Deploying internal services using Cloud Run for Anthos on Google Cloud

This tutorial demonstrates how to expose services deployed to Cloud Run for Anthos on your internal network. This type of configuration allows other resources in your network to communicate with the service using a private, internal (RFC 1918) IP address. Exposing services on an internal network is useful for enterprises that provide internal apps to their staff, and for services that are used by clients that run outside the Cloud Run for Anthos cluster.

Cloud Run for Anthos provides a developer-focused experience for deploying and serving apps and functions running on GKE. By default, Cloud Run for Anthos exposes services outside the cluster by using Istio's ingress gateway. This gateway is a Kubernetes service of type LoadBalancer, which means by default it's exposed on a public IP address using Network Load Balancing.

This tutorial shows you how to expose your Cloud Run for Anthos services on an internal IP address in your VPC network by changing Istio's ingress gateway to use Internal TCP/UDP Load Balancing instead of Network Load Balancing.

Objectives

Create a GKE cluster with Cloud Run enabled.
Update the Istio ingress gateway to use Internal TCP/UDP Load Balancing.
Test the app by deploying a sample service to Cloud Run for Anthos.

Costs

This tutorial uses the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use the pricing calculator. New Google Cloud users might be eligible for a free trial.

When you finish this tutorial, you can avoid continued billing by deleting the resources you created. For more information, see Cleaning up.

Before you begin

Sign in to your Google Account.
If you don't already have one, sign up for a new account.
In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

Go to the project selector page
Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
In the Cloud Console, activate Cloud Shell.

Activate Cloud Shell

At the bottom of the Cloud Console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Cloud SDK already installed, including the gcloud command-line tool, and with values already set for your current project. It can take a few seconds for the session to initialize.

In Cloud Shell, enable the Cloud Run API, GKE API, and Cloud APIs:

gcloud services enable \
    cloudapis.googleapis.com \
    container.googleapis.com \
    run.googleapis.com

Setting up the environment

In Cloud Shell, define environment variables and the gcloud tool defaults for the Compute Engine zone and GKE cluster name that you want to use for this tutorial:
```
ZONE=us-central1-f
CLUSTER=cloudrun-gke-ilb-tutorial

gcloud config set compute/zone $ZONE
gcloud config set run/cluster $CLUSTER
gcloud config set run/cluster_location $ZONE
```
The examples in this tutorial use us-central1-f as the zone and cloudrun-gke-ilb-tutorialas the cluster name. You can use different values. For more information, see Geography and regions.

Creating a GKE cluster with Cloud Run enabled

In Cloud Shell, create a GKE cluster with the Cloud Run add-on:

gcloud beta container clusters create $CLUSTER \
    --addons HorizontalPodAutoscaling,HttpLoadBalancing,CloudRun \
    --enable-ip-alias \
    --enable-stackdriver-kubernetes \
    --machine-type n1-standard-2

Configuring Internal TCP/UDP Load Balancing

In Cloud Shell, patch the Istio ingress gateway to use Internal TCP/UDP Load Balancing:
```
kubectl -n gke-system patch svc istio-ingress -p \
    '{"metadata":{"annotations":{"cloud.google.com/load-balancer-type":"Internal"}}}'
```
It might take a few minutes for the change to take effect. Run the following command to poll your GKE cluster for change. Look for the value of EXTERNAL-IP to change to a private IP address:
```
kubectl -n gke-system get svc istio-ingress --watch
```
Press Ctrl+C to stop the polling when you see a private IP address in the EXTERNAL-IP field.

Deploy a sample service

In Cloud Shell, deploy a service called sample to Cloud Run for Anthos in the default namespace:

gcloud run deploy sample \
    --image gcr.io/knative-samples/simple-api \
    --namespace default \
    --platform gke

Verify internal connectivity

In Cloud Shell, create a Compute Engine virtual machine (VM) in the same zone as the GKE cluster:
```
VM=cloudrun-gke-ilb-tutorial-vm

gcloud compute instances create $VM
```

Store the private IP address of the Istio ingress gateway in an environment variable called EXTERNAL_IP and a file called external-ip.txt:

export EXTERNAL_IP=$(kubectl -n gke-system get svc istio-ingress \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}' | tee external-ip.txt)

Copy the file containing the IP address to the VM:
```
gcloud compute scp external-ip.txt $VM:~
```
Connect to the VM using SSH:
```
gcloud compute ssh $VM
```

While in the SSH session, test the sample service:

curl -s -w'\n' -H Host:sample.default.example.com $(cat external-ip.txt)

The output is as follows:

OK

Leave the SSH session:
```
exit
```

Troubleshooting

If you run into problems with this tutorial, review the following documents:

Cleaning up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

Delete the project

In the Cloud Console, go to the Manage resources page.
Go to Manage resources
In the project list, select the project that you want to delete, and then click Delete.
In the dialog, type the project ID, and then click Shut down to delete the project.

Delete the individual resources

If you want to keep the Google Cloud project you used in this tutorial, delete the individual resources:

Delete the GKE cluster:

gcloud container clusters delete $CLUSTER --quiet --async

Delete the Compute Engine instance:

gcloud compute instances delete $VM --quiet

What's next

Learn how to authenticate end users of Cloud Run for Anthos with Istio and Cloud Identity Platform.
Learn how to authorize access to Cloud Run for Anthos using Istio.
Understand how to access Internal TCP/UDP Load Balancing IP addresses from connected networks.
Read Cloud Run for Anthos how-to guides.
Explore Knative, the open source project that underpins Cloud Run.
Try out other Google Cloud features for yourself. Have a look at our tutorials.