource. On Civo the provisioning happens in seconds because it uses the existing node infrastructure rather than provisioning a separate cloud resource.

kubectl get all -n example

You will see the ServiceLB DaemonSet pods alongside your application pods. These are created automatically by Civo when a LoadBalancer Service is applied.

Provider comparison

ProviderHow it worksProvisioning time

Civo (k3s)

ServiceLB DaemonSet on each node

Seconds

AWS

AWS Elastic Load Balancer provisioned

1 to 3 minutes

GKE

Google Cloud Load Balancer provisioned

1 to 2 minutes

AKS

Azure Load Balancer provisioned

1 to 3 minutes

Civo Team
Civo Team

Marketing Team at Civo

Civo is the Sovereign Cloud and AI platform designed to help developers and enterprises build without limits. We bridge the gap between the openness of the public cloud and the rigorous security of private environments, delivering full cloud parity across every deployment. As a team, we are dedicated to providing scalable compute, lightning-fast Kubernetes, and managed services that are ready in minutes. Through CivoStack Enterprise and our FlexCore appliance, we empower organizations to maintain total data sovereignty on their own hardware.

Our mission is to make the cloud faster, simpler, and fairer. By providing enterprise-grade NVIDIA GPUs and streamlined model management, we ensure that high-performance AI and machine learning are accessible to everyone. Built for transparency and performance, the Civo Team is here to give you total control over your infrastructure, your data, and your spend.

View author profile
Course complete

Nice work, you finished Kubernetes Services: Exposing your Applications Inside and Outside the Cluster.

Your next step is up to you - keep building on what you've learned, or put it into practice on Civo.

Put it into practice

Spin up your first cluster on Civo

Get $250 free credit and launch a production-ready Kubernetes cluster in under 90 seconds.