External load balancers (ELB) expose services outside the project using IP addresses from a pool assigned to the project out of the larger instance-external IP pool.
ELB Virtual IP (VIP) addresses don't conflict between organizations and are unique across all organizations. For this reason, use ELB services only for services that clients outside the project must be able to reach.
Workloads running inside the project can access ELB services as long as you allow the workloads to send traffic out of the project. This traffic pattern effectively sends traffic out of the project before it returns to the internal service.
Before you begin
To configure ELB services, you must have the following:
- Own the project you are configuring the load balancer for. For more information, see Create a project.
- A customized ProjectNetworkPolicy (PNP) ingress policy to allow traffic to this ELB service. For more information, see Configure PNP to allow traffic to ELB.
- The necessary identity and access roles:
  - Project NetworkPolicy Admin: has access to manage project network policies in the project namespace. Ask your Organization IAM Admin to grant you the Project NetworkPolicy Admin (project-networkpolicy-admin) role.
  - Load Balancer Admin: Ask your Organization IAM Admin to grant you the Load Balancer Admin (load-balancer-admin) role.
Configure PNP to allow traffic to ELB
For ELB services to function, you must configure and apply your own customized ProjectNetworkPolicy
ingress policy to allow traffic to this ELB service. Specify the external CIDR address to allow traffic to this ELB:
```shell
kubectl --kubeconfig MANAGEMENT_API_SERVER apply -f - <<EOF
apiVersion: networking.gdc.goog/v1
kind: ProjectNetworkPolicy
metadata:
  namespace: PROJECT
  name: allow-inbound-traffic-from-external
spec:
  policyType: Ingress
  subject:
    subjectType: UserWorkload
  ingress:
  - from:
    - ipBlock:
        cidr: CIDR
    ports:
    - protocol: TCP
      port: PORT
EOF
```
Replace the following:
- MANAGEMENT_API_SERVER: the kubeconfig path of the Management API server. If you have not yet generated a kubeconfig file for the API server in your targeted zone, see Sign in for details.
- PROJECT: the name of your GDC project.
- CIDR: the external CIDR that the ELB needs to be accessed from. This policy is required because the external load balancer uses Direct Server Return (DSR), which preserves the source external IP address and bypasses the load balancer on the return path.
- PORT: the backend port on the pods behind the load balancer. This value is found in the .spec.ports[].targetPort field of the manifest for the Service resource.
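The two values that are easy to get wrong in this policy are the port (it must be the pod's targetPort, not the Service port) and the CIDR (a /0 would admit every source). The following is an added example, not code from the GDC documentation: it derives the PNP from a Service manifest already loaded as a Python dict (the Service shown is constructed for the example) and refuses malformed or unscoped CIDRs.

```python
import ipaddress

# Constructed sample Service (not from the page); targetPort deliberately differs from port.
SAMPLE_SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "web", "namespace": "my-project"},
    "spec": {"type": "LoadBalancer", "ports": [
        {"protocol": "TCP", "port": 80, "targetPort": 8080},
        {"protocol": "TCP", "port": 9100, "targetPort": 9100},
    ]},
}

def cidr_is_scoped(cidr):
    """True only for a well-formed network narrower than 0.0.0.0/0 or ::/0."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    except ValueError:
        return False
    return net.prefixlen > 0

def backend_ports(service):
    """(protocol, targetPort) pairs: the PNP must list the pod port, not the Service port."""
    pairs = []
    for p in service["spec"]["ports"]:
        target = p.get("targetPort", p["port"])  # Kubernetes defaults targetPort to port
        if not isinstance(target, int):
            raise ValueError(f"named targetPort {target!r}: resolve it against the pod spec first")
        pairs.append((p.get("protocol", "TCP"), target))
    return pairs

def build_pnp(service, cidr, name="allow-inbound-traffic-from-external"):
    """Build the ingress PNP as a dict in the same namespace as the Service."""
    if not cidr_is_scoped(cidr):
        raise ValueError(f"CIDR {cidr!r} is malformed or would expose the ELB to all sources")
    return {
        "apiVersion": "networking.gdc.goog/v1", "kind": "ProjectNetworkPolicy",
        "metadata": {"namespace": service["metadata"]["namespace"], "name": name},
        "spec": {
            "policyType": "Ingress",
            "subject": {"subjectType": "UserWorkload"},
            "ingress": [{
                "from": [{"ipBlock": {"cidr": cidr}}],
                "ports": [{"protocol": pr, "port": po} for pr, po in backend_ports(service)],
            }],
        },
    }
```

Serialising the returned dict with json.dumps gives a manifest that kubectl apply -f - accepts, since kubectl reads JSON as well as YAML.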
Create an external load balancer
Create ELBs using three different methods in GDC:
- Use the gdcloud CLI to create ELBs.
- Use the Networking Kubernetes Resource Model (KRM) API to create ELBs.
- Use the Kubernetes Service directly in the Kubernetes cluster.
You can target pod or VM workloads using the KRM API and the gdcloud CLI. When you use the Kubernetes Service directly in the Kubernetes cluster, you can only target workloads in the cluster where the Service object is created.