Preparing for Traffic Director setup

Setting up Traffic Director has three phases:

  • Performing prerequisite tasks, such as ensuring that required accounts have the correct permissions
  • Preparing the hosts where your microservices run, whether these are VMs or Kubernetes pods
  • Setting up the components that manage traffic routing and load balancing

This guide describes how to perform the prerequisite tasks. Before you read this guide, familiarize yourself with Traffic Director Concepts.

Additional guides describe how to prepare the hosts and set up the traffic routing and load balancing components.

Prerequisites

Regardless of the Traffic Director configuration you choose, complete the following tasks before you start the configuration process:

  • Decide on an Envoy binary
  • Ensure that a Linux host is available
  • Grant the required IAM permissions
  • Enable the Traffic Director API
  • Enable the service account to access the Traffic Director API

The following sections provide instructions for each task.

Deciding on an Envoy binary

During the configuration process, you install Envoy binaries on the host.

Traffic Director supports Envoy version 1.9.1 or later. We strongly recommend using the most recent Envoy version to ensure that all known security vulnerabilities are mitigated.

The Envoy binary is currently distributed as a Docker image. If you decide to use the most recent binary, you need Docker tools to unpack the Envoy proxy binary. You also need Docker permissions to pull the image from Docker. If you run the Docker tools as a non-root user, follow Docker's post-installation instructions at https://docs.docker.com/install/linux/linux-postinstall/.

Ensuring that a Linux host is available

If you are installing Traffic Director on Google Cloud VMs, some setup tasks require that you have access to a Linux host. The host can be a local machine or a VM running on your Virtual Private Cloud network.

Granting the required IAM permissions

To configure Traffic Director, you must be able to create instances and modify a network in a project. If you are the project owner or editor in the project where you are enabling Traffic Director, you automatically have the correct permissions.

Otherwise, you must have all of the following Compute Engine IAM roles and permissions:

Task: Required role and permissions

  • Set IAM policy for a service account: iam.serviceAccounts.setIamPolicy permission with the iam.serviceAccountAdmin role. This permission is also included in the Service Usage Admin role.
  • Enable the service account to access the Traffic Director API: compute.globalForwardingRules.get permission with the compute.networkViewer role.
  • Enable Traffic Director: serviceusage.services.enable on the project. This permission is included in the Service Usage Admin role.
  • Create networks, subnets, and load balancer components: Network Admin
  • Add and remove firewall rules: Security Admin
  • Create instances: Instance Admin

In addition, if you are configuring Traffic Director with a Google Kubernetes Engine cluster, the GKE node pool must have the https://www.googleapis.com/auth/cloud-platform scope.

Enabling the Traffic Director API

Console

  1. In the Cloud Console, go to APIs & services for your project.
  2. To find the Traffic Director API, use the search field. If you don't see the Traffic Director API listed, that means you haven't been granted access to enable the Traffic Director API.
  3. Click the Traffic Director API.
  4. In the page that displays information about the API, click Enable.

gcloud

gcloud services enable trafficdirector.googleapis.com

Enabling the service account to access the Traffic Director API

When the sidecar proxy connects to the xDS server (trafficdirector.googleapis.com), the proxy uses the service account of the Compute Engine VM host or of the GKE node instance. Unless you modify the configuration, Google Cloud uses the Compute Engine default service account. The service account must have the compute.globalForwardingRules.get project-level IAM permission.

To enable this permission, assign the role compute.networkViewer to the service account.

  • If you use the default service account for your VM or GKE cluster nodes, you can use the procedure below to assign the compute.networkViewer role.
  • If you use a non-default service account, replace the ${SERVICE_ACCOUNT_EMAIL} variable with the correct email address.
  • Alternatively, you can create a custom role that has the compute.globalForwardingRules.get permission.

Console

  1. Open the IAM & Admin page in the Cloud Console.

  2. Select your project.

  3. Identify the service account to which you want to add a role.

    • If the service account isn't already on the members list, it doesn't have any roles assigned to it. Click Add and enter the email address of the service account.
    • If the service account is already on the members list, it has existing roles. Select the service account and click the Roles tab.
  4. Click the Edit button for the service account that you want to edit.

  5. Select the Compute Engine > Compute Network Viewer role.

  6. Click Save to apply the role to the service account.

gcloud

# Current project from the active gcloud configuration
PROJECT=$(gcloud config get-value project)
# Email of the Compute Engine default service account in that project
SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts list \
  --format='value(email)' \
  --filter='displayName:Compute Engine default service account')
# Grant the Compute Network Viewer role at the project level
gcloud projects add-iam-policy-binding "${PROJECT}" \
  --member "serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
  --role roles/compute.networkViewer
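As an added example (not part of this guide or of Traffic Director itself), the following script verifies the two prerequisites from the previous sections offline: that the Traffic Director API is enabled, and that the proxy's service account holds roles/compute.networkViewer. It consumes the JSON that `gcloud services list --enabled --format=json` and `gcloud projects get-iam-policy PROJECT --format=json` produce; the service account email and policy contents embedded here are constructed samples, and a custom role carrying compute.globalForwardingRules.get is not detected, since permissions of custom roles do not appear in the policy output.

```python
"""Offline check of two Traffic Director prerequisites from gcloud JSON output."""
import json

# Constructed sample of `gcloud services list --enabled --format=json`
SERVICES_JSON = """[
  {"config": {"name": "compute.googleapis.com"}, "state": "ENABLED"},
  {"config": {"name": "trafficdirector.googleapis.com"}, "state": "ENABLED"}
]"""

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json`
POLICY_JSON = """{
  "bindings": [
    {"role": "roles/editor",
     "members": ["user:alice@example.com"]},
    {"role": "roles/compute.networkViewer",
     "members": ["serviceAccount:123456-compute@developer.gserviceaccount.com"]}
  ]
}"""

TD_API = "trafficdirector.googleapis.com"
NETWORK_VIEWER = "roles/compute.networkViewer"
BROAD_ROLES = {"roles/owner", "roles/editor"}  # also carry the permission


def api_enabled(services_json: str, api: str = TD_API) -> bool:
    """True if the API appears as ENABLED in the services listing."""
    for svc in json.loads(services_json):
        name = svc.get("config", {}).get("name") or svc.get("name", "")
        if name.endswith(api) and svc.get("state", "ENABLED") == "ENABLED":
            return True
    return False


def roles_for_member(policy_json: str, member: str) -> set:
    """All roles bound to one member string (e.g. 'serviceAccount:...')."""
    bindings = json.loads(policy_json).get("bindings", [])
    return {b["role"] for b in bindings if member in b.get("members", [])}


def check_service_account(policy_json: str, sa_email: str) -> dict:
    """Report how the sidecar's service account obtains xDS access.

    The narrow grant is roles/compute.networkViewer; Owner/Editor satisfy
    the requirement too but are flagged as broader than a proxy needs."""
    roles = roles_for_member(policy_json, f"serviceAccount:{sa_email}")
    return {"has_network_viewer": NETWORK_VIEWER in roles,
            "broad_roles": sorted(roles & BROAD_ROLES),
            "ok": NETWORK_VIEWER in roles or bool(roles & BROAD_ROLES)}


if __name__ == "__main__":
    print("Traffic Director API enabled:", api_enabled(SERVICES_JSON))
    print(check_service_account(POLICY_JSON, "123456-compute@developer.gserviceaccount.com"))
```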

Continuing the setup process

To set up Traffic Director, use one of the following procedures, depending on whether your microservices run on Compute Engine VMs or Kubernetes pods: