Hi. I'm running Cerbos in a Kubernetes (more speci...
# help
d
Hi. I'm running Cerbos in a Kubernetes (more specifically an AWS EKS) cluster, and I need to expose the service, both the http and the grpc interface. I am successful exposing the http-interface, but I encounter difficulty exposing the grpc-interface. Do you have an example of doing this utilizing an AWS ALB? Or do you recommend going down the Nginx-route? As we manage certificates and dns-handling using AWS Route53, Nginx would complicate things a bit.
c
Hi. What exactly is the difficulty you're having with exposing the gRPC interface? We don't have a ready-made example of using Cerbos with ALB but we are aware of other customers successfully deploying Cerbos in that configuration. I don't think there's anything special involved. Maybe this might give you some clues: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-a-grpc-based-application-on-an-amazon-eks-cluster-and-access-it-with-an-application-load-balancer.html
d
Okay, good to hear. I have been at it for a couple of days, and I have been through the link you suggested, without luck. All attempts to reach the grpc fail with timeout, but the http-interface is accessible as intended. I was reaching out to see if you were aware of some complication or issue related to this setup. But based on your information, it is something I am missing, and not a complication with the service or ALB, as there are working cases out there 👍 I'll get back to the mine, attempting more isolated cases, to see what I might have missed.
c
I don't work with AWS much so I am not able to give you any specific pointers, unfortunately. I've found that their documentation usually omits a crucial piece of information such as a security policy or a cluster configuration that should be there for the whole thing to work 🤷 Are the healthchecks passing? Is the ALB able to reach the gRPC port?
d
Yeah, that is my experience as well 😅 Yes, it looks like it. The logs identified correct access, and the ALB transfers the HTTP requests to the service correctly. And when I port-forward to the service (by-passing the ALB) I am able to connect to the service. So somewhere along the way, the grpc request times out. Could be before reaching the ALB or at the ALB. Or maybe it is a security group that is missing the port? Or the source-ip not matching. Will do some additional digging, and reach out to the AWS team, to let them have a look at it. Their support is good, even if their examples are somewhat lacklustre.
c
Cool, let me know how it goes. I've also found another example, which you're probably already aware of...