Tetap teratur dengan koleksi
Simpan dan kategorikan konten berdasarkan preferensi Anda.
Load balancer eksternal (ELB) mengekspos layanan di luar project dari alamat IP kumpulan yang ditetapkan ke project dari kumpulan IP eksternal instance yang lebih besar.
Alamat IP Virtual (VIP) ELB tidak berkonflik antar-organisasi dan bersifat unik di semua organisasi. Oleh karena itu, Anda hanya boleh menggunakan layanan ELB untuk layanan yang harus diakses oleh klien di luar project.
Workload yang berjalan di dalam project dapat mengakses layanan ELB selama Anda
mengizinkan workload keluar dari project. Pola traffic ini secara efektif
memerlukan traffic keluar dari project sebelum kembali ke layanan
internal.
Sebelum memulai
Untuk mengonfigurasi layanan ELB, Anda harus memiliki hal berikut:
Memiliki project yang Anda konfigurasi load balancernya. Untuk mengetahui informasi selengkapnya, lihat Membuat project.
Kebijakan masuk ProjectNetworkPolicy (PNP) yang disesuaikan untuk mengizinkan traffic ke layanan ELB ini. Untuk mengetahui informasi selengkapnya, lihat Mengonfigurasi PNP untuk mengizinkan traffic ke ELB.
Peran akses dan identitas yang diperlukan:
Admin NetworkPolicy Project: memiliki akses untuk mengelola kebijakan jaringan project di namespace project. Minta Admin IAM Organisasi Anda untuk memberi Anda peran Admin NetworkPolicy Project (project-networkpolicy-admin).
Admin Load Balancer: Minta Admin IAM Organisasi Anda untuk memberi Anda peran Admin Load Balancer (load-balancer-admin).
Mengonfigurasi PNP untuk mengizinkan traffic ke ELB
Agar layanan ELB berfungsi, Anda harus mengonfigurasi dan menerapkan kebijakan ingress ProjectNetworkPolicykustom Anda sendiri untuk mengizinkan traffic ke layanan ELB ini. Tentukan alamat CIDR eksternal untuk mengizinkan traffic ke ELB ini:
MANAGEMENT_API_SERVER: jalur kubeconfig
server Management API. Jika Anda belum membuat file kubeconfig untuk server API di zona target, lihat Login untuk mengetahui detailnya.
PROJECT: nama project GDC Anda.
CIDR: CIDR eksternal yang diperlukan ELB untuk diakses. Kebijakan ini diperlukan karena load balancer eksternal menggunakan
Direct Server Return (DSR), yang mempertahankan alamat IP eksternal sumber
dan melewati load balancer di jalur kembali.
PORT: port backend pada pod di belakang load balancer. Nilai ini ditemukan di kolom .spec.ports[].targetPort
dari manifes untuk resource Service.
Anda dapat menargetkan workload pod atau VM menggunakan KRM API dan gdcloud CLI. Anda hanya dapat menargetkan workload di cluster tempat objek Service dibuat saat menggunakan Layanan Kubernetes secara langsung di cluster Kubernetes.
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-09-04 UTC."],[],[],null,["# Configure external load balancers\n\nExternal load balancers (ELB) expose services outside the project from a\npool's IP addresses assigned to the project from the larger\ninstance-external IP pool.\n\nELB Virtual IP (VIP) addresses don't conflict between organizations and are\nunique across all organizations. For this reason, you must use ELB services only\nfor services that clients outside the project necessarily have to access.\n\nWorkloads running inside the project can access ELB services as long as you\nenable the workloads to exit the project. This traffic pattern effectively\nrequires outbound traffic from the project before returning to the internal\nservice.\n\nBefore you begin\n----------------\n\nTo configure ELB services, you must have the following:\n\n- Own the project you are configuring the load balancer for. For more information, see [Create a project](/distributed-cloud/hosted/docs/latest/appliance/platform/pa-user/create-a-project).\n- A customized `ProjectNetworkPolicy` (PNP) ingress policy to allow traffic to this ELB service. For more information, see [Configure PNP to allow traffic to ELB](#configure-pnp-elb).\n- The necessary identity and access roles:\n\n - Project NetworkPolicy Admin: has access to manage project network policies in the project namespace Ask your Organization IAM Admin to grant you the Project NetworkPolicy Admin (`project-networkpolicy-admin`) role.\n - Load Balancer Admin: Ask your Organization IAM Admin to grant you the Load Balancer Admin (`load-balancer-admin`) role.\n\nConfigure PNP to allow traffic to ELB\n-------------------------------------\n\nFor ELB services to function, you must configure and apply your own customized `ProjectNetworkPolicy` ingress policy to allow traffic to this ELB service. Specify the external CIDR address to allow traffic to this ELB: \n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e apply -f - \u003c\u003cEOF\n apiVersion: networking.gdc.goog/v1\n kind: ProjectNetworkPolicy\n metadata:\n namespace: \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e\n name: allow-inbound-traffic-from-external\n spec:\n policyType: Ingress\n subject:\n subjectType: UserWorkload\n ingress:\n - from:\n - ipBlock:\n cidr: \u003cvar translate=\"no\"\u003eCIDR\u003c/var\u003e\n ports:\n - protocol: TCP\n port: \u003cvar translate=\"no\"\u003ePORT\u003c/var\u003e\n EOF\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e: the kubeconfig path of the Management API server's kubeconfig path. If you have not yet generated a kubeconfig file for the API server in your targeted zone, see [Sign\n in](/distributed-cloud/hosted/docs/latest/appliance/platform/pa-user/iam/sign-in#cli) for details.\n- \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e: the name of your GDC project.\n- \u003cvar translate=\"no\"\u003eCIDR\u003c/var\u003e: the external CIDR that the ELB needs to be accessed from. This policy is required as the external load balancer uses Direct Server Return (DSR), which preserves the source external IP address and bypasses the load balancer on the return path.\n- \u003cvar translate=\"no\"\u003ePORT\u003c/var\u003e: the backend port on the pods behind the load balancer. This value is found in the `.spec.ports[].targetPort`field of the manifest for the `Service` resource.\n\n| **Note:** This configuration provides all of the resources inside of projects access to the specified CIDR range.\n\nCreate an external load balancer\n--------------------------------\n\nCreate ELBs using three different methods in\nGDC:\n\n- Use the [gdcloud CLI](/distributed-cloud/hosted/docs/latest/appliance/resources/gdcloud-overview) to create ELBs.\n- Use the [Networking Kubernetes Resource Model (KRM)\n API](/distributed-cloud/hosted/docs/latest/appliance/apis/service/networking/networking-api-overview) to create ELBs.\n\nYou can target pod or VM workloads using the KRM API and gdcloud CLI. You can only target workloads in the cluster where the `Service` object is created when you use the Kubernetes Service directly in Kubernetes cluster."]]
