---
title: Service with external load balancer
description: Datadog, the leading service for cloud-scale monitoring.
---

# Service with external load balancer


## Metadata{% #metadata %}

**Id:** `terraform-kubernetes-service-with-external-load-balancer`

**Provider:** Kubernetes

**Platform:** Terraform

**Severity:** Medium

**Category:** Networking and Firewall

### Learn More{% #learn-more %}

- [Provider Reference](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service)

## Description{% #description %}

This rule applies to `kubernetes_service` resources with `spec.type == "LoadBalancer"`. That type provisions a load balancer from the cloud provider, which by default is external and can make the service reachable from other networks and from the Internet. When the service must not be externally exposed, set `metadata.annotations` so that the provider creates an internal load balancer instead. The rule recognizes the following internal annotation keys and values: `networking.gke.io/load-balancer-type: Internal`, `cloud.google.com/load-balancer-type: Internal`, `service.beta.kubernetes.io/aws-load-balancer-internal: "true"`, and `service.beta.kubernetes.io/azure-load-balancer-internal: "true"`. A `LoadBalancer` service that carries none of these annotations, or that sets one of them to `"false"` or `External`, is reported as non-compliant.
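As an added example (not Datadog's rule implementation), the decision logic described above re-implemented in Python over a `kubernetes_service` resource that has already been parsed into a dict mirroring the Terraform attribute layout; that parsed shape, and the sample resources, are assumptions constructed for the example.

```python
# Added example, not Datadog's rule code: the rule's decision logic over a kubernetes_service
# resource already parsed into a dict mirroring the Terraform layout (assumed shape).

RULE_ID = "terraform-kubernetes-service-with-external-load-balancer"

# Annotation key -> value that marks the load balancer as internal (from the rule text).
INTERNAL_LB_ANNOTATIONS = {
    "networking.gke.io/load-balancer-type": "Internal",
    "cloud.google.com/load-balancer-type": "Internal",
    "service.beta.kubernetes.io/aws-load-balancer-internal": "true",
    "service.beta.kubernetes.io/azure-load-balancer-internal": "true",
}

def _normalize(value):
    # Terraform may carry the AWS/Azure flag as an unquoted bool; compare it as a string.
    if isinstance(value, bool):
        return "true" if value else "false"
    return value

def is_internal_load_balancer(annotations):
    """True when any supported annotation is present with its internal value."""
    annotations = annotations or {}
    return any(_normalize(annotations.get(key)) == expected
               for key, expected in INTERNAL_LB_ANNOTATIONS.items())

def check_service(address, resource):
    """Return a finding for a non-compliant service, or None. Only spec.type == "LoadBalancer"
    is in scope; "false"/"External" annotation values do not count as internal."""
    if resource.get("spec", {}).get("type") != "LoadBalancer":
        return None  # ClusterIP/NodePort provision no cloud load balancer
    if is_internal_load_balancer(resource.get("metadata", {}).get("annotations")):
        return None
    return {"rule": RULE_ID, "severity": "Medium", "resource": address}

def scan(resources):
    """Run the rule over {address: resource} and return the non-compliant addresses."""
    return [f["resource"] for addr, res in resources.items()
            if (f := check_service(addr, res)) is not None]

# Constructed sample mirroring the page's compliant and non-compliant examples.
SAMPLE = {
    "kubernetes_service.example1": {  # AWS flag "false": non-compliant
        "metadata": {"annotations": {"service.beta.kubernetes.io/aws-load-balancer-internal": "false"}},
        "spec": {"type": "LoadBalancer"}},
    "kubernetes_service.example2": {"metadata": {}, "spec": {"type": "LoadBalancer"}},  # no annotations
    "kubernetes_service.example3": {  # GKE internal annotation: compliant
        "metadata": {"annotations": {"networking.gke.io/load-balancer-type": "Internal"}},
        "spec": {"type": "LoadBalancer"}},
    "kubernetes_service.example5": {"metadata": {}, "spec": {"type": "ClusterIP"}},  # out of scope
}
```

`scan(SAMPLE)` returns only `example1` and `example2`; the ClusterIP service is skipped rather than reported, matching the rule's scope.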

## Compliant Code Examples{% #compliant-code-examples %}

```terraform
resource "kubernetes_service" "example3" {
  metadata {
    name = "terraform-example3"
    annotations = {
      "service.beta.kubernetes.io/aws-load-balancer-internal" = "true"
    }
  }
  spec {
    selector = {
      app = kubernetes_pod.example.metadata.0.labels.app
    }
    session_affinity = "ClientIP"
    port {
      port        = 8080
      target_port = 80
    }

    type = "LoadBalancer"
  }
}
```

```terraform
resource "kubernetes_service" "example2" {
  metadata {
    name = "terraform-example2"
    annotations = {
      "service.beta.kubernetes.io/azure-load-balancer-internal" = "true"
    }
  }
  spec {
    selector = {
      app = kubernetes_pod.example.metadata.0.labels.app
    }
    session_affinity = "ClientIP"
    port {
      port        = 8080
      target_port = 80
    }

    type = "LoadBalancer"
  }
}

resource "kubernetes_service" "example3" {
  metadata {
    name = "terraform-example3"
    annotations = {
      "networking.gke.io/load-balancer-type" = "Internal"
    }
  }
  spec {
    selector = {
      app = kubernetes_pod.example.metadata.0.labels.app
    }
    session_affinity = "ClientIP"
    port {
      port        = 8080
      target_port = 80
    }

    type = "LoadBalancer"
  }
}

resource "kubernetes_service" "example4" {
  metadata {
    name = "terraform-example4"
    annotations = {
      "cloud.google.com/load-balancer-type" = "Internal"
    }
  }
  spec {
    selector = {
      app = kubernetes_pod.example.metadata.0.labels.app
    }
    session_affinity = "ClientIP"
    port {
      port        = 8080
      target_port = 80
    }

    type = "LoadBalancer"
  }
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```terraform
resource "kubernetes_service" "example1" {
  metadata {
    name = "terraform-example1"
    annotations = {
      "service.beta.kubernetes.io/aws-load-balancer-internal" = "false"
    }
  }
  spec {
    selector = {
      app = kubernetes_pod.example.metadata.0.labels.app
    }
    session_affinity = "ClientIP"
    port {
      port        = 8080
      target_port = 80
    }

    type = "LoadBalancer"
  }
}

resource "kubernetes_service" "example2" {
  metadata {
    name = "terraform-example2"
  }
  spec {
    selector = {
      app = kubernetes_pod.example.metadata.0.labels.app
    }
    session_affinity = "ClientIP"
    port {
      port        = 8080
      target_port = 80
    }

    type = "LoadBalancer"
  }
}
```

```terraform
resource "kubernetes_service" "example2" {
  metadata {
    name = "terraform-example2"
    annotations = {
      "service.beta.kubernetes.io/azure-load-balancer-internal" = "false"
    }
  }
  spec {
    selector = {
      app = kubernetes_pod.example.metadata.0.labels.app
    }
    session_affinity = "ClientIP"
    port {
      port        = 8080
      target_port = 80
    }

    type = "LoadBalancer"
  }
}

resource "kubernetes_service" "example3" {
  metadata {
    name = "terraform-example3"
    annotations = {
      "networking.gke.io/load-balancer-type" = "External"
    }
  }
  spec {
    selector = {
      app = kubernetes_pod.example.metadata.0.labels.app
    }
    session_affinity = "ClientIP"
    port {
      port        = 8080
      target_port = 80
    }

    type = "LoadBalancer"
  }
}

resource "kubernetes_service" "example4" {
  metadata {
    name = "terraform-example4"
    annotations = {
      "cloud.google.com/load-balancer-type" = "External"
    }
  }
  spec {
    selector = {
      app = kubernetes_pod.example.metadata.0.labels.app
    }
    session_affinity = "ClientIP"
    port {
      port        = 8080
      target_port = 80
    }

    type = "LoadBalancer"
  }
}
```
