Single network east-west routing
1. Single network east-west routing
Let's begin by demonstrating a multi-cluster mesh setup with a single subnet in a single VPC network. Step 1 is to create your GKE clusters and register them to a fleet. Next, install managed Cloud Service Mesh on both clusters. Setting the tag "management automatic" in the configuration YAML provisions Cloud Service Mesh with a managed control plane, which handles inter-cluster communication. Clusters can access each other's API server for endpoint discovery.

Optionally, you can use an ingress gateway to access services from outside the mesh. Ingress routing into the cluster is called north-south routing. Ingress gateways can be added to each cluster if desired. Multi-cluster gateways and multi-cluster services can be used to balance requests from Google's load balancer to one of the gateways.

Next, label namespaces for automatic sidecar injection and deploy your application across clusters. Services in one cluster will automatically be able to communicate with services deployed on the other cluster.

This configuration has several variants. You may have clusters located in multiple regions with different subnets. In this scenario, you must explicitly set up firewall rules to allow cross-subnet traffic. The firewall rules must include all CIDR ranges in the clusters, including the node, service, and pod ranges.

Another variant is to use a shared VPC, where network configuration is centralized in the host project. A shared VPC lets service teams in other projects use the network for their own infrastructure. A centralized networking or security team must create firewall rules on the host project that enable communication between all CIDR ranges in both clusters. Ensure that clusters are not registered to the same fleet in the host project.

You can also use private clusters, which limit Kubernetes API server accessibility to services on the same VPC network. We are going to use managed Cloud Service Mesh in this example.

If you wish to use an in-cluster Cloud Service Mesh with private clusters, you must configure it with private IPs, as public IPs are not accessible. This brings some challenges, because the clusters are no longer able to communicate with each other. To make that communication possible, we need to perform three actions. First, configure endpoint discovery: get the private Kubernetes API server IP from each cluster and create a secret pointing to that IP in the other cluster. That way, each cluster is able to read the pod endpoints registered in the remote cluster. Second, the Cloud Service Mesh control plane in each cluster needs to call the GKE control plane of the remote clusters. To allow that traffic, add the pod address range of the calling cluster to the authorized networks of the remote clusters. Third, enable control plane global access, so the Cloud Service Mesh control plane in each cluster can reach the GKE control plane of remote clusters in other regions.

2. Let's practice!
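The firewall-rule step (all node, pod and service CIDRs of every cluster) and the three private-cluster steps (remote secret for endpoint discovery, authorized networks, control plane global access) are easy to get subtly wrong by hand. The script below is an added example, not part of the course material or any Google tooling: it takes constructed cluster metadata (mimicking a few fields of `gcloud container clusters describe`), checks that no range overlaps between clusters, and emits the `gcloud` and `istioctl` commands a practitioner would run. The VPC name, cluster names, ranges, endpoints and network tags are all assumed sample values; the remote-secret line uses the `istioctl create-remote-secret` form rather than any Cloud Service Mesh-specific installer.

```python
"""
Plan the cross-cluster networking for a multi-cluster mesh of private GKE
clusters.  Cluster data below is CONSTRUCTED sample data that mirrors a few
fields of `gcloud container clusters describe --format=json`; the VPC name
is an assumption.  Nothing here calls gcloud: it prints the commands to run.
"""
import ipaddress

NETWORK = "mesh-vpc"  # assumed VPC name

# Constructed sample: two private clusters, two subnets, one VPC.
CLUSTERS = [
    {
        "name": "cluster-a",
        "location": "us-central1-a",
        "node_cidr": "10.0.0.0/24",       # subnet primary range (nodes)
        "pod_cidr": "10.10.0.0/16",       # clusterIpv4Cidr
        "service_cidr": "10.20.0.0/20",   # servicesIpv4Cidr
        "private_endpoint": "10.0.0.2",   # privateClusterConfig.privateEndpoint
        "net_tag": "gke-cluster-a-node",  # network tag carried by the nodes
    },
    {
        "name": "cluster-b",
        "location": "us-east1-b",
        "node_cidr": "10.1.0.0/24",
        "pod_cidr": "10.11.0.0/16",
        "service_cidr": "10.21.0.0/20",
        "private_endpoint": "10.1.0.2",
        "net_tag": "gke-cluster-b-node",
    },
]

RANGE_KEYS = ("node_cidr", "pod_cidr", "service_cidr")


def all_ranges(clusters):
    """Every CIDR the firewall rule must admit: nodes, pods and services of all clusters."""
    ranges = {c[k] for c in clusters for k in RANGE_KEYS}
    return sorted(ranges, key=ipaddress.ip_network)


def overlapping_ranges(clusters):
    """Pairs of CIDRs from different clusters that overlap.

    Overlapping pod or service ranges make cross-cluster routing ambiguous,
    so this list must be empty before the firewall rule is created."""
    labelled = [(c["name"], c[k]) for c in clusters for k in RANGE_KEYS]
    clashes = []
    for i, (name_a, range_a) in enumerate(labelled):
        for name_b, range_b in labelled[i + 1:]:
            if name_a != name_b and ipaddress.ip_network(range_a).overlaps(
                    ipaddress.ip_network(range_b)):
                clashes.append((range_a, range_b))
    return clashes


def firewall_rule_cmd(clusters, rule_name="mesh-east-west-allow"):
    """One ingress rule allowing traffic between every cluster range, scoped to node tags."""
    sources = ",".join(all_ranges(clusters))
    tags = ",".join(sorted(c["net_tag"] for c in clusters))
    return (f"gcloud compute firewall-rules create {rule_name} "
            f"--network={NETWORK} --direction=INGRESS --priority=900 "
            f"--allow=tcp,udp,icmp,esp,ah,sctp "
            f"--source-ranges={sources} --target-tags={tags}")


def remote_secret_cmds(clusters):
    """Endpoint discovery: in each cluster, a secret pointing at every other
    cluster's PRIVATE API server IP."""
    cmds = []
    for target in clusters:
        for remote in clusters:
            if remote is target:
                continue
            cmds.append(f"istioctl create-remote-secret --name={remote['name']} "
                        f"--server=https://{remote['private_endpoint']} "
                        f"| kubectl apply --context={target['name']} -f -")
    return cmds


def authorized_networks_cmds(clusters):
    """Each API server must accept calls from the other clusters' POD ranges,
    because the mesh control plane that calls it runs in pods."""
    cmds = []
    for target in clusters:
        peers = ",".join(c["pod_cidr"] for c in clusters if c is not target)
        cmds.append(f"gcloud container clusters update {target['name']} "
                    f"--location={target['location']} "
                    f"--enable-master-authorized-networks "
                    f"--master-authorized-networks={peers}")
    return cmds


def global_access_cmds(clusters):
    """Control plane global access: lets a control plane in another region
    reach this cluster's private endpoint."""
    return [f"gcloud container clusters update {c['name']} "
            f"--location={c['location']} --enable-master-global-access"
            for c in clusters]


def plan(clusters):
    """Validate the ranges, then return the ordered list of commands."""
    clashes = overlapping_ranges(clusters)
    if clashes:
        raise ValueError(f"overlapping ranges across clusters: {clashes}")
    return [firewall_rule_cmd(clusters), *remote_secret_cmds(clusters),
            *authorized_networks_cmds(clusters), *global_access_cmds(clusters)]


if __name__ == "__main__":
    for cmd in plan(CLUSTERS):
        print(cmd)
```

Two details worth checking before running the printed commands: `--master-authorized-networks` replaces the existing list rather than appending to it, so any administrator ranges already authorized must be included, and the overlap check is the reason the script refuses to produce output when a pod range of one cluster overlaps any range of another.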