Deploy Windows applications on managed Kubernetes

Last reviewed 2024-08-14 UTC

This document describes how you deploy the reference architecture in Manage and scale networking for Windows applications that run on managed Kubernetes.

These instructions are intended for cloud architects, network administrators, and IT professionals who are responsible for the design and management of Windows applications that run on Google Kubernetes Engine (GKE) clusters.

The following diagram shows the reference architecture that you use when you deploy Windows applications that run on managed GKE clusters.

Data flows through an internal Application Load Balancer and an Envoy gateway.

As shown in the preceding diagram, an arrow represents the workflow for managing networking for Windows applications that run on GKE using Cloud Service Mesh and Envoy gateways. The regional GKE cluster includes both Windows and Linux node pools. Cloud Service Mesh creates and manages traffic routes to the Windows Pods.


  • Create and set up a GKE cluster to run Windows applications and Envoy proxies.
  • Deploy and verify the Windows applications.
  • Configure Cloud Service Mesh as the control plane for the Envoy gateways.
  • Use the Kubernetes Gateway API to provision the internal Application Load Balancer and expose the Envoy gateways.
  • Understand the continual deployment operations you created.


Deployment of this architecture uses the following billable components of Google Cloud:

When you finish this deployment, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.

Before you begin

  1. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  2. Make sure that billing is enabled for your Google Cloud project.

  3. Enable the Cloud Shell, and Cloud Service Mesh APIs.

    Enable the APIs

  4. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

If running in a shared Virtual Private Cloud (VPC) environment, you also need to follow the instructions to manually create the proxy-only subnet and firewall rule for the Cloud Load Balancing responsiveness checks.

Create a GKE cluster

Use the following steps to create a GKE cluster. You use the GKE cluster to contain and run the Windows applications and Envoy proxies in this deployment.

  1. In Cloud Shell, run the following Google Cloud CLI command to create a regional GKE cluster with one node in each of the three regions:

    gcloud container clusters create my-cluster
        --enable-ip-alias \
        --num-nodes=1 \
        --release-channel stable \
        --enable-dataplane-v2 \
        --region us-central1 \
        --scopes=cloud-platform \
  2. Add the Windows node pool to the GKE cluster:

    gcloud container node-pools create win-pool \
        --cluster=my-cluster \
        --image-type=windows_ltsc_containerd \
        --no-enable-autoupgrade \
        --region=us-central1 \
        --num-nodes=1 \
        --machine-type=n1-standard-2 \

    This operation might take around 20 minutes to complete.

  3. Store your Google Cloud project ID in an environment variable:

    export PROJECT_ID=$(gcloud config get project)
  4. Connect to the GKE cluster:

    gcloud container clusters get-credentials my-cluster --region us-central1
  5. List all the nodes in the GKE cluster:

    kubectl get nodes

    The output should display three Linux nodes and three Windows nodes.

    After the GKE cluster is ready, you can deploy two Windows-based test applications.

Deploy two test applications

In this section, you deploy two Windows-based test applications. Both test applications print the hostname that the application runs on. You also create a Kubernetes Service to expose the application through standalone network endpoint groups (NEGs).

When you deploy a Windows-based application and a Kubernetes Service on a regional cluster, it creates a NEG for each zone in which the application runs. Later, this deployment guide discusses how you can configure these NEGs as backends for Cloud Service Mesh services.

  1. In Cloud Shell, apply the following YAML file with kubectl to deploy the first test application. This command deploys three instances of the test application, one in each regional zone.

    apiVersion: apps/v1
    kind: Deployment
        app: win-webserver-1
      name: win-webserver-1
      replicas: 3
          app: win-webserver-1
            app: win-webserver-1
          name: win-webserver-1
          - name: windowswebserver
            command: ["/agnhost"]
            args: ["netexec", "--http-port", "80"]
          - maxSkew: 1
            whenUnsatisfiable: DoNotSchedule
                app: win-webserver-1
  2. Apply the matching Kubernetes Service and expose it with a NEG:

    apiVersion: v1
    kind: Service
      name: win-webserver-1
      annotations: '{"exposed_ports": {"80":{"name": "win-webserver-1"}}}'
      type: ClusterIP
        app: win-webserver-1
      - name: http
        protocol: TCP
        port: 80
        targetPort: 80
  3. Verify the deployment:

    kubectl get pods

    The output shows that the application has three running Windows Pods.

    NAME                               READY   STATUS    RESTARTS   AGE
    win-webserver-1-7bb4c57f6d-hnpgd   1/1     Running   0          5m58s
    win-webserver-1-7bb4c57f6d-rgqsb   1/1     Running   0          5m58s
    win-webserver-1-7bb4c57f6d-xp7ww   1/1     Running   0          5m58s
  4. Verify that the Kubernetes Service was created:

    $ kubectl get svc

    The output resembles the following:

    NAME              TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
    kubernetes        ClusterIP            443/TCP   58m
    win-webserver-1   ClusterIP           80/TCP    3m35s
  5. Run the describe command for kubectl to verify that corresponding NEGs were created for the Kubernetes Service in each of the zones in which the application runs:

    $ kubectl describe service win-webserver-1

    The output resembles the following:

    Name:              win-webserver-1
    Namespace:         default
    Annotations: {"exposed_ports": {"80":{"name": "win-webserver-1"}}}
    Selector:          app=win-webserver-1
    Type:              ClusterIP
    IP Family Policy:  SingleStack
    IP Families:       IPv4
    Port:              http  80/TCP
    TargetPort:        80/TCP
    Session Affinity:  None
      Type    Reason  Age    From            Message
      ----    ------  ----   ----            -------
      Normal  Create  4m25s  neg-controller  Created NEG "win-webserver-1" for default/win-webserver-1-win-webserver-1-http/80-80-GCE_VM_IP_PORT-L7 in "us-central1-a".
      Normal  Create  4m18s  neg-controller  Created NEG "win-webserver-1" for default/win-webserver-1-win-webserver-1-http/80-80-GCE_VM_IP_PORT-L7 in "us-central1-b".
      Normal  Create  4m11s  neg-controller  Created NEG "win-webserver-1" for default/win-webserver-1-win-webserver-1-http/80-80-GCE_VM_IP_PORT-L7 in "us-central1-c".
      Normal  Attach  4m9s   neg-controller  Attach 1 network endpoint(s) (NEG "win-webserver-1" in zone "us-central1-a")
      Normal  Attach  4m8s   neg-controller  Attach 1 network endpoint(s) (NEG "win-webserver-1" in zone "us-central1-c")
      Normal  Attach  4m8s   neg-controller  Attach 1 network endpoint(s) (NEG "win-webserver-1" in zone "us-central1-b")

    The output from the preceding command shows you that a NEG was created for each zone.

  6. Optional: Use gcloud CLI to verify that the NEGs were created:

    gcloud compute network-endpoint-groups list

    The output is as follows:

    NAME                                                        LOCATION            ENDPOINT_TYPE     SIZE
    win-webserver-1                                us-central1-a  GCE_VM_IP_PORT  1
    win-webserver-1                                us-central1-b  GCE_VM_IP_PORT  1
    win-webserver-1                                us-central1-c  GCE_VM_IP_PORT  1
  7. To deploy the second test application, apply the following YAML file:

    apiVersion: apps/v1
    kind: Deployment
        app: win-webserver-2
      name: win-webserver-2
      replicas: 3
          app: win-webserver-2
            app: win-webserver-2
          name: win-webserver-2
          - name: windowswebserver
            command: ["/agnhost"]
            args: ["netexec", "--http-port", "80"]
          - maxSkew: 1
            whenUnsatisfiable: DoNotSchedule
                app: win-webserver-2
  8. Create the corresponding Kubernetes Service:

    apiVersion: v1
    kind: Service
      name: win-webserver-2
      annotations: '{"exposed_ports": {"80":{"name": "win-webserver-2"}}}'
      type: ClusterIP
        app: win-webserver-2
      - name: http
        protocol: TCP
        port: 80
        targetPort: 80
  9. Verify the application deployment:

    kubectl get pods

    Check the output and verify that there are three running Pods.

  10. Verify that the Kubernetes Service and three NEGs were created:

    kubectl describe service win-webserver-2

Configure Cloud Service Mesh

In this section, Cloud Service Mesh is configured as the control plane for the Envoy gateways.

You map the Envoy gateways to the relevant Cloud Service Mesh routing configuration by specifying the scope_name parameter. The scope_name parameter lets you configure different routing rules for the different Envoy gateways.

  1. In Cloud Shell, create a firewall rule that allows incoming traffic from the Google services that are checking application responsiveness:

    gcloud compute firewall-rules create allow-health-checks \
      --network=default \
      --direction=INGRESS \
      --action=ALLOW \
      --rules=tcp \
  2. Check the responsiveness of the first application:

    gcloud compute health-checks create http win-app-1-health-check \
      --enable-logging \
      --request-path="/healthz" \
  3. Check the responsiveness of the second application:

    gcloud compute health-checks create http win-app-2-health-check \
      --enable-logging \
      --request-path="/healthz" \
  4. Create a Cloud Service Mesh backend service for the first application:

    gcloud compute backend-services create win-app-1-service \
     --global \
     --load-balancing-scheme=INTERNAL_SELF_MANAGED \
     --port-name=http \
     --health-checks win-app-1-health-check
  5. Create a Cloud Service Mesh backend service for the second application:

    gcloud compute backend-services create win-app-2-service \
     --global \
     --load-balancing-scheme=INTERNAL_SELF_MANAGED \
     --port-name=http \
     --health-checks win-app-2-health-check
  6. Add the NEGs you created previously. These NEGs are associated with the first application you created as a backend to the Cloud Service Mesh backend service. This code sample adds one NEG for each zone in the regional cluster you created.

    gcloud compute backend-services add-backend $BACKEND_SERVICE \
      --global \
      --network-endpoint-group $APP1_NEG_NAME \
      --network-endpoint-group-zone us-central1-b \
      --balancing-mode RATE \
      --max-rate-per-endpoint $MAX_RATE_PER_ENDPOINT
    gcloud compute backend-services add-backend $BACKEND_SERVICE \
      --global \
      --network-endpoint-group $APP1_NEG_NAME \
      --network-endpoint-group-zone us-central1-a \
      --balancing-mode RATE \
      --max-rate-per-endpoint $MAX_RATE_PER_ENDPOINT
    gcloud compute backend-services add-backend $BACKEND_SERVICE \
      --global \
      --network-endpoint-group $APP1_NEG_NAME \
      --network-endpoint-group-zone us-central1-c \
      --balancing-mode RATE \
      --max-rate-per-endpoint $MAX_RATE_PER_ENDPOINT
  7. Add additional NEGs. These NEGs are associated with the second application you created as a backend to the Cloud Service Mesh backend service. This code sample adds one NEG for each zone in the regional cluster you created.

    gcloud compute backend-services add-backend $BACKEND_SERVICE \
      --global \
      --network-endpoint-group $APP2_NEG_NAME \
      --network-endpoint-group-zone us-central1-b \
      --balancing-mode RATE \
      --max-rate-per-endpoint $MAX_RATE_PER_ENDPOINT
    gcloud compute backend-services add-backend $BACKEND_SERVICE \
      --global \
      --network-endpoint-group $APP2_NEG_NAME \
      --network-endpoint-group-zone us-central1-a \
      --balancing-mode RATE \
      --max-rate-per-endpoint $MAX_RATE_PER_ENDPOINT
    gcloud compute backend-services add-backend $BACKEND_SERVICE \
      --global \
      --network-endpoint-group $APP2_NEG_NAME \
      --network-endpoint-group-zone us-central1-c \
      --balancing-mode RATE \
      --max-rate-per-endpoint $MAX_RATE_PER_ENDPOINT

Configure additional Cloud Service Mesh resources

Now that you've configured the Cloud Service Mesh services, you need to configure two additional resources to complete your Cloud Service Mesh setup.

First, these steps show how to configure a Gateway resource. A Gateway resource is a virtual resource that's used to generate Cloud Service Mesh routing rules. Cloud Service Mesh routing rules are used to configure Envoy proxies as gateways.

Next, the steps show how to configure an HTTPRoute resource for each of the backend services. The HTTPRoute resource maps HTTP requests to the relevant backend service.

  1. In Cloud Shell, create a YAML file called gateway.yaml that defines the Gateway resource:

    cat <<EOF> gateway.yaml
    name: gateway80
    scope: gateway-proxy
    - 8080
    type: OPEN_MESH
  2. Create the Gateway resource by invoking the gateway.yaml file:

    gcloud network-services gateways import gateway80 \
      --source=gateway.yaml \

    The Gateway name will be projects/$PROJECT_ID/locations/global/gateways/gateway80.

    You use this Gateway name when you create HTTPRoutes for each backend service.

Create the HTTPRoutes for each backend service:

  1. In Cloud Shell, store your Google Cloud project ID in an environment variable:

    export PROJECT_ID=$(gcloud config get project)
  2. Create the HTTPRoute YAML file for the first application:

    cat <<EOF> win-app-1-route.yaml
    name: win-app-1-http-route
    - win-app-1
    - projects/$PROJECT_ID/locations/global/gateways/gateway80
    - action:
       - serviceName: "projects/$PROJECT_ID/locations/global/backendServices/win-app-1-service"
  3. Create the HTTPRoute resource for the first application:

    gcloud network-services http-routes import win-app-1-http-route \
      --source=win-app-1-route.yaml \
  4. Create the HTTPRoute YAML file for the second application:

    cat <<EOF> win-app-2-route.yaml
    name: win-app-2-http-route
    - win-app-2
    - projects/$PROJECT_ID/locations/global/gateways/gateway80
    - action:
     - serviceName: "projects/$PROJECT_ID/locations/global/backendServices/win-app-2-service"
  5. Create the HTTPRoute resource for the second application:

    gcloud network-services http-routes import win-app-2-http-route \
      --source=win-app-2-route.yaml \

Deploy and expose the Envoy gateways

After you create the two Windows-based test applications and the Cloud Service Mesh, you deploy the Envoy gateways by creating a deployment YAML file. The deployment YAML file accomplishes the following tasks:

  • Bootstraps the Envoy gateways.
  • Configures the Envoy gateways to use Cloud Service Mesh as its control plane.
  • Configures the Envoy gateways to use HTTPRoutes for the gateway named Gateway80.

Deploy two replica Envoy gateways. This approach helps to make the gateways fault tolerant and provides redundancy. To automatically scale the Envoy gateways based on load, you can optionally configure a Horizontal Pod Autoscaler. If you decide to configure a Horizontal Pod Autoscaler, you must follow the instructions in Configuring horizontal Pod autoscaling.

  1. In Cloud Shell, create a YAML file:

    apiVersion: apps/v1
    kind: Deployment
      creationTimestamp: null
        app: td-envoy-gateway
      name: td-envoy-gateway
      replicas: 2
          app: td-envoy-gateway
          creationTimestamp: null
            app: td-envoy-gateway
          - name: envoy
            image: envoyproxy/envoy:v1.21.6
            imagePullPolicy: Always
                cpu: "2"
                memory: 1Gi
                cpu: 100m
                memory: 128Mi
            - name: ENVOY_UID
              value: "1337"
              - mountPath: /etc/envoy
                name: envoy-bootstrap
          - name: td-bootstrap-writer
            imagePullPolicy: Always
              - --project_number='my_project_number'
              - --scope_name='gateway-proxy'
              - --envoy_port=8080
              - --bootstrap_file_output_path=/var/lib/data/envoy.yaml
              - --expose_stats_port=15005
              - mountPath: /var/lib/data
                name: envoy-bootstrap
            - name: envoy-bootstrap
              emptyDir: {}
    • Replace my_project_number with your project number.

      • You can find your project number by running the following command:
      gcloud projects describe $(gcloud config get project)

    Port 15005 is used to expose the Envoy Admin endpoint named /stats. It's also used for the following purposes:

    • As a responsiveness endpoint from the internal Application Load Balancer.
    • As a way to consume Google Cloud Managed Service for Prometheus metrics from Envoy.

    When the two Envoy Gateway Pods are running, create a service of type ClusterIP to expose them. You must also create a YAML file called BackendConfig. BackendConfig defines a non-standard responsiveness check. That check is used to verify the responsiveness of the Envoy gateways.

  2. To create the backend configuration with a non-standard responsiveness check, create a YAML file called envoy-backendconfig:

    kind: BackendConfig
      name: envoy-backendconfig
        checkIntervalSec: 5
        timeoutSec: 5
        healthyThreshold: 2
        unhealthyThreshold: 3
        type: HTTP
        requestPath: /stats
        port: 15005

    The responsiveness check will use the /stats endpoint on port 15005 to continuously check the responsiveness of the Envoy gateways.

  3. Create the Envoy gateways service:

    apiVersion: v1
    kind: Service
      name: td-envoy-gateway
      annotations: '{"default": "envoy-backendconfig"}'
      type: ClusterIP
        app: td-envoy-gateway
      - name: http
        protocol: TCP
        port: 8080
        targetPort: 8080
      - name: stats
        protocol: TCP
        port: 15005
        targetPort: 15005
  4. View the Envoy gateways service you created:

    kubectl get svc td-envoy-gateway

Create the Kubernetes Gateway resource

Creating the Kubernetes Gateway resource provisions the internal Application Load Balancer to expose the Envoy gateways.

Before creating that resource, you must create two sample self-signed certificates and then import them into the GKE cluster as Kubernetes Secrets. The certificates enable the following gateway architecture:

  • Each application is served over HTTPS.
  • Each application uses a dedicated certificate.

When using self-managed certificates, the internal Application Load Balancer can use up to the maximum limit of certificates to expose applications with different fully qualified domain names.

To create the certificates use openssl.

  1. In Cloud Shell, generate a configuration file for the first certificate:

    cat <<EOF >CONFIG_FILE
    default_bits              = 2048
    req_extensions            = extension_requirements
    distinguished_name        = dn_requirements
    prompt                    = no
    basicConstraints          = CA:FALSE
    keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName            = @sans_list
    0.organizationName        = example
    commonName                =
    DNS.1                     =
  2. Generate a private key for the first certificate:

    openssl genrsa -out sample_private_key 2048
  3. Generate a certificate request:

    openssl req -new -key sample_private_key -out CSR_FILE -config CONFIG_FILE
  4. Sign and generate the first certificate:

    openssl x509 -req -signkey sample_private_key -in CSR_FILE -out sample.crt     -extfile CONFIG_FILE -extensions extension_requirements -days 90
  5. Generate a configuration file for the second certificate:

    cat <<EOF >CONFIG_FILE2
    default_bits              = 2048
    req_extensions            = extension_requirements
    distinguished_name        = dn_requirements
    prompt                    = no
    basicConstraints          = CA:FALSE
    keyUsage                  = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName            = @sans_list
    0.organizationName        = example
    commonName                =
    DNS.1                     =
  6. Generate a private key for the second certificate:

    openssl genrsa -out sample_private_key2 2048
  7. Generate a certificate request:

    openssl req -new -key sample_private_key2 -out CSR_FILE2 -config CONFIG_FILE2
  8. Sign and generate the second certificate:

    openssl x509 -req -signkey sample_private_key2 -in CSR_FILE2 -out sample2.crt     -extfile CONFIG_FILE2 -extensions extension_requirements -days 90

Import certificates as Kubernetes Secrets

In this section, you accomplish the following tasks:

  • Import the self-signed certificates into the GKE cluster as Kubernetes Secrets.
  • Create a static IP address for an internal VPC.
  • Create the Kubernetes Gateway API resource.
  • Verify that the certificates work.
  1. In Cloud Shell, import the first certificate as a Kubernetes Secret:

    kubectl create secret tls sample-cert --cert sample.crt --key sample_private_key
  2. Import the second certificate as a Kubernetes Secret:

    kubectl create secret tls sample-cert-2 --cert sample2.crt --key sample_private_key2
  3. To enable internal Application Load Balancer, create a static IP address on the internal VPC:

    gcloud compute addresses create sample-ingress-ip --region us-central1 --subnet default
  4. Create the Kubernetes Gateway API resource YAML file:

    kind: Gateway
      name: internal-https
      gatewayClassName: gke-l7-rilb
        - type: NamedAddress
          value: sample-ingress-ip
      - name: https
        protocol: HTTPS
        port: 443
          mode: Terminate
          - name: sample-cert
          - name: sample-cert-2

    By default, a Kubernetes Gateway has no default routes. The gateway returns a page not found (404) error when requests are sent to it.

  5. Configure a default route YAML file for the Kubernetes Gateway that passes all incoming requests to the Envoy gateways:

      kind: HTTPRoute
        name: envoy-default-backend
        - kind: Gateway
          name: internal-https
        - backendRefs:
          - name: td-envoy-gateway
            port: 8080

    Verify the full flow by sending HTTP requests to both applications. To verify that the Envoy gateways route traffic to the correct application Pods, inspect the HTTP Host header.

  6. Find and store the Kubernetes Gateway IP address in an environment variable:

    export EXTERNAL_IP=$(kubectl get gateway internal-https -o json | jq .status.addresses[0].value -r)
  7. Send a request to the first application:

    curl --insecure -H "Host: win-app-1" https://$EXTERNAL_IP/hostName
  8. Send a request to the second application:

    curl --insecure -H "Host: win-app-2" https://$EXTERNAL_IP/hostName
  9. Verify that the hostname returned from the request matches the Pods running win-app-1 and win-app-2:

    kubectl get pods

    The output should display win-app-1 and win-app-2.

Monitor Envoy gateways

Monitor your Envoy gateways with Google Cloud Managed Service for Prometheus.

Google Cloud Managed Service for Prometheus should be enabled by default on the cluster that you created earlier.

  1. In Cloud Shell, create a PodMonitoring resource by applying the following YAML file:

    kind: PodMonitoring
      name: prom-envoy
          app: td-envoy-gateway
      - port: 15005
        interval: 30s
        path: /stats/prometheus

    After applying the YAML file, the system begins to collect Google Cloud Managed Service for Prometheus metrics in a dashboard.

  2. To create the Google Cloud Managed Service for Prometheus metrics dashboard, follow these instructions:

    1. Sign in to the Google Cloud console.
    2. Open the menu.
    3. Click Operations > Monitoring > Dashboards.
  3. To import the dashboard, follow these instructions:

    1. On the Dashboards screen, click Sample Library.
    2. Enter envoy in the filter box.
    3. Click Istio Envoy Prometheus Overview.
    4. Select the checkbox.
    5. Click Import and then click Confirm to import the dashboard.
  4. To view the dashboard, follow these instructions:

    1. Click Dashboard List.
    2. Select Integrations.
    3. Click Istio Envoy Prometheus Overview to view the dashboard.

You can now see the most important metrics of your Envoy gateways. You can also configure alerts based on your criteria. Before you clean up, send a few more test requests to the applications and see how the dashboard updates with the latest metrics.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this deployment, either delete the project that contains the resources, or keep the project and delete the individual resources.

Delete the project

  1. In the Google Cloud console, go to the Manage resources page.

    Go to Manage resources

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next


Author: Eitan Eibschutz | Staff Technical Solutions Consultant

Other contributors: