# Configure External Access Layer


The Vespa Operator automatically provisions Kubernetes `Service` resources to enable external access for feeding and querying data. This behavior is controlled by the `VespaSet` Custom Resource configuration.

Load balancers are provisioned exclusively for Container clusters. Content clusters communicate internally and do not require external load balancing services. The type of service provisioned is determined by the `spec.ingress.endpointType` field in the `VespaSet`.

## Supported Endpoint Types

The operator supports four endpoint types to cover different infrastructure requirements.

| Endpoint Type | Kubernetes Service Type | Use Case |
| --- | --- | --- |
| `LOAD_BALANCER` | `LoadBalancer` | Provisions the cloud provider's managed load balancer (AWS, GCP, Azure). |
| `CLUSTER_IP` | `ClusterIP` | Each Container Pod exposes an internal IP address. Should not be used for production use cases. |
| `NONE` | N/A | No external access layer is provisioned. For custom networking setups (Istio, Ingress Controllers) where no automatic Service is desired. |

## LOAD\_BALANCER

This is the recommended configuration for production deployments on cloud providers (EKS, GKE, AKS). The operator creates a standard Kubernetes `LoadBalancer` service, triggering the cloud provider to provision a managed load balancer (e.g., AWS NLB).

**Configuration:**

```
ingress:
  endpointType: LOAD_BALANCER
```

On AWS, the ConfigServer automatically applies the annotation `service.beta.kubernetes.io/aws-load-balancer-internal: "true"` to all Container pods. This provisions an **internal** Network Load Balancer (NLB) accessible only within the VPC where the EKS cluster nodes reside.

## CLUSTER\_IP

This type restricts access to within the Kubernetes cluster. It provides a stable internal IP and DNS name (e.g., `lb-default.vespa.svc.cluster.local`) but assigns no external IP.

**Configuration:**

```
ingress:
  endpointType: CLUSTER_IP
```

The `CLUSTER_IP` service is ideal for architectures where the clients (e.g., front-end applications or ingestion services) run inside the same Kubernetes cluster as Vespa.

## NONE

This option disables automatic Service provisioning. Use this if you intend to manually define `Ingress` resources, use a Service Mesh (like Istio or Linkerd), or have complex networking requirements not covered by the standard types.

**Configuration:**

```
ingress:
  endpointType: NONE
```

## Traffic Routing & Labeling

To ensure zero-downtime deployments, the ConfigServer manages traffic routing dynamically using Kubernetes labels. The created Services use the selector `vespa.ai/tenant-lb: backend`. This label is attached automatically when a Pod is provisioned.

During a rolling upgrade, the label is removed from the terminating Pod(s) before they are shut down. This provides a window for the remaining traffic to drain before the Pod is upgraded.

**Note**: The Service exposes port **80** (plaintext) and **443** (TLS) externally, mapping them to the container's port 4443.
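The selector, AWS annotation and port mapping described on this page can be checked against the Services actually present in a cluster. The following is an added example, not Vespa's own code: a Python audit over a Service list shaped like `kubectl get svc -A -o json` output. The sample data, the service names other than `lb-default` and the finding strings are constructed, and it assumes the AWS annotation is readable on the Service object.

```python
# Values stated on this page.
SELECTOR_KEY, SELECTOR_VALUE = "vespa.ai/tenant-lb", "backend"
INTERNAL_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-internal"
CONTAINER_PORT = 4443

def audit_service(svc):
    """Return findings for one Service, or None if it does not select Vespa containers."""
    meta, spec = svc.get("metadata", {}), svc.get("spec", {})
    if (spec.get("selector") or {}).get(SELECTOR_KEY) != SELECTOR_VALUE:
        return None
    findings = []
    annotations = meta.get("annotations") or {}
    # Assumption: the internal marker is visible on the Service object itself.
    if spec.get("type") == "LoadBalancer" and annotations.get(INTERNAL_ANNOTATION) != "true":
        findings.append("LoadBalancer without internal annotation")
    for p in spec.get("ports") or []:
        target = p.get("targetPort", p.get("port"))  # targetPort defaults to port
        if p.get("port") == 80:
            findings.append("port 80 (plaintext) exposed")
        # Named (string) target ports cannot be resolved without the Pod spec; skip them.
        if isinstance(target, int) and target != CONTAINER_PORT:
            findings.append(f"port {p.get('port')} targets {target}, not {CONTAINER_PORT}")
    return findings

def audit(service_list):
    """Map namespace/name -> findings for every Vespa container Service in a List."""
    report = {}
    for svc in service_list.get("items", []):
        findings = audit_service(svc)
        if findings is not None:
            meta = svc["metadata"]
            report[f"{meta.get('namespace', 'default')}/{meta['name']}"] = findings
    return report

def _svc(name, svc_type, selector, ports, annotations=None):
    """Build a constructed Service object with the fields the audit reads."""
    return {"metadata": {"name": name, "namespace": "vespa", "annotations": annotations},
            "spec": {"type": svc_type, "selector": selector,
                     "ports": [{"port": p, "targetPort": t} for p, t in ports]}}

# Constructed sample data, not output from a real cluster.
VESPA = {SELECTOR_KEY: SELECTOR_VALUE}
SAMPLE = {"items": [
    _svc("lb-default", "LoadBalancer", VESPA, [(80, 4443), (443, 4443)], {INTERNAL_ANNOTATION: "true"}),
    _svc("lb-public", "LoadBalancer", VESPA, [(443, 4443)]),
    _svc("lb-odd", "ClusterIP", VESPA, [(443, 8080)]),
    _svc("other", "LoadBalancer", {"app": "web"}, [(80, 8080)]),
]}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or "ok")
```

An empty findings list means the Service matches what this page describes; Services that do not carry the Vespa selector are skipped rather than reported.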


