From edge to mesh: Exposing service mesh applications through GKE Ingress

This tutorial shows how to combine Anthos Service Mesh with Cloud Load Balancing to expose applications in a service mesh to internet clients.

Anthos Service Mesh is a managed service mesh, based on Istio, that provides a security-enhanced, observable, and standardized communication layer for applications. Whether you use Anthos Service Mesh, Traffic Director, or Istio, a service mesh provides a holistic communications platform for clients that are communicating in the mesh. However, a challenge remains in how to connect clients that are outside the mesh to applications hosted in the mesh.

You can expose an application to clients in many ways, depending on where the client is. This tutorial shows you how to expose an application to clients by combining Cloud Load Balancing with Anthos Service Mesh in order to integrate load balancers with a service mesh. This tutorial is intended for advanced practitioners who run Anthos Service Mesh but it works for Istio on Google Kubernetes Engine too.

Mesh ingress gateway

Istio 0.8 introduced the mesh ingress gateway that provides a dedicated set of proxies whose ports are exposed to traffic coming from outside the service mesh. These mesh ingress proxies let you control L4 exposure behavior separately from application routing behavior. The proxies also let you apply routing and policy to mesh-external traffic before it arrives at an application sidecar. Mesh ingress defines the treatment of traffic when it reaches a node in the mesh, but external components must define how traffic first arrives at the mesh.

To manage this external traffic, you need a load balancer that is external to the mesh. This tutorial uses Google Cloud Load Balancing provisioned through GKE Ingress resources to automate deployment. The canonical example of this setup is an external load balancing service that (in the case of Google Cloud) deploys a public TCP/UDP load balancer. That load balancer points at the NodePorts of a GKE cluster. These NodePorts expose the Istio ingress gateway Pods, which route traffic to downstream mesh sidecar proxies. The following diagram illustrates this topology. Load balancing for internal private traffic looks similar to this architecture, except that you deploy an internal TCP/UDP load balancer instead.

An external load balancer routes external clients to the mesh through ingress gateway proxies.

Using L4 transparent load balancing with a mesh ingress gateway offers the following advantages:

  • This setup simplifies deploying the load balancer.
  • The load balancer provides a stable virtual IP (VIP), health checking, and reliable traffic distribution when cluster changes, node outages, or process outages occur.
  • All routing rules, TLS termination, and traffic policy is handled in a single location at the mesh ingress gateway.

GKE Ingress and Services

You can provide access to applications for clients that are outside the cluster in many ways. The following table lists the Kubernetes primitives available for deploying load balancers on Google Cloud. The type of load balancer you use to expose applications to clients depends largely on whether the clients are external or internal, what kind of protocol support is required, and whether the service mesh spans multiple GKE clusters or is contained in a single cluster.

Any of the load balancer types in the following table can expose mesh-hosted applications, depending on the use case.

GKE resource Cloud-based load balancer Characteristics
Ingress for External HTTP(S) Load Balancing External HTTP(S) load balancer

L7 proxies in Google edge points of presence (PoPs)

Public VIP

Globally scoped

Single cluster

Ingress for Internal HTTP(S) Load Balancing Internal HTTP(S) load balancer

L7 proxies inside virtual private cloud (VPC) network

Private VIP

Regionally scoped

Single cluster

External LoadBalancer Service External TCP/UDP load balancer

L4 pass-through at Google edge PoPs

Public VIP

Regionally scoped

Single cluster

Internal LoadBalancer Service Internal TCP/UDP load balancer

L4 pass-through in VPC routing network

Private VIP

Regionally scoped

Single cluster

Multi Cluster Ingress (multi-cluster, external ingress) External HTTP(S) load balancer

L7 proxies in Google edge PoPs

Public VIP

Globally scoped


Although the default load balancer for Anthos Service Mesh is the external TCP/UDP load balancer, this tutorial focuses on the external HTTP(S) load balancer that you deploy by using External HTTP(S) Load Balancing. The external HTTP(S) load balancer provides integration with edge services like Identity-Aware Proxy (IAP), Google Cloud Armor, and Cloud CDN, as well as a globally distributed network of edge proxies. The next section describes the architecture and advantages of using two layers of HTTP load balancing.

Cloud ingress and mesh ingress

Deploying external L7 load balancing outside of the mesh along with a mesh ingress layer offers significant advantages, especially for internet traffic. Even though Anthos Service Mesh and Istio ingress gateways provide advanced routing and traffic management in the mesh, some functions are better served at the edge of the network. Taking advantage of internet-edge networking through Google Cloud's External HTTP(S) Load Balancing might provide significant performance, reliability, or security-related benefits over mesh-based ingress. These benefits include the following:

This external layer of L7 load balancing is referred to as cloud ingress because it is built on cloud-managed load balancers rather than the self-hosted proxies that are used by mesh ingress. The combination of cloud ingress and mesh ingress utilizes complementary capabilities of the Google Cloud infrastructure and the mesh. The following diagram illustrates how you can combine cloud ingress and mesh ingress to serve as two load balancing layers for internet traffic.

Cloud ingress acts as the gateway for external traffic to the mesh through the VPC network.

In this topology, the cloud ingress layer sources traffic from outside of the service mesh and directs that traffic to the mesh ingress layer. The mesh ingress layer then directs traffic to the mesh-hosted application backends.

Cloud and mesh ingress topology

This section describes the complementary roles that each ingress layer fulfills when you use them together. These roles are not concrete rules, but rather guidelines that use the advantages of each layer. Variations of this pattern are likely, depending on your use case.

  • Cloud ingress. When paired with mesh ingress, the cloud ingress layer is best used for edge security and global load balancing. Because the cloud ingress layer is integrated with DDoS protection, cloud firewalls, authentication, and encryption products at the edge, this layer excels at running these services outside of the mesh. The routing logic is typically straightforward at this layer, but the logic can be more complex for multi-cluster and multi-region environments. Because of the critical function of internet-facing load balancers, the cloud ingress layer is likely managed by an infrastructure team that has exclusive control over how applications are exposed and secured on the internet. This control also makes this layer less flexible and dynamic than a developer-driven infrastructure, a consideration that may impact who and how you provide administrative access to this layer.
  • Mesh ingress. When paired with cloud ingress, the mesh ingress layer provides flexible routing that is close to the application. Because of this flexibility, the mesh ingress is better than cloud ingress for complex routing logic and application-level visibility. The separation between ingress layers also makes it easier for application owners to directly control this layer without impacting other teams. When you expose service mesh applications through an L4 load balancer instead of an L7 load balancer, you should terminate client TLS at the mesh ingress layer inside the mesh to help secure applications.

Health checking

One complexity of using two layers of L7 load balancing is health checking. You must configure each load balancer to check the health of the next layer to ensure that it can receive traffic. The topology in the following diagram shows how cloud ingress checks the health of the mesh ingress proxies, and the mesh, in return, checks the health of the application backends.

Cloud ingress checks the health of the mesh ingress, and the mesh ingress checks the health of the application backends.

This topology has the following considerations:

  • Cloud ingress. In this tutorial, you configure the Google Cloud load balancer through ingress to check the health of the mesh ingress proxies on their exposed health check ports. If a mesh proxy is down, or if the cluster, mesh, or region is unavailable, the Google Cloud load balancer detects this condition and doesn't send traffic to the mesh proxy.
  • Mesh ingress. In the mesh application, you perform health checks on the backends directly so that you can execute load balancing and traffic management locally.


The preceding topology involves several elements of security. One of the most critical elements is in how you configure encryption and deploy certificates. Ingress for External HTTP(S) Load Balancing has deep integration with Google-managed certificates. This integration automatically provisions public certificates, attaches them to a load balancer, and renews and rotates certificates all through the declarative GKE Ingress interface. Internet clients authenticate against the public certificates and connect to the external load balancer as the first hop in the Virtual Private Cloud (VPC).

The next hop, which is between the Google Front End (GFE) and the mesh ingress proxy, is encrypted by default. Network-level encryption between the GFEs and their backends is applied automatically. However, if your security requirements dictate that the platform owner retain ownership of the encryption keys, then you can enable HTTP/2 with TLS encryption between the cluster ingress (the GFE) and the mesh ingress (the envoy proxy instance). When you enable HTTP/2 with TLS encryption for this path, you can use a self-signed or public certificate to encrypt traffic because the GFE doesn't authenticate against it. This additional layer of encryption is demonstrated in this guide. To help prevent the mishandling of certificates, do not use the public certificate for the public load balancer elsewhere. Instead, we recommend that you use separate certificates in the service mesh.

If the service mesh mandates TLS, then all traffic is encrypted between sidecar proxies and to the mesh ingress. The following diagram illustrates HTTPS encryption from the client to the Google Cloud load balancer, from the load balancer to the mesh ingress proxy, and from the ingress proxy to the sidecar proxy.

Security is implemented using managed certificates outside of the mesh and internal certificates inside the mesh.


  • Deploy a Google Kubernetes Engine (GKE) cluster on Google Cloud.
  • Deploy an Istio-based Anthos Service Mesh on your GKE cluster.
  • Deploy the Online Boutique application on the GKE cluster that you expose to clients on the internet.
  • Configure GKE Ingress to terminate public HTTPS traffic and direct that traffic to service mesh-hosted applications.


This tutorial uses the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use the pricing calculator. New Google Cloud users might be eligible for a free trial.

When you finish this tutorial, you can avoid continued billing by deleting the resources you created. For more information, see Cleaning up.

Before you begin

  1. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  2. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  3. In the Cloud Console, activate Cloud Shell.

    Activate Cloud Shell

    You run all of the terminal commands for this tutorial from Cloud Shell.

  4. Set your default Google Cloud project:

    export PROJECT=$(gcloud info --format='value(config.project)')
    export PROJECT_NUMBER=$(gcloud projects describe ${PROJECT} --format="value(projectNumber)")
    gcloud config set project ${PROJECT}
  5. Clone the code repository to get the files for this tutorial, and create a working directory:

    mkdir -p ${HOME}/edge-to-mesh
    cd ${HOME}/edge-to-mesh
    export WORKDIR=`pwd`

    After you finish the tutorial, you can delete the working directory.

Creating GKE clusters

The features that are described in this tutorial require a GKE cluster version 1.16 or later.

  1. In Cloud Shell, create a new kubeconfig file. This step ensures that you don't create a conflict with your existing (default) kubeconfig file.

    touch edge2mesh_kubeconfig
    export KUBECONFIG=${WORKDIR}/edge2mesh_kubeconfig
  2. Define environment variables for the GKE cluster:

    export CLUSTER_NAME=edge-to-mesh
    export CLUSTER_LOCATION=us-west1-a
  3. Create a GKE cluster.

    gcloud container clusters create ${CLUSTER_NAME} \
        --machine-type=e2-standard-4 \
        --num-nodes=4 \
        --zone ${CLUSTER_LOCATION} \
        --enable-ip-alias \
        --workload-pool=${PROJECT} \
        --release-channel rapid
  4. Ensure that the cluster is running:

    gcloud container clusters list

    The output is similar to the following:

    edge-to-mesh  us-west1-a  v1.19.9-gke.1400  e2-standard-4  v1.19.9-gke.1400  4          RUNNING
  5. Connect to the cluster:

    gcloud container clusters get-credentials ${CLUSTER_NAME} --zone ${CLUSTER_LOCATION} --project ${PROJECT}

Installing a service mesh

  1. In Cloud Shell, download the Anthos Service Mesh installation file.

    Create a custom overlay file to configure the IstioOperator with the NEG annotation:

    cat <<EOF > ingress-backendconfig-operator.yaml
    kind: IstioOperator
          - name: istio-ingressgateway
            enabled: true
                type: ClusterIP
       '{"default": "ingress-backendconfig"}'
       '{"ingress": true}'
       '{"https":"HTTP2"}' # HTTP/2 with TLS encryption

    This custom overlay patches the istio-ingressgateway Service with custom annotations that GKE Ingress uses.

    This Service has the following annotations that set parameters for the Ingress load balancer when it's deployed:

    • refers to the name of a custom resource called BackendConfig. The Ingress controller uses BackendConfig to set parameters on the Google Cloud BackendService resource. You use this resource in the next step to define custom parameters of the Google Cloud health check.
    • '{"ingress": true}' enables the Ingress backends (the mesh ingress proxies in this case) for container-native load balancing. For more efficient and stable load balancing, these backends use network endpoint groups (NEGs) instead of instance groups.
    • '{"https":"HTTP2"}' directs the GFE to connect to the service mesh's ingress gateway using HTTP2 with TLS as described in Ingress for External HTTP(S) Load Balancing and External HTTP(S) Load Balancing overview, for an additional layer of encryption.

    Follow the steps in Installing Anthos Service Mesh on GKE to use a Google-provided script to install Anthos Service Mesh. When you run the script, include the following option:

    --custom_overlay ingress-backendconfig-operator.yaml

    For example:

    ./install_asm \
        --project_id ${PROJECT} \
        --cluster_name ${CLUSTER_NAME} \
        --cluster_location ${CLUSTER_LOCATION} \
        --mode install \
        --enable_all \
        --custom_overlay ingress-backendconfig-operator.yaml
  2. Ensure that all deployments are up and running:

    kubectl wait --for=condition=available --timeout=600s deployment --all -n istio-system

    The output is similar to the following:

    deployment.apps/istio-ingressgateway condition met
    deployment.apps/istiod-asm-195-2 condition met

Generating and installing the self-signed ingress gateway certificate

In the following steps, you generate and install a certificate (as a Kubernetes secret resource) that enables the GFE to establish a TLS connection to the service mesh's ingress gateway. For more details about the requirements of the ingress gateway certificate, see the secure backend protocol considerations guide.

  1. Create the private key and certificate using openssl:

    openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
     -subj "/CN=frontend.endpoints.${PROJECT} Inc" \
     -keyout frontend.endpoints.${PROJECT} \
     -out frontend.endpoints.${PROJECT}
  2. Create the secret in the istio-system namespace:

    kubectl -n istio-system create secret tls edge2mesh-credential \
     --key=frontend.endpoints.${PROJECT} \

Installing the Online Boutique sample app

  1. In Cloud Shell, add a namespace label to the default namespace:

    kubectl label namespace default istio-injection- --overwrite

    Labeling the namespace namespace instructs Istio to automatically inject Envoy sidecar proxies when an application is deployed. Make sure the label you apply matches the version of ASM you have installed, as described in the ASM installation guide. The output is similar to the following:

    namespace/default labeled
  2. Download the Kubernetes and Istio YAML files for the Online Boutique sample app:

    curl -LO \
    curl -LO \
  3. Deploy the Online Boutique app:

    kubectl apply -f kubernetes-manifests.yaml

    The output is similar to the following:

    deployment.apps/frontend created
    service/frontend created
    service/frontend-external created
  4. Ensure that all deployments are up and running:

    kubectl get pods

    The output is similar to the following:

    NAME                                     READY   STATUS    RESTARTS   AGE
    adservice-d854d8786-fjb7q                2/2     Running   0          3m
    cartservice-85b5d5b4ff-8qn7g             2/2     Running   0          2m59s
    checkoutservice-5f9bf659b8-sxhsq         2/2     Running   0          3m1s
  5. The Istio manifests require some additional modification to enable TLS at the ingress gateway, using Kustomize:

    mkdir istio-kustomization
    mv istio-manifests.yaml ./istio-kustomization
    cat <<EOF > istio-kustomization/https-gateway.yaml
    kind: Gateway
        name: frontend-gateway
        istio: ingressgateway # use Istio default gateway implementation
      - port:
          number: 443
          name: https
          protocol: HTTPS
        - "*"
          mode: SIMPLE
          credentialName: edge2mesh-credential
    cat <<EOF > istio-kustomization/kustomization.yaml
    - istio-manifests.yaml
    - https-gateway.yaml
  6. Deploy the Istio manifests:

    kubectl apply -k istio-kustomization/

    The output is similar to the following: created created created created created

Deploying GKE Ingress

In the following steps, you deploy the external HTTP(S) load balancer through GKE's Ingress controller. The Ingress resource automates the provisioning of the load balancer, its TLS certificates, and backend health checking. Additionally, you use Cloud Endpoints to automatically provision a public DNS name for the application.

Apply backend Service settings

  1. In Cloud Shell, look at the istio-ingressgateway Service to see how it is deployed before you apply any customizations:

    kubectl get svc -n istio-system istio-ingressgateway

    The output displays the Service annotations from the default installation.

    NAME                   TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)                                        AGE
    istio-ingressgateway   ClusterIP   <none>        15021/TCP,80/TCP,443/TCP,31400/TCP,15443/TCP   5m57s

    Earlier in this tutorial, you used the Anthos Service Mesh or Istio installation profiles to deploy the istio-ingressgateway as a ClusterIP Service. This customized profile doesn't deploy a TCP/UDP load balancer as a part of the service mesh deployment because this tutorial exposes apps through HTTP(S)-based Ingress resources. At this point in the tutorial, the application cannot be accessed from outside the cluster because nothing is exposing it.

  2. Save the following BackendConfig manifest as ingress-backendconfig.yaml:

    cat <<EOF > ingress-backendconfig.yaml
    kind: BackendConfig
      name: ingress-backendconfig
      namespace: istio-system
        requestPath: /healthz/ready
        port: 15021
        type: HTTP
        name: edge-fw-policy

    BackendConfig is a Custom Resource Definition (CRD) that defines backend parameters for Ingress load balancing. For a complete list of the backend and frontend parameters that you can configure through GKE Ingress, see Ingress features.

    In this tutorial, the BackendConfig manifest specifies custom health checks for the mesh ingress proxies. Anthos Service Mesh and Istio expose their sidecar proxy health checks on port 15021 at the /healthz/ready path. Custom health check parameters are required because the serving port (443) of mesh ingress proxies is different from their health check port (15021). GKE Ingress uses the following health check parameters in BackendConfig to configure the Google Cloud load balancer health checks. A security policy that helps protect load balancing traffic from different kinds of network attacks is also referenced.

    • healthCheck.port defines the port that receives a health check by the Google Cloud load balancer on each Pod's IP address.
    • healthCheck.requestPath defines the HTTP path that receives a health check on the specified port.
    • type defines the protocol of the health check (in this case, HTTP).
    • refers to the name of a Cloud Armor security policy.
  3. Deploy ingress-backendconfig.yaml in your cluster to create the BackendConfig resource:

    kubectl apply -f ingress-backendconfig.yaml

    The output is similar to the following: created

    The BackendConfig parameters and the istio-ingressgateway Service annotations are not applied to a Google Cloud load balancer until the Ingress resource is deployed. The Ingress deployment ties all of these resources together.

Define security policies

Google Cloud Armor provides DDoS defense and customizable security policies that you can attach to a load balancer through Ingress resources. In the following steps, you create a security policy that uses preconfigured rules to block cross-site scripting (XSS) attacks. This rule helps block traffic that matches known attack signatures but allows all other traffic. Your environment might use different rules depending on what your workload is.

  1. In Cloud Shell, create a security policy that is called edge-fw-policy:

    gcloud compute security-policies create edge-fw-policy \
        --description "Block XSS attacks"
  2. Create a security policy rule that uses the preconfigured XSS filters:

    gcloud compute security-policies rules create 1000 \
        --security-policy edge-fw-policy \
        --expression "evaluatePreconfiguredExpr('xss-stable')" \
        --action "deny-403" \
        --description "XSS attack filtering"

The edge-fw-policy was referenced by ingress-backendconfig in the previous section. When the Ingress resource is deployed, it binds this security policy with the load balancer to help protect any backends of the istio-ingressgateway Service.

Configure IP addressing and DNS

  1. In Cloud Shell, create a global static IP for the Google Cloud load balancer:

    gcloud compute addresses create ingress-ip --global

    This static IP is used by the Ingress resource and allows the IP to remain the same, even if the external load balancer changes.

  2. Get the static IP address:

    export GCLB_IP=$(gcloud compute addresses describe ingress-ip --global --format=json | jq -r '.address')
    echo ${GCLB_IP}

    To create a stable, human-friendly mapping to your Ingress IP, you must have a public DNS record. You can use any DNS provider and automation that you want. This tutorial uses Endpoints instead of creating a managed DNS zone. Endpoints provides a free Google-managed DNS record for a public IP.

  3. Save the following YAML specification to a file named dns-spec.yaml:

    cat <<EOF > dns-spec.yaml
    swagger: "2.0"
      description: "Cloud Endpoints DNS"
      title: "Cloud Endpoints DNS"
      version: "1.0.0"
    paths: {}
    host: "frontend.endpoints.${PROJECT}"
    - name: "frontend.endpoints.${PROJECT}"
      target: "${GCLB_IP}"

    The YAML specification defines the public DNS record in the form of frontend.endpoints.${PROJECT}, where ${PROJECT} is your unique project number.

  4. Deploy the dns-spec.yaml file in your Cloud project:

    gcloud endpoints services deploy dns-spec.yaml

    The output is similar to the following:

    Operation finished successfully. The following command can describe the Operation details:
     gcloud endpoints operations describe operations/
    Service Configuration [2020-04-28r0] uploaded for service []

    Now that the IP and DNS are configured, you can generate a public certificate to secure the Ingress frontend. GKE Ingress supports Google-managed certificates as Kubernetes resources, which lets you provision them through declarative means.

Provision a TLS certificate

  1. In Cloud Shell, save the following YAML manifest as managed-cert.yaml:

    cat <<EOF > managed-cert.yaml
    kind: ManagedCertificate
      name: gke-ingress-cert
      namespace: istio-system
        - "frontend.endpoints.${PROJECT}"

    This YAML file specifies that the DNS name created through Endpoints is used to provision a public certificate. Because Google fully manages the lifecycle of these public certificates, they are automatically generated and rotated on a regular basis without direct user intervention.

  2. Deploy the managed-cert.yaml file in your GKE cluster:

    kubectl apply -f managed-cert.yaml

    The output is similar to the following: created
  3. Inspect the ManagedCertificate resource to check the progress of certificate generation:

    kubectl describe managedcertificate gke-ingress-cert -n istio-system

    The output is similar to the following:

    Name:         gke-ingress-cert
    Namespace:    istio-system
    Labels:       <none>
    API Version:
    Kind:         ManagedCertificate
      Creation Timestamp:  2020-08-05T20:44:49Z
      Generation:          2
      Resource Version:    1389781
      Self Link:           /apis/
      UID:                 d74ec346-ced9-47a8-988a-6e6e9ddc4019
      Certificate Name:    mcrt-306c779e-8439-408a-9634-163664ca6ced
      Certificate Status:  Provisioning
      Domain Status:
        Status:  Provisioning
      Type    Reason  Age   From                            Message
      ----    ------  ----  ----                            -------
      Normal  Create  44s   managed-certificate-controller  Create SslCertificate mcrt-306c779e-8439-408a-9634-163664ca6ced

    When the certificate is ready, the Certificate Status is Active.

Deploy the Ingress resource

  1. In Cloud Shell, save the following Ingress manifest as ingress.yaml:

    cat <<EOF > ingress.yaml
    kind: Ingress
      name: gke-ingress
      namespace: istio-system
      annotations: "false" "ingress-ip" "gke-ingress-cert" "gce"
          name: istio-ingressgateway
            number: 443
      - http:
          - path: /*
            pathType: ImplementationSpecific
                name: istio-ingressgateway
                  number: 443

    This manifest defines an Ingress resource that ties all of the previous resources together. The manifest specifies the following fields:

    • "false" disables HTTP traffic on port 80 of the Google Cloud load balancer. This effectively prevents any clients connecting with unencrypted traffic because port 443 only listens for HTTPS, and port 80 is disabled.
    • "${GCLB_IP}" links the previously created IP address with the load balancer. This link allows the IP address to be created separately from the load balancer so that it can be reused separately from the load balancer lifecycle.
    • "gke-ingress-cert" links this load balancer with the previously created Google-managed SSL Certificate resource.
    • host: frontend.endpoints.${project} specifies the HTTP host header that this load balancer IP is listening for. It uses the DNS name that you use to advertise your application.
  2. Deploy ingress.yaml in your cluster:

    kubectl apply -f ingress.yaml
  3. Inspect the Ingress resource to check the progress of the load balancer deployment:

    kubectl describe ingress gke-ingress -n istio-system

    The output is similar to the following:

    Annotations:       k8s2-fs-fq3ng2uk-istio-system-gke-ingress-qm3qqdor                    mcrt-306c779e-8439-408a-9634-163664ca6ced            gke-ingress-cert  ingress-ip    mcrt-306c779e-8439-408a-9634-163664ca6ced               {"k8s-be-31610--07bdde06b914144a":"HEALTHY","k8s1-07bdde06-istio-system-istio-ingressgateway-443-228c1881":"HEALTHY"}        k8s2-fr-fq3ng2uk-istio-system-gke-ingress-qm3qqdor     k8s2-ts-fq3ng2uk-istio-system-gke-ingress-qm3qqdor           k8s2-tp-fq3ng2uk-istio-system-gke-ingress-qm3qqdor                k8s2-um-fq3ng2uk-istio-system-gke-ingress-qm3qqdor

    The Ingress resource is ready when the annotations indicate that the backends are HEALTHY. The annotations also show the names of different Google Cloud resources that are provisioned, including backend services, SSL certificates, and HTTPS target proxies.

    After your certificate is provisioned and the Ingress is ready, your application is accessible.

  4. Access the following link:

    echo "https://frontend.endpoints.${PROJECT}"

    Your Online Boutique frontend is displayed.

    Products shown on Online Boutique home page.

  5. To display the details of your certificate, click View site information in your browser's address bar, and then click Certificate (Valid).

    The certificate viewer displays details for the managed certificate, including the expiration date and who issued the certificate.

You now have a global HTTPS load balancer serving as a frontend to your service mesh-hosted application.

Clean up

After you've finished the tutorial, you can clean up the resources you created on Google Cloud so you won't be billed for them in the future. You can either delete the project entirely or delete cluster resources and then delete the cluster.

Delete the project

  1. In the Cloud Console, go to the Manage resources page.

    Go to Manage resources

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

Delete the individual resources

If you want to keep the Cloud project you used in this tutorial, delete the individual resources:

  1. Delete the Ingress resource:

    kubectl delete -f ingress.yaml
  2. Delete the managed certificate:

    kubectl delete -f managed-cert.yaml
  3. Delete the Endpoints DNS entry:

    gcloud endpoints services delete "frontend.endpoints.${PROJECT}"

    The output is similar to the following:

    Are you sure? This will set the service configuration to be deleted, along
    with all of the associated consumer information. Note: This does not
    immediately delete the service configuration or data and can be undone using
    the undelete command for 30 days. Only after 30 days will the service be
    purged from the system.
  4. When you are prompted to continue, enter Y.

    The output is similar to the following:

    Waiting for async operation operations/ to complete...
    Operation finished successfully. The following command can describe the Operation details:
     gcloud endpoints operations describe operations/
  5. Delete the static IP address:

    gcloud compute addresses delete ingress-ip --global

    The output is similar to the following:

    The following global addresses will be deleted:
     - [ingress-ip]
  6. When you are prompted to continue, enter Y.

    The output is similar to the following:

  7. Delete the GKE cluster:

    gcloud container clusters delete $CLUSTER_NAME --zone $CLUSTER_LOCATION

What's next