AVI/NSX-ALB HostRule and Ingress for Path Rewriting to Kubernetes Services

Article ID: 404855

Products

VMware Avi Load Balancer

Issue/Introduction

External requests that target the /subtext context path must be rewritten to drop this prefix and then routed to a Kubernetes backend service of type NodePort. The solution uses AVI’s HostRule, Ingress, and HTTPPolicySet to modify request URLs so that they reach the intended microservice.

Environment

VMware Avi Load Balancer

VMware vSphere Kubernetes Service

Cause

  • Requests arrive at: https://api.example.internal/wcbdc/ubc/v1/ReqMessage?...
    But the backend service expects: https://api.example.internal/ubc/v1/ReqMessage?...
  • The /subtext prefix causes routing mismatches and failed responses.

Resolution

Define HTTPPolicySet via AVI CLI: Create a blank policy set named url_rewrite_subtext_httppolicyset to strip the /subtext prefix from incoming request paths. This policy enables URL transformation before ingress routing occurs. The policy set is created blank because the rules will be added through the GUI. If you plan to include rules in the httppolicyset, follow the docs.

Apply HostRule Resource: Deploy a HostRule custom resource that binds the above HTTPPolicySet to the virtual host api.example.internal. This configuration activates the rewrite behavior and includes TLS and listener settings for traffic over port 443.

apiVersion: ako.vmware.com/v1beta1
kind: HostRule
metadata:
  name: alpha-x
  namespace: test-subtext
spec:
  virtualhost:
    enableVirtualHost: true
    fqdn: api.example.internal
    fqdnType: Exact
    httpPolicy:
      overwrite: false
      policySets:
      - url_rewrite_subtext_httppolicyset
    tcpSettings:
      listeners:
      - enableSSL: true
        port: 443
      loadBalancerIP: 192.0.2.38
    tls:
      sslKeyCertificate:
        name: alpha-x-cert
        type: ref
      sslProfile: edge-ssl-profile
      termination: edge

Update HTTPPolicy via AVI GUI: Log in to the AVI Controller UI, navigate to the virtual service for the target FQDN, and bind the HTTPPolicySet url_rewrite_subtext_httppolicyset. This enables runtime rewrite behavior in the ingress layer. Add the required rules in the AVI GUI as shown below.

Apply Ingress Resource in Kubernetes: Define an Ingress object with the same hostname (api.example.internal) and direct requests to the backend service cd-fsp over NodePort 8091. This allows AVI to route traffic to the correct pod after rewriting the URL path.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: data-proxy
  namespace: test-subtext
spec:
  ingressClassName: avi-lb
  rules:
  - host: api.example.internal
    http:
      paths:
      - backend:
          service:
            name: data-proxy
            port:
              number: 8091
        path: /cd
        pathType: ImplementationSpecific
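
The following is an added example, not part of the original article and not Avi's implementation: a Python model of the prefix strip the rewrite rule is meant to perform, giving expected results to compare against when testing the rule added in the GUI. It assumes the rule should match /subtext only as a whole path segment; the function names and sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

PREFIX = "/subtext"  # context path named in this article

def rewrite_path(path, prefix=PREFIX):
    """Return path with prefix stripped, or None when the rule must not match."""
    # Match whole path segments only: "/subtext" or "/subtext/...",
    # never a longer first segment such as "/subtext-admin".
    if path != prefix and not path.startswith(prefix + "/"):
        return None
    rest = path[len(prefix):]
    # A bare prefix becomes "/", and doubled slashes left behind by the
    # strip are collapsed so the backend always gets a single leading "/".
    return "/" + rest.lstrip("/")

def rewrite_url(url, prefix=PREFIX):
    """Apply rewrite_path to a full URL; host and query string are unchanged."""
    parts = urlsplit(url)
    new_path = rewrite_path(parts.path, prefix)
    if new_path is None:
        return url  # no match: the request passes through as received
    return urlunsplit((parts.scheme, parts.netloc, new_path,
                       parts.query, parts.fragment))

# Constructed requests (assumption: query values are placeholders).
CASES = {
    "https://api.example.internal/subtext/ubc/v1/ReqMessage?id=1":
        "https://api.example.internal/ubc/v1/ReqMessage?id=1",
    "https://api.example.internal/subtext":
        "https://api.example.internal/",
    "https://api.example.internal/subtext-admin/ubc":
        "https://api.example.internal/subtext-admin/ubc",
    "https://api.example.internal/subtext//ubc/v1":
        "https://api.example.internal/ubc/v1",
    "https://api.example.internal/ubc/subtext/v1":
        "https://api.example.internal/ubc/subtext/v1",
}

def failures():
    """Return the constructed cases whose rewrite differs from the expectation."""
    return [u for u, want in CASES.items() if rewrite_url(u) != want]

if __name__ == "__main__":
    for url in CASES:
        print(url, "->", rewrite_url(url))
```

Sending the same requests through the virtual service after the rule is in place and comparing the path the backend logs against these results shows whether the match is anchored to the segment boundary.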