Configure external IP addresses for Google Distributed Cloud
Last updated 2025-08-29 UTC.

**Note:** This feature is not supported on [managed Cloud Service Mesh](/service-mesh/v1.19/docs/managed/provision-managed-anthos-service-mesh).

The default Cloud Service Mesh installation on Google Distributed Cloud assumes that
external IP addresses are automatically allocated for `LoadBalancer` services.
This is not true in Google Distributed Cloud. Because of this, you need to
allocate one or more external IP addresses, depending on your service mesh
configuration:

- One external IP address for the Cloud Service Mesh ingress Gateway resource, for example the gateway that your customers use to access your workloads from across the internet.
- Another external IP address for your clusters to communicate with each other if they exist on different networks within your service mesh. This is referred to as the east-west gateway.

Configuring the ingress gateway IP address
------------------------------------------

To configure an external IP address for the ingress gateway, follow one of the
sections below, depending on your
[Google Distributed Cloud load balancing mode](/anthos/clusters/docs/on-prem/1.9/how-to/setup-load-balance):

### Integrated mode

- Patch the `istio-ingressgateway` Service's configuration with the external IP address for the ingress gateway:

  ```
  kubectl patch svc istio-ingressgateway -n istio-system --type='json' -p '[{"op": "add", "path": "/spec/loadBalancerIP", "value": "INGRESS_GATEWAY_IP"}]'
  ```

### Manual mode

- View the `istio-ingressgateway` service's configuration in your shell:

  ```
  kubectl get svc -n istio-system istio-ingressgateway -o yaml
  ```

  Each of the ports for Cloud Service Mesh's gateways is displayed. The command output is like the following:

  ```
  ...
  ports:
  - name: status-port
    nodePort: 30391
    port: 15020
    protocol: TCP
    targetPort: 15020
  - name: http2
    nodePort: 31380
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    nodePort: 31390
    port: 443
    protocol: TCP
    targetPort: 443
  - name: tcp
    nodePort: 31400
    port: 31400
    protocol: TCP
    targetPort: 31400
  - name: https-kiali
    nodePort: 31073
    port: 15029
    protocol: TCP
    targetPort: 15029
  - name: https-prometheus
    nodePort: 30253
    port: 15030
    protocol: TCP
    targetPort: 15030
  - name: https-grafana
    nodePort: 30050
    port: 15031
    protocol: TCP
    targetPort: 15031
  - name: https-tracing
    nodePort: 31204
    port: 15032
    protocol: TCP
    targetPort: 15032
  - name: tls
    nodePort: 30158
    port: 15443
    protocol: TCP
    targetPort: 15443
  ...
  ```

- Expose these ports through your load balancer.

  For example, the service port named `http2` has `port` 80 and `nodePort` 31380. Suppose the node addresses for your user cluster are `192.168.0.10`, `192.168.0.11`, and `192.168.0.12`, and your load balancer's VIP is `203.0.113.1`.

  Configure your load balancer so that traffic sent to `203.0.113.1:80` is forwarded to `192.168.0.10:31380`, `192.168.0.11:31380`, or `192.168.0.12:31380`. You can select the service ports that you want to expose on this given VIP.

Confirm that the ingress gateway was assigned an external IP address. There
might be a slight delay that requires you to repeat this command until you
see the desired result:

```
kubectl --context="${CTX_CLUSTER1}" get svc istio-ingressgateway -n istio-system
```

The expected output is:

```
NAME                   TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)   AGE
istio-ingressgateway   LoadBalancer   10.80.6.124   34.75.71.237   ...       51s
```

Configuring the east-west gateway IP address
--------------------------------------------

To configure an external IP address for the east-west gateway, follow one of the
sections below, depending on your
[Google Distributed Cloud load balancing mode](/anthos/clusters/docs/on-prem/1.9/how-to/setup-load-balance):

### Integrated mode

- Patch the `istio-eastwestgateway` Service's configuration with the external IP address for the east-west gateway:

  ```
  kubectl patch svc istio-eastwestgateway -n istio-system --type='json' -p '[{"op": "add", "path": "/spec/loadBalancerIP", "value": "EAST_WEST_GATEWAY_IP"}]'
  ```

### Manual mode

- View the `istio-eastwestgateway` service's configuration in your shell:

  ```
  kubectl get svc -n istio-system istio-eastwestgateway -o yaml
  ```

  Each of the ports for Cloud Service Mesh's gateways is displayed. The command output is like the following:

  ```
  ports:
  - name: status-port
    nodePort: 31781
    port: 15021
    protocol: TCP
    targetPort: 15021
  - name: tls
    nodePort: 30498
    port: 15443
    protocol: TCP
    targetPort: 15443
  - name: tls-istiod
    nodePort: 30879
    port: 15012
    protocol: TCP
    targetPort: 15012
  - name: tls-webhook
    nodePort: 30336
    port: 15017
    protocol: TCP
    targetPort: 15017
  ...
  ```

- Expose these ports through your load balancer.

  For example, the service port named `http2` has `port` 80 and `nodePort` 31380. Suppose the node addresses for your user cluster are `192.168.0.10`, `192.168.0.11`, and `192.168.0.12`, and your load balancer's VIP is `203.0.113.1`.

  Configure your load balancer so that traffic sent to `203.0.113.1:80` is forwarded to `192.168.0.10:31380`, `192.168.0.11:31380`, or `192.168.0.12:31380`. You can select the service ports that you want to expose on this given VIP.

Confirm that the east-west gateway was assigned an external IP address. There
might be a slight delay that requires you to repeat this command until you
see the desired result:

```
kubectl --context="${CTX_CLUSTER1}" get svc istio-eastwestgateway -n istio-system
```

The expected output is:

```
NAME                    TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)   AGE
istio-eastwestgateway   LoadBalancer   10.80.6.124   34.75.71.237   ...       51s
```

What's next?
------------

- [Deploy the Online Boutique sample application](/service-mesh/v1.19/docs/onlineboutique-install-kpt)
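
The manual-mode mapping described on this page (a VIP port forwarded to the matching `nodePort` on every node), as an added example that is not part of the original page: it reads the Service JSON and produces forwarding rules only for an allowlist of port names, so ports such as `status-port` are not forwarded from the VIP by accident. The function name, the allowlist parameter and the trimmed sample Service are assumptions made for illustration; the port values and addresses come from the page's example.

```python
import ipaddress
import json

# Constructed sample: a trimmed `kubectl get svc istio-ingressgateway -o json`
# document that reuses port values from the listing on this page.
SAMPLE_SVC = json.loads("""
{"kind": "Service", "metadata": {"name": "istio-ingressgateway"},
 "spec": {"type": "LoadBalancer", "ports": [
  {"name": "status-port", "nodePort": 30391, "port": 15020, "protocol": "TCP"},
  {"name": "http2", "nodePort": 31380, "port": 80, "protocol": "TCP"},
  {"name": "https", "nodePort": 31390, "port": 443, "protocol": "TCP"},
  {"name": "https-grafana", "nodePort": 30050, "port": 15031, "protocol": "TCP"}
 ]}}
""")


def plan_forwarding(svc, vip, node_ips, expose):
    """Return (rules, withheld) for a manually configured load balancer.

    rules:    {"VIP:port": ["node:nodePort", ...]} for allowlisted port names
    withheld: names of Service ports that are not forwarded from the VIP
    """
    vip = str(ipaddress.ip_address(vip))             # rejects malformed addresses
    nodes = [str(ipaddress.ip_address(n)) for n in node_ips]
    if not nodes:
        raise ValueError("at least one node address is required")
    ports = {p["name"]: p for p in svc["spec"]["ports"]}
    unknown = sorted(set(expose) - set(ports))
    if unknown:                                      # typo in the allowlist
        raise ValueError(f"not defined on the Service: {unknown}")
    rules = {}
    for name in expose:
        p = ports[name]
        if "nodePort" not in p:
            raise ValueError(f"port {name} has no nodePort allocated")
        rules[f"{vip}:{p['port']}"] = [f"{n}:{p['nodePort']}" for n in nodes]
    withheld = sorted(set(ports) - set(expose))
    return rules, withheld


if __name__ == "__main__":
    rules, withheld = plan_forwarding(
        SAMPLE_SVC, "203.0.113.1",
        ["192.168.0.10", "192.168.0.11", "192.168.0.12"], ["http2", "https"])
    for frontend, backends in rules.items():
        print(f"{frontend} -> {', '.join(backends)}")
    print("not exposed on the VIP:", ", ".join(withheld))
```

Review the withheld list before applying the rules: anything that appears there stays reachable only through the node ports, not through the external VIP.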