The __Ingress__ resource, a service for Services

__Ingress__ is a collection of rules that direct external inbound connections to a set of services within the cluster.  

In GKE, an Ingress resource exposes those services using a single public IP address bound to an HTTP or HTTPS load balancer provisioned in GCP.  
In GKE, Kubernetes Ingress resources are implemented using Cloud Load Balancing. When you create an Ingress resource in your cluster, GKE creates an HTTP or HTTPS load balancer and configures it to route traffic to your app.

Ingress can direct traffic to:
- NodePort services
- Load balancer services

---

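```
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; use networking.k8s.io/v1
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
    name: test-ingress
spec:
    rules:
    - host: demo1.example.com
      http:
          paths:
          - path: /demoexample1path
            pathType: ImplementationSpecific # matching is decided by the ingress controller
            backend:
                service:
                    name: demo1
                    port:
                        number: 80
          - path: /demo2path # multiple paths
            pathType: ImplementationSpecific
            backend:
                service:
                    name: demo2
                    port:
                        number: 80
    - host: demo2.anotherdomain.com # multiple hosts
      http:
          paths:
          - path: /labpath
            pathType: ImplementationSpecific
            backend:
                service:
                    name: lab1
                    port:
                        number: 80
```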

```
kubectl edit ingress [NAME]

kubectl replace -f [FILE]
```

Cloud IAP (Cloud Identity-Aware Proxy) provides granular access control at the application level. With this, authenticated users can have HTTPS access to the application within a cluster without any VPN setup.

Cloud Armor provides built-in protection against distributed denial of service and web attacks for the cluster using the HTTP(S) load balancer. You can set up security rules to whitelist/blacklist IP address ranges. You can also use predefined rules to defend against application-aware attacks such as cross-site scripting or SQL injection.

Cloud CDN (Cloud content delivery network) allows you to bring your application's content closer to the users.

Additional Ingress features

- Ingress provides __TLS termination__ support at the load balancer at the edge of the network. From there, the load balancer creates another connection to the destination.   

- The second connection isn't secure by default, but it can be secured. Terminating TLS at the load balancer allows you to manage all your SSL certificates in one place. __Multiple SSL certificates__ are supported.

- You can use __gRPC along with HTTP/2__ to create performant, low-latency, scalable microservices within your cluster.
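
As an added example (not part of the original notes), the manifests below put the features above together for the `demo1` backend: TLS termination with two certificates, HTTPS on the second connection, and a Cloud Armor policy attached through a GKE `BackendConfig`. The Secret names, the `demo1-armor-policy` policy, the `BackendConfig` name, the `app: demo1` label and the Pod TLS port 8443 are assumptions.

```yaml
# Added example; Secret, policy and BackendConfig names are hypothetical.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    kubernetes.io/ingress.allow-http: "false"  # serve HTTPS only at the load balancer
spec:
  tls:                                         # multiple certificates, one Secret each
  - secretName: demo1-example-com-tls          # kubernetes.io/tls Secrets, assumed to exist
  - secretName: demo2-anotherdomain-com-tls
  rules:
  - host: demo1.example.com
    http:
      paths:
      - path: /demoexample1path
        pathType: ImplementationSpecific
        backend:
          service:
            name: demo1
            port:
              number: 443
---
apiVersion: v1
kind: Service
metadata:
  name: demo1
  annotations:
    # Secure the second connection: the load balancer speaks HTTPS to the named port.
    cloud.google.com/app-protocols: '{"https": "HTTPS"}'
    # Apply the BackendConfig below to all ports of this Service.
    cloud.google.com/backend-config: '{"default": "demo1-backendconfig"}'
spec:
  type: NodePort
  selector:
    app: demo1                                 # assumed Pod label
  ports:
  - name: https
    port: 443
    targetPort: 8443                           # assumed: the Pod serves TLS on 8443
---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: demo1-backendconfig
spec:
  securityPolicy:
    name: demo1-armor-policy                   # existing Cloud Armor security policy
```

For a gRPC backend, the `app-protocols` value for the port would be `HTTP2` instead of `HTTPS`.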

| Kubernetes object | How implemented in GKE | Typical usage scenario |
|--|--|--|
| Service of type ClusterIP | GKE networking | Cluster-internal applications and microservices |
| Service of type LoadBalancer | GCP Network Load Balancer (regional) | Application front ends |
| Ingress object, backed by a Service of type NodePort | GCP HTTP(S) Load Balancer (global) | Application front ends; gives access to advanced features like Cloud Armor, Identity-Aware Proxy (beta) |