Set up Load balancers using MetalLB

Overview

MetalLB provides load balancing for Kubernetes clusters running on bare metal or private cloud infrastructure. By default, load balancer services are not reachable from outside the cluster because egress packets are dropped by security groups. Without the Expose LB feature, you would need to manually allow traffic from the external IP pool specified in the MetalLB address pool, or create a custom security group with the required ingress ports open.

The Expose LB feature simplifies this by letting you configure allowed addresses and inbound ports in one place, eliminating the need to edit security groups on individual worker nodes.

Prerequisites

MetalLB add-on is enabled during cluster creation.

The Expose LB feature is enabled only if the MetalLB add-on was enabled during cluster creation.

Configure MetalLB load balancing

Navigate to Infrastructure > Clusters.
Select the cluster you want to configure.
Select Expose LB.
In the Allowed Addresses field, specify the IP addresses or CIDR ranges that MetalLB can assign to load balancer services. Enter either a specific IP address or a CIDR range from your MetalLB address pool. You should ensure that the IP addresses or CIDR range does not conflict with:
1. The serviceCIDR (10.96.0.0./16)
2. The podCIDR (10.244.0.0/16)
3. The worker node IPs in your environment

The following examples show valid IP address formats:

Single IP address:

   10.10.0.5

CIDR range:

   10.10.62.0/24

Modifying the Allowed Addresses field triggers a restart of existing worker nodes.

In the Inbound Port Details section, define the ports and protocols that external services can use to communicate with your cluster.
Field
Description
Example
Name
Identifier for the port rule. Must start with a lowercase letter and contain only lowercase letters, numbers, and hyphens.
custom-load-balancer
Port
Port number or range for external traffic.
80 or 3000-3500
Protocol
Network protocol. Select TCP or UDP.
TCP
IP Address or CIDR
Source IP address or subnet allowed to send traffic through this port.
10.10.0.7 or 10.10.0.0/9
Select Submit.

Set up MetalLB with L2 mode

In your Kubernetes cluster, create a corresponding IPAddressPool and L2Advertisement resource. For example:

apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: default-pool
  namespace: metallb-system
spec:
  addresses:
  # Note: This is the allocatable range of IPs from your address pool. 
  - 10.10.62.1-10.10.62.254

apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: default-l2
  namespace: metallb-system
spec:
  ipAddressPools:
  - default-pool

Verify load balancer service works

Create an nginx deployment and expose it via a loadbalancer service:

$ kubectl create deployment nginx --image=nginx
$ kubectl expose deployment nginx \
  --port=80 --target-port=80 \
  --type=LoadBalancer \
  --name=nginx-lb

Get the service IP:

$ kubectl get svc nginx-lb  
NAME       TYPE           CLUSTER-IP      EXTERNAL-IP    PORT(S)        AGE
nginx-lb   LoadBalancer   10.96.130.137   10.10.63.241   80:32456/TCP   5h33m

Use curl to get the default nginx page:

$ curl 10.10.63.241:80 -I
HTTP/1.1 200 OK
Server: nginx/1.29.6
Date: Mon, 23 Mar 2026 16:30:44 GMT
Content-Type: text/html
Content-Length: 896
Last-Modified: Tue, 10 Mar 2026 15:29:07 GMT
Connection: keep-alive
ETag: "69b038c3-380"
Accept-Ranges: bytes

PreviousCluster Networking NextCreate Virtualized Cluster with GPU support

Last updated 9 days ago

Was this helpful?

Good night

hashtagOverview

hashtagPrerequisites

hashtagConfigure MetalLB load balancing

hashtagSet up MetalLB with L2 mode

hashtagVerify load balancer service works

Overview

Prerequisites

Configure MetalLB load balancing

Set up MetalLB with L2 mode

Verify load balancer service works