Configure external IP addresses for Google Distributed Cloud

The default Cloud Service Mesh installation on Google Distributed Cloud assumes that external IP addresses are automatically allocated for LoadBalancer services. This is not true in Google Distributed Cloud. Because of this, you need to allocate one or more external IP addresses, depending on your service mesh configuration:

  • One external IP address for the Cloud Service Mesh ingress Gateway resource, for example the gateway that your customers use to access your workloads from across the internet.
  • Another external IP address for your clusters to communicate with each other if they exist on different networks within your service mesh. This is referred to as the east-west gateway.

Configuring the ingress gateway IP address

To configure an external IP address for the ingress gateway, follow one of the sections below, depending on your Google Distributed Cloud load balancing mode:

    Integrated mode

  1. Patch the istio-ingressgateway Service's configuration with the external IP address for the ingress gateway:
    kubectl patch svc istio-ingressgateway -n istio-system --type='json' -p '[{"op": "add", "path": "/spec/loadBalancerIP", "value": "INGRESS_GATEWAY_IP"}]'
  2. Manual mode

  3. View the istio-ingressgateway service's configuration in your shell:
    kubectl get svc -n istio-system istio-ingressgateway -o yaml
    Each of the ports for Cloud Service Mesh's gateways are displayed. The command output is like the following:
      ...
      ports:
      - name: status-port
        nodePort: 30391
        port: 15020
        protocol: TCP
        targetPort: 15020
      - name: http2
        nodePort: 31380
        port: 80
        protocol: TCP
        targetPort: 80
      - name: https
        nodePort: 31390
        port: 443
        protocol: TCP
        targetPort: 443
      - name: tcp
        nodePort: 31400
        port: 31400
        protocol: TCP
        targetPort: 31400
      - name: https-kiali
        nodePort: 31073
        port: 15029
        protocol: TCP
        targetPort: 15029
      - name: https-prometheus
        nodePort: 30253
        port: 15030
        protocol: TCP
        targetPort: 15030
      - name: https-grafana
        nodePort: 30050
        port: 15031
        protocol: TCP
        targetPort: 15031
      - name: https-tracing
        nodePort: 31204
        port: 15032
        protocol: TCP
        targetPort: 15032
      - name: tls
        nodePort: 30158
        port: 15443
        protocol: TCP
        targetPort: 15443
      ...
  4. Expose these ports through your load balancer.

    For example, the service port named http2 has port 80 and nodePort 31380. Suppose the node addresses for your user cluster are 192.168.0.10, 192.168.0.11, and 192.168.0.12, and your load balancer's VIP is 203.0.113.1.

    Configure your load balancer so that traffic sent to 203.0.113.1:80 is forwarded to 192.168.0.10:31380, 192.168.0.11:31380, or 192.168.0.12:31380. You can select the service ports that you want to expose on this given VIP.

Confirm that the ingress gateway was assigned an external IP address. There might be a slight delay that requires you to repeat this command until you see the desired result:

kubectl --context="${CTX_CLUSTER1}" get svc istio-ingressgateway -n istio-system

The expected output is:

NAME                    TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)   AGE
istio-ingressgateway   LoadBalancer   10.80.6.124   34.75.71.237   ...       51s

Configuring the east-west gateway IP address

To configure an external IP address for the east-west gateway, follow one of the sections below, depending on your Google Distributed Cloud load balancing mode:

    Integrated mode

  1. Patch the istio-eastwestgateway Service's configuration with the external IP address for the east-west gateway:
    kubectl patch svc istio-eastwestgateway -n istio-system --type='json' -p '[{"op": "add", "path": "/spec/loadBalancerIP", "value": "EAST_WEST_GATEWAY_IP"}]'
  2. Manual mode

  3. View the istio-eastwestgateway service's configuration in your shell:
    kubectl get svc -n istio-system istio-eastwestgateway -o yaml
    Each of the ports for Cloud Service Mesh's gateways are displayed. The command output is like the following:
      ports:
      - name: status-port
        nodePort: 31781
        port: 15021
        protocol: TCP
        targetPort: 15021
      - name: tls
        nodePort: 30498
        port: 15443
        protocol: TCP
        targetPort: 15443
      - name: tls-istiod
        nodePort: 30879
        port: 15012
        protocol: TCP
        targetPort: 15012
      - name: tls-webhook
        nodePort: 30336
        port: 15017
        protocol: TCP
        targetPort: 15017
      ...
  4. Expose these ports through your load balancer.

    For example, the service port named http2 has port 80 and nodePort 31380. Suppose the node addresses for your user cluster are 192.168.0.10, 192.168.0.11, and 192.168.0.12, and your load balancer's VIP is 203.0.113.1.

    Configure your load balancer so that traffic sent to 203.0.113.1:80 is forwarded to 192.168.0.10:31380, 192.168.0.11:31380, or 192.168.0.12:31380. You can select the service ports that you want to expose on this given VIP.

Confirm that the east-west gateway was assigned an external IP address. There might be a slight delay that requires you to run repeat this command until you see the desired result:

kubectl --context="${CTX_CLUSTER1}" get svc istio-eastwestgateway -n istio-system

The expected output is:

NAME                    TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)   AGE
istio-eastwestgateway   LoadBalancer   10.80.6.124   34.75.71.237   ...       51s

What's next?