Configure external traffic with Network Service Tiers

Autopilot Standard

This page shows you how to control how external traffic reaches your Services on Google Kubernetes Engine (GKE) clusters by using Network Service Tiers. Network Service Tiers lets you optimize your network traffic for either performance (Premium Tier) or cost savings (Standard Tier).

Premium Tier delivers traffic on Google's premium backbone network for superior speed and reliability. In contrast, Standard Tier uses regular Internet service provider (ISP) networks that offers a more cost-effective solution.

This page is for Cloud architects and Networking specialists who design and architect their organization's network. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.

How Network Service Tiers work in GKE

This section shows you how to manage Network Service Tiers in GKE.

Set a network tier at the project level: you can set the default network tier for your Google Cloud project to use either Standard Tier or Premium Tier. All new clusters are created with the network-default setting, which inherits the project-level tier setting. This setting persists through cluster upgrades. Node pools created within the cluster inherit the network tier from the project-level configuration.
Set a network tier when creating new clusters: you can configure the network tier when you create a new cluster regardless of the tier setting on your Google Cloud project. New node pools use the cluster-level network tier, and this configuration persists even after you upgrade the node pools.
Set a network tier when updating clusters: you can configure the network tier when you update an existing cluster. New node pools and new LoadBalancer Services inherit the updated tier configuration, while existing node pools and Services continue to use the original network tier configuration. The updated tier configuration persists after you upgrade your cluster.
Set a network tier when updating LoadBalancer Services: LoadBalancer Services inherit the network tier of the cluster. However, you can override this setting and update the network tier in the Service manifest.

Network Service Tiers and load balancing

By default, External passthrough Network Load Balancers use Premium Tier. You can update this configuration so that the LoadBalancer Service uses Standard Tier instead.

If you use Application Load Balancers with Gateway, you can't configure the Network Service Tiers. Network Service Tiers on Gateway are controlled by the GatewayClass resource. For more information, see Gateway IP address.

GKE Ingress for external Application Load Balancers does not support Standard Tier for traffic routing.

Before you begin

Before you start, make sure that you have performed the following tasks:

Enable the Google Kubernetes Engine API.

Enable Google Kubernetes Engine API

If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running gcloud components update.
Note: For existing gcloud CLI installations, make sure to set the compute/region property. If you use primarily zonal clusters, set the compute/zone instead. By setting a default location, you can avoid errors in the gcloud CLI like the following: One of [--zone, --region] must be supplied: Please specify location. You might need to specify the location in certain commands if the location of your cluster differs from the default that you set.

Restrictions

The following restrictions apply:

You can configure network tier settings only at the project level or cluster level. You can't configure the network tier of node pools directly.
Standard Tier is not supported for global external dual-stack IPv4 or IPv6 addresses. For more information about the types of IP addresses, see IP addresses.

Create a cluster with Network Service Tiers

To create a cluster and specify the network tier, run the following command:

 gcloud container clusters create CLUSTER_NAME \
     --network-tier=NETWORK_TIER \
     ...

Replace the following values:

CLUSTER_NAME: the name of your cluster.
NETWORK_TIER: the network tier setting. Use network-default for the same tier setting as that on your Google Cloud project, Standard for Standard Tier or Premium for Premium Tier.

Migrate an existing cluster to a different tier

Updating the network tier of a cluster does not affect the network tier of existing resources. Existing resources continue to use the IP address associated with the old network tier. To avoid service disruptions, follow these steps when you migrate your cluster to a new network tier:

Update the cluster: to update an existing cluster with a network tier, run the following command:
```
gcloud container clusters update CLUSTER_NAME \
    --network-tier=NETWORK_TIER \
    ...
```
Replace the following values:
- CLUSTER_NAME: the name of your cluster.
- NETWORK_TIER: the network tier setting. Use network-default for the same tier setting as that on your Google Cloud project, Standard for Standard Tier or Premium for Premium Tier.
Create new node pools and Services: in order for external clients use the new IP addresses associated with the new network tier, you must create new node pools and new LoadBalancer Services. New node pools and new LoadBalancer Services inherit the updated tier configuration, while existing node pools and Services continue to use the original network tier configuration.
Update DNS records: change your DNS records to point to the new IP addresses of the new LoadBalancer Services.
Wait for DNS to propagate: wait for the DNS Time to Live (TTL) to expire to ensure clients are directed to the new services and to avoid serving stale records.

Update an external load balancer with Network Service Tiers

For External passthrough Network Load Balancers, GKE defaults to using the network tier that's configured on the cluster for the external forwarding rule and IP address. If the cluster's network tier is set to network-default, the load balancer uses Premium Tier. You can override this setting by configuring the cloud.google.com/network-tier annotation in the Service manifest. For example:

    ```yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: store-v1-lb-svc
      annotations:
        cloud.google.com/l4-rbs: "enabled"
        cloud.google.com/network-tier: Standard
    spec:
      type: LoadBalancer
      selector:
        app: store
      ports:
      - name: tcp-port
        protocol: TCP
        port: 8080
        targetPort: 8080
    ```

For more information about the parameters used for LoadBalancer Services, see Service parameters.

Static IP address: when you create a Service with a static IP address, the network tier of the static IP address must match the network tier of the LoadBalancer Service. If there is a mismatch, you see the following error message when you run the kubectl describe service command:

Error syncing load balancer: failed to ensure load balancer: requested ip "standard-service" is neither static nor assigned to the LB

What's next

Read the overview of Network Service Tiers.
Learn how to create a backend service-based external load balancer.