# k8s
FYI for anyone else who has a similar use case - I got internal services exposed rather smoothly on DigitalOcean following this guide: https://stackoverflow.com/questions/54119399/expose-port-80-on-digital-oceans-managed-kubernetes-without-a-load-balancer

So I have two ingress controllers in my cluster now - Ambassador handles public traffic through the load balancer, and this separate nginx-ingress controller handles the private "employee" traffic over WireGuard for things that we want exposed outside the cluster but inside the VPC, such as Grafana or our self-hosted ERP system etc. That way I don't need to front with a load balancer, and I can also use ClusterIP on the services I want to expose.

In this setup I have the Netmaker egress gateway configured on one k8s node - then all I have to do for DNS is to point the internal custom DNS in the Netmaker UI to the IP of the egress gateway node. Then I can create ingresses for each one of my services on port 80/443 and they "just work" - e.g. I can create a DNS entry called "grafana.internal" in the Netmaker UI, reference that in the Grafana ingress, and then once I'm connected to the WireGuard client just type "grafana.internal" into my browser and have it take me to Grafana.
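The manifests below are an added illustration of the setup described in the post above; they are not the poster's own files. They assume the private nginx-ingress controller registered an IngressClass named `nginx-internal` (the class name is an assumption), that Grafana runs in a namespace called `monitoring` listening on port 3000, and that `grafana.internal` is the entry created in the Netmaker UI pointing at the egress gateway node. The point worth checking in a two-controller cluster is the `ingressClassName`: pinning the private Ingress to the internal controller's class is what keeps the public controller (Ambassador here) from also serving the same hostname.

```yaml
# Added example, not from the original post. Assumed names: IngressClass
# "nginx-internal", namespace "monitoring", Grafana container port 3000.
apiVersion: v1
kind: Service
metadata:
  name: grafana
  namespace: monitoring
spec:
  type: ClusterIP            # no cloud load balancer; only reachable inside the cluster
  selector:
    app.kubernetes.io/name: grafana
  ports:
    - name: http
      port: 80
      targetPort: 3000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana-internal
  namespace: monitoring
spec:
  # Pin this Ingress to the private controller's class so the public
  # (Ambassador) controller never picks it up and exposes it externally.
  ingressClassName: nginx-internal
  rules:
    - host: grafana.internal   # the DNS entry created in the Netmaker UI
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: grafana
                port:
                  number: 80
```

After applying, `kubectl get ingress -A` should list the private hostnames only under the internal class, and `kubectl get ingressclass` confirms that the two controllers advertise distinct class names; an Ingress with no `ingressClassName` falls back to whichever class is marked default, which is the case that quietly ends up on the wrong controller.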