Preparing for Traffic Director setup

Setting up Traffic Director has these phases:

  1. Granting permissions and enabling the Traffic Director API
  2. Deploying your applications with Envoy proxies.
  3. Creating services and routing rules that determine how traffic travels through your service mesh.

This document describes how to perform the first phase. The second and third phases are covered by platform-specific guides for the following:

Before you read this guide, familiarize yourself with the Traffic Director conceptual overview.

Prerequisites

Whether you plan to use Traffic Director to configure Envoy proxies running alongside applications on virtual machines, containers, or a mix of both, you need to first complete the following tasks:

  1. Enable billing.
  2. Decide how you want to install Envoy.
  3. Grant the required permissions.
  4. Enable the Traffic Director API for your project.
  5. Ensure that the service account used by the Envoy proxies has sufficient permissions to access the Traffic Director API.

The following sections provide instructions for each task.

Enable billing

Make sure that billing is enabled for your Google Cloud project. For more information, see Enable, disable, or change billing for a project.

Decide how to install Envoy

Traffic Director makes it easy to install Envoy proxies and manage this infrastructure layer.

  • On Compute Engine, you can automatically add Envoy to applications running on your VMs. You use a VM template that installs Envoy, connects it to Traffic Director and configures your VM's networking.

  • On GKE, you can automatically add Envoy sidecar proxies to your services' pods. You install an Envoy sidecar injector to your cluster, which adds Envoy sidecar proxies, connects them to Traffic Director and configures your container's networking.

Finally, you can also use Envoy deployment solutions from third-party providers with Traffic Director. One example of such an offering is GetEnvoy, which provides a package manager-based approach to installing and updating your Envoy proxies.

About Envoy versioning

Envoy must be version 1.9.1 or later to work with Traffic Director. Additionally, we recommend always using the most recent Envoy version to ensure that known security vulnerability are mitigated.

If you decide to deploy Envoy using one of our automated methods, we handle this task for you as follows:

  • When you use automated Envoy deployment with Compute Engine VMs, the Envoy version installed is one that we have validated to work with Traffic Director. When a new VM is created using the instance template, the VM receives the latest version that we have validated. If you have a long-running VM, you can use a rolling update to replace your existing VMs and pick up the latest version.
  • When you use the Envoy sidecar injector with GKE, the injector is configured to use a recent version of Envoy that we have validated to work with Traffic Director. When a sidecar is injected alongside your workload Pod, it receives this version of Envoy. If you want to pick up a more recent version of Envoy, update the Envoy sidecar injector.

For information about specific Envoy versions, see Version history. For information about security vulnerabilities, see Security Advisories.

Grant the required IAM permissions

You must have sufficient permissions to create VM instances and modify a network to configure Traffic Director. If you have the role of project owner or editor in the project where you are enabling Traffic Director, you automatically have the correct permissions.

Otherwise, you must have all of the following Compute Engine IAM roles. If you have these roles, you also have their associated permissions, as described in the Compute Engine IAM documentation.

Task Required role
Set Identity and Access Management (IAM) policy for a service account Service Account Admin
Obtain the global forwarding rule resource Compute Network Viewer
Enable Traffic Director Service Usage Admin
Create networks, subnets, and load balancer components Network Admin
Add and remove firewall rules Security Admin
Create instances Compute Instance Admin

In addition, the GKE node-pool or Compute Engine VMs must have the https://www.googleapis.com/auth/cloud-platform scope.

Enable the Traffic Director API

Console

  1. In the Cloud Console, go to APIs & services for your project.
    Go to the API Library page
  2. To find the Traffic Director API, use the search field. If you don't see the Traffic Director API listed, that means you don't have the necessary permissions to enable the Traffic Director API.
  3. Click the Traffic Director API.
  4. In the page that displays information about the API, click Enable.

gcloud

gcloud services enable trafficdirector.googleapis.com

Enable the service account to access the Traffic Director API

When you set up your data plane and connect it to Traffic Director, your xDS clients (for example, Envoy proxies) connect to the trafficdirector.googleapis.com xDS server. These xDS clients present a service account identity to the xDS server to ensure that communications between the data plane and control plane are properly authorized.

In the case of a Compute Engine VM, the xDS client uses the service account assigned to the VM. In the case of GKE, if Workload Identity is not enabled, then the xDS client uses the service account assigned to the underlying GKE node. If Workload Identity is enabled, the xDS client uses the Google service account that is bound to the Kubernetes service account that is assigned to the pod.

The service account used by your xDS clients must have the compute.globalForwardingRules.get project-level IAM permission. You can also grant this permission by assigning the compute.networkViewer role to the service account.

Console

  1. Go to the IAM & Admin page in the Cloud Console.

    Go to the IAM & Admin page

  2. Select your project.

  3. Identify the service account to which you want to add a role.

    • If the service account isn't already on the members list, it doesn't have any roles assigned to it. Click Add and enter the email address of the service account.
    • If the service account is already on the members list, it has existing roles. Select the service account and click the Roles tab.
  4. Click the Edit button for the service account that you want to edit.

  5. Select the Compute Engine > Compute Network Viewer role.

  6. Click Save to apply the role to the service account.

gcloud

Replace the ${SERVICE_ACCOUNT_EMAIL} variable with the correct value.

PROJECT=`gcloud config get-value project`
gcloud projects add-iam-policy-binding ${PROJECT} \
   --member serviceAccount:${SERVICE_ACCOUNT_EMAIL} \
   --role roles/compute.networkViewer

Continue the setup process

Now that you've completed the pre-requisite steps, you can start to set up your service mesh. The following guides provide platform-specific instructions for Compute Engine and GKE:

Note that, while these guides each focus on deploying Envoy sidecar proxies on a single Compute platform (either Compute Engine or GKE), Traffic Director is flexible and supports deployments that span both Compute Engine and GKE.