Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Use topology labels to reduce cross-AZ ingress traffic with F5 CIS and EKS

This solution outlines how to use topology labels and multiple Container Ingress Services (CIS) instances to reduce cross-AZ traffic on AWS EKS cluster ingress. Requirements and background Recent...
Published May 20, 2024
Version 1.0
application delivery
AWS EKS
Container Ingress Services (CIS)
k8s
kubernetes
NGINX Ingress Controller
MichaelOLeary's avatar
Icon for Employee rankEmployee
I'm a Solution Architect at F5. Over the years I've become an expert in Kubernetes and cloud architectures. I publish articles and blog posts to share as much knowledge as possible. I love hanging out with customers and co-workers, so reach out any time!
View Profile
MichaelOLeary's avatar
MichaelOLeary
Icon for Employee rankEmployee
Jan 26, 2026

Nikoolayy1​ great point! I wrote this after dealing with a customer scenario where they controlled the application pods closely and were very concerned about cross-AZ traffic, but as you point out, it's not without room for improvement. I think in the case of priority groups I would recommend the alternateBackends configuration in CIS, but of course this would require your service to select only (or at least prefer) pods in a given topology zone. Thanks for the feedback!

Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Jan 27, 2026

At the moment I think RFE if we need functionality is needed and probably as an extra argument that will suggest to CIS to build backup pool from the endpoint ip addresses not tagged with the correct topology label.

 

Outside of that in the future CIS can get the information from "topology aware hints" new beta feature to actually make this option service specific.

https://github.com/kubernetes/enhancements/blob/master/keps/sig-network/2433-topology-aware-hints/README.md