Stay organized with collections Save and categorize content based on your preferences.

Set up an ingress gateway

This guide demonstrates how to configure Traffic Director with an ingress gateway.

In this configuration, a network load balancer directs traffic from the internet to your service mesh through an ingress gateway. A Gateway resource manages an Envoy proxy that acts as a gateway into the service mesh. A gateway is also known as a middle proxy or ingress. The Envoy proxies deployed to act as an ingress gateway are standalone proxies rather than a sidecar to a workload. In this mode, Envoy listens on a well-defined list of IP addresses and ports and forwards traffic according to routing rules that you configure. A new Gateway API resource is used to configure such Envoy clients.

Ingress gateway with Envoy proxy, network load balancer, and Gateway resource
Ingress gateway with Envoy proxy, network load balancer, and Gateway resource (click to enlarge)

Set up routing to ensure that traffic destined for the Gateway proxies is directed to the VMs hosting the Envoys. The ingress service can be paired with an external HTTP(S) load balancer or internal TCP/UDP load balancer, but such configurations are not included in this demonstration setup. For information about setting up an external HTTP(S) load balancer, see the HTTP(S) Load Balancing documentation. For information on setting up a internal TCP/UDP load balancer, see the Internal TCP/UDP Load Balancing documentation.

This guide does not cover the service-to-service communication and the Mesh resource behind the Gateway.

Before you begin

Make sure that your deployment meets the prerequisites described in the following guides:

Configure firewall rules

In this section, you configure two firewall rules. One rule allows health check probes to access the Virtual Private Cloud network. The other rule allows traffic from any source into the network.

  1. Configure firewall rules to allow health checks.

    gcloud compute firewall-rules create allow-gateway-health-checks \
      --network=NETWORK_NAME \
      --direction=INGRESS \
      --action=ALLOW \
      --rules=tcp \
      --source-ranges=",," \
  2. Configure firewall rules to allow traffic from any source. Edit the commands for your ports and source IP address ranges.

    gcloud compute firewall-rules create allow-gateway-ingress-traffic \
      --network=NETWORK_NAME \
      --direction=INGRESS \
      --action=ALLOW \
      --rules=tcp:80,tcp:443 \
      --source-ranges="" \

Configure Identity and Access Management permissions

In this section, you designate the service account for the gateway proxies and assign them the correct IAM roles.

  1. Create a service account identity for the gateway proxies.

    gcloud iam service-accounts create gateway-proxy
  2. Assign the required IAM roles to the service account identity.

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="" \
    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="" \

Configure the Gateway resource

In this section, you configure the gateway resource.

  1. In a file called gateway80.yaml, create the Gateway specification for HTTP traffic.

    cat <<EOF | tee gateway80.yaml
    name: gateway80
    scope: gateway-proxy
    - 80
    type: OPEN_MESH
  2. Create the Gateway resource from the gateway80.yaml specification:

    gcloud network-services gateways import gateway80 \
        --source=gateway80.yaml \

Create a managed instance group with Envoy proxies

In this section, you create the Envoy proxies that are associate with the ingress gateway.

  1. Create an instance template for a VM running an automatically deployed Envoy service proxy. The Envoys have a scope of gateway-proxy. Do not pass the serving port as a parameter of --service-proxy.

    gcloud beta compute instance-templates create gateway-proxy \
      --machine-type=n1-standard-1 \
      --boot-disk-size=10GB \
      --scopes= \
      --tags=gateway-proxy \
      --network-interface=network=NETWORK_NAME,no-address \
      --service-account="" \
      --service-proxy=enabled,scope=gateway-proxy \
  2. Create a regional managed instance group from the instance template.

    gcloud compute instance-groups managed create gateway-proxies-REGION \
      --region=REGION \
      --size=2 \
      --template=gateway-proxy \
  3. Set a named port to enable TCP health checking for the network load balancer.

    gcloud compute instance-groups managed set-named-ports \
      gateway-proxies-REGION \
      --region=REGION \
  4. Enable autoscaling for the instance group.

    gcloud compute instance-groups managed set-autoscaling \
      gateway-proxies-REGION \
      --region=REGION \
      --cool-down-period=60 \
      --min-num-replicas=3 \
      --max-num-replicas=10 \
      --mode=on \

Set up regional Network Load Balancing

In this section, you create the network load balancer, a backend service, forwarding rule, and health check.

  1. Create the network load balancer.

    gcloud compute addresses create xnlb-REGION \
  2. Get the IP address that is reserved for the network load balancer.

    gcloud compute addresses describe xnlb-REGION \
      --region=REGION --format='value(address)'

    This IP address is used as the variable IP_ADDRESS in later sections of this setup guide.

  3. Create a health check for the gateway proxies.

    gcloud compute health-checks create tcp xnlb-REGION \
      --region=REGION \
  4. Create a backend service for the gateway proxies.

    gcloud compute backend-services create xnlb-REGION \
      --health-checks=xnlb-REGION \
      --health-checks-region=REGION \
      --load-balancing-scheme=EXTERNAL \
      --protocol=TCP \
      --region=REGION \
  5. Add the managed instance group as the backends.

    gcloud compute backend-services add-backend xnlb-REGION \
      --instance-group=gateway-proxies-REGION \
      --instance-group-region=REGION \
  6. Create a forwarding rule pointing to the gateway proxies.

    gcloud compute forwarding-rules create xnlb-REGION \
      --region=REGION \
      --load-balancing-scheme=EXTERNAL \
      --address=IP_ADDRESS \
      --ip-protocol=TCP \
      --ports=80 \
      --backend-service=xnlb-REGION \

Configure the HTTP server

In this section, you create a test service in the service mesh.

  1. Create an instance template with a test service on port 10000 using the netcat utility

    gcloud compute instance-templates create tcp-td-vm-template \
      --scopes= \
      --tags=allow-health-checks \
      --image-family=debian-10 \
      --image-project=debian-cloud \
      --metadata=startup-script="#! /bin/bash
    sudo apt-get update -y
    sudo apt-get install apache2 -y
    sudo service apache2 restart
    echo '<!doctype html><html><body><h1>'\`/bin/hostname\`'</h1></body></html>' | sudo tee /var/www/html/index.html"
  2. Create a managed instance group based on the template.

    gcloud compute instance-groups managed create tcp-td-mig-us-east1 \
      --zone=us-east1-b \
      --size=1 \
  3. Create an HTTP health check.

    gcloud compute health-checks create http helloworld-health-check
  4. Create a firewall rule to allow incoming health check connections to instances in your network.

    gcloud compute firewall-rules create tcp-vm-allow-health-checks \
       --network default \
       --action allow \
       --direction INGRESS \
       --source-ranges=, \
       --target-tags allow-health-checks \
       --rules tcp:80
  5. Create a global backend service with a load balancing scheme of INTERNAL_SELF_MANAGED and attach the health check.

    gcloud compute backend-services create http-helloworld-service \
        --global \
        --load-balancing-scheme=INTERNAL_SELF_MANAGED \
        --protocol=HTTP \
        --health-checks helloworld-health-check
  6. Add the managed instance group to the backend service.

    gcloud compute backend-services add-backend http-helloworld-service \
      --instance-group tcp-td-mig-us-east1 \
      --instance-group-zone us-east1-b \

Set up routing with HTTPRoute

You now have a Traffic Director Gateway resource and a service configured. Next, you connect them by using an HTTPRoute resource that associates a hostname with a backend service. The HTTPRoute also references the Gateway.

  1. In a file called http_route.yaml, create the HTTPRoute specification. The specification references gateway80, which is the Gateway resource that you created earlier, and it points to the backend service http-helloworld-service.

    You can use either PROJECT_ID or PROJECT_NUMBER.

    name: helloworld-http-route
    - helloworld-gce
    - projects/PROJECT_NUMBER/locations/global/gateways/gateway80
    - action:
        - serviceName: "projects/PROJECT_NUMBER/locations/global/backendServices/http-helloworld-service"
  2. Use the specification in http_route.yaml to create the HTTPRoute resource.

    gcloud network-services http-routes import helloworld-http-route \
        --source=http_route.yaml \
  3. Verify that you can access the service from an external client through the network load balancer and the Traffic Director Gateway.

    curl -H "Host: helloworld-gce" IP_ADDRESS