Stay organized with collections
Save and categorize content based on your preferences.
Configure external IP addresses for Google Distributed Cloud (software only) for VMware with F5 BIG-IP load balancers
The default Cloud Service Mesh installation on Google Distributed Cloud (software only) for VMware assumes that
external IP addresses are automatically allocated for LoadBalancer services.
This is not true for Google Distributed Cloud (software only) for VMware with F5 BIG-IP load balancers.
Because of this, you need to allocate one or more external IP addresses,
depending on your service mesh configuration:
One external IP address for the Cloud Service Mesh ingress Gateway resource, for
example the gateway that your customers use to access your workloads from
across the internet.
Another external IP address for your clusters to communicate with each other
if they exist on different networks within your service mesh. This is referred
to as the east-west gateway.
For example, the service port named http2 has port 80 and
nodePort 31380. Suppose the node addresses for your user cluster are
192.168.0.10, 192.168.0.11, and 192.168.0.12, and your load balancer's
VIP is 203.0.113.1.
Configure your load balancer so that traffic sent to 203.0.113.1:80 is
forwarded to 192.168.0.10:31380,
192.168.0.11:31380, or 192.168.0.12:31380. You can select the service ports
that you want to expose on this given VIP.
Confirm that the ingress gateway was assigned an external IP address. There
might be a slight delay that requires you to repeat this command until you
see the expected result:
kubectl --context="${CTX_CLUSTER1}" get svc istio-ingressgateway -n istio-system
The expected output is:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 10.80.6.124 34.75.71.237 ... 51s
For example, the service port named http2 has port 80 and
nodePort 31380. Suppose the node addresses for your user cluster are
192.168.0.10, 192.168.0.11, and 192.168.0.12, and your load balancer's
VIP is 203.0.113.1.
Configure your load balancer so that traffic sent to 203.0.113.1:80 is
forwarded to 192.168.0.10:31380,
192.168.0.11:31380, or 192.168.0.12:31380. You can select the service ports
that you want to expose on this given VIP.
Confirm that the east-west gateway was assigned an external IP address. There
might be a slight delay that requires you to run repeat this command until you
see the expected result:
kubectl --context="${CTX_CLUSTER1}" get svc istio-eastwestgateway -n istio-system
The expected output is:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-eastwestgateway LoadBalancer 10.80.6.124 34.75.71.237 ... 51s
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Configure external IP addresses for Google Distributed Cloud (software only) for VMware with F5 BIG-IP load balancers\n=====================================================================================================================\n\n| **Note:** This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information see, [Cloud Service Mesh overview](/service-mesh/docs/overview).\n| **Note:** This feature is not supported on managed Cloud Service Mesh\n\nThe default Cloud Service Mesh installation on Google Distributed Cloud (software only) for VMware assumes that\nexternal IP addresses are automatically allocated for `LoadBalancer` services.\nThis is not true for Google Distributed Cloud (software only) for VMware with F5 BIG-IP load balancers.\nBecause of this, you need to allocate one or more external IP addresses,\ndepending on your service mesh configuration:\n\n- One external IP address for the Cloud Service Mesh ingress Gateway resource, for example the gateway that your customers use to access your workloads from across the internet.\n- Another external IP address for your clusters to communicate with each other if they exist on different networks within your service mesh. This is referred to as the east-west gateway.\n\nConfiguring the ingress gateway IP address\n------------------------------------------\n\nTo configure an external IP address for the ingress gateway, follow the\ninstructions in one of these sections, depending on your\n[Google Distributed Cloud (software only) for VMware load balancing mode](/anthos/clusters/docs/on-prem/1.9/how-to/setup-load-balance):\n\n### Integrated mode\n\n- Patch the `istio-ingressgateway` Service's configuration with the external IP address for the ingress gateway: \n\n ```\n kubectl patch svc istio-ingressgateway -n istio-system --type='json' -p '[{\"op\": \"add\", \"path\": \"/spec/loadBalancerIP\", \"value\": \"INGRESS_GATEWAY_IP\"}]'\n ```\n\n### Manual mode\n\n- View the `istio-ingressgateway` service's configuration in your shell: \n\n ```\n kubectl get svc -n istio-system istio-ingressgateway -o yaml\n ```\n Each of the ports for Cloud Service Mesh's gateways are displayed. The command output is like the following: \n\n ```\n ...\n ports:\n - name: status-port\n nodePort: 30391\n port: 15020\n protocol: TCP\n targetPort: 15020\n - name: http2\n nodePort: 31380\n port: 80\n protocol: TCP\n targetPort: 80\n - name: https\n nodePort: 31390\n port: 443\n protocol: TCP\n targetPort: 443\n - name: tcp\n nodePort: 31400\n port: 31400\n protocol: TCP\n targetPort: 31400\n - name: https-kiali\n nodePort: 31073\n port: 15029\n protocol: TCP\n targetPort: 15029\n - name: https-prometheus\n nodePort: 30253\n port: 15030\n protocol: TCP\n targetPort: 15030\n - name: https-grafana\n nodePort: 30050\n port: 15031\n protocol: TCP\n targetPort: 15031\n - name: https-tracing\n nodePort: 31204\n port: 15032\n protocol: TCP\n targetPort: 15032\n - name: tls\n nodePort: 30158\n port: 15443\n protocol: TCP\n targetPort: 15443\n ...\n ```\n- Expose these ports through your load balancer. \n\n For example, the service port named `http2` has `port` 80 and `nodePort` 31380. Suppose the node addresses for your user cluster are `192.168.0.10`, `192.168.0.11`, and `192.168.0.12`, and your load balancer's VIP is `203.0.113.1`. \n\n Configure your load balancer so that traffic sent to `203.0.113.1:80` is forwarded to `192.168.0.10:31380`, `192.168.0.11:31380`, or `192.168.0.12:31380`. You can select the service ports that you want to expose on this given VIP.\n\nConfirm that the ingress gateway was assigned an external IP address. There\nmight be a slight delay that requires you to repeat this command until you\nsee the expected result:\n\n\u003cbr /\u003e\n\n```\nkubectl --context=\"${CTX_CLUSTER1}\" get svc istio-ingressgateway -n istio-system\n```\n\n\u003cbr /\u003e\n\nThe expected output is:\n\n\u003cbr /\u003e\n\n```\nNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE\nistio-ingressgateway LoadBalancer 10.80.6.124 34.75.71.237 ... 51s\n```\n\n\u003cbr /\u003e\n\nConfiguring the east-west gateway IP address\n--------------------------------------------\n\nTo configure an external IP address for the east-west gateway, follow the\ninstructions in one of these sections, depending on your\n[Google Distributed Cloud (software only) for VMware load balancing mode](/anthos/clusters/docs/on-prem/1.9/how-to/setup-load-balance):\n\n### Integrated mode\n\n- Patch the `istio-eastwestgateway` Service's configuration with the external IP address for the east-west gateway: \n\n ```\n kubectl patch svc istio-eastwestgateway -n istio-system --type='json' -p '[{\"op\": \"add\", \"path\": \"/spec/loadBalancerIP\", \"value\": \"EAST_WEST_GATEWAY_IP\"}]'\n ```\n\n### Manual mode\n\n- View the `istio-eastwestgateway` service's configuration in your shell: \n\n ```\n kubectl get svc -n istio-system istio-eastwestgateway -o yaml\n ```\n Each of the ports for Cloud Service Mesh's gateways are displayed. The command output is like the following: \n\n ```\n ports:\n - name: status-port\n nodePort: 31781\n port: 15021\n protocol: TCP\n targetPort: 15021\n - name: tls\n nodePort: 30498\n port: 15443\n protocol: TCP\n targetPort: 15443\n - name: tls-istiod\n nodePort: 30879\n port: 15012\n protocol: TCP\n targetPort: 15012\n - name: tls-webhook\n nodePort: 30336\n port: 15017\n protocol: TCP\n targetPort: 15017\n ...\n ```\n- Expose these ports through your load balancer. \n\n For example, the service port named `http2` has `port` 80 and `nodePort` 31380. Suppose the node addresses for your user cluster are `192.168.0.10`, `192.168.0.11`, and `192.168.0.12`, and your load balancer's VIP is `203.0.113.1`. \n\n Configure your load balancer so that traffic sent to `203.0.113.1:80` is forwarded to `192.168.0.10:31380`, `192.168.0.11:31380`, or `192.168.0.12:31380`. You can select the service ports that you want to expose on this given VIP.\n\nConfirm that the east-west gateway was assigned an external IP address. There\nmight be a slight delay that requires you to run repeat this command until you\nsee the expected result:\n\n\u003cbr /\u003e\n\n```\nkubectl --context=\"${CTX_CLUSTER1}\" get svc istio-eastwestgateway -n istio-system\n```\n\n\u003cbr /\u003e\n\nThe expected output is:\n\n\u003cbr /\u003e\n\n```\nNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE\nistio-eastwestgateway LoadBalancer 10.80.6.124 34.75.71.237 ... 51s\n```\n\n\u003cbr /\u003e\n\nWhat's next?\n------------\n\n- [Deploy the Online Boutique sample sample application](/service-mesh/docs/onlineboutique-install-kpt)"]]
