{"id":48539,"date":"2025-02-19T02:54:15","date_gmt":"2025-02-19T02:54:15","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=48539"},"modified":"2026-02-21T07:26:05","modified_gmt":"2026-02-21T07:26:05","slug":"comprehensive-rpc-grpc-feature-requirement-for-kubernetes-in-aws","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/comprehensive-rpc-grpc-feature-requirement-for-kubernetes-in-aws\/","title":{"rendered":"Comprehensive RPC \/ gRPC Feature Requirement for Kubernetes in AWS?"},"content":{"rendered":"\n<p><strong>Legend:<\/strong> \u2705 = supported \u2022 \u26a0\ufe0f = limited\/indirect \u2022 \u274c = not supported<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>#<\/th><th>Capability<\/th><th>K8s Service (ClusterIP \/ NodePort)<\/th><th><strong>AWS NLB<\/strong> (L4)<\/th><th><strong>AWS ALB<\/strong> (L7)<\/th><th><strong>Amazon API Gateway<\/strong> (REST\/HTTP\/WebSocket)<\/th><th><strong>Istio \/ Envoy \/ Traefik<\/strong> (service mesh \/ gateways)<\/th><\/tr><\/thead><tbody><tr><td>1<\/td><td>Basic gRPC communication<\/td><td>\u2705 (in-cluster TCP\/HTTP\/2)<\/td><td>\u2705 (TCP\/TLS pass-through)<\/td><td>\u2705 (HTTP\/2 end-to-end incl. 
gRPC) (<a href=\"https:\/\/aws.amazon.com\/blogs\/aws\/new-application-load-balancer-support-for-end-to-end-http-2-and-grpc\/?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Amazon Web Services, Inc.<\/a>)<\/td><td>\u274c (no native gRPC; use translation\/proxy)<\/td><td>\u2705<\/td><\/tr><tr><td>2<\/td><td><strong>Internal<\/strong> service-to-service gRPC<\/td><td>\u2705 (ClusterIP)<\/td><td>\u26a0\ufe0f possible via <strong>internal NLB<\/strong>, uncommon<\/td><td>\u26a0\ufe0f possible via <strong>internal ALB<\/strong>, uncommon<\/td><td>\u274c (private APIs exist, but not gRPC)<\/td><td>\u2705 (the mesh sweet spot)<\/td><\/tr><tr><td>3<\/td><td><strong>External<\/strong> gRPC exposure<\/td><td>\u274c (ClusterIP), \u26a0\ufe0f NodePort (raw)<\/td><td>\u2705<\/td><td>\u2705 (<a href=\"https:\/\/docs.aws.amazon.com\/prescriptive-guidance\/latest\/patterns\/deploy-a-grpc-based-application-on-an-amazon-eks-cluster-and-access-it-with-an-application-load-balancer.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/td><td>\u274c (not native gRPC)<\/td><td>\u2705 (via ingress gateway)<\/td><\/tr><tr><td>4<\/td><td>gRPC load balancing<\/td><td>\u2705 (per-connection RR)<\/td><td>\u2705 (L4)<\/td><td>\u2705 (L7; HTTP\/2 to targets) (<a href=\"https:\/\/aws.amazon.com\/blogs\/aws\/new-application-load-balancer-support-for-end-to-end-http-2-and-grpc\/?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Amazon Web Services, Inc.<\/a>)<\/td><td>\u274c<\/td><td>\u2705 (advanced, per-method, etc.)<\/td><\/tr><tr><td>5<\/td><td><strong>Path-based<\/strong> routing (L7, gRPC aware)<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u2705<\/td><td>\u274c for gRPC (yes for HTTP)<\/td><td>\u2705<\/td><\/tr><tr><td>6<\/td><td><strong>Host-based<\/strong> routing (virtual hosts)<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u2705 (Host header rules) (<a 
href=\"https:\/\/aws.amazon.com\/blogs\/aws\/new-host-based-routing-support-for-aws-application-load-balancers\/?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Amazon Web Services, Inc.<\/a>)<\/td><td>\u2705 (via custom domains; see notes)<\/td><td>\u2705<\/td><\/tr><tr><td>7<\/td><td><strong>Weighted routing<\/strong> (canary\/A-B)<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u2705 (weighted target groups) (<a href=\"https:\/\/aws.amazon.com\/blogs\/aws\/new-application-load-balancer-simplifies-deployment-with-weighted-target-groups\/?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Amazon Web Services, Inc.<\/a>)<\/td><td>\u2705 (stage canaries) (<a href=\"https:\/\/docs.aws.amazon.com\/apigateway\/latest\/developerguide\/canary-release.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/td><td>\u2705<\/td><\/tr><tr><td>8<\/td><td>Circuit breaking<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u2705<\/td><\/tr><tr><td>9<\/td><td>gRPC retries &amp; timeouts<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u274c (only idle timeouts)<\/td><td>\u26a0\ufe0f timeouts yes, retries limited<\/td><td>\u2705<\/td><\/tr><tr><td>10<\/td><td><strong>mTLS (client cert auth)<\/strong><\/td><td>\u274c (done in app)<\/td><td>\u274c mTLS at NLB (can pass through to app) (<a href=\"https:\/\/docs.aws.amazon.com\/elasticloadbalancing\/latest\/network\/load-balancer-listeners.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/td><td>\u2705 (ALB mTLS verify\/passthrough modes) (<a href=\"https:\/\/docs.aws.amazon.com\/elasticloadbalancing\/latest\/application\/mutual-authentication.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/td><td>\u2705 (custom domains mTLS) (<a href=\"https:\/\/docs.aws.amazon.com\/apigateway\/latest\/developerguide\/rest-api-mutual-tls.html?utm_source=chatgpt.com\" target=\"_blank\" 
rel=\"noopener\">AWS Documentation<\/a>)<\/td><td>\u2705<\/td><\/tr><tr><td>11<\/td><td>API auth (JWT\/OIDC\/OAuth\/keys)<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u2705 (Cognito\/OIDC authenticate action) (<a href=\"https:\/\/docs.aws.amazon.com\/elasticloadbalancing\/latest\/application\/listener-authenticate-users.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/td><td>\u2705 (JWT\/OIDC\/keys) (<a href=\"https:\/\/docs.aws.amazon.com\/apigateway\/latest\/developerguide\/http-api.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/td><td>\u2705 (JWT, OPA\/Ext AuthZ)<\/td><\/tr><tr><td>12<\/td><td>Rate limiting \/ throttling<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u2705 via <strong>AWS WAF<\/strong> on ALB (<a href=\"https:\/\/docs.aws.amazon.com\/waf\/latest\/developerguide\/waf-rule-statement-type-rate-based.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/td><td>\u2705 (built-in)<\/td><td>\u2705<\/td><\/tr><tr><td>13<\/td><td>Request\/response <strong>transforms<\/strong><\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u26a0\ufe0f headers only (no body transform)<\/td><td>\u2705 (mapping templates\/param mapping) (<a href=\"https:\/\/docs.aws.amazon.com\/apigateway\/latest\/developerguide\/http-api-parameter-mapping.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/td><td>\u2705 (filters\/Lua\/Envoy)<\/td><\/tr><tr><td>14<\/td><td><strong>Header-based<\/strong> routing<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u2705 (rule conditions) (<a href=\"https:\/\/docs.aws.amazon.com\/elasticloadbalancing\/latest\/APIReference\/API_RuleCondition.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/td><td>\u2705 <strong>(new)<\/strong> dynamic routing by headers\/base path (custom domains) (<a 
href=\"https:\/\/aws.amazon.com\/blogs\/compute\/dynamically-routing-requests-with-amazon-api-gateway-routing-rules\/?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Amazon Web Services, Inc.<\/a>)<\/td><td>\u2705<\/td><\/tr><tr><td>15<\/td><td>TLS termination (HTTPS for gRPC)<\/td><td>\u274c (app terminates)<\/td><td>\u2705 (TLS listener; watch h2c to backends) (<a href=\"https:\/\/kubernetes-sigs.github.io\/aws-load-balancer-controller\/v2.4\/guide\/use_cases\/nlb_tls_termination\/?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">kubernetes-sigs.github.io<\/a>)<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u2705<\/td><\/tr><tr><td>16<\/td><td>Observability (logs\/metrics\/traces)<\/td><td>\u26a0\ufe0f (via app\/Prometheus)<\/td><td>\u26a0\ufe0f (CloudWatch metrics)<\/td><td>\u26a0\ufe0f (CW metrics + access logs)<\/td><td>\u2705 (CW logs\/metrics, X-Ray)<\/td><td>\u2705 (Prometheus\/Jaeger\/OTel)<\/td><\/tr><tr><td>17<\/td><td>\u201cAPI gateway\u201d features (quotas, keys, usage plans)<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u2705<\/td><td>\u2705 (via gateway add-ons)<\/td><\/tr><tr><td>18<\/td><td>WebSocket &amp; streaming support<\/td><td>\u2705 (TCP)<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u2705 (WebSocket APIs)<\/td><td>\u2705<\/td><\/tr><tr><td>19<\/td><td><strong>Service discovery<\/strong><\/td><td>\u2705 (kube-DNS)<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u2705 (mesh SD)<\/td><\/tr><tr><td>20<\/td><td>Canary \/ blue-green deployments<\/td><td>\u26a0\ufe0f (via K8s\/rollouts)<\/td><td>\u274c<\/td><td>\u2705 (weighted TG) (<a href=\"https:\/\/aws.amazon.com\/blogs\/aws\/new-application-load-balancer-simplifies-deployment-with-weighted-target-groups\/?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Amazon Web Services, Inc.<\/a>)<\/td><td>\u2705 (stage canary %) (<a href=\"https:\/\/docs.aws.amazon.com\/apigateway\/latest\/developerguide\/canary-release.html?utm_source=chatgpt.com\" 
target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/td><td>\u2705<\/td><\/tr><tr><td>21<\/td><td><strong>Multi-cluster<\/strong> gRPC routing<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u2705 (Istio multi-cluster)<\/td><\/tr><tr><td>22<\/td><td>Obs dashboards (Grafana\/Jaeger\/Prom)<\/td><td>\u26a0\ufe0f (DIY)<\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u26a0\ufe0f (CW\/X-Ray dashboards)<\/td><td>\u2705<\/td><\/tr><tr><td>23<\/td><td>Integrate with <strong>AWS Lambda<\/strong><\/td><td>\u274c<\/td><td>\u274c<\/td><td>\u2705 (Lambda targets) (<a href=\"https:\/\/docs.aws.amazon.com\/elasticloadbalancing\/latest\/application\/lambda-functions.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/td><td>\u2705 (native)<\/td><td>\u274c<\/td><\/tr><tr><td>24<\/td><td>Auto-failover \/ self-healing<\/td><td>\u26a0\ufe0f via K8s readiness\/endpoints<\/td><td>\u2705 (health-based)<\/td><td>\u2705 (health-based)<\/td><td>\u2705 (regional HA)<\/td><td>\u2705 (retries\/outlier detection)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Notes &amp; gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>API Gateway &amp; gRPC:<\/strong> API Gateway doesn\u2019t natively terminate\/route <strong>gRPC<\/strong>. If you need an API fa\u00e7ade in front of gRPC, use <strong>grpc-gateway<\/strong> (REST\u2194\ufe0egRPC translation) or put <strong>ALB<\/strong> (or CloudFront) in front of your gRPC origin. (<a href=\"https:\/\/grpc-ecosystem.github.io\/grpc-gateway\/docs\/operations\/aws_gateway_integration\/?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">grpc-ecosystem.github.io<\/a>)<\/li>\n\n\n\n<li><strong>ALB + gRPC:<\/strong> ALB supports <strong>HTTP\/2 end-to-end<\/strong> and <strong>gRPC health checks<\/strong>\u2014this is the recommended L7 option on AWS for public gRPC. 
(<a href=\"https:\/\/aws.amazon.com\/blogs\/aws\/new-application-load-balancer-support-for-end-to-end-http-2-and-grpc\/?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Amazon Web Services, Inc.<\/a>)<\/li>\n\n\n\n<li><strong>mTLS:<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>ALB<\/strong> now supports <strong>mTLS<\/strong> (verify mode with trust stores or passthrough). (<a href=\"https:\/\/docs.aws.amazon.com\/elasticloadbalancing\/latest\/application\/mutual-authentication.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/li>\n\n\n\n<li><strong>NLB<\/strong> <strong>does not<\/strong> do client-certificate auth (mTLS). You can either terminate TLS at your app (TCP listener pass-through) or switch to ALB for mTLS. (<a href=\"https:\/\/docs.aws.amazon.com\/elasticloadbalancing\/latest\/network\/load-balancer-listeners.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/li>\n\n\n\n<li><strong>API Gateway<\/strong> supports <strong>mTLS<\/strong> on <strong>custom domains<\/strong> for REST\/HTTP APIs. (<a href=\"https:\/\/docs.aws.amazon.com\/apigateway\/latest\/developerguide\/rest-api-mutual-tls.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Header-based routing with API Gateway:<\/strong> Newly added in 2026 for <strong>custom domains<\/strong>; you can route by <strong>HTTP header values<\/strong> and\/or base path (this is HTTP\/REST\u2014still not gRPC). (<a href=\"https:\/\/aws.amazon.com\/blogs\/compute\/dynamically-routing-requests-with-amazon-api-gateway-routing-rules\/?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Amazon Web Services, Inc.<\/a>)<\/li>\n\n\n\n<li><strong>Weighted routing:<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>ALB<\/strong>: multiple <strong>weighted target groups<\/strong> in a forward action (great for canary\/blue-green). 
(<a href=\"https:\/\/aws.amazon.com\/blogs\/aws\/new-application-load-balancer-simplifies-deployment-with-weighted-target-groups\/?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">Amazon Web Services, Inc.<\/a>)<\/li>\n\n\n\n<li><strong>API Gateway<\/strong>: <strong>stage canaries<\/strong> (% traffic). (<a href=\"https:\/\/docs.aws.amazon.com\/apigateway\/latest\/developerguide\/canary-release.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/li>\n\n\n\n<li><strong>NLB<\/strong>: no weighted rule concept. (<a href=\"https:\/\/docs.aws.amazon.com\/elasticloadbalancing\/latest\/network\/load-balancer-target-groups.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Auth at ALB (OIDC\/Cognito):<\/strong> ALB \u201cauthenticate\u201d action (HTTPS only). Use it for <strong>browser flows<\/strong>; headless gRPC clients won\u2019t follow redirects\u2014prefer JWT at gateway\/mesh for programmatic RPC. (<a href=\"https:\/\/docs.aws.amazon.com\/elasticloadbalancing\/latest\/application\/listener-authenticate-users.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/li>\n\n\n\n<li><strong>Rate limiting on ALB:<\/strong> attach <strong>AWS WAF rate-based rules<\/strong> to the ALB. 
(<a href=\"https:\/\/docs.aws.amazon.com\/waf\/latest\/developerguide\/waf-rule-statement-type-rate-based.html?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noopener\">AWS Documentation<\/a>)<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Legend: \u2705 = supported \u2022 \u26a0\ufe0f = limited\/indirect \u2022 \u274c = not supported # Capability K8s Service (ClusterIP \/ NodePort) AWS NLB (L4) AWS ALB (L7) Amazon API Gateway (REST\/HTTP\/WebSocket) Istio \/ Envoy \/ Traefik (service mesh \/ gateways) 1 Basic gRPC communication \u2705 (in-cluster TCP\/HTTP\/2) \u2705 (TCP\/TLS pass-through) \u2705 (HTTP\/2 end-to-end incl. gRPC) (Amazon&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","_joinchat":[],"footnotes":""},"categories":[2],"tags":[],"class_list":["post-48539","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48539","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=48539"}],"version-history":[
{"count":3,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48539\/revisions"}],"predecessor-version":[{"id":58901,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48539\/revisions\/58901"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=48539"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=48539"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=48539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}