Setting up Traffic Director includes several phases. This document describes the first phase: instructions for preparing to configure Traffic Director with proxyless gRPC applications. The other phases are covered by the platform-specific guides listed in Continue the setup process later in this document.
Before you read this guide, familiarize yourself with the following documents, which provide an overview of using Traffic Director with proxyless gRPC applications:
Prerequisites
Prepare your environment by completing the following tasks:
- Enable billing.
- Grant the required permissions.
- Enable the Traffic Director API for your project.
- Ensure that the service account has sufficient permissions to access the Traffic Director API.
The following sections provide instructions for each task.
Enable billing
Make sure that billing is enabled for your Google Cloud project. For more information, see Enable, disable, or change billing for a project.
Grant the required IAM permissions
You must have sufficient Identity and Access Management (IAM) permissions to create VM
instances and modify a network to configure Traffic Director. If you have the
role of project
Owner or Editor (roles/owner or
roles/editor) in the project where you
are enabling Traffic Director, you automatically have the correct permissions.
Otherwise, you must have all of the IAM roles shown in the following table. If you have these roles, you also have their associated permissions, as described in the Compute Engine IAM documentation.
| Task | Required role |
|---|---|
| Set IAM policy for a service account. | Service Account Admin
( roles/iam.serviceAccountAdmin) |
| Obtain the global forwarding rule resource. | Compute Network Viewer
( roles/compute.networkViewer) |
| Enable Traffic Director. | Service Usage Admin
( roles/serviceusage.serviceUsageAdmin) |
| Create networks, subnets, and load balancer components. | Compute Network Admin
( roles/compute.networkAdmin) |
| Add and remove firewall rules. | Compute Security Admin
( roles/compute.securityAdmin) |
| Create instances. | Compute Instance Admin
( roles/compute.instanceAdmin) |
| Create and modify a GKE cluster, if using Pods. | Cluster Admin
( roles/container.clusterAdmin) |
| Allows access to service accounts. | Service Account User
( roles/iam.serviceAccountUser |
In addition, the Compute Engine VMs must have the
https://www.googleapis.com/auth/cloud-platform
scope. For more information, see
Troubleshooting deployments that use proxyless gRPC.
Enable the Traffic Director API
Console
In the Google Cloud Console, go to the API Library page for your project.
In the Search for APIs & Services field, enter
Traffic Director.In the search results list, click Traffic Director API. If you don't see the Traffic Director API listed, that means that you don't have the necessary permissions to enable the Traffic Director API.
On the Traffic Director API page, click Enable.
gcloud
Run the following command:
gcloud services enable trafficdirector.googleapis.com
Enable the service account to access the Traffic Director API
When you set up your data plane and connect it to Traffic Director, your
xDS clients connect to the trafficdirector.googleapis.com xDS server. These
xDS clients present a service account identity to the xDS server to ensure that
communications between the data plane and the control plane are properly
authorized.
For a Compute Engine VM, the xDS client uses the service account assigned to the VM.
You need the following permissions, depending on the version of the xDS protocol that your gRPC application is using. The xDS protocol version is specified in the bootstrap file. We recommend that you configure your application by using xDS v3, or migrate to xDS v3 if you have an existing deployment that uses xDS v2.
When you use xDS v3, the service account used by your gRPC applications must have the
trafficdirector.networks.reportMetricsandtrafficdirector.networks.getConfigspermissions. You can use the IAM Traffic Director Client role (roles/trafficdirector.client), which wraps both permissions.When you use xDS v2, the service account used by your gRPC applications must have the project-level IAM
compute.globalForwardingRules.getpermission. You can also grant this permission by assigning the Compute Network Viewer role (roles/compute.networkViewer) to the service account.
Console
In the Cloud Console, go to the IAM & Admin page.
Select your project.
Identify the service account to which you want to add a role:
- If the service account isn't already on the Members list, it doesn't have any roles assigned to it. Click Add and enter the email address of the service account.
- If the service account is already on the Members list, it has existing roles. Select the service account, and then click the Roles tab.
Expand the role. For the service account that you want to edit, click Edit.
Select the Other > Traffic Director Client role.
To apply the role to the service account, click Save.
gcloud
Run the following command:
gcloud projects add-iam-policy-binding PROJECT \
--member serviceAccount:SERVICE_ACCOUNT_EMAIL \
--role=roles/trafficdirector.client
Replace the following:
PROJECT: entergcloud config get-value projectSERVICE_ACCOUNT_EMAIL: the email associated with the service account
Next, follow this overall procedure for setting up proxyless gRPC applications in a service mesh:
- Update your gRPC clients to the latest version of gRPC, with the most recent patch.
- Update your clients' gRPC name resolver scheme when you create a channel and specify a Traffic Director bootstrap file.
- Configure Traffic Director and Cloud Load Balancing resources.
This document provides information for completing the first two steps. The configuration process that you use for step 3 depends on whether your deployment uses Compute Engine VMs or GKE network endpoint groups (NEGs).
Supported gRPC versions and languages
gRPC is an open source project and its release support is described on the gRPC FAQ. We recommend that you use the most recent version of gRPC to ensure that known security vulnerabilities are mitigated. This also ensures that your applications have access to the latest features supported by Traffic Director. The service mesh features supported in various implementations and versions of gRPC are listed on GitHub. For a list of gRPC languages and features supported with Traffic Director and proxyless gRPC services, see Traffic Director features.
Traffic Director maintains compatibility with current and supported versions of gRPC and endeavors to be compatible with gRPC versions less than one year old, subject to the Google Cloud Platform Terms of Service.
Update your gRPC clients
Update the gRPC library in your application to the version that supports the features that you require. For details, see the previous section.
Add the xDS name-resolver as a dependency to your gRPC applications. Requirements per language for Java and Go are shown in the following sections. Other languages do not have any additional requirements.
Java requirements
In Java, if you're using Gradle, add the grpc-xds dependency to your
build.gradle file. Replace LATEST_GRPC_VERSION with the
latest version of
gRPC.
dependencies {
runtimeOnly 'io.grpc:grpc-xds:LATEST_GRPC_VERSION'
}
If you're using Maven, add the following to the <dependencies> section
of pom.xml. Replace LATEST_GRPC_VERSION with the
latest version of gRPC.
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-xds</artifactId>
<version>LATEST_GRPC_VERSION</version>
<scope>runtime</scope>
</dependency>
Go requirements
If you're using Go, import the xds Go package.
Set gRPC name resolver to use xds
Set or change your gRPC applications to use the xds name resolution scheme in
the target URI, rather than DNS or any other resolver scheme. You do this by
using the prefix xds:/// in the target name when you create a gRPC channel.
Load balancing for gRPC clients is on a per-channel basis.
Include the service name used in the target URI in the
Traffic Director configuration. For example, in Java, you create the
channel by using this structure, in which the service name is helloworld:
ManagedChannelBuilder.forTarget("xds:///helloworld[:PORT_NUMBER]")
Create and configure a bootstrap file
The xds resolver scheme tells the gRPC application to connect to
Traffic Director to obtain configuration information for the target
service. Therefore, do the following:
- Create a bootstrap file, as shown in the following sample. This file tells gRPC to connect to an xDS server (Traffic Director) to get the configuration for specific services.
- Define an environment variable named
GRPC_XDS_BOOTSTRAP, with the bootstrap filename as the value of the environment variable.
The setup instructions have examples that show how to generate the bootstrap file. For your convenience, you can use the latest version of Traffic Director gRPC bootstrap generator.
A bootstrap file containing the information needed to connect to Traffic Director must be included alongside the application. A sample bootstrap file looks like this:
{
"xds_servers": [
{
"server_uri": "trafficdirector.googleapis.com:443",
"channel_creds": [
{
"type": "google_default"
}
],
"server_features": ["xds_v3"]
}
],
"node": {
"id": "projects/123456789012/networks/default/nodes/b7f9c818-fb46-43ca-8662-d3bdbcf7ec18",
"metadata": {
"TRAFFICDIRECTOR_NETWORK_NAME": "default"
},
"locality": {
"zone": "us-central1-a"
}
}
}
The following table explains the fields in the bootstrap file.
| Field | Value and description |
|---|---|
xds_servers |
A list of xDS servers. gRPC uses only the first one in the list. |
server_uri |
Specify at least one. gRPC tries to connect to only the first xDS
server in the list of xds_servers. The default value is
trafficdirector.googleapis.com:443. |
channel_creds |
Credentials to use with the xDS server. |
type |
Use the value google_default. For more information about
how credentials are obtained, see
Getting started with authentication. |
server_features |
A list of features supported by the server, such as xDS v3 support. The default value is empty. |
node |
Information about the client connecting to the xDS server. |
id |
The projects/PROJECT_NUMBER/networks/NETWORK_NAME/nodes/ID Provide a unique string as the value of |
metadata |
Information specific to the xDS server. |
TRAFFICDIRECTOR_NETWORK_NAME |
If the field is empty or not specified, then the value is set to
default. |
locality |
The Google Cloud zone in which the gRPC client is running. |
Continue the setup process
After you complete the prerequisites described in this document, continue with the instructions in one of these documents:
- Traffic Director setup for Compute Engine VMs and proxyless gRPC services
- Traffic Director setup for GKE and proxyless gRPC services