This tutorial shows you how to set up a global App Hub application for multiple projects and then view the application's resources. Using multiple service projects, you set up an internal Application Load Balancer in a Shared VPC environment. Then, in a global application on the App Hub host project, you register and monitor all the infrastructure resources from the service projects as App Hub services and workloads.
This tutorial is intended for people who set up and administer App Hub. You should have some experience with Cloud Load Balancing.
Objectives
- Set up a global App Hub application that contains resources spanning multiple projects.
- Monitor the resources through system metrics for the application.
Costs
For an estimate of the cost of the Google Cloud resources that the load balanced managed VM solution uses, see the precalculated estimate in the Google Cloud Pricing Calculator.
Use the estimate as a starting point to calculate the cost of your deployment. You can modify the estimate to reflect any configuration changes that you plan to make for the resources that are used in the solution.
The precalculated estimate is based on assumptions for certain factors, including the following:
- The Google Cloud locations where the resources are deployed.
- The amount of time that the resources are used.
For more information on App Hub costs, see the Pricing page.
Before you begin
Before you set up this tutorial, decide on the roles and permissions for your projects and then create four Google Cloud projects. One of these projects is the App Hub host project and the other three are App Hub service projects.
Required roles and permissions
If you are the project creator, you are granted the basic Owner role (roles/owner). By default, this Identity and Access Management (IAM) role includes the permissions necessary for full access to most Google Cloud resources.
If you are not the project creator, required permissions must be granted on the project to the appropriate principal. For example, a principal can be a Google Account (for end users) or a service account (for applications and workloads).
To get the permissions that you need to manage access to a project, folder, or organization, ask your administrator to grant you the following IAM roles on the resource that you want to manage access for (project, folder, or organization):
- To manage access to a project:
  - App Hub Admin (roles/apphub.admin)
  - Cloud Infrastructure Manager (roles/config.admin)
  - Compute Shared VPC Admin role (roles/compute.xpnAdmin)
  - Project IAM Admin (roles/resourcemanager.projectIamAdmin)
  - Service Usage Admin (roles/serviceusage.services.enable)
  - Service Account Admin (roles/iam.serviceAccounts.create)
- To manage access to a folder: Compute Shared VPC Admin role (roles/compute.xpnAdmin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Create App Hub host and service projects
In the Google Cloud console, go to the project selector page.
Select or create a Google Cloud project to be your App Hub host project.
Enable the App Hub, Compute Engine, Service Management, and Service Usage APIs.
In the same folder as the App Hub host project, create three new Google Cloud projects. These are the App Hub service projects for the App Hub host project.
Make sure that billing is enabled for all your Google Cloud projects.
Enable the App Hub, Compute Engine, Service Management, and Service Usage APIs.
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Make sure that the most recent version of Google Cloud CLI is installed. Run the following command from the Cloud Shell:
gcloud components update
Create or select a new project, HOST_PROJECT_ID, to be the host project for App Hub.
Create a Google Cloud project:
gcloud projects create HOST_PROJECT_ID
Select the Google Cloud project that you created:
gcloud config set project HOST_PROJECT_ID
Make sure that billing is enabled for all your Google Cloud projects.
Enable the App Hub, Compute Engine, Service Management, and Service Usage APIs:
gcloud services enable apphub.googleapis.com \
    compute.googleapis.com \
    servicemanagement.googleapis.com \
    serviceusage.googleapis.com
Create three new Google Cloud projects to be the App Hub service projects for the App Hub host project.
Create a service project:
gcloud projects create SERVICE_PROJECT_1_ID
Replace SERVICE_PROJECT_1_ID with the ID of Service Project 1.
Select the service project that you created:
gcloud config set project SERVICE_PROJECT_1_ID
Enable the Compute Engine, Service Management, and Service Usage APIs:
gcloud services enable compute.googleapis.com \
    servicemanagement.googleapis.com \
    serviceusage.googleapis.com
Set the configuration variable used in this tutorial:
export SERVICE_PROJECT_1_NUMBER=$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')
Repeat the previous steps to create SERVICE_PROJECT_2_ID and SERVICE_PROJECT_3_ID, enable the APIs, and set the configuration variable.
Prepare the environment
If you already have an internal Application Load Balancer in a Shared VPC environment set up in multiple projects, proceed to the Grant IAM permissions section in this document.
If not, to set up an internal Application Load Balancer in a Shared VPC environment, follow these steps:
- In Service Project 1, configure a Shared VPC network and two subnets.
- In Service Project 2, create the load balancer's backend service with two managed instance groups as the backends.
- In Service Project 3, create another load balancer's backend service with two managed instance groups as the backends.
- In Service Project 1, create the load balancer's frontend components and URL map.
The following is the request processing flow of the topology that the load balanced managed VM solution deploys.
From the Shared VPC network, the client VM makes an HTTP request to the internal Application Load Balancer in Service project 1.
The load balancer uses the information in the URL map and backend services to route the request to its managed instance group backends.
Configure the network and subnets in the Shared VPC host project
You need a Shared VPC network with two subnets: one for the load balancer's frontend and backends and one for the load balancer's proxies.
This example uses the following network, region, and subnets:
- Network. The network is named lb-network.
- Subnet for load balancer's frontend and backends. A subnet named lb-frontend-and-backend-subnet in the us-west1 region uses 10.1.2.0/24 for its primary IP range.
- Subnet for proxies. A subnet named proxy-only-subnet in the us-west1 region uses 10.129.0.0/23 for its primary IP range.
In this tutorial, designate Service Project 1 as the Shared VPC host project. All the steps in this section must be performed in Service Project 1.
Configure the subnet for the load balancer's frontend and backends
This step does not need to be performed every time you want to create a new load balancer. You only need to ensure that the service projects have access to a subnet in the Shared VPC network (in addition to the proxy-only subnet).
- In the Google Cloud console, go to the VPC networks page.
- Click Create VPC network.
- In the Name field, enter lb-network.
- Set the Subnet creation mode to Custom.
- In the New subnet section, enter the following information:
  - Name: lb-frontend-and-backend-subnet
  - Region: us-west1
  - IP address range: 10.1.2.0/24
- Click Done.
- Click Create.
Set the project as Service Project 1:
gcloud config set project SERVICE_PROJECT_1_ID
Create a VPC network with the gcloud compute networks create command:
gcloud compute networks create lb-network --subnet-mode=custom
Create a subnet in the lb-network network in the us-west1 region:
gcloud compute networks subnets create lb-frontend-and-backend-subnet \
    --network=lb-network \
    --range=10.1.2.0/24 \
    --region=us-west1
Configure the proxy-only subnet
The proxy-only subnet is used by all regional Envoy-based load balancers in the us-west1 region, in the lb-network VPC network. There can only be one active proxy-only subnet per region, per network.
Don't perform this step if there is already a proxy-only subnet reserved in the us-west1 region in this network.
- In the Google Cloud console, go to the VPC networks page.
- Click the name of the Shared VPC network: lb-network.
- Click the Subnets tab and click Add subnet.
- In the Add a subnet pane, in the Name field, enter proxy-only-subnet.
- In the Region list, select us-west1.
- Set Purpose to Regional Managed Proxy.
- In the IP address range field, enter 10.129.0.0/23.
- Click Add.
Create the proxy-only subnet with the gcloud compute networks subnets create command:
gcloud compute networks subnets create proxy-only-subnet \
    --purpose=REGIONAL_MANAGED_PROXY \
    --role=ACTIVE \
    --region=us-west1 \
    --network=lb-network \
    --range=10.129.0.0/23
Give service project admins access to the backend subnet
Service project administrators require access to the lb-frontend-and-backend-subnet subnet so that they can provision the load balancer's backends.
A Shared VPC Admin must grant access to the backend subnet to service project administrators (or developers who deploy resources and backends that use the subnet). For instructions, see Service Project Admins for some subnets.
Configure firewall rules in Service Project 1
This example uses the following firewall rules:
- fw-allow-health-check. An ingress rule, applicable to the instances being load balanced, that allows all TCP traffic from the Google Cloud health checking systems in 130.211.0.0/22 and 35.191.0.0/16. This example uses the target tag load-balanced-backend to identify the instances to which it should apply.
- fw-allow-proxies. An ingress rule, applicable to the instances being load balanced, that allows TCP traffic on ports 80, 443, and 8080 from the load balancer's managed proxies. This example uses the target tag load-balanced-backend to identify the instances to which it should apply.
- fw-allow-ssh. An ingress rule, applicable to the instances being load balanced, that allows incoming SSH connectivity on TCP port 22 from any address. You can choose a more restrictive source IP range for this rule. For example, you can specify just the IP ranges of the system from which you initiate SSH sessions. This example uses the target tag allow-ssh to identify the virtual machines (VMs) to which the firewall rule applies.
Without these firewall rules, the default deny ingress rule blocks incoming traffic to the backend instances.
In the Google Cloud console, go to the Firewall policies page.
- Click Create firewall rule to create the rule to allow Google Cloud health checks:
  - Name: fw-allow-health-check
  - Network: lb-network
  - Direction of traffic: Ingress
  - Action on match: Allow
  - Targets: Specified target tags
  - Target tags: load-balanced-backend
  - Source filter: IPv4 ranges
  - Source IPv4 ranges: 130.211.0.0/22 and 35.191.0.0/16
  - Protocols and ports:
    - Choose Specified protocols and ports.
    - Select the TCP checkbox and enter 80 for the port number.
    As a best practice, limit this rule to just the protocols and ports that match those used by your health check. If you use tcp:80 for the protocol and port, Google Cloud can use HTTP on port 80 to contact your VMs, but it can't use HTTPS on port 443 to contact them.
- Click Create.
- Click Create firewall rule to create the rule to allow traffic from the load balancer's managed proxies:
  - Name: fw-allow-proxies
  - Network: lb-network
  - Direction of traffic: Ingress
  - Action on match: Allow
  - Targets: Specified target tags
  - Target tags: load-balanced-backend
  - Source filter: IPv4 ranges
  - Source IPv4 ranges: 10.129.0.0/23
  - Protocols and ports:
    - Choose Specified protocols and ports.
    - Select the TCP checkbox and enter 80, 443, 8080 for the port numbers.
- Click Create.
- Click Create firewall rule to create the rule to allow incoming SSH connectivity:
  - Name: fw-allow-ssh
  - Network: lb-network
  - Direction of traffic: Ingress
  - Action on match: Allow
  - Targets: Specified target tags
  - Target tags: allow-ssh
  - Source filter: IPv4 ranges
  - Source IPv4 ranges: 0.0.0.0/0
  - Protocols and ports:
    - Choose Specified protocols and ports.
    - Select the TCP checkbox and enter 22 for the port number.
- Click Create.
Create the fw-allow-health-check firewall rule to allow Google Cloud health checks. This example allows all TCP traffic from health check probers. However, you can configure a narrower set of ports to meet your needs.
gcloud compute firewall-rules create fw-allow-health-check \
    --network=lb-network \
    --action=allow \
    --direction=ingress \
    --source-ranges=130.211.0.0/22,35.191.0.0/16 \
    --target-tags=load-balanced-backend \
    --rules=tcp
Create the fw-allow-proxies firewall rule to allow traffic from the Envoy proxy-only subnet to reach your backends:
gcloud compute firewall-rules create fw-allow-proxies \
    --network=lb-network \
    --action=allow \
    --direction=ingress \
    --source-ranges=10.129.0.0/23 \
    --target-tags=load-balanced-backend \
    --rules=tcp:80,tcp:443,tcp:8080
Create the fw-allow-ssh firewall rule to allow SSH connectivity to VMs with the network tag allow-ssh:
gcloud compute firewall-rules create fw-allow-ssh \
    --network=lb-network \
    --action=allow \
    --direction=ingress \
    --target-tags=allow-ssh \
    --rules=tcp:22
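An added example, not part of the original tutorial: a Python audit over rules in the JSON shape returned by gcloud compute firewall-rules list --format=json that flags the two points this section raises, SSH reachable from any address and a health-check rule wider than the probe port. The sample rules are constructed from the values above; the function names, finding labels, and the choice of port 80 as the probe port are assumptions.

```python
import ipaddress
import json

# Google Cloud health-check source ranges named in this section.
HEALTH_CHECK_RANGES = [ipaddress.ip_network(n)
                       for n in ("130.211.0.0/22", "35.191.0.0/16")]
ADMIN_PORTS = {22}  # assumption: only SSH is treated as an administrative port

# Constructed sample: the three tutorial rules as the firewall list JSON
# would describe them after the gcloud commands above.
SAMPLE_RULES_JSON = """
[
  {"name": "fw-allow-health-check", "direction": "INGRESS",
   "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"],
   "targetTags": ["load-balanced-backend"],
   "allowed": [{"IPProtocol": "tcp"}]},
  {"name": "fw-allow-proxies", "direction": "INGRESS",
   "sourceRanges": ["10.129.0.0/23"],
   "targetTags": ["load-balanced-backend"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443", "8080"]}]},
  {"name": "fw-allow-ssh", "direction": "INGRESS",
   "sourceRanges": ["0.0.0.0/0"],
   "targetTags": ["allow-ssh"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]
"""


def port_set(entry):
    """Expand one `allowed` entry's ports; None means every port."""
    specs = entry.get("ports")
    if not specs:
        return None
    ports = set()
    for spec in specs:
        low, _, high = spec.partition("-")  # "8080-8082" or "80"
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def source_networks(rule):
    return [ipaddress.ip_network(r, strict=False)
            for r in rule.get("sourceRanges", [])]


def open_to_any(rule):
    """True when the rule admits any source address."""
    if not (rule.get("sourceRanges") or rule.get("sourceTags")
            or rule.get("sourceServiceAccounts")):
        return True  # an ingress rule with no source filter means 0.0.0.0/0
    return any(n.prefixlen == 0 for n in source_networks(rule))


def health_check_only(rule):
    """True when every source range sits inside the health-check ranges."""
    nets = source_networks(rule)
    return bool(nets) and all(
        any(n.version == hc.version and n.subnet_of(hc)
            for hc in HEALTH_CHECK_RANGES)
        for n in nets)


def audit(rules, probe_ports=frozenset({80})):
    """Return (rule name, finding label, detail) tuples for ingress rules."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        for entry in rule.get("allowed", []):
            if entry.get("IPProtocol") not in ("tcp", "all"):
                continue
            ports = port_set(entry)
            if open_to_any(rule):
                exposed = ADMIN_PORTS if ports is None else ADMIN_PORTS & ports
                if exposed:
                    findings.append((rule["name"], "admin-port-open-to-any",
                                     sorted(exposed)))
            if health_check_only(rule) and (ports is None or ports - probe_ports):
                extra = "all" if ports is None else sorted(ports - probe_ports)
                findings.append((rule["name"], "health-check-wider-than-probe",
                                 extra))
    return findings


if __name__ == "__main__":
    for finding in audit(json.loads(SAMPLE_RULES_JSON)):
        print(finding)
```
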
Reserve a static internal IPv4 address
Service Project Admins can reserve an internal IPv4 or IPv6 address in a subnet of a Shared VPC network. The IP address configuration object is created in the service project, while its value comes from the range of available IPv4 addresses in the chosen shared subnet.
To reserve a standalone internal IP address in the service project, complete the following steps.
- Set up Shared VPC.
- In the Google Cloud console, go to the Shared VPC page.
- Sign in as a Shared VPC Admin.
- Select the service project from the project picker.
- Go to VPC network > IP addresses.
- On the IP addresses page, click Reserve internal static IP address.
- In the Name field, enter l7-ilb-ip-address as the IP address name.
- In the IP version list, select IPv4.
- In the Network list, select lb-network.
- In the Subnetwork list, select lb-frontend-and-backend-subnet.
- Click Reserve.
If you have not already, authenticate to the Google Cloud CLI as a Shared VPC Service Project Admin.
gcloud auth login SERVICE_PROJECT_ADMIN
Replace SERVICE_PROJECT_ADMIN with the name of the Shared VPC Service Project Admin. This value must have the format username@yourdomain, for example, 222larabrown@gmail.com.
Use the compute addresses create command to reserve an IP address:
gcloud compute addresses create l7-ilb-ip-address \
    --project SERVICE_PROJECT_1_ID \
    --subnet=lb-frontend-and-backend-subnet \
    --region=us-west1 \
    --ip-version=IPV4
Additional details for creating IP addresses are published in the SDK documentation.
Set up Shared VPC in Service Project 1
To set up Shared VPC in Service Project 1, you designate Service Project 1 as the Shared VPC host project and Service Projects 2 and 3 as the Shared VPC service projects. Later in this tutorial, when you create the MIG backends in Service Projects 2 and 3, you'll be able to use the same VPC network and subnets previously created in Service Project 1.
- Enable a host project.
- Attach a service project.
Grant the Compute Network User role (roles/compute.networkUser) to Service Projects 2 and 3:
- In the Google Cloud console, go to the IAM page.
- Click Grant access. The Grant access pane opens.
- In the New principals field, enter SERVICE_PROJECT_2_NUMBER@cloudservices.gserviceaccount.com.
  Note that you can obtain the service project numbers from the Dashboard of the project.
- Click Select a role and in the Filter field, enter Compute Network User.
- Select the Compute Network User role and click Save.
- Repeat the preceding steps to grant the Compute Network User role to Service Project 3 (SERVICE_PROJECT_3_NUMBER@cloudservices.gserviceaccount.com).
In Service Project 1, grant the Compute Network User role to Service Project 2.
gcloud projects add-iam-policy-binding SERVICE_PROJECT_1_ID \
    --member='serviceAccount:SERVICE_PROJECT_2_NUMBER@cloudservices.gserviceaccount.com' \
    --role='roles/compute.networkUser'
Replace SERVICE_PROJECT_2_NUMBER with the project number of Service Project 2.
In Service Project 1, grant the Compute Network User role to Service Project 3.
gcloud projects add-iam-policy-binding SERVICE_PROJECT_1_ID \
    --member='serviceAccount:SERVICE_PROJECT_3_NUMBER@cloudservices.gserviceaccount.com' \
    --role='roles/compute.networkUser'
Replace SERVICE_PROJECT_3_NUMBER with the project number of Service Project 3.
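An added example, not part of the original tutorial: a Python check that the roles/compute.networkUser binding on Service Project 1 holds exactly the two cloudservices accounts granted above. It reads a policy in the shape of gcloud projects get-iam-policy SERVICE_PROJECT_1_ID --format=json; the sample policy, its project numbers, and the function name are constructed for illustration.

```python
import json
import re

NETWORK_USER = "roles/compute.networkUser"
# Member form used in the commands above:
# serviceAccount:PROJECT_NUMBER@cloudservices.gserviceaccount.com
CLOUDSERVICES_MEMBER = re.compile(
    r"^serviceAccount:(\d+)@cloudservices\.gserviceaccount\.com$")

# Constructed sample policy for Service Project 1. The project numbers and
# user addresses are made up; 222222222222 stands for a service project
# whose grant was never applied.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/compute.networkUser",
     "members": [
       "serviceAccount:111111111111@cloudservices.gserviceaccount.com",
       "serviceAccount:333333333333@cloudservices.gserviceaccount.com",
       "user:dev@example.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ],
  "version": 1
}
"""


def check_network_user(policy, expected_numbers):
    """Compare Compute Network User members with the expected service projects.

    Returns the expected project numbers that have no grant ("missing") and
    every member of the role that is not one of the expected cloudservices
    accounts ("unexpected").
    """
    expected = {str(n) for n in expected_numbers}
    granted, unexpected = set(), []
    for binding in policy.get("bindings", []):
        if binding.get("role") != NETWORK_USER:
            continue
        for member in binding.get("members", []):
            match = CLOUDSERVICES_MEMBER.match(member)
            if match and match.group(1) in expected:
                granted.add(match.group(1))
            else:
                unexpected.append(member)
    return {"missing": sorted(expected - granted),
            "unexpected": sorted(unexpected)}


if __name__ == "__main__":
    report = check_network_user(json.loads(SAMPLE_POLICY_JSON),
                                ["111111111111", "222222222222"])
    print(json.dumps(report, indent=2))
```
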
Create a backend service and MIGs in Service Project 2
All the steps in this section must be performed in Service Project 2.
Create an instance template. In the Google Cloud console, go to the Instance templates page.
- Click Create instance template.
- Enter a Name for the instance template: tutorial-ig-template-sp2.
- In the Location section, select Regional (recommended) and us-west1 (Oregon) as the Region.
- In the Machine configuration section, select N2 as the series.
- Ensure that the Boot disk is set to a Debian image, such as Debian GNU/Linux 12 (bookworm). These instructions use commands that are only available on Debian, such as apt-get. If you need to change the Boot disk, click Change.
  - For Operating System, select Debian.
  - For Version, select one of the available Debian images such as Debian GNU/Linux 12 (bookworm).
  - Click Select.
- Click Advanced options, and then click Networking.
- Enter the following Network tags: allow-ssh, load-balanced-backend.
- In the Network interfaces section, select Networks shared with me (from host project: SERVICE_PROJECT_1_ID).
- Select the lb-frontend-and-backend-subnet subnet from the lb-network network.
- Click Management. For Management, insert the following script into the Startup script field.
  #! /bin/bash
  apt-get update
  apt-get install apache2 -y
  a2ensite default-ssl
  a2enmod ssl
  vm_hostname="$(curl -H "Metadata-Flavor:Google" \
  http://metadata.google.internal/computeMetadata/v1/instance/name)"
  echo "Page served from: $vm_hostname" | \
  tee /var/www/html/index.html
  systemctl restart apache2
- Click Create.
Create a managed instance group. In the Google Cloud console, go to the Instance groups page.
- Click Create instance group.
- Choose New managed instance group (stateless). For more information, see Stateless or stateful MIGs.
- Enter a Name for the instance group: tutorial-sp2-mig-a.
- For Instance template, select tutorial-ig-template-sp2.
- For Location, select Single zone.
- For Region, select us-west1.
- Specify the number of instances that you want to create in the group. For this example, specify the following options for Autoscaling:
  - For Autoscaling mode, select Off: do not autoscale.
  - For Maximum number of instances, enter 2.
- Click Create.
Create a regional backend service. As a part of this step we'll also create the health check and add backends to the backend service. In the Google Cloud console, go to the Backends page.
- Click Create backend service.
- In the Create backend service dialog, click Create beside Regional backend service.
- Enter a Name for the backend service: tutorial-backend-service-sp2.
- For Region, select us-west1.
- For Load balancer type, select Regional internal Application Load Balancer (INTERNAL_MANAGED).
- Set Backend type to Instance group.
- In the Backends section, set the following fields:
  - Set Instance group to tutorial-sp2-mig-a.
  - Enter the Port numbers: 80.
  - Set Balancing mode to Utilization.
  - Click Done.
- In the Health check section, click Create a health check and set the following fields:
  - Name: tutorial-regional-health-check
  - Protocol: HTTP
  - Port: 80
  - Click Save.
- Click Continue.
- Click Create.
Repeat the earlier steps and create a managed instance group, tutorial-sp2-mig-b, and add it to the backend service, tutorial-backend-service-sp2.
Select the service project that you created:
gcloud config set project SERVICE_PROJECT_2_ID
Create a VM instance template, tutorial-ig-template-sp2, with an HTTP server:
gcloud compute instance-templates create tutorial-ig-template-sp2 \
    --region=us-west1 \
    --network=projects/SERVICE_PROJECT_1_ID/global/networks/lb-network \
    --subnet=projects/SERVICE_PROJECT_1_ID/regions/us-west1/subnetworks/lb-frontend-and-backend-subnet \
    --tags=allow-ssh,load-balanced-backend \
    --image-family=debian-12 \
    --image-project=debian-cloud \
    --metadata=startup-script='#! /bin/bash
    apt-get update
    apt-get install apache2 -y
    a2ensite default-ssl
    a2enmod ssl
    vm_hostname="$(curl -H "Metadata-Flavor:Google" \
    http://metadata.google.internal/computeMetadata/v1/instance/name)"
    echo "Page served from: $vm_hostname" | \
    tee /var/www/html/index.html
    systemctl restart apache2' \
    --project=SERVICE_PROJECT_2_ID
Replace the following:
- SERVICE_PROJECT_1_ID: the project ID for the Shared VPC host project.
- SERVICE_PROJECT_2_ID: the project ID for the service project, where the load balancer's backends and the backend service are being created.
Create a managed instance group, tutorial-sp2-mig-a, in the region:
gcloud compute instance-groups managed create tutorial-sp2-mig-a \
    --region=us-west1 \
    --size=2 \
    --template=tutorial-ig-template-sp2 \
    --project=SERVICE_PROJECT_2_ID
Define the HTTP health check, tutorial-regional-health-check:
gcloud compute health-checks create http tutorial-regional-health-check \
    --region=us-west1 \
    --use-serving-port \
    --project=SERVICE_PROJECT_2_ID
Define the backend service, tutorial-backend-service-sp2:
gcloud compute backend-services create tutorial-backend-service-sp2 \
    --load-balancing-scheme=INTERNAL_MANAGED \
    --protocol=HTTP \
    --health-checks=tutorial-regional-health-check \
    --health-checks-region=us-west1 \
    --region=us-west1 \
    --project=SERVICE_PROJECT_2_ID
Add backends to the backend service with the gcloud compute backend-services add-backend command:
gcloud compute backend-services add-backend tutorial-backend-service-sp2 \
    --balancing-mode=UTILIZATION \
    --instance-group=tutorial-sp2-mig-a \
    --instance-group-region=us-west1 \
    --region=us-west1 \
    --project=SERVICE_PROJECT_2_ID
Create another managed instance group, tutorial-sp2-mig-b, in the region:
gcloud compute instance-groups managed create tutorial-sp2-mig-b \
    --region=us-west1 \
    --size=2 \
    --template=tutorial-ig-template-sp2 \
    --project=SERVICE_PROJECT_2_ID
Add backends to the backend service:
gcloud compute backend-services add-backend tutorial-backend-service-sp2 \
    --balancing-mode=UTILIZATION \
    --instance-group=tutorial-sp2-mig-b \
    --instance-group-region=us-west1 \
    --region=us-west1 \
    --project=SERVICE_PROJECT_2_ID
Create a backend service and MIGs in Service Project 3
All the steps in this section must be performed in Service Project 3.
Create an instance template. In the Google Cloud console, go to the Instance templates page.
- Click Create instance template.
- Enter a Name for the instance template: tutorial-ig-template-sp3.
- In the Location section, select Regional (recommended) and us-west1 (Oregon) as the Region.
- In the Machine configuration section, select N2 as the series.
- Ensure that the Boot disk is set to a Debian image, such as Debian GNU/Linux 12 (bookworm). These instructions use commands that are only available on Debian, such as apt-get. If you need to change the Boot disk, click Change.
  - For Operating System, select Debian.
  - For Version, select one of the available Debian images such as Debian GNU/Linux 12 (bookworm).
  - Click Select.
- Click Advanced options, and then click Networking.
- Enter the following Network tags: allow-ssh, load-balanced-backend.
- In the Network interfaces section, select Networks shared with me (from host project: SERVICE_PROJECT_1_ID).
- Select the lb-frontend-and-backend-subnet subnet from the lb-network network.
- Click Management. For Management, insert the following script into the Startup script field.
  #! /bin/bash
  apt-get update
  apt-get install apache2 -y
  a2ensite default-ssl
  a2enmod ssl
  vm_hostname="$(curl -H "Metadata-Flavor:Google" \
  http://metadata.google.internal/computeMetadata/v1/instance/name)"
  echo "Page served from: $vm_hostname" | \
  tee /var/www/html/index.html
  systemctl restart apache2
- Click Create.
Create a managed instance group. In the Google Cloud console, go to the Instance groups page.
- Click Create instance group.
- Choose New managed instance group (stateless). For more information, see Stateless or stateful MIGs.
- Enter a Name for the instance group: tutorial-sp3-mig-a.
- For Instance template, select tutorial-ig-template-sp3.
- For Location, select Single zone.
- For Region, select us-west1.
- Specify the number of instances that you want to create in the group. For this example, specify the following options for Autoscaling:
  - For Autoscaling mode, select Off: do not autoscale.
  - For Maximum number of instances, enter 2.
- Click Create.
Create a regional backend service. As a part of this step we'll also create the health check and add backends to the backend service. In the Google Cloud console, go to the Backends page.
- Click Create backend service.
- In the Create backend service dialog, click Create beside Regional backend service.
- Enter a Name for the backend service: tutorial-backend-service-sp3.
- For Region, select us-west1.
- For Load balancer type, select Regional internal Application Load Balancer (INTERNAL_MANAGED).
- Set Backend type to Instance group.
- In the Backends section, set the following fields:
  - Set Instance group to tutorial-sp3-mig-a.
  - Enter the Port numbers: 80.
  - Set Balancing mode to Utilization.
  - Click Done.
- In the Health check section, click Create a health check and set the following fields:
  - Name: tutorial-regional-health-check
  - Protocol: HTTP
  - Port: 80
  - Click Save.
- Click Continue.
- Click Create.
Repeat the earlier steps and create a managed instance group, tutorial-sp3-mig-b, and add it to the backend service, tutorial-backend-service-sp3.
Select the service project that you created:
gcloud config set project SERVICE_PROJECT_3_ID
Create a VM instance template, tutorial-ig-template-sp3, with an HTTP server:
gcloud compute instance-templates create tutorial-ig-template-sp3 \
    --region=us-west1 \
    --network=projects/SERVICE_PROJECT_1_ID/global/networks/lb-network \
    --subnet=projects/SERVICE_PROJECT_1_ID/regions/us-west1/subnetworks/lb-frontend-and-backend-subnet \
    --tags=allow-ssh,load-balanced-backend \
    --image-family=debian-12 \
    --image-project=debian-cloud \
    --metadata=startup-script='#! /bin/bash
    apt-get update
    apt-get install apache2 -y
    a2ensite default-ssl
    a2enmod ssl
    vm_hostname="$(curl -H "Metadata-Flavor:Google" \
    http://metadata.google.internal/computeMetadata/v1/instance/name)"
    echo "Page served from: $vm_hostname" | \
    tee /var/www/html/index.html
    systemctl restart apache2' \
    --project=SERVICE_PROJECT_3_ID
Replace the following:
- SERVICE_PROJECT_1_ID: the project ID for the Shared VPC host project.
- SERVICE_PROJECT_3_ID: the project ID for the service project, where the load balancer's backends and the backend service are being created.
Create a managed instance group, tutorial-sp3-mig-a, in the region:
gcloud compute instance-groups managed create tutorial-sp3-mig-a \
    --region=us-west1 \
    --size=2 \
    --template=tutorial-ig-template-sp3 \
    --project=SERVICE_PROJECT_3_ID
Define the HTTP health check, tutorial-regional-health-check:
gcloud compute health-checks create http tutorial-regional-health-check \
    --region=us-west1 \
    --use-serving-port \
    --project=SERVICE_PROJECT_3_ID
Define the backend service, tutorial-backend-service-sp3:
gcloud compute backend-services create tutorial-backend-service-sp3 \
    --load-balancing-scheme=INTERNAL_MANAGED \
    --protocol=HTTP \
    --health-checks=tutorial-regional-health-check \
    --health-checks-region=us-west1 \
    --region=us-west1 \
    --project=SERVICE_PROJECT_3_ID
Add backends to the backend service with the gcloud compute backend-services add-backend command:
gcloud compute backend-services add-backend tutorial-backend-service-sp3 \
    --balancing-mode=UTILIZATION \
    --instance-group=tutorial-sp3-mig-a \
    --instance-group-region=us-west1 \
    --region=us-west1 \
    --project=SERVICE_PROJECT_3_ID
Create another managed instance group, tutorial-sp3-mig-b, in the region:
gcloud compute instance-groups managed create tutorial-sp3-mig-b \
    --region=us-west1 \
    --size=2 \
    --template=tutorial-ig-template-sp3 \
    --project=SERVICE_PROJECT_3_ID
Add backends to the backend service:
gcloud compute backend-services add-backend tutorial-backend-service-sp3 \
    --balancing-mode=UTILIZATION \
    --instance-group=tutorial-sp3-mig-b \
    --instance-group-region=us-west1 \
    --region=us-west1 \
    --project=SERVICE_PROJECT_3_ID
Create the URL Map and forwarding rule in Service Project 1
All the steps in this section must be performed in Service Project 1.
Start your configuration
In the Google Cloud console, go to the Load balancing page.
- Click Create load balancer.
- For Type of load balancer, select Application Load Balancer (HTTP/HTTPS) and click Next.
- For Public facing or internal, select Internal and click Next.
- For Cross-region or single region deployment, select Best for regional workloads and click Next.
- Click Configure.
Basic configuration
- Enter a Name for the load balancer, tutorial-url-maps.
- In the Region list, select us-west1.
- In the Network list, select lb-network (from Project: SERVICE_PROJECT_1_ID).
  If you see a Proxy-only subnet required in Shared VPC network warning, confirm that the host project administrator has created the proxy-only-subnet in the us-west1 region in the lb-network Shared VPC network. Load balancer creation succeeds even if you don't have permission to view the proxy-only subnet on this page.
- Keep the window open to continue.
Configure the backend
- Click Backend configuration.
- Click Cross-project backend services.
- In the Project ID field, enter the project ID for Service Project 2.
- In the Backend service name field, enter the name of the backend service from Service Project 2 that you want to use. For this example, it's tutorial-backend-service-sp2.
- Click Add backend service.
- In the Project ID field, enter the project ID for Service Project 3.
- In the Backend service name field, enter the name of the backend service from Service Project 3 that you want to use. For this example, it's tutorial-backend-service-sp3.
- Click Add backend service.
Configure the routing rules
- Click Routing rules.
- In the Host and path rules section, in the Host 2 field, enter *.
- In the Paths 2 field, enter /*.
- From the Backend 2 drop-down list, select tutorial-backend-service-sp2.
- Click Add host and path rule.
- In the Host 3 field, enter tutorial-host.
- In the Paths 3 field, enter /*.
- From the Backend 3 drop-down list, select tutorial-backend-service-sp3.
- Look for the blue checkmark to the left of Host and Path Rules and click the Update button.
For information about traffic management, see Setting up traffic management.
Configure the frontend
For cross-project service referencing to work, the frontend must use the same network (lb-network) from the Shared VPC host project that was used to create the backend service.
- Click Frontend configuration.
- Enter a Name for the forwarding rule: l7-ilb-forwarding-rule.
- Set the Protocol to HTTP.
- Set the Subnetwork to lb-frontend-and-backend-subnet. Don't select the proxy-only subnet for the frontend even if it is an option in the list.
- Set the Port to 80.
- In the IP address field, retain the default option, Ephemeral (Automatic).
- Click Done.
Review and finalize the configuration
- Click Create.
Select the service project that you created:
gcloud config set project SERVICE_PROJECT_1_ID
Create the URL map, tutorial-url-maps, and set the default service to the backend service created in Service Project 1:
gcloud compute url-maps create tutorial-url-maps \
    --default-service=projects/SERVICE_PROJECT_2_ID/regions/us-west1/backendServices/tutorial-backend-service-sp2 \
    --region=us-west1 \
    --project=SERVICE_PROJECT_1_ID
Replace the following:
- SERVICE_PROJECT_2_ID: the project ID for Service Project 2, where the load balancer's backends and the backend service are created.
- SERVICE_PROJECT_1_ID: the project ID for Service Project 1, where the load balancer's frontend is being created.
Create the target proxy, tutorial-http-proxy:
gcloud compute target-http-proxies create tutorial-http-proxy \
    --url-map=tutorial-url-maps \
    --url-map-region=us-west1 \
    --region=us-west1 \
    --project=SERVICE_PROJECT_1_ID
Create the forwarding rule, l7-ilb-forwarding-rule, to handle HTTP traffic. For cross-project service referencing to work, the forwarding rule must use the same network (lb-network) from the Shared VPC host project that was used to create the backend service.
gcloud compute forwarding-rules create l7-ilb-forwarding-rule \
    --load-balancing-scheme=INTERNAL_MANAGED \
    --network=projects/SERVICE_PROJECT_1_ID/global/networks/lb-network \
    --subnet=projects/SERVICE_PROJECT_1_ID/regions/us-west1/subnetworks/lb-frontend-and-backend-subnet \
    --address=l7-ilb-ip-address \
    --ports=80 \
    --region=us-west1 \
    --target-http-proxy=tutorial-http-proxy \
    --target-http-proxy-region=us-west1 \
    --project=SERVICE_PROJECT_1_ID
To send traffic to the backend service, link the URL map with the backend service. For more information, see Use URL maps.
Link the backend service, tutorial-backend-service-sp2, in Service Project 2 with the URL map, tutorial-url-maps, and path matcher name, tutorial-path-matcher-sp2:
gcloud compute url-maps add-path-matcher tutorial-url-maps \
    --path-matcher-name=tutorial-path-matcher-sp2 \
    --default-service=projects/SERVICE_PROJECT_2_ID/regions/us-west1/backendServices/tutorial-backend-service-sp2 \
    --region=us-west1
Link the backend service, tutorial-backend-service-sp3, in Service Project 3 with the URL map, tutorial-url-maps, and path matcher name, tutorial-path-matcher-sp3. Add a new host rule, tutorial-host, with the given hosts so that the path matcher is tied to the new host rule:
gcloud compute url-maps add-path-matcher tutorial-url-maps \
    --path-matcher-name=tutorial-path-matcher-sp3 \
    --default-service=projects/SERVICE_PROJECT_3_ID/regions/us-west1/backendServices/tutorial-backend-service-sp3 \
    --region=us-west1 \
    --new-hosts=tutorial-host
Test the load balancer
To test the load balancer, first create a sample client VM. Then establish an SSH session with the VM and send traffic from this VM to the load balancer.
Create a test VM instance
Clients can be located in either the Shared VPC host project or any connected service project. In this example, you test that the load balancer is working by deploying a client VM in Service Project 1 that is designated as the Shared VPC host project. The client must use the same Shared VPC network and be in the same region as the load balancer.
All the steps in this section must be performed in Service Project 2.
In the Google Cloud console, go to the VM instances page.
Click Create instance.
In the Name field, enter client-vm.
Set the Zone to us-west1-b.
Click Advanced options, and then click Networking.
Enter the following Network tags: allow-ssh, load-balanced-backend.
In the Network interfaces section, select Networks shared with me (from host project: SERVICE_PROJECT_1_ID).
Select the lb-frontend-and-backend-subnet subnet from the lb-network network.
Click Create.
Create a test VM instance.
gcloud compute instances create client-vm \
    --image-family=debian-12 \
    --image-project=debian-cloud \
    --subnet=projects/SERVICE_PROJECT_1_ID/regions/us-west1/subnetworks/lb-frontend-and-backend-subnet \
    --zone=us-west1-b \
    --tags=allow-ssh \
    --project=SERVICE_PROJECT_2_ID
Send traffic to the load balancer
Use SSH to connect to the instance that you just created and test that HTTP(S) services on the backends are reachable through the internal Application Load Balancer's forwarding rule IP address and that traffic is being load balanced across the backend instances.
Retrieve the value of the load balancer's IP address:
gcloud compute addresses list --filter="name=( 'l7-ilb-ip-address')"
You see output similar to the following:
NAME: l7-ilb-ip-address
ADDRESS/RANGE: 10.1.2.2
TYPE: INTERNAL
PURPOSE: GCE_ENDPOINT
NETWORK:
REGION: us-west1
SUBNET: lb-frontend-and-backend-subnet
STATUS: IN_USE
Copy the service ADDRESS/RANGE, for example, 10.1.2.2, from the output to use in the next steps.
Connect to the client instance with SSH:
gcloud compute ssh client-vm \
    --zone=us-west1-b \
    --project=SERVICE_PROJECT_2_ID
Verify that the load balancer's IP address is serving its hostname:
Verify that the IP address is serving its hostname in Service Project 2:
curl 10.1.2.2
You see output similar to the following:
Page served from: tutorial-sp2-mig-a-10xk
Verify that the IP address is serving its hostname in Service Project 3:
curl -H "Host: tutorial-host" 10.1.2.2
You see output similar to the following:
Page served from: tutorial-sp3-mig-a-3d5h
Grant IAM permissions
Provide the appropriate IAM roles and permissions to the App Hub host and service projects.
In the Google Cloud console, go to the project selector page.
In the Google Cloud console, go to the IAM page.
Click Grant access. The Grant access pane opens.
In the New principals field, enter the email address of the individual who will administer App Hub, that is, the person who gets the App Hub Admin role in the App Hub host project.
Click Select a role and in the Filter field, enter App Hub.
Select the App Hub Admin role and click Save.
In each of the App Hub service projects, grant the App Hub Admin role to the same user.
To grant the roles to individuals who will use App Hub, repeat the following command by replacing the IAM roles, as required. For more information, see App Hub roles and permissions.
gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
    --member='user:HOST_PROJECT_ADMIN' \
    --role='roles/apphub.admin'
Replace HOST_PROJECT_ADMIN with the user who has the App Hub Admin role in the App Hub host project. This value has the format username@yourdomain, for example, 222larabrown@gmail.com.
Grant the App Hub Admin role in the service project to the individuals who administer App Hub. They must have the App Hub Admin role to add service projects to the host project. You need at least one person with this role for each service project.
gcloud projects add-iam-policy-binding SERVICE_PROJECT_ID \
    --member='user:HOST_PROJECT_ADMIN' \
    --role='roles/apphub.admin'
Replace SERVICE_PROJECT_ID with the ID of the service projects.
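The following check is an added example, not part of the original tutorial: it audits the role grants described in this section across the host project and the three service projects. It assumes you have saved the output of `gcloud projects get-iam-policy PROJECT_ID --format=json` for each project; the project IDs, e-mail addresses and finding codes below are constructed for illustration.

```python
import json

ADMIN_ROLE = "roles/apphub.admin"
BASIC_ROLES = ("roles/editor", "roles/owner")

# Constructed sample: the "bindings" part of what
# `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, keyed by
# project ID. Project IDs and e-mail addresses are invented for this example.
SAMPLE_POLICIES = json.loads("""
{
  "apphub-host": {"bindings": [
    {"role": "roles/apphub.admin", "members": ["user:admin@example.com"]},
    {"role": "roles/apphub.editor", "members": ["user:dev@example.com"]}]},
  "service-project-1": {"bindings": [
    {"role": "roles/apphub.admin", "members": ["user:admin@example.com"]},
    {"role": "roles/owner", "members": ["user:creator@example.com"]}]},
  "service-project-2": {"bindings": [
    {"role": "roles/apphub.admin", "members": ["user:other@example.com"]}]},
  "service-project-3": {"bindings": [
    {"role": "roles/compute.viewer", "members": ["user:admin@example.com"]}]}
}
""")


def members_with_role(policy, role):
    """Return the set of members bound to `role` in one IAM policy dict."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            found.update(binding.get("members", []))
    return found


def audit_apphub_iam(policies, host_project):
    """Return (project, code, detail) findings for an App Hub project set.

    NO_APPHUB_ADMIN  nobody in the project holds roles/apphub.admin
    ADMIN_MISMATCH   the service project has App Hub admins, but none of
                     them is also an admin of the host project
    BASIC_ROLE       a principal holds the basic Owner or Editor role
    IAM conditions on bindings are not evaluated here.
    """
    findings = []
    host_admins = members_with_role(policies[host_project], ADMIN_ROLE)
    for project in sorted(policies):
        policy = policies[project]
        for role in BASIC_ROLES:
            for member in sorted(members_with_role(policy, role)):
                findings.append((project, "BASIC_ROLE", f"{member} has {role}"))
        admins = members_with_role(policy, ADMIN_ROLE)
        if not admins:
            findings.append((project, "NO_APPHUB_ADMIN", ADMIN_ROLE))
        elif project != host_project and not admins & host_admins:
            findings.append((project, "ADMIN_MISMATCH",
                             "admins: " + ", ".join(sorted(admins))))
    return findings


if __name__ == "__main__":
    for project, code, detail in audit_apphub_iam(SAMPLE_POLICIES, "apphub-host"):
        print(f"{project}: {code}: {detail}")
```

ADMIN_MISMATCH is the case to resolve before attaching projects, because the same user needs the App Hub Admin role on both sides to add a service project to the host project.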
Attach the service projects
Service projects are Google Cloud projects that contain infrastructure resources that you can register to an App Hub application. For more information, see Service projects. Attach the service projects on which you deployed the resources to the App Hub host project.
In the Google Cloud console, go to the App Hub Settings page.
On the Settings page, click Attach projects.
On the pane that opens, search for projects from the displayed list and select the checkboxes for the projects you want to add as the service projects.
Click Select. The Attached Service Project(s) table displays the selected service projects.
Click Close.
Attach service projects 1, 2, and 3 to your App Hub host project.
gcloud apphub service-projects add SERVICE_PROJECT_1_ID \
    --project=HOST_PROJECT_ID
gcloud apphub service-projects add SERVICE_PROJECT_2_ID \
    --project=HOST_PROJECT_ID
gcloud apphub service-projects add SERVICE_PROJECT_3_ID \
    --project=HOST_PROJECT_ID
Confirm that you have attached the App Hub service projects to the App Hub host project:
gcloud apphub service-projects list --project=HOST_PROJECT_ID
After you attach the service project to the App Hub host project, you can view all the Google Cloud resources from the attached service project as discovered App Hub services and workloads. For more information on how to view these discovered services and workloads, see View existing applications, services, and workloads.
Create an application
Create an application to be the container of your services and workloads. When you create an application, you can assign immutable properties such as a scope type or location from which you'd like to register resources and variable attributes such as criticality and environment. You can use the variable attributes to filter the applications. For more information, see Properties and attributes.
In this tutorial, you create a Global application to help you to manage global and regional resources in a single application. If you want to group your resources from a specific region, you can create a Regional application and register these resources. For more information on how to create a regional application, see Set up App Hub.
- Make sure that you're in the App Hub host project.
In the Google Cloud console, go to the App Hub Applications page.
Click Create application.
On the Create application page, in the Choose application region and name pane, select Global.
In the Application name field, enter tutorial-application. This name is a unique identifier and is immutable after you create the application.
Enter a Display name, Tutorial, and click Continue. This is a user-friendly name that you can update. For more information, see Update an existing application.
In the Add attributes pane, from the Criticality list, select High. Criticality indicates how critical an application, service, or workload is to your business operations.
In the Environment field, to indicate the stage of the software lifecycle, select Production.
Click Continue.
In the Add owners pane, add the following details for Developer Owners, Operator Owners, and Business Owners. Note that you must enter the owner's email address if you add a display name.
- Enter an owner's display name.
- Enter the owner's email address. This value must have the format username@yourdomain, for example, 222larabrown@gmail.com.
Repeat these steps for each developer, operator, and business owner.
Click Create.
The new application gets created and is listed on the Applications page. Note that only the forwarding rule, URL map, backend service, and managed instance group (MIG) become available as discovered resources on the App Hub application. For more information, see concepts and data model.
Select the App Hub host project that you created:
gcloud config set project HOST_PROJECT_ID
Create a new application called tutorial-application in the region, global, and give it a display name, Tutorial. This application name, tutorial-application, is a unique identifier and is immutable after you create the application. The display name, Tutorial, is a user-friendly name that you can update. For more information, see Update an existing application.
gcloud apphub applications create tutorial-application \
    --display-name='Tutorial' \
    --scope-type=GLOBAL \
    --project=HOST_PROJECT_ID \
    --location=global
List the applications in your App Hub host project:
gcloud apphub applications list \
    --project=HOST_PROJECT_ID \
    --location=global
You see output similar to the following:
ID                    DISPLAY_NAME  CREATE_TIME
tutorial-application  Tutorial      2023-10-31T18:33:48
Update your application with the criticality-type, environment-type, and owner attributes:
gcloud apphub applications update tutorial-application \
    --criticality-type='HIGH' \
    --environment-type='PRODUCTION' \
    --developer-owners=display-name=DISPLAY-NAME-DEVELOPER,email=EMAIL-DEVELOPER \
    --operator-owners=display-name=DISPLAY-NAME-OPERATOR,email=EMAIL-OPERATOR \
    --business-owners=display-name=DISPLAY-NAME-BUSINESS,email=EMAIL-BUSINESS \
    --project=HOST_PROJECT_ID \
    --location=global
Replace the following:
- DISPLAY-NAME-DEVELOPER, DISPLAY-NAME-OPERATOR, and DISPLAY-NAME-BUSINESS: display names of the developer, operator, and business owners, respectively.
- EMAIL-DEVELOPER, EMAIL-OPERATOR, and EMAIL-BUSINESS: email addresses of the developer, operator, and business owners, respectively. These values must have the format username@yourdomain, for example, 222larabrown@gmail.com.
Notes:
- criticality-type: indicates how critical an application, service, or workload is to your business operations.
- environment-type: indicates the stages of the software lifecycle.
Get details for the application that you created:
gcloud apphub applications describe tutorial-application \
    --project=HOST_PROJECT_ID \
    --location=global
The command returns information in YAML format, similar to the following:
attributes:
  businessOwners:
  - displayName: [DISPLAY-NAME-BUSINESS]
    email: [EMAIL-BUSINESS]
  criticality:
    type: HIGH
  developerOwners:
  - displayName: [DISPLAY-NAME-DEVELOPER]
    email: [EMAIL-DEVELOPER]
  environment:
    type: PRODUCTION
  operatorOwners:
  - displayName: [DISPLAY-NAME-OPERATOR]
    email: [EMAIL-OPERATOR]
createTime: '2023-10-31T18:33:48.199394108Z'
displayName: Tutorial
name: projects/HOST_PROJECT_ID/locations/global/applications/tutorial-application
scope:
  type: REGIONAL
state: ACTIVE
uid: 9d991a9d-5d8a-4c0d-b5fd-85e39fb58c73
updateTime: '2023-10-31T18:33:48.343303819Z'
Register services and workloads
Registering services and workloads adds them to an application that lets you monitor the added resources.
In the Google Cloud console, go to the App Hub Applications page.
Click the name of your application, Tutorial. The Services and workloads tab is displayed with a list of registered services and workloads that are in your App Hub service projects.
Register a service:
- On the Services and workloads tab, click Register service/workload.
- On the Register service or workload page, in the Select resource pane, click Browse to select the service or workload as a Resource.
- In the Select resource pane, choose the Name of the service, tutorial-backend-service-sp2, and click Select.
- In the Select resource pane, enter the Name of the resource, tutorial-service-backend-sp2.
- Enter a Display name, Backend service (SP2), and click Continue.
- In the Add attributes pane, in the Criticality list, to indicate the importance of the application, select High.
- In the Environment field, to indicate the stage of the software lifecycle, select Production.
- Click Continue.
- In the Add owners pane, add the following details as required for Developer Owners, Operator Owners, and Business Owners. Note that you must enter the owner's email address if you add a display name.
- Enter an owner's display name.
- Enter the owner's email address. This value must have the format username@yourdomain, for example, 222larabrown@gmail.com.
- Repeat these steps for each developer, operator, and business owner.
- Click Register.
On the Services and workloads tab, in the Registered services and workloads section, you can see the new service added.
- Repeat the previous steps to register the other services as tutorial-service-backend-sp3, tutorial-service-forwarding-rule and tutorial-service-url-map, respectively.
- Register a workload by repeating the earlier steps to register a service with the following exceptions:
- In the Register service or workload pane, in the Choose service or workload section, select the Name of the workload, tutorial-sp2-mig-a, and click Continue.
- In the Select resource pane, enter the Name of the resource, tutorial-workload-sp2-mig-a.
- Enter a Display name, Instance group - A (SP2), and click Continue.
- Repeat the previous steps to register the other workloads as tutorial-workload-sp2-mig-a, tutorial-workload-sp2-mig-b, tutorial-workload-sp3-mig-a, and tutorial-workload-sp3-mig-b, respectively.
Add an individual with App Hub Editor permissions:
gcloud projects add-iam-policy-binding HOST_PROJECT_ID \
    --member='user:APP_HUB_EDITOR' \
    --role='roles/apphub.editor'
Replace APP_HUB_EDITOR with the user who has the App Hub Editor role in the App Hub host project. This value has the format username@yourdomain, for example, 222larabrown@gmail.com.
List all discovered services in the App Hub host project. This command returns services that are available to be registered to an application.
gcloud apphub discovered-services list \
    --project=HOST_PROJECT_ID \
    --location=us-west1
You see output similar to the following:
ID  SERVICE_REFERENCE  SERVICE_PROPERTIES
BACKEND_SERVICE_SP2_ID  {'uri': '//compute.googleapis.com/projects/[SERVICE_PROJECT_2_NUMBER]/regions/us-west1/backendServices/tutorial-backend-service-sp2'}  {'gcpProject': 'projects/SERVICE_PROJECT_2_ID', 'location': 'us-west1'}
BACKEND_SERVICE_SP3_ID  {'uri': '//compute.googleapis.com/projects/[SERVICE_PROJECT_3_NUMBER]/regions/us-west1/backendServices/tutorial-backend-service-sp3'}  {'gcpProject': 'projects/SERVICE_PROJECT_3_ID', 'location': 'us-west1'}
FORWARDING_RULE_SERVICE_ID  {'uri': '//compute.googleapis.com/projects/[SERVICE_PROJECT_1_NUMBER]/regions/us-west1/forwardingRules/l7-ilb-forwarding-rule'}  {'gcpProject': 'projects/SERVICE_PROJECT_1_ID', 'location': 'us-west1'}
URL_MAP_SERVICE_ID  {'uri': '//compute.googleapis.com/projects/[SERVICE_PROJECT_1_NUMBER]/regions/us-west1/urlMaps/tutorial-url-maps'}  {'gcpProject': 'projects/SERVICE_PROJECT_1_ID', 'location': 'us-west1'}
Copy the service IDs, for example, BACKEND_SERVICE_SP2_ID, from the output to use in the next step.
Register services from the previous step to your application. Copy the service IDs from the output field in the previous step.
gcloud apphub applications services create tutorial-service-backend-sp2 \
    --discovered-service='projects/HOST_PROJECT_ID/locations/us-west1/discoveredServices/BACKEND_SERVICE_SP2_ID' \
    --display-name='Backend service (SP2)' \
    --criticality-type='HIGH' \
    --environment-type='PRODUCTION' \
    --application=tutorial-application \
    --project=HOST_PROJECT_ID \
    --location=global
gcloud apphub applications services create tutorial-service-backend-sp3 \
    --discovered-service='projects/HOST_PROJECT_ID/locations/us-west1/discoveredServices/BACKEND_SERVICE_SP3_ID' \
    --display-name='Backend service (SP3)' \
    --criticality-type='HIGH' \
    --environment-type='PRODUCTION' \
    --application=tutorial-application \
    --project=HOST_PROJECT_ID \
    --location=global
gcloud apphub applications services create tutorial-service-forwarding-rule \
    --discovered-service='projects/HOST_PROJECT_ID/locations/us-west1/discoveredServices/FORWARDING_RULE_SERVICE_ID' \
    --display-name='Forwarding rule' \
    --criticality-type='HIGH' \
    --environment-type='PRODUCTION' \
    --application=tutorial-application \
    --project=HOST_PROJECT_ID \
    --location=global
gcloud apphub applications services create tutorial-service-url-map \
    --discovered-service='projects/HOST_PROJECT_ID/locations/us-west1/discoveredServices/URL_MAP_SERVICE_ID' \
    --display-name='URL map' \
    --criticality-type='HIGH' \
    --environment-type='PRODUCTION' \
    --application=tutorial-application \
    --project=HOST_PROJECT_ID \
    --location=global
Replace the following:
- BACKEND_SERVICE_SP2_ID: the service ID of the backend service from Service Project 2 that you want to register.
- BACKEND_SERVICE_SP3_ID: the service ID of the backend service from Service Project 3 that you want to register.
- FORWARDING_RULE_SERVICE_ID: the service ID of the forwarding rule from Service Project 1 that you want to register.
- URL_MAP_SERVICE_ID: the service ID of the URL map from Service Project 1 that you want to register.
List all registered services in the application:
gcloud apphub applications services list \
    --application=tutorial-application \
    --project=HOST_PROJECT_ID \
    --location=global
You see output similar to the following:
ID  DISPLAY_NAME  SERVICE_REFERENCE  CREATE_TIME
tutorial-service-backend-sp2  Backend service  {'uri': '//compute.googleapis.com/projects/[SERVICE_PROJECT_2_NUMBER]/regions/us-west1/backendServices/tutorial-backend-service-sp2'}  2024-02-13T00:31:45
tutorial-service-backend-sp3  Backend service  {'uri': '//compute.googleapis.com/projects/[SERVICE_PROJECT_3_NUMBER]/regions/us-west1/backendServices/tutorial-backend-service-sp3'}  2024-02-13T00:31:45
tutorial-service-forwarding-rule  Forwarding rule  {'uri': '//compute.googleapis.com/projects/[SERVICE_PROJECT_1_NUMBER]/regions/us-west1/forwardingRules/l7-ilb-forwarding-rule'}  2024-02-13T00:31:45
tutorial-service-url-map  URL map  {'uri': '//compute.googleapis.com/projects/[SERVICE_PROJECT_1_NUMBER]/regions/us-west1/urlMaps/tutorial-url-maps'}  2024-02-13T00:31:45
Registered, but detached services are denoted by an empty value in the SERVICE_REFERENCE field. For more information on the registration statuses, see the properties and attributes of App Hub.
List all discovered workloads in the App Hub host project. This command returns workloads that are available to be registered to an application.
gcloud apphub discovered-workloads list \
    --project=HOST_PROJECT_ID \
    --location=global
You see output similar to the following:
ID  WORKLOAD_REFERENCE  WORKLOAD_PROPERTIES
INSTANCE_GROUP_SP3_A_ID  {'uri': '//compute.googleapis.com/projects/[SERVICE_PROJECT_3_NUMBER]/zones/us-west1-a/instanceGroups/tutorial-sp3-mig-a'}  {'gcpProject': 'projects/SERVICE_PROJECT_3_ID', 'location': 'us-west1'}
INSTANCE_GROUP_SP3_B_ID  {'uri': '//compute.googleapis.com/projects/[SERVICE_PROJECT_3_NUMBER]/zones/us-west1-a/instanceGroups/tutorial-sp3-mig-b'}  {'gcpProject': 'projects/SERVICE_PROJECT_3_ID', 'location': 'us-west1'}
INSTANCE_GROUP_SP2_A_ID  {'uri': '//compute.googleapis.com/projects/[SERVICE_PROJECT_2_NUMBER]/zones/us-west1-a/instanceGroups/tutorial-sp2-mig-a'}  {'gcpProject': 'projects/SERVICE_PROJECT_2_ID', 'location': 'us-west1'}
INSTANCE_GROUP_SP2_B_ID  {'uri': '//compute.googleapis.com/projects/[SERVICE_PROJECT_2_NUMBER]/zones/us-west1-a/instanceGroups/tutorial-sp2-mig-b'}  {'gcpProject': 'projects/SERVICE_PROJECT_2_ID', 'location': 'us-west1'}
Copy the workload ID from the output to use in the next step.
Register the workloads from the previous step to your application. Copy the workload ID from the output field in the previous step.
gcloud apphub applications workloads create tutorial-workload-sp3-mig-a \
    --discovered-workload='projects/HOST_PROJECT_ID/locations/us-west1/discoveredWorkloads/INSTANCE_GROUP_SP3_A_ID' \
    --display-name='Workload instance group (SP3-A)' \
    --application=tutorial-application \
    --project=HOST_PROJECT_ID \
    --location=global
gcloud apphub applications workloads create tutorial-workload-sp3-mig-b \
    --discovered-workload='projects/HOST_PROJECT_ID/locations/us-west1/discoveredWorkloads/INSTANCE_GROUP_SP3_B_ID' \
    --display-name='Workload instance group (SP3-B)' \
    --application=tutorial-application \
    --project=HOST_PROJECT_ID \
    --location=global
gcloud apphub applications workloads create tutorial-workload-sp2-mig-a \
    --discovered-workload='projects/HOST_PROJECT_ID/locations/us-west1/discoveredWorkloads/INSTANCE_GROUP_SP2_A_ID' \
    --display-name='Workload instance group (SP2-A)' \
    --application=tutorial-application \
    --project=HOST_PROJECT_ID \
    --location=global
gcloud apphub applications workloads create tutorial-workload-sp2-mig-b \
    --discovered-workload='projects/HOST_PROJECT_ID/locations/us-west1/discoveredWorkloads/INSTANCE_GROUP_SP2_B_ID' \
    --display-name='Workload instance group (SP2-B)' \
    --application=tutorial-application \
    --project=HOST_PROJECT_ID \
    --location=global
Replace the following:
- INSTANCE_GROUP_SP3_A_ID, INSTANCE_GROUP_SP3_B_ID: the workload IDs of the managed instance groups from Service Project 3 that you want to register.
- INSTANCE_GROUP_SP2_A_ID, INSTANCE_GROUP_SP2_B_ID: the workload IDs of the managed instance groups from Service Project 2 that you want to register.
List all registered workloads in the application:
gcloud apphub applications workloads list \
    --application=tutorial-application \
    --project=HOST_PROJECT_ID \
    --location=global
You see output similar to the following:
ID  DISPLAY_NAME  SERVICE_REFERENCE  CREATE_TIME
tutorial-workload-sp3-mig-a  Workload instance group (SP3-A)  {'uri': '//compute.googleapis.com/projects/[SERVICE_PROJECT_3_NUMBER]/zones/us-west1-a/instanceGroups/tutorial-sp3-mig-a'}  2024-02-13T00:31:45
tutorial-workload-sp3-mig-b  Workload instance group (SP3-B)  {'uri': '//compute.googleapis.com/projects/[SERVICE_PROJECT_3_NUMBER]/zones/us-west1-a/instanceGroups/tutorial-sp3-mig-b'}  2024-02-13T00:31:45
tutorial-workload-sp2-mig-a  Workload instance group (SP2-A)  {'uri': '//compute.googleapis.com/projects/[SERVICE_PROJECT_2_NUMBER]/zones/us-west1-a/instanceGroups/tutorial-sp2-mig-a'}  2024-02-13T00:31:45
tutorial-workload-sp2-mig-b  Workload instance group (SP2-B)  {'uri': '//compute.googleapis.com/projects/[SERVICE_PROJECT_2_NUMBER]/zones/us-west1-a/instanceGroups/tutorial-sp2-mig-b'}  2024-02-13T00:31:45
Registered, but detached workloads are denoted by an empty value in the WORKLOAD_REFERENCE field. For more information on the registration statuses, see the properties and attributes of App Hub.
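The following inventory check is an added example, not part of the original tutorial: it flags registrations whose reference is empty (detached), registrations that point at a project outside the attached service projects, and expected registrations that are missing. It assumes the list commands are run with `--format=json` and that the reference columns appear as `serviceReference` and `workloadReference` keys; the project numbers and sample records are constructed.

```python
import re

# Compute resource URI as shown in the reference columns, for example
# //compute.googleapis.com/projects/N/regions/R/backendServices/NAME
URI_RE = re.compile(
    r"^//compute\.googleapis\.com/projects/(?P<project>[^/]+)/"
    r"(?:regions|zones)/(?P<location>[^/]+)/(?P<kind>[^/]+)/(?P<name>[^/]+)$"
)

APP = "projects/apphub-host/locations/global/applications/tutorial-application"
COMPUTE = "//compute.googleapis.com/projects"

# Constructed project numbers standing in for Service Projects 1, 2 and 3.
SERVICE_PROJECT_NUMBERS = {"111111111111", "222222222222", "333333333333"}

# Constructed records shaped like the JSON form of the list output
# (key names are an assumption; with real data, json.load the saved output).
SAMPLE_SERVICES = [
    {"name": f"{APP}/services/tutorial-service-backend-sp2",
     "serviceReference": {"uri": f"{COMPUTE}/222222222222/regions/us-west1/"
                                 "backendServices/tutorial-backend-service-sp2"}},
    {"name": f"{APP}/services/tutorial-service-backend-sp3"},  # no reference
    {"name": f"{APP}/services/tutorial-service-forwarding-rule",
     "serviceReference": {"uri": f"{COMPUTE}/999999999999/regions/us-west1/"
                                 "forwardingRules/l7-ilb-forwarding-rule"}},
]
SAMPLE_WORKLOADS = [
    {"name": f"{APP}/workloads/tutorial-workload-sp2-mig-a",
     "workloadReference": {"uri": f"{COMPUTE}/222222222222/zones/us-west1-a/"
                                  "instanceGroups/tutorial-sp2-mig-a"}},
    {"name": f"{APP}/workloads/tutorial-workload-sp2-mig-b",
     "workloadReference": {}},  # empty reference
]

EXPECTED_SERVICES = {
    "tutorial-service-backend-sp2", "tutorial-service-backend-sp3",
    "tutorial-service-forwarding-rule", "tutorial-service-url-map",
}
EXPECTED_WORKLOADS = {"tutorial-workload-sp2-mig-a", "tutorial-workload-sp2-mig-b"}


def check_registrations(items, ref_key, expected_ids, allowed_projects):
    """Return (registration_id, code) findings for one list output.

    DETACHED            the reference is missing or has no URI
    UNPARSED_URI        the URI is not a regional or zonal Compute resource
    UNEXPECTED_PROJECT  the resource lives outside the allowed projects
    NOT_REGISTERED      an expected registration is absent from the list
    """
    findings = []
    seen = set()
    for item in items:
        reg_id = item["name"].rsplit("/", 1)[-1]
        seen.add(reg_id)
        uri = (item.get(ref_key) or {}).get("uri", "")
        if not uri:
            findings.append((reg_id, "DETACHED"))
            continue
        match = URI_RE.match(uri)
        if match is None:
            findings.append((reg_id, "UNPARSED_URI"))
        elif match.group("project") not in allowed_projects:
            findings.append((reg_id, "UNEXPECTED_PROJECT"))
    for missing in sorted(expected_ids - seen):
        findings.append((missing, "NOT_REGISTERED"))
    return findings


if __name__ == "__main__":
    for label, items, key, expected in (
        ("service", SAMPLE_SERVICES, "serviceReference", EXPECTED_SERVICES),
        ("workload", SAMPLE_WORKLOADS, "workloadReference", EXPECTED_WORKLOADS),
    ):
        for reg_id, code in check_registrations(
                items, key, expected, SERVICE_PROJECT_NUMBERS):
            print(f"{label} {reg_id}: {code}")
```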
View all services and workloads
You can view details of the services and workloads from the service projects that are attached to the App Hub host project.
In the Google Cloud console, go to the App Hub Services and Workloads page.
In the Region list, select global. The Workload instance group workload is displayed with details such as App Hub Type, Criticality, and Registered to.
To filter the services or workloads based on their state:
- In the Filter field, select filters such as Registration status.
- Click Registered. A list of services and workloads registered to the application appears.
View application metrics
You can view the system metrics for the applications created in your App Hub host project. These metrics correspond to the golden signals (traffic, errors, latency, and saturation) that help monitor the performance and health of the application.
In the Google Cloud console, go to the App Hub Applications page.
Click the name of the application, Tutorial.
The Services and workloads tab is displayed with the metadata of services and workloads registered to your application.
To view the system metrics of registered services and workloads, click Metrics.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.
Delete the App Hub resources
In the Google Cloud console, go to the App Hub Applications page.
Click the name of an application, Tutorial.
On the Services and workloads tab, from the Registered services and workloads section, click the name of a service.
On the Services and Workloads page, click Unregister.
An alert notifies that the service is unregistered.
On the Services and workloads tab, from the Registered services and workloads section, click the name of a workload.
On the Details tab, click Unregister.
An alert notifies that the workload is unregistered.
Go to the App Hub Applications page.
Click the name of an application.
On the tutorial-application page, click Delete.
In the Google Cloud console, go to the App Hub Settings page.
On the Settings page, select the checkbox for the service project that you want to remove from the App Hub host project.
Click Detach projects.
List the registered services in the application:
gcloud apphub applications services list \
    --application=tutorial-application \
    --project=HOST_PROJECT_ID \
    --location=global
Unregister the services from the application:
gcloud apphub applications services delete SERVICE_NAME \
    --application=tutorial-application \
    --project=HOST_PROJECT_ID \
    --location=global
Replace SERVICE_NAME with the name of your service. The services are now discovered services that can be registered to the application.
List the registered workloads in the application:
gcloud apphub applications workloads list \
    --application=tutorial-application \
    --project=HOST_PROJECT_ID \
    --location=global
Unregister the workload from the application:
gcloud apphub applications workloads delete WORKLOAD_NAME \
    --application=tutorial-application \
    --project=HOST_PROJECT_ID \
    --location=global
Replace WORKLOAD_NAME with the name of your workload. The workload is now a discovered workload that can be registered to the application.
Delete the application:
gcloud apphub applications delete tutorial-application \
    --project=HOST_PROJECT_ID \
    --location=global
Remove the service projects from the App Hub host project:
gcloud apphub service-projects remove SERVICE_PROJECT_ID \
    --project=HOST_PROJECT_ID
Replace SERVICE_PROJECT_ID with the project IDs of service projects 1, 2, and 3.
Delete the deployment
When you no longer need the solution, to avoid continued billing for the resources that you created in this solution, delete all the resources.
For more information, see clean up the load balancer setup.
Delete the project
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
Delete a Google Cloud project:
gcloud projects delete PROJECT_ID
Replace PROJECT_ID with the host or service project IDs.