Learn the vocabulary of routing external HTTP traffic to internal Services through a single entry point.
0 / 5 completed
1 / 5
At standup, a dev mentions a single external entry point that routes incoming HTTP requests to different internal Services based on hostname or path, instead of giving every Service its own external load balancer. What is this mechanism called?
An Ingress, backed by an Ingress controller such as nginx or Traefik, is a single external entry point that routes incoming HTTP requests to different internal Services based on hostname or path, avoiding a separate external load balancer per Service. A ClusterIP Service has no external address at all, so it can't serve this routing role on its own. This single-entry-point routing is what keeps a cluster's external exposure manageable as the number of internal Services grows.
2 / 5
During a design review, the team wants TLS termination handled at the edge, with the Ingress controller presenting a certificate stored in a referenced Secret rather than every backend Service handling its own TLS. Which capability supports this?
TLS termination configured directly on the Ingress resource lets the Ingress controller present a certificate from a referenced Secret and decrypt traffic at the edge, so backend Services don't each need their own TLS setup. Requiring every backend Service to terminate its own TLS duplicates certificate management across every single Service in the cluster. This edge termination is what centralizes certificate handling behind one controller instead of scattering it across many backends.
3 / 5
In a code review, a dev notices Ingress rules matching a request's path prefix, like /api or /admin, route it to a different backend Service entirely. What does this represent?
Path-based routing rules within an Ingress resource match a request's path prefix, like /api or /admin, and send it to a different backend Service accordingly, letting one Ingress front multiple applications. Routing every request to the same single backend regardless of path defeats the purpose of having distinct backend Services in the first place. This path-based routing is a core feature of how an Ingress consolidates traffic for many applications behind one external address.
4 / 5
An incident report shows users hitting an unrecognized path received a raw, unstyled connection error straight from the underlying node, because the Ingress had no default backend configured for a request that matched none of its routing rules. What practice would prevent this?
Configuring a default backend on the Ingress handles any request that doesn't match a defined routing rule, returning a consistent, informative response instead of an unhandled failure. Leaving no default backend configured is exactly what let an unmatched request fall through to the raw, unstyled error this incident describes. This default-backend configuration is a standard safeguard for any Ingress fronting more than one application's routing rules.
5 / 5
During a PR review, a teammate asks why the team routes all external traffic through one shared Ingress instead of provisioning a separate external load balancer for every individual Service. What is the reasoning?
Provisioning a separate external load balancer per Service multiplies both cost and operational overhead, since a cloud provider typically bills per load balancer and each one needs its own management. One Ingress controller consolidates routing and TLS termination behind a single external entry point, scaling far more cheaply as the number of internal Services grows. The tradeoff is that the Ingress controller itself becomes a shared, critical piece of infrastructure that needs its own availability and capacity planning.