Provision managed Anthos Service Mesh on a GKE cluster in the Google Cloud console
Anthos Service Mesh is Google's service mesh offering, based on open source Istio. The Anthos Service Mesh feature in the GKE UI lets you provision managed Anthos Service Mesh on a new GKE cluster or an existing GKE cluster. With managed Anthos Service Mesh, Google hosts and manages the control plane and, optionally, the data plane for the mesh, and handles its upgrades, scaling, and security in a backward-compatible manner.
Anthos Service Mesh provides a uniform way to connect, manage, and secure microservices. It supports managing traffic flows between services, enforcing access policies, and aggregating telemetry data, all without requiring changes to the microservice code. Anthos Service Mesh also provides a set of management capabilities to simplify lifecycle management of the mesh.
You configure Istio access control, routing rules, and other features by creating Istio custom resources (Kubernetes custom resource definitions such as PeerAuthentication, AuthorizationPolicy, and VirtualService), either with kubectl or with the Istio command-line tool istioctl, which performs extra validation before applying them.
For more information, see Anthos Service Mesh.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the Kubernetes Engine API.
Provision Anthos Service Mesh
The steps required to provision Anthos Service Mesh depend on whether you are creating a new GKE cluster or provisioning Anthos Service Mesh on an existing GKE cluster.
Create a GKE cluster with Anthos Service Mesh
Go to the Google Kubernetes Engine page in the Google Cloud console.
Click Create.
Click Configure next to your preferred option between GKE Standard and GKE Autopilot.
Standard
In the Cluster basics section, complete the following:
- Enter the Name for your cluster.
- For the Location type, select Regional, and then select the desired region for your cluster.
From the navigation pane, under Cluster, click Features.
In the Anthos Service Mesh section, check the box next to Enable Anthos Service Mesh.
After you check the box, a screen detailing the requirements appears. The requirements include:
- Cloud Monitoring is enabled on the cluster. Anthos Service Mesh uses Cloud Monitoring to provide automatic telemetry and logs.
- Workload Identity is enabled on the cluster. Anthos Service Mesh uses Workload Identity to provide secure access to required Google APIs and resources (mesh components authenticate as Kubernetes service accounts rather than with the node's service account credentials).
- The mesh.googleapis.com API is enabled (if it hasn't been already), so that the service mesh can be secured, monitored, and managed.
- The cluster is registered to the project's fleet, and the Anthos Service Mesh fleet feature is enabled.
- The managed control plane is provisioned and set up to use a revision that matches the GKE release channel configured on the cluster.
Click Make changes to automatically enable the requirements.
Click Create.
Autopilot
In the Cluster basics section, complete the following:
- Enter the Name for your cluster.
- Select the desired Region for your cluster.
Expand the Advanced Options section dropdown.
In the Anthos Service Mesh section, check the box next to Enable Anthos Service Mesh.
After you check the box, a screen detailing the requirements appears. The requirements include:
- The mesh.googleapis.com API is enabled (if it hasn't been already), so that the service mesh can be secured, monitored, and managed.
- The cluster is registered to the project's fleet, and the Anthos Service Mesh fleet feature is enabled.
- The managed control plane is provisioned and set up to use a revision that matches the GKE release channel configured on the cluster.
Click Make changes to automatically enable the requirements.
Click Create.
Provision Anthos Service Mesh on an existing GKE cluster
Go to the Google Kubernetes Engine page in the Google Cloud console.
Select the cluster that you would like to provision Anthos Service Mesh on.
In the Features section, click the edit button next to Anthos Service Mesh.
After you click the edit button, a screen detailing the requirements appears. The requirements include:
- Cloud Monitoring is enabled on the cluster. Anthos Service Mesh uses Cloud Monitoring to provide automatic telemetry and logs.
- Workload Identity is enabled on the cluster. Anthos Service Mesh uses Workload Identity to provide secure access to required Google APIs and resources (mesh components authenticate as Kubernetes service accounts rather than with the node's service account credentials).
- The mesh.googleapis.com API is enabled (if it hasn't been already), so that the service mesh can be secured, monitored, and managed.
- The cluster is registered to the project's fleet, and the Anthos Service Mesh fleet feature is enabled (if it hasn't been already).
- The managed control plane is provisioned and set up to use a revision that matches the GKE release channel configured on the cluster.
Click Make changes to automatically enable the requirements.
Next steps
Enabling Anthos Service Mesh on your cluster is only the first step. To fully take advantage of service mesh functionality, complete the following tasks:
- (Required) Inject sidecar proxies to enhance network security, reliability, and observability. Workloads in namespaces without injection are outside the mesh and receive none of its policy or telemetry.
- (Highly recommended) Deploy gateways to manage ingress and egress traffic.
- (Highly recommended) Configure transport security (mutual TLS between sidecar proxies) to secure your mesh.
- (Optional) Enable Managed Data Plane to automatically upgrade the proxies.
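The console's Make changes button turns on the requirements listed in the provisioning steps above, and the next steps above are left to you. The following shell script is an added example, not code from this page or from Google's tooling: it parses the fleet feature state the way a practitioner would check it before trusting the mesh, confirms Workload Identity and the mesh API on the live cluster, and then performs the required sidecar injection, the recommended mesh-wide mutual TLS, and the optional managed data plane for one namespace. It assumes gcloud and kubectl are authenticated, that PROJECT_ID, CLUSTER and REGION are exported, that the fleet membership name equals the cluster name, and that the managed revision label is asm-managed (the revision depends on the cluster's release channel, so confirm it in the describe output first). The describe output embedded in the script is a constructed sample, shaped like the real command's YAML, used only to exercise the parser offline.

```shell
#!/bin/sh
# Added example, not from the page: verify managed ASM provisioning, then apply
# the "next steps" to one namespace. Assumes PROJECT_ID, CLUSTER, REGION are
# exported, membership name == cluster name, and revision label asm-managed.
set -eu

# Read `gcloud container fleet mesh describe` YAML on stdin and print the
# controlPlaneManagement.state (ACTIVE, PROVISIONING, ...) for one membership,
# or UNKNOWN when that membership is not listed. $1 = membership name.
mesh_state_for_membership() {
  awk -v member="$1" '
    # Membership keys sit at indent 2 and end with /memberships/<name>:
    /^  [^ ]/ { in_member = ($0 ~ ("/memberships/" member ":$")) }
    # Indent-6 keys under a membership: only controlPlaneManagement matters here
    in_member && /^      [^ ]/ { in_cp = ($0 ~ /^      controlPlaneManagement:/) }
    in_member && in_cp && /^        state:/ { print $2; found = 1; exit }
    END { if (!found) print "UNKNOWN" }
  '
}

# Constructed sample (not real project data) shaped like the describe output.
SAMPLE_DESCRIBE=$(cat <<'EOF'
membershipStates:
  projects/123456/locations/us-central1/memberships/my-cluster:
    servicemesh:
      controlPlaneManagement:
        details:
        - code: REVISION_READY
          details: 'Ready: asm-managed'
        state: ACTIVE
      dataPlaneManagement:
        details:
        - code: DISABLED
          details: Disabled
        state: DISABLED
    state:
      code: OK
      description: 'Revision(s) ready for use: asm-managed.'
  projects/123456/locations/us-central1/memberships/staging:
    servicemesh:
      controlPlaneManagement:
        state: PROVISIONING
name: projects/123456/locations/global/features/servicemesh
resourceState:
  state: ACTIVE
EOF
)

# Live checks for what "Make changes" is supposed to have enabled.
check_cluster_requirements() {
  pool=$(gcloud container clusters describe "$CLUSTER" --region "$REGION" \
           --project "$PROJECT_ID" --format='value(workloadIdentityConfig.workloadPool)')
  [ -n "$pool" ] || { echo "Workload Identity is not enabled on $CLUSTER" >&2; return 1; }
  gcloud services list --enabled --project "$PROJECT_ID" --format='value(config.name)' \
    | grep -qx mesh.googleapis.com \
    || { echo "mesh.googleapis.com is not enabled in $PROJECT_ID" >&2; return 1; }
  state=$(gcloud container fleet mesh describe --project "$PROJECT_ID" \
            | mesh_state_for_membership "$CLUSTER")
  [ "$state" = ACTIVE ] \
    || { echo "managed control plane state is $state, not ACTIVE" >&2; return 1; }
}

# (Required) Sidecar injection: label the namespace with the managed revision
# and drop the legacy istio-injection label so the two cannot conflict.
enable_sidecar_injection() {  # $1 = namespace
  kubectl label namespace "$1" istio.io/rev=asm-managed istio-injection- --overwrite
}

# (Optional) Managed data plane: Google then upgrades the proxies in this namespace.
enable_managed_data_plane() { # $1 = namespace
  kubectl annotate --overwrite namespace "$1" mesh.cloud.google.com/proxy='{"managed":"true"}'
}

# (Highly recommended) Transport security: a PeerAuthentication named default in
# the root namespace istio-system applies mesh-wide, so sidecars refuse plaintext.
enforce_strict_mtls() {
  kubectl apply -f - <<'EOF'
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
EOF
}

# Usage: sh <this script> --apply NAMESPACE   (without --apply it only defines functions)
if [ "${1:-}" = "--apply" ]; then
  ns="${2:?usage: --apply NAMESPACE}"
  : "${PROJECT_ID:?}" "${CLUSTER:?}" "${REGION:?}"
  check_cluster_requirements
  enable_sidecar_injection "$ns"
  enable_managed_data_plane "$ns"
  enforce_strict_mtls
  echo "namespace $ns is in the mesh with STRICT mTLS; restart its pods to inject sidecars"
fi
```

Without `--apply` the script only defines functions, so it can be sourced and mesh_state_for_membership reused, for example in a CI gate that refuses to deploy while the control plane is still PROVISIONING. Existing pods pick up the sidecar only after a restart, and the STRICT PeerAuthentication in istio-system is mesh-wide: if legacy clients still speak plaintext to meshed services, apply a namespace-scoped PeerAuthentication in PERMISSIVE mode for them first and tighten it once their traffic is mTLS.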
Troubleshooting
To address problems when provisioning Anthos Service Mesh, see Resolving issues enabling Anthos Service Mesh through Google Cloud console.
What's next
- To find out more about Managed Anthos Service Mesh, see Provisioning managed Anthos Service Mesh
- For a quick introduction to the gcloud CLI, which can perform the same provisioning steps as the console, see gcloud commands
- To find out how to explore Anthos Service Mesh in the Google Cloud console, see Exploring Anthos Service Mesh in the Google Cloud console
- To explore Anthos Service Mesh optional features, such as Cloud Trace, distroless proxy images, and end user authentication, see Enable optional features on managed Anthos Service Mesh
- To learn more about Security in Anthos Service Mesh, see Anthos Service Mesh Security Overview and Anthos Service Mesh Security Best Practices
- To find out more about Telemetry in Anthos Service Mesh, see Observability Overview