Networking

Provision cross-region internal Application LB with automatic failover, health checks and geo-routing

October 26, 2023

Naveen Mandadhi

Strategic Cloud Engineer

Adam Cole

Strategic Cloud Engineer

Google Cloud offers a variety of load balancing solutions which simplify the management of networking infrastructure and support different types of backend services. Now available, the cross-region internal Application Load Balancer expands this coverage by providing integrations to load balance, geo-route, and automatically failover to backends in multiple regions. In this walkthrough we’ll focus on workloads in Google Kubernetes Engine (GKE). This enables the following capabilities:

Global load balancing: Support for backends in multiple regions
Improved performance, reliability and high availability: Distributing traffic across multiple regions, and automatic failover to services in other regions
Geo routing: Cloud DNS policy manager to route traffic to nearest healthy backends
Managed certificates support: Google-managed/Self-managed certificates

https://storage.googleapis.com/gweb-cloudblog-publish/images/1-cross_region_internal_ALB.max-1400x1400.jpg

Initial project setup and enable required APIs

VPC network setup

Components: VPC network with 2 subnets in us-central1 and us-east1, for two GKE clusters

Create GKE clusters

gcloud iam service-accounts create gke-ap-sa
export GSA_EMAIL=gke-ap-sa@${PROJECT_ID}.iam.gserviceaccount.com

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member serviceAccount:${GSA_EMAIL} \
  --role roles/container.admin

gcloud container clusters create-auto "mc1" --region "us-central1" --enable-private-nodes --enable-private-endpoint --master-ipv4-cidr "6.0.128.0/28" --enable-master-authorized-networks --enable-master-global-access --enable-master-global-access
--master-authorized-networks 192.168.0.0/16 --network "projects/${PROJECT_ID}/global/networks/mc-net" --subnetwork "projects/${PROJECT_ID}/regions/us-central1/subnetworks/snet1" --cluster-secondary-range-name "snet1-range1" --services-secondary-range-name "snet1-range2" --service-account gke-ap-sa@${PROJECT_ID}.iam.gserviceaccount.com --scopes=cloud-platform --async

gcloud container clusters create-auto "mc2" --region "us-east1" --enable-private-nodes --enable-private-endpoint --master-ipv4-cidr "6.0.128.16/28" --enable-master-authorized-networks --enable-master-global-access --master-authorized-networks 192.168.0.0/16 --network "projects/${PROJECT_ID}/global/networks/mc-net" --subnetwork "projects/${PROJECT_ID}/regions/us-east1/subnetworks/snet2" --cluster-secondary-range-name "snet2-range1" --services-secondary-range-name "snet2-range2" --service-account gke-ap-sa@${PROJECT_ID}.iam.gserviceaccount.com --scopes=cloud-platform --async

Create a Bastion host, install tools and get cluster credentials

Deploy sample GKE backends:

Configuring the Load Balancer

Create Proxy-only subnets

Create firewall rules to allow TCP application traffic and health checks to the backends

Create the resources to set up the Load Balancer, components shown in the architecture diagram above

gcloud compute health-checks create http gil7-basic-check \
   --use-serving-port \
   --global

gcloud compute backend-services create whereami \
  --load-balancing-scheme=INTERNAL_MANAGED \
  --protocol=HTTP \
  --enable-logging \
  --logging-sample-rate=1.0 \
  --health-checks=gil7-basic-check \
  --global-health-checks \
  --global

for zone in $(gcloud container clusters describe mc1 --region us-central1 --format json | jq -r .locations[]); do gcloud compute backend-services add-backend whereami   --global   --balancing-mode=RATE   --max-rate-per-endpoint=1000 --network-endpoint-group=whereami   --network-endpoint-group-zone=${zone}; done

for zone in $(gcloud container clusters describe mc2 --region us-east1 --format json | jq -r .locations[]); do gcloud compute backend-services add-backend whereami   --global   --balancing-mode=RATE   --max-rate-per-endpoint=1000 --network-endpoint-group=whereami   --network-endpoint-group-zone=${zone}; done

gcloud compute url-maps create gil7-lb \
  --default-service=whereami \
  --global

gcloud compute target-http-proxies create gil7-http-proxy \
  --url-map=gil7-lb \
  --global

gcloud compute addresses create ip-central --region=us-central1 --subnet=snet1 --purpose=GCE_ENDPOINT

gcloud compute addresses create ip-east --region=us-east1 --subnet=snet2 --purpose=GCE_ENDPOINT

export IP_CENTRAL=$(gcloud compute addresses describe ip-central --region us-central1 --format json | jq -r .address)

export IP_EAST=$(gcloud compute addresses describe ip-east --region us-east1 --format json | jq -r .address)

gcloud compute forwarding-rules create gil7-fw-rule-central   --load-balancing-scheme=INTERNAL_MANAGED   --network=mc-net   --subnet=snet1   --subnet-region=us-central1   --address=${IP_CENTRAL}  --ports=80   --target-http-proxy=gil7-http-proxy   --global

gcloud compute forwarding-rules create gil7-fw-rule-east   --load-balancing-scheme=INTERNAL_MANAGED   --network=mc-net   --subnet=snet2   --subnet-region=us-east1   --address=${IP_EAST}  --ports=80   --target-http-proxy=gil7-http-proxy   --global

Create DNS zone with geo-routing

Test the Load Balancer and geo-routing

Querying the load balancer from a VM in each region shows that Cloud DNS routes the requests to the closest backends.

Test automatic failover

To test, scale down the deployment in one region. Running the same command as above, we can see that the requests failover to us-central1 now, since there are no healthy endpoints in us-east1 anymore.