클러스터의 Kubernetes 컨트롤 플레인 주소와 게이트웨이 주소는 메시의 모든 클러스터에서 연결할 수 있어야 합니다. GKE 클러스터가 있는 Google Cloud 프로젝트에서 외부 부하 분산 유형을 만들 수 있도록 허용되어야 합니다.
승인된 네트워크 및 VPC 방화벽 규칙을 사용해서 액세스를 제한하는 것이 좋습니다.
GKE 비공개 클러스터를 포함한 비공개 클러스터는 지원되지 않습니다. VMware용 Google Distributed Cloud(소프트웨어 전용) 및 베어메탈용 Google Distributed Cloud(소프트웨어 전용)를 포함한 온프레미스 클러스터를 사용하는 경우 GKE 클러스터의 포드에서 Kubernetes 컨트롤 플레인 주소 및 게이트웨이 주소에 연결할 수 있어야 합니다. CloudVPN을 사용하여 GKE 클러스터의 서브넷을 온프레미스 클러스터 네트워크에 연결하는 것이 좋습니다.
Istio CA를 사용하는 경우 모든 클러스터에 동일한 커스텀 루트 인증서를 사용합니다.
시작하기 전에
메시에 설정하려는 모든 클러스터에 대해 kubeconfig 파일 액세스 권한이 필요합니다. GKE 클러스터의 경우 클러스터의 새 kubeconfig 파일을 만들려면 터미널의 값으로 파일 전체 경로가 있는 KUBECONFIG 환경을 내보내고 kubeconfig 항목을 생성할 수 있습니다.
환경 변수 및 자리표시자 설정
east-west 게이트웨이를 설치할 때는 다음 환경 변수가 필요합니다.
프로젝트 번호의 환경 변수를 만듭니다. 다음 명령어에서 FLEET_PROJECT_ID를 Fleet 호스트 프로젝트의 프로젝트 ID로 바꿉니다.
클러스터가 별도의 네트워크에 있으므로 두 클러스터의 east-west 게이트웨이에 모든 서비스(\*.local)를 노출해야 합니다. 이 게이트웨이는 인터넷에서는 공개 상태지만, 마치 동일한 네트워크에 있는 것처럼 신뢰할 수 있는 mTLS 인증서와 워크로드 ID를 사용하는 서비스만 이러한 서비스에 액세스할 수 있습니다.
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["이해하기 어려움","hardToUnderstand","thumb-down"],["잘못된 정보 또는 샘플 코드","incorrectInformationOrSampleCode","thumb-down"],["필요한 정보/샘플이 없음","missingTheInformationSamplesINeed","thumb-down"],["번역 문제","translationIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-09-04(UTC)"],[],[],null,["# Set up a hybrid mesh\n====================\n\n|\n| **Preview\n| --- Hybrid and mesh**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n| **Note:** This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information see, [Cloud Service Mesh overview](/service-mesh/v1.24/docs/overview).\n\nThis page explains how to set up a hybrid mesh for the\nfollowing platforms:\n\n- Hybrid: GKE on Google Cloud and Google Distributed Cloud (software only) for VMware\n- Hybrid: GKE on Google Cloud and Google Distributed Cloud (software only) for bare metal\n\nBy following these instructions you set up two clusters, but you can extend this\nprocess to incorporate any number of clusters into your mesh.\n\nPrerequisites\n-------------\n\n- All clusters must be registered to the same [fleet host project](/anthos/multicluster-management/fleets#fleet-host-project).\n- All GKE clusters must be in a [shared VPC](/vpc/docs/shared-vpc) configuration on the same network.\n- The cluster's Kubernetes control plane address and the gateway address need to be reachable from every cluster in the mesh. The Google Cloud project in which GKE clusters are located should be allowed to create [external load balancing types](/load-balancing/docs/org-policy-constraints). We recommend that you use [authorized networks](/kubernetes-engine/docs/how-to/authorized-networks) and [VPC firewall rules](/vpc/docs/using-firewalls) to restrict the access.\n- Private clusters, including GKE private clusters, are not supported. If you use On-Premises clusters including Google Distributed Cloud (software only) for VMware and Google Distributed Cloud (software only) for bare metal, the Kubernetes control plane address and the gateway address need to be reachable from pods in GKE clusters. We recommend that you use [CloudVPN](/network-connectivity/docs/vpn/concepts/overview) to connect the GKE cluster's subnet with the On-Premises cluster's network.\n- If you use Istio CA, use the same custom root certificate for all clusters.\n\nBefore you begin\n----------------\n\nYou need access to the kubeconfig files for all the clusters that you are\nsetting up in the mesh. For the GKE cluster, in order to create a\nnew kubeconfig file for the cluster, you can export `KUBECONFIG` env with the\ncomplete path of file as value in your terminal and generate the kubeconfig\nentry.\n| **Warning:** Only use kubeconfig files from trusted sources. Using a specially-crafted kubeconfig file could result in malicious code execution or file exposure. If you must use an untrusted kubeconfig file, inspect it carefully first, much as you would a shell script.\n\n### Set up environment variables and placeholders\n\nYou need the following environment variables when you install the\neast-west gateway.\n\n1. Create an environment variable for the project number. In the following\n command, replace \u003cvar translate=\"no\"\u003eFLEET_PROJECT_ID\u003c/var\u003e with the project ID of the\n [fleet host project](/anthos/multicluster-management/fleets#fleet-host-project).\n\n export PROJECT_NUMBER=$(gcloud projects describe \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-n\"\u003eFLEET_PROJECT_ID\u003c/span\u003e\u003c/var\u003e --format=\"value(projectNumber)\")\n\n2. Create an environment variable for the mesh identifier.\n\n export MESH_ID=\"proj-${PROJECT_NUMBER}\"\n\n3. Create environment variables for the network names.\n\n - GKE clusters default to the cluster network name:\n\n export NETWORK_1=\"PROJECT_ID-CLUSTER_NETWORK\"\n - Other clusters use `default`:\n\n export NETWORK_2=\"default\"\n\n Note that If you installed Cloud Service Mesh on other clusters\n with different values for `--network_id`, then you should pass the same\n values to value to NETWORK_2.\n\nInstall the east-west gateway\n-----------------------------\n\n1. Install a gateway in CLUSTER_1 (your GKE cluster) that is\n dedicated to [east-west](https://en.wikipedia.org/wiki/East-west_traffic)\n traffic to CLUSTER_2 (your on-premise cluster):\n\n asm/istio/expansion/gen-eastwest-gateway.sh \\\n --mesh ${MESH_ID} \\\n --network ${NETWORK_1} \\\n --revision asm-1246-9 | \\\n ./istioctl --kubeconfig=\u003cvar translate=\"no\"\u003ePATH_TO_KUBECONFIG_1\u003c/var\u003e install -y -f -\n\n Note that this gateway is public on the Internet by default. Production\n systems might require additional access restrictions, for example firewall\n rules, to prevent external attacks.\n2. Install a gateway in CLUSTER_2 that is dedicated to east-west traffic for\n CLUSTER_1.\n\n asm/istio/expansion/gen-eastwest-gateway.sh \\\n --mesh ${MESH_ID} \\\n --network ${NETWORK_2} \\\n --revision asm-1246-9 | \\\n ./istioctl --kubeconfig=\u003cvar translate=\"no\"\u003ePATH_TO_KUBECONFIG_2\u003c/var\u003e install -y -f -\n\nExpose services\n---------------\n\nSince the clusters are on separate networks, you need to expose all services\n(`\\*.local`) on the east-west gateway in both clusters. While this gateway is\npublic on the internet, services behind it can only be accessed by services with\na trusted mTLS certificate and workload ID, just as if they were on the same\nnetwork.\n\nExpose services via the east-west gateway for every cluster \n\n kubectl --kubeconfig=\u003cvar translate=\"no\"\u003ePATH_TO_KUBECONFIG_1\u003c/var\u003e apply -n istio-system -f \\\n asm/istio/expansion/expose-services.yaml\n kubectl --kubeconfig=\u003cvar translate=\"no\"\u003ePATH_TO_KUBECONFIG_2\u003c/var\u003e apply -n istio-system -f \\\n asm/istio/expansion/expose-services.yaml\n\nEnable endpoint discovery\n-------------------------\n\n| **Note:** For more information on endpoint discovery, refer to [Endpoint discovery with multiple control planes](https://istio.io/v1.24/docs/ops/deployment/deployment-models/#endpoint-discovery-with-multiple-control-planes).\n\nRun the `asmcli create-mesh` command to enable endpoint discovery. This\nexample only shows two clusters, but you can run the command to enable\nendpoint discovery on additional clusters, subject to the\n[GKE Hub service limit](/anthos/fleet-management/docs/quotas). \n\n ./asmcli create-mesh \\\n \u003cvar label=\"fleetid\" translate=\"no\"\u003eFLEET_PROJECT_ID\u003c/var\u003e \\\n \u003cvar label=\"kubeconfig1\" translate=\"no\"\u003ePATH_TO_KUBECONFIG_1\u003c/var\u003e \\\n \u003cvar label=\"kubeconfig2\" translate=\"no\"\u003ePATH_TO_KUBECONFIG_2\u003c/var\u003e\n\nVerify multi-cluster connectivity\n---------------------------------\n\nSee [Injecting sidecar proxies](/service-mesh/v1.24/docs/onboarding/kubernetes-workloads#inject_sidecar_proxies)."]]