Configure external load balancers

External load balancers (ELB) expose services outside the organization from a pool's IP addresses assigned to the organization from the larger instance-external IP pool.

ELB Virtual IP (VIP) addresses don't conflict between organizations and are unique across all organizations. For this reason, you must use ELB services only for services that clients outside the organization necessarily have to access.

Workloads running inside the organization can access ELB services as long as you enable the workloads to exit the organization. This traffic pattern effectively requires outbound traffic from the organization before returning to the internal service.

Before you begin

To configure ELB services, you must have the following in place:

  • A customized ProjectNetworkPolicy (PNP) ingress policy to allow traffic to this ELB service. For more information, see Configure PNP to allow traffic to ELB.
  • The necessary identity and access role:

    • Project NetworkPolicy Admin: has access to manage project network policies in the project namespace. Ask your Project IAM Admin to grant you the Project NetworkPolicy Admin (project-networkpolicy-admin) role.

Configure PNP to allow traffic to ELB

For ELB services to function, you must configure and apply your own customized ProjectNetworkPolicy ingress policy to allow traffic to this ELB service. Specify the external CIDR address to allow traffic to this ELB:

kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG apply -f - <<EOF
apiVersion: networking.gdc.goog/v1
kind: ProjectNetworkPolicy
metadata:
  namespace: PROJECT
  name: allow-inbound-traffic-from-external
spec:
  policyType: Ingress
  subject:
    subjectType: UserWorkload
  ingress:
  - from:
    - ipBlock:
        cidr: CIDR
    ports:
    - protocol: TCP
      port: PORT
EOF

Replace the following:

  • ORG_ADMIN_CLUSTER_KUBECONFIG: the kubeconfig path of the org admin cluster.
  • PROJECT: the name of your GDC project.
  • CIDR: the external CIDR that the ELB needs to be accessed from. This policy is required as the external load balancer uses Direct Server Return (DSR), which preserves the source external IP address and bypasses the load balancer on the return path. For more information, see Create an ingress firewall rule for cross-organization traffic.
  • PORT: the backend port on the pods behind the load balancer. This value is found in the .spec.ports[].targetPortfield of the manifest for the Service resource.

Create an external load balancer

Create external load balancers in GDC by creating a Kubernetes Service of type LoadBalancer in a user cluster.

To create an ELB service, do the following:

  1. Create a YAML file for the Service definition of type LoadBalancer.

    The following Service object is an example of an ELB service:

    apiVersion: v1
    kind: Service
    metadata:
      name: ELB_SERVICE_NAME
      namespace: PROJECT
    spec:
      ports:
      - port: 1235
        protocol: TCP
        targetPort: 1235
      selector:
        k8s-app: my-app
      type: LoadBalancer
    

    Replace the following:

    • ELB_SERVICE_NAME: the name of the ELB service.
    • PROJECT: the namespace of your project that contains the backend workloads.

    The port field configures the frontend port you expose on the VIP address. The targetPort field configures the backend port to which you want to forward the traffic on the backend workloads. The load balancer supports Network Address Translation (NAT). The frontend and backend ports can be different.

  2. On the selector field of the Service definition, specify pods or virtual machines as the backend workloads.

    The selector defines which workloads to take as backend workloads for this service, based on matching the labels you specify with labels on the workloads. The Service can only select backend workloads in the same project and same cluster where you define the Service.

    For more information about service selection, see https://kubernetes.io/docs/concepts/services-networking/service/

  3. Save the Service definition file in the same project as the backend workloads.

  4. Apply the Service definition file to the cluster:

    kubectl apply -f ELB_FILE
    

    Replace ELB_FILE with the name of the Service definition file for the ELB service.

When you create an ELB, the service gets two IP addresses. One is an internal IP address accessible only from within the same cluster. The other is the external IP address, accessible from inside and outside the organization. You can obtain the IP addresses of the ELB service by viewing the service status:

kubectl -n PROJECT get svc ELB_SERVICE_NAME

Replace the following:

  • PROJECT: the namespace of your project that contains the backend workloads.
  • ELB_SERVICE_NAME: the name of the ELB service.

You must obtain an output similar to the following example:

NAME                    TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)          AGE
elb-service             LoadBalancer   10.0.0.1      20.12.1.11      1235:31931/TCP   22h

The EXTERNAL-IP is the IP address of the service that is accessible from outside the organization.

If you don't obtain an output, ensure that you created the ELB service successfully.