Set up Envoy proxies with HTTP services
This guide demonstrates how to configure Cloud Service Mesh with an Envoy proxy-based service mesh, HTTP services, and Mesh and HTTPRoute resources.
Before you begin
Make sure that you complete the tasks described in Prepare to set up with Envoy and proxyless workloads.
Configure the Mesh resource
Envoy proxies running as sidecars receive their service routing configuration
from Cloud Service Mesh. The Mesh name is the key that the sidecar proxy uses
to request the configuration associated with the Mesh resource.
Cloud Service Mesh provides the routing configuration to the proxy. The sidecar
proxy then directs traffic to the correct backend service, relying on request
parameters such as the hostname, headers, and others that are configured in the
Route resources.
Create the Mesh resource specification and save it in a file called mesh.yaml.

    name: sidecar-mesh
    interceptionPort: 15001

The interception port defaults to 15001 if you don't specify it in the mesh.yaml file.
Create the Mesh resource using the mesh.yaml specification.

    gcloud network-services meshes import sidecar-mesh \
      --source=mesh.yaml \
      --location=global

After the Mesh resource is created, Cloud Service Mesh is ready to serve the
configuration, but because there are no services defined yet, the configuration
is empty. The next step is to define your services and attachment.
Configure the HTTP server
For demonstration purposes, you create a backend service with autoscaled VMs
using managed instance groups as the backends. The VMs serve a hello world
text phrase, using the HTTP protocol on port 80.
Create the instance template with a helloworld HTTP service on port 80.

    gcloud compute instance-templates create td-httpd-vm-template \
      --scopes=https://www.googleapis.com/auth/cloud-platform \
      --tags=http-td-server \
      --image-family=debian-11 \
      --image-project=debian-cloud \
      --metadata=startup-script="#! /bin/bash
    sudo apt-get update -y
    sudo apt-get install apache2 -y
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>'\`/bin/hostname\`'</h1></body></html>' | sudo tee /var/www/html/index.html"

Create a managed instance group based on the template.

    gcloud compute instance-groups managed create http-td-mig-us-east1 \
      --zone=ZONE \
      --size=2 \
      --template=td-httpd-vm-template

Create a health check.

    gcloud compute health-checks create http http-helloworld-health-check

Create a firewall rule to allow incoming health check connections to instances in your network.

    gcloud compute firewall-rules create http-vm-allow-health-checks \
      --network=default \
      --action=ALLOW \
      --direction=INGRESS \
      --source-ranges=35.191.0.0/16,130.211.0.0/22 \
      --target-tags=http-td-server \
      --rules=tcp:80

Create a global backend service with a load balancing scheme of INTERNAL_SELF_MANAGED and add the health check.

    gcloud compute backend-services create http-helloworld-service \
      --global \
      --load-balancing-scheme=INTERNAL_SELF_MANAGED \
      --protocol=HTTP \
      --health-checks http-helloworld-health-check

Add the managed instance group to the backend service. The following example uses the managed instance group you created previously. The VMs in the managed instance group run the sample HTTP service that you created.

    gcloud compute backend-services add-backend http-helloworld-service \
      --instance-group=http-td-mig-us-east1 \
      --instance-group-zone=ZONE \
      --global

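Added example (not part of the original guide): a Python check that the firewall rule created above, exported with gcloud compute firewall-rules describe http-vm-allow-health-checks --format=json, still admits only the health-check source ranges, target tag, and port used in this procedure. The sample rule is constructed for illustration and the function name is hypothetical.

```python
import ipaddress
import json

# Health-check source ranges taken from the firewall rule step in this guide.
HEALTH_CHECK_RANGES = [
    ipaddress.ip_network(c) for c in ("35.191.0.0/16", "130.211.0.0/22")
]

# Constructed sample shaped like the JSON output of
# `gcloud compute firewall-rules describe ... --format=json`.
SAMPLE_RULE = json.loads("""
{
  "name": "http-vm-allow-health-checks",
  "direction": "INGRESS",
  "sourceRanges": ["35.191.0.0/16", "130.211.0.0/22"],
  "targetTags": ["http-td-server"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]
}
""")


def audit_health_check_rule(rule, expected_tag="http-td-server", expected_port="80"):
    """Return a list of findings; an empty list means the rule matches the guide."""
    findings = []
    if rule.get("direction") != "INGRESS":
        findings.append("direction is not INGRESS")
    if rule.get("disabled"):
        findings.append("rule is disabled")
    ranges = rule.get("sourceRanges", [])
    if not ranges:
        findings.append("no sourceRanges set")
    for cidr in ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        # A range is acceptable only if it sits inside a health-check range.
        if not any(net.version == hc.version and net.subnet_of(hc)
                   for hc in HEALTH_CHECK_RANGES):
            findings.append(f"source range {cidr} is outside the health-check ranges")
    if rule.get("targetTags", []) != [expected_tag]:
        findings.append(f"targetTags should be exactly [{expected_tag}]")
    if not rule.get("allowed"):
        findings.append("no allow entries")
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") != "tcp" or entry.get("ports") != [expected_port]:
            findings.append(f"unexpected allow entry: {entry}")
    return findings
```
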
Set up routing with an HTTPRoute resource
The Mesh resource and services are configured. Connect them with an
HTTPRoute resource that associates a hostname with a backend service.
Create the HTTPRoute specification and save it to a file called http_route.yaml. You can use either PROJECT_ID or PROJECT_NUMBER.

    name: helloworld-http-route
    hostnames:
    - helloworld-gce
    meshes:
    - projects/PROJECT_NUMBER/locations/global/meshes/sidecar-mesh
    rules:
    - action:
        destinations:
        - serviceName: "projects/PROJECT_NUMBER/locations/global/backendServices/http-helloworld-service"

Create the HTTPRoute resource using the specification in the http_route.yaml file.

    gcloud network-services http-routes import helloworld-http-route \
      --source=http_route.yaml \
      --location=global

Cloud Service Mesh is now configured to load balance traffic for the services
specified in the HTTPRoute resource across the VMs in the managed instance
group.
Create an HTTP client with an Envoy sidecar
You can verify the deployment by creating a client VM with an Envoy sidecar
proxy that requests the Cloud Service Mesh configuration that was created
earlier. The mesh parameter in the gcloud command refers to the Mesh
resource that you already created.
Create an instance template.

    gcloud beta compute instance-templates create td-vm-client-template \
      --image-family=debian-11 \
      --image-project=debian-cloud \
      --service-proxy=enabled,mesh=sidecar-mesh

Create a VM with an Envoy proxy that is connected to Cloud Service Mesh.

    gcloud compute instances create td-vm-client \
      --zone=ZONE \
      --source-instance-template td-vm-client-template

Sign in to the VM.

    gcloud compute ssh td-vm-client --zone=ZONE

Run the curl command to verify HTTP connectivity to the test services.

    curl -H "Host: helloworld-gce" http://10.0.0.1/

The command should return a response from one of the VMs in the managed instance group, with its hostname printed to the console.
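The Mesh name ties together three things in this guide: the name in mesh.yaml, the meshes entry in http_route.yaml, and the mesh= value passed to --service-proxy. The following added example (not part of the original guide) checks that they agree and that no placeholder was left in the route file. The project number 123456789012 is a made-up stand-in for PROJECT_NUMBER, and the function names are hypothetical.

```python
import re

# Constructed copies of mesh.yaml and http_route.yaml from this guide;
# 123456789012 is a made-up project number standing in for PROJECT_NUMBER.
MESH_YAML = "name: sidecar-mesh\ninterceptionPort: 15001\n"
ROUTE_YAML = """\
name: helloworld-http-route
hostnames:
- helloworld-gce
meshes:
- projects/123456789012/locations/global/meshes/sidecar-mesh
rules:
- action:
    destinations:
    - serviceName: "projects/123456789012/locations/global/backendServices/http-helloworld-service"
"""
PROXY_FLAG = "enabled,mesh=sidecar-mesh"  # value passed to --service-proxy


def resource_names(text, kind):
    """Names of projects/*/locations/global/<kind>/* references found in text."""
    pattern = rf"projects/[^/\s\"]+/locations/global/{kind}/([^/\s\"]+)"
    return re.findall(pattern, text)


def check_mesh_wiring(mesh_yaml, route_yaml, proxy_flag):
    """Return findings; an empty list means Mesh, HTTPRoute and sidecar agree."""
    findings = []
    for placeholder in ("PROJECT_NUMBER", "PROJECT_ID"):
        if placeholder in route_yaml:
            findings.append(f"{placeholder} was not replaced in http_route.yaml")
    name = re.search(r"^name:\s*(\S+)", mesh_yaml, re.M)
    mesh_name = name.group(1) if name else ""
    if not mesh_name:
        findings.append("mesh.yaml has no name")
    # The route must be attached to the same Mesh the sidecar asks for.
    if mesh_name not in resource_names(route_yaml, "meshes"):
        findings.append(f"HTTPRoute is not attached to mesh {mesh_name!r}")
    flag = re.search(r"(?:^|,)mesh=([^,]+)", proxy_flag)
    if not flag or flag.group(1) != mesh_name:
        findings.append(f"--service-proxy does not request mesh {mesh_name!r}")
    if not resource_names(route_yaml, "backendServices"):
        findings.append("HTTPRoute has no backendServices destination")
    return findings
```
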
What's next
- For information about listing route resources associated with a Mesh or Gateway resource, see List Route resources. This feature is in Preview.