Setting up Traffic Director includes the following phases:
- Granting permissions and enabling the Traffic Director API.
- Deploying your applications with Envoy proxies.
- Creating services and routing rules that determine how traffic travels through your service mesh.
This document describes the first phase. The second and third phases are covered by the platform-specific guides listed in Continue the setup process later in this document.
Before you read this guide, familiarize yourself with the Traffic Director overview.
Whether you plan to use Traffic Director to configure Envoy proxies running alongside applications on virtual machine (VM) instances, containers, or a mix of both, you need to first complete the following tasks:
- Enable billing.
- Decide how you want to install Envoy.
- Grant the required permissions.
- Enable the Traffic Director API for your project.
- Ensure that the service account used by the Envoy proxies has sufficient permissions to access the Traffic Director API.
The following sections provide instructions for each task.
Make sure that billing is enabled for your Google Cloud project. For more information, see Enable, disable, or change billing for a project.
Decide how to install Envoy
Traffic Director makes it easy to install Envoy proxies and manage this infrastructure layer:
On Compute Engine, you can automatically add Envoy to applications running on your VMs. You use a VM template that installs Envoy, connects it to Traffic Director, and configures your VM's networking.
On Google Kubernetes Engine (GKE), you can automatically add Envoy sidecar proxies to your services' Pods. You install an Envoy sidecar injector to your cluster, which adds Envoy sidecar proxies, connects them to Traffic Director, and configures your container's networking.
Finally, you can also use Envoy deployment solutions from third-party providers with Traffic Director. One example of such an offering is GetEnvoy, which provides a package manager-based approach to installing and updating your Envoy proxies.
About Envoy versioning
Envoy must be version 1.9.1 or later to work with Traffic Director. We recommend always using the most recent Envoy version to ensure that known security vulnerabilities are mitigated.
If you decide to deploy Envoy by using one of our automated methods, we handle this task for you as follows:
When you use automated Envoy deployment with Compute Engine VMs, the Envoy version installed is one that we have validated to work with Traffic Director. When a new VM is created by using the instance template, the VM receives the latest version that we have validated. If you have a long-running VM, you can use a rolling update to replace your existing VMs and pick up the latest version.
When you use the Envoy sidecar injector with GKE, the injector is configured to use a recent version of Envoy that we have validated to work with Traffic Director. When a sidecar is injected alongside your workload Pod, it receives this version of Envoy. If you want to pick up a more recent version of Envoy, update the Envoy sidecar injector.
Grant the required IAM permissions
You must have sufficient Identity and Access Management (IAM) permissions to create VM
instances and modify a network to configure Traffic Director. If you have the
role of project
Owner or Editor (
roles/editor) in the project where you
are enabling Traffic Director, you automatically have the correct permissions.
Otherwise, you must have all of the Compute Engine IAM roles shown in the following table. If you have these roles, you also have their associated permissions, as described in the Compute Engine IAM documentation.
|Set IAM policy for a service account.||Service Account Admin
|Obtain the global forwarding rule resource.||Compute Network Viewer
|Enable Traffic Director.||Service Usage Admin
|Create networks, subnets, and load balancer components.||Compute Network Admin
|Add and remove firewall rules.||Compute Security Admin
|Create instances.||Compute Instance Admin
Enable the Traffic Director API
In the Google Cloud Console, go to the API Library page for your project.
In the Search for APIs & Services field, enter
In the search results list, click Traffic Director API. If you don't see the Traffic Director API listed, that means that you don't have the necessary permissions to enable the Traffic Director API.
On the Traffic Director API page, click Enable.
Run the following command:
gcloud services enable trafficdirector.googleapis.com
Enable the service account to access the Traffic Director API
When you set up your data plane and connect it to Traffic Director, your
xDS clients (for example, Envoy proxies) connect to the
trafficdirector.googleapis.com xDS server. These xDS clients present a service
account identity to the xDS server to ensure that communications between the
data plane and the control plane are properly authorized:
- For a Compute Engine VM, the xDS client uses the service account assigned to the VM.
- For GKE, if
Workload Identityis not enabled, the xDS client uses the service account assigned to the underlying GKE node.
Workload Identityis enabled, the xDS client uses the Google service account that is bound to the Kubernetes service account that is assigned to the Pod.
You need the following permissions, depending on the version of the xDS client that you use to configure Envoy. We recommend that you configure your new Envoy deployments by using xDS v3, or migrate to xDS v3 if you have an existing deployment that uses xDS v2.
When you use xDS v3, the service account used by your clients must have the
trafficdirector.networks.getConfigspermissions. You can use the IAM Traffic Director Client role (
roles/trafficdirector.client), which wraps both permissions.
When you use xDS v2, the service account used by your clients must have the project-level IAM
compute.globalForwardingRules.getpermission. You can also grant this permission by assigning the Compute Network Viewer role (
roles/compute.networkViewer) to the service account.
In the Cloud Console, go to the IAM & Admin page.
Select your project.
Identify the service account to which you want to add a role:
- If the service account isn't already on the Members list, it doesn't have any roles assigned to it. Click Add and enter the email address of the service account.
- If the service account is already on the Members list, it has existing roles. Select the service account, and then click the Roles tab.
Expand the role. For the service account that you want to edit, clickEdit.
Select the Other > Traffic Director Client role.
To apply the role to the service account, click Save.
Run the following command:
gcloud projects add-iam-policy-binding PROJECT \ --member serviceAccount=SERVICE_ACCOUNT_EMAIL \ --role=roles/trafficdirector.client
Replace the following:
gcloud config get-value project
SERVICE_ACCOUNT_EMAIL: the email associated with the service account
Continue the setup process
Now that you completed the prerequisite steps, you can start to set up your service mesh. The following guides provide platform-specific instructions for Compute Engine and GKE:
- Traffic Director setup for Compute Engine VMs with automatic Envoy deployment
- Traffic Director setup for GKE Pods with automatic Envoy injection
- Traffic Director setup for Compute Engine VMs with manual Envoy deployment
- Traffic Director setup for GKE Pods with manual Envoy injection
- Routing TCP traffic with Traffic Director
- Advanced Traffic Director configuration options
- Configure Envoy bootstrap attributes for Traffic Director
While these guides each focus on deploying Envoy sidecar proxies on a single platform (either Compute Engine or GKE), Traffic Director is flexible and supports deployments that span both Compute Engine and GKE.