Anthos Service Mesh and Traffic Director are now Cloud Service Mesh. For more information, see the Cloud Service Mesh overview.

Provision managed Cloud Service Mesh on a GKE cluster in the Google Cloud console

Cloud Service Mesh is Google's service mesh offering, based on open source Istio. The Cloud Service Mesh feature in the GKE UI allows users to easily provision managed Cloud Service Mesh on a new GKE cluster or an existing GKE cluster. With managed Cloud Service Mesh Google hosts and manages the control plane and, optionally, the data plane for the mesh and handles its upgrades, scaling, and security in a backward-compatible manner.

Cloud Service Mesh provides a uniform way to connect, manage, and secure microservices. It supports managing traffic flows between services, enforcing access policies, and aggregating telemetry data, all without requiring changes to the microservice code. Cloud Service Mesh also provides a set of management capabilities to simplify lifecycle management of the mesh.

You configure Istio access control, routing rules, and other features by using a custom Kubernetes API, either via kubectl or the Istio command-line tool istioctl, which provides extra validation.

For more information, see Cloud Service Mesh.

Before you begin

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project.

Enable the Kubernetes Engine API.

Enable the API

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Go to project selector

Make sure that billing is enabled for your Google Cloud project.

Enable the Kubernetes Engine API.

Enable the API

Provision Cloud Service Mesh

The steps required to provision Cloud Service Mesh depend on whether you are creating a new GKE cluster or provisioning Cloud Service Mesh on an existing GKE cluster.

Create a GKE cluster with Cloud Service Mesh

To follow step-by-step guidance for this task directly in the Google Cloud console, click Guide me:

Guide me

Go to the Google Kubernetes Engine page in the Google Cloud console.

Go to Google Kubernetes Engine
Click Create.
Click Configure next to your preferred option between GKE Standard and GKE Autopilot.

Standard

In the Cluster basics section, complete the following:

Enter the Name for your cluster.
For the Location type, select Regional, and then select the desired region for your cluster.

Important: We support > 90% of GKE cluster regions, but there are a few that are still not supported. See Regions for a full list of supported regions.
From the navigation pane, under Cluster, click Features.
In the Cloud Service Mesh section, check the box next to Enable Cloud Service Mesh.

After you check the box, a screen detailing the requirements appears. The requirements include:
- Cloud Monitoring is enabled on the cluster.
- Cloud Service Mesh uses Cloud Monitoring to provide automatic telemetry and logs.
- Workload Identity is enabled on the cluster.
- Cloud Service Mesh uses Workload Identity to provide secure access to required Google APIs and resources.
- In order to secure, monitor, and manage the service mesh, the mesh.googleapis.com API is enabled (if it hasn't been already).
- The Cluster is registered to the project's Fleet, and the Cloud Service Mesh Fleet feature is enabled.
- The managed control plane is provisioned and set up to use a revision that matches the GKE channel configured on the cluster.
Click Make changes to automatically enable the requirements.
Click Create.

Autopilot

In the Cluster basics section, complete the following:

Enter the Name for your cluster.
Select the desired Region for your cluster.

Important: We support > 90% of GKE cluster regions, but there are a few that are still not supported. See Regions for a full list of supported regions.
Expand the Advanced Options section dropdown.
In the Cloud Service Mesh section, check the box next to Enable Cloud Service Mesh.

After you check the box, a screen detailing the requirements appears. The requirements include:
- In order to secure, monitor, and manage the service mesh, the mesh.googleapis.com API is enabled (if it hasn't been already).
- The Cluster is registered to the project's Fleet, and the Cloud Service Mesh Fleet feature is enabled.
- The managed control plane is provisioned and set up to use a revision that matches the GKE channel configured on the cluster.
Click Make changes to automatically enable the requirements.
Click Create.

Provision Cloud Service Mesh on an existing GKE cluster

Go to the Google Kubernetes Engine page in the Google Cloud console.

Go to Google Kubernetes Engine
Select the cluster that you would like to provision Cloud Service Mesh on.
In the Features section, click the edit button next to Cloud Service Mesh.

After you click the edit button, a screen detailing the requirements will appear. The requirements include:
- Cloud Monitoring is enabled on the cluster.
  - Cloud Service Mesh uses Cloud Monitoring to provide automatic telemetry and logs.
- Workload Identity is enabled on the cluster.
  - Cloud Service Mesh uses Workload Identity to provide secure access to required Google APIs and resources.
- In order to secure, monitor, and manage the service mesh, the mesh.googleapis.com API is enabled (if it hasn't been already).
- The Cluster is registered to the project's Fleet, and the Cloud Service Mesh Fleet feature is enabled (if it hasn't been already).
- The managed control plane is provisioned and set up to use a revision that matches the GKE channel configured on the cluster.
Click Make changes to automatically enable the requirements.

Next steps

Enabling Cloud Service Mesh on your cluster is only the first step. To fully take advantage of service mesh functionality, complete the following tasks:

(Required) Inject sidecar proxies to enhance network security, reliability and observability.
(Highly recommended) Deploy gateways to manage ingress and egress traffic.
(Highly recommended) Configuring transport security to secure your mesh.
(Optional) Enable Managed Data Plane to automatically upgrade the proxies.

Troubleshooting

To address problems when provisioning Cloud Service Mesh, see Resolving issues enabling Cloud Service Mesh through Google Cloud console.

What's next

To find out more about Managed Cloud Service Mesh, see Provisioning managed Cloud Service Mesh
For a quick introduction to the gcloud CLI used in this tutorial, see gcloud commands
To find out how to explore Cloud Service Mesh in the Google Cloud console, see Exploring Cloud Service Mesh in the Google Cloud console
To explore Cloud Service Mesh optional features, such as Cloud Trace, distroless proxy images, and end user authentication, see Enable optional features on managed Cloud Service Mesh
To learn more about Security in Cloud Service Mesh, see Cloud Service Mesh Security Overview and Cloud Service Mesh Security Best Practices
To find out more about Telemetry in Cloud Service Mesh, see Observability Overview