Set up an ingress gateway
This guide demonstrates how to configure Cloud Service Mesh to configure proxies as ingress gateways. You set up an Envoy proxy as the gateway and a hello-world in-mesh service.
In this configuration, an external passthrough Network Load Balancer directs traffic from the internet to
your service mesh through an ingress gateway. A Gateway resource manages an
Envoy proxy that acts as a gateway into the service mesh. A gateway is
also known as a middle proxy or ingress. The Envoy proxies deployed to act as
ingress gateways are standalone proxies rather than sidecars to workloads. In
this mode, Envoy listens on a defined list of ports, and forwards traffic
according to routing rules that you configure in Cloud Service Mesh. A
Gateway API resource is used to configure such Envoy proxies.
Gateway resource (click to enlarge)Set up routing to ensure that traffic destined for the Gateway proxies is
directed to the VMs hosting the Envoys. The ingress service can be paired with
an external Application Load Balancer or an internal passthrough Network Load Balancer, but such configurations are not
included in this demonstration setup. For information about setting up an
external Application Load Balancer, see the External Application Load Balancer documentation.
For information about setting up an internal passthrough Network Load Balancer, see the
Internal passthrough Network Load Balancer documentation.
This guide does not cover the service-to-service communication and the
Mesh resource behind the Gateway.
Before you begin
Make sure that you complete the tasks described in Prepare to set up with Envoy and proxyless workloads.
Configure firewall rules
In this section, you configure two firewall rules. One rule allows health check probes to access instances in the Virtual Private Cloud network. The other rule allows traffic from any source into the network.
Configure firewall rules to allow health checks.
gcloud compute firewall-rules create allow-health-checks \ --network=NETWORK_NAME \ --direction=INGRESS \ --action=ALLOW \ --rules=tcp \ --source-ranges="35.191.0.0/16,130.211.0.0/22,209.85.152.0/22,209.85.204.0/22"
Configure firewall rules to allow traffic from any source on the internet to reach the gateway proxies. You can optionally edit the command for your source IP address range.
gcloud compute firewall-rules create allow-gateway-ingress-traffic \ --network=NETWORK_NAME \ --direction=INGRESS \ --action=ALLOW \ --rules=tcp:80 \ --source-ranges="0.0.0.0/0" \ --target-tags=gateway-proxy
Configure Identity and Access Management permissions
In this section, you designate the service account for the gateway proxies and assign them the correct IAM roles.
Create a service account identity for the gateway proxies.
gcloud iam service-accounts create gateway-proxy
Assign the required IAM roles to the service account identity.
gcloud projects add-iam-policy-binding PROJECT_ID \ --member="serviceAccount:gateway-proxy@PROJECT_ID.iam.gserviceaccount.com" \ --role="roles/trafficdirector.client"
gcloud projects add-iam-policy-binding PROJECT_ID \ --member="serviceAccount:gateway-proxy@PROJECT_ID.iam.gserviceaccount.com" \ --role="roles/logging.logWriter"
Configure the Gateway resource
In this section, you configure the gateway resource.
In a file called
gateway80.yaml, create theGatewayspecification for HTTP traffic.cat <<EOF | tee gateway80.yaml name: gateway80 scope: gateway-proxy ports: - 80 type: OPEN_MESH EOF
Create the
Gatewayresource from thegateway80.yamlspecification:gcloud network-services gateways import gateway80 \ --source=gateway80.yaml \ --location=global
Create a managed instance group with Envoy proxies
In this section, you create the Envoy proxies that are associated with the ingress gateway configuration.
Create an instance template for a VM running an automatically deployed Envoy service proxy. The Envoys have a
scopeofgateway-proxy. Don't pass the serving port as a parameter of--service-proxy.gcloud beta compute instance-templates create gateway-proxy \ --machine-type=n1-standard-1 \ --boot-disk-size=10GB \ --scopes=https://www.googleapis.com/auth/cloud-platform \ --tags=gateway-proxy \ --network=NETWORK_NAME \ --service-account="gateway-proxy@PROJECT_ID.iam.gserviceaccount.com" \ --service-proxy=enabled,scope=gateway-proxy
Create a regional managed instance group from the instance template.
gcloud compute instance-groups managed create gateway-proxies-REGION \ --region=REGION \ --size=3 \ --template=gateway-proxy \ --target-distribution-shape=EVEN
Set a named port to enable TCP health checking for the external passthrough Network Load Balancer.
gcloud compute instance-groups managed set-named-ports gateway-proxies-REGION \ --region=REGION \ --named-ports=serving-port:80
Set up the regional external passthrough Network Load Balancer
In this section, you create the external passthrough Network Load Balancer, a backend service forwarding rule, and required health check, to forward traffic from the internet to the gateway proxies.
Create an external IP address for the external passthrough Network Load Balancer.
gcloud compute addresses create xnlb-REGION \ --region=REGION
Get the IP address that was created for the external passthrough Network Load Balancer.
gcloud compute addresses describe xnlb-REGION \ --region=REGION --format='value(address)'
This IP address is used as the variable
IP_ADDRESSin later sections of this setup guide.Create a health check for the gateway proxies.
gcloud compute health-checks create tcp xnlb-REGION \ --region=REGION \ --port-name=serving-port
Create a backend service for the gateway proxies.
gcloud compute backend-services create xnlb-REGION \ --health-checks=xnlb-REGION \ --health-checks-region=REGION \ --load-balancing-scheme=EXTERNAL \ --protocol=TCP \ --region=REGION \ --port-name=serving-port
Add the managed instance group as the backend to the backend service.
gcloud compute backend-services add-backend xnlb-REGION \ --instance-group=gateway-proxies-REGION \ --instance-group-region=REGION \ --region=REGION
Create a forwarding rule pointing to the gateway proxies.
gcloud compute forwarding-rules create xnlb-REGION \ --region=REGION \ --load-balancing-scheme=EXTERNAL \ --address=IP_ADDRESS \ --ip-protocol=TCP \ --ports=80 \ --backend-service=xnlb-REGION \ --backend-service-region=REGION
Configure the HTTP server
In this section, you create a hello-world HTTP test service running in the service mesh that gateway proxies are routing into.
Create an instance template running an Apache web server, serving the instance's hostname as it responds to HTTP requests.
gcloud compute instance-templates create helloworld-template \ --scopes=https://www.googleapis.com/auth/cloud-platform \ --tags=private-instance \ --image-family=debian-11 \ --image-project=debian-cloud \ --network=NETWORK_NAME \ --metadata=startup-script="#! /bin/bash sudo apt-get update -y sudo apt-get install apache2 -y echo \"Hello from \`/bin/hostname\`\" | sudo tee /var/www/html/index.html sudo service apache2 restart"
Create a managed instance group based on the template.
gcloud compute instance-groups managed create helloworld-mig-REGION \ --zone=ZONE \ --size=1 \ --template=helloworld-template
Create an HTTP health check.
gcloud compute health-checks create http helloworld-health-check
Create a firewall rule to allow incoming connections from gateway proxies and health checks to instances in your network.
gcloud compute firewall-rules create allow-rfc1918-traffic \ --network=NETWORK_NAME \ --action=allow \ --direction=INGRESS \ --source-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \ --target-tags=private-instance \ --rules=tcp:80
Create a global backend service with a load balancing scheme of
INTERNAL_SELF_MANAGEDand attach the health check.gcloud compute backend-services create http-helloworld-service \ --load-balancing-scheme=INTERNAL_SELF_MANAGED \ --protocol=HTTP \ --health-checks=helloworld-health-check \ --global
Add the managed instance group to the backend service.
gcloud compute backend-services add-backend http-helloworld-service \ --instance-group helloworld-mig-REGION \ --instance-group-zone=ZONE \ --global
Set up routing with HTTPRoute
You now have a Cloud Service Mesh Gateway resource and a service configured. Next,
you connect them by using an HTTPRoute resource that associates a hostname
with a backend service. The HTTPRoute also references the Gateway.
In a file called
http_route.yaml, create theHTTPRoutespecification. The specification referencesgateway80, which is theGatewayresource that you created earlier, and it points to the backend servicehttp-helloworld-service.You can use either
PROJECT_IDorPROJECT_NUMBER.cat <<EOF | tee http_route.yaml name: helloworld-http-route hostnames: - helloworld-gce gateways: - projects/PROJECT_NUMBER/locations/global/gateways/gateway80 rules: - action: destinations: - serviceName: "projects/PROJECT_NUMBER/locations/global/backendServices/http-helloworld-service" EOFUse the specification in
http_route.yamlto create theHTTPRouteresource.gcloud network-services http-routes import helloworld-http-route \ --source=http_route.yaml \ --location=global
Verify that you can access the service from an external client through the external passthrough Network Load Balancer and the Cloud Service Mesh
Gateway.curl -H "Host: helloworld-gce" IP_ADDRESS
What's next
- For information about listing route resources associated with a
MeshorGatewayresource, see ListRouteresources. This feature is in Preview.