Deploying Anthos Service Mesh on Private GKE and Configuring ASM with Cloud Load Balancing
Anthos Service Mesh (ASM) is a robust platform based on Istio, designed to provide a secure, observable, and standardized communication layer for applications. While ASM excels at managing service-to-service communications within a mesh, exposing these services to external clients introduces unique challenges. This guide details how to leverage Cloud Load Balancing alongside ASM to seamlessly integrate external traffic into your service mesh.
In this guide, we will utilize an L7 (Layer 7) load balancer, which offers significant advantages over traditional L4 load balancers. L7 load balancers operate at the application layer, allowing for more intelligent traffic management based on content-specific rules. They support advanced routing, SSL termination, and provide enhanced logging and monitoring capabilities. Furthermore, integrating Google Cloud Armor with L7 load balancers enhances security by protecting against DDoS attacks and other common web-based threats. This setup ensures efficient and secure handling of client requests, thereby improving the overall performance and reliability of your applications.
This tutorial demonstrates how to install Anthos Service Mesh (ASM) on Google Kubernetes Engine (GKE) and leverage Cloud Load Balancing with L7 functionality to expose applications within a service mesh to internet clients. L7 load balancing enables routing decisions based on HTTP headers and paths, offering finer-grained control over traffic distribution.
Key Features of Anthos Service Mesh
ASM offers a suite of tools to manage, secure, and observe your services:
- Service Metrics and Logs: Automatic ingestion of HTTP(S) traffic metrics and logs into Google Cloud.
- Preconfigured Dashboards: Comprehensive views of service health and performance.
- In-depth Telemetry: Detailed analysis of metrics and logs.
- Service Relationships: Visualization of service-to-service connections.
- Service Relationships: Visualization of service-to-service connections.
Deploying Anthos Service Mesh on Google Kubernetes Engine (GKE)
Prerequisites
Ensure you have the following roles:
- A Google Cloud project with billing enabled
- Access to a bastion VM witch has connectivity to the Kubernetes
- Kubernetes Engine Admin
- GKE Hub Admin
- Editor
- Service Account Admin
Note : If you are authenticating using the service account you have to provide the service account with the above access.
Installation Steps
1. Connect to Your GKE Cluster
- SSH to the bastion VM which has access to the GKE.
- Connect to the GKE cluster using the gcloud command:
- Go to the Google Cloud Console page.
- Navigate to the Kubernetes Engine page.
- In the cluster list, click on the cluster to connect.
- In the top right corner, click on “Connect.”
- Copy the gcloud command and run it on the bastion VM.
gcloud container clusters get-credentials CLUSTER_NAME --zone ZONE --project PROJECT_IDRun the above command in the bastion vm
Ensure you have the cluster-admin role on your cluster by running:
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
--user=user.example@test.com2. Prepare for Installation
Use the asmcli tool provided by Google to streamline the installation process. It will handle the following:
- Grant necessary IAM permissions.
- Enable required APIs.
- Label the cluster.
- Create service accounts.
- Register the cluster with the fleet.
Installing asmcli
Download the asmcli tool version that installs the latest Anthos Service Mesh to your current directory:
curl https://storage.googleapis.com/csm-artifacts/asm/1.19.5-asm.4 > asmcli
Make the script executable:
chmod +x asmcliNote: If you encounter an error message referencing the inability to run the jq command, install jq on the bastion VM by running:
sudo apt update
sudo apt install jq -y3. Validate Configuration
ASM CLI tool will ensure the environment meets all requirements before proceeding with the installation:
./asmcli validate \
--project_id PROJECT_ID \ ## GKE Project ID
--cluster_name CLUSTER_NAME \
--cluster_location CLUSTER_LOCATION \
--fleet_id FLEET_PROJECT_ID \ ## GKE Project ID
--output_dir OUTPUT_DIR4. Installing Anthos Service Mesh
Install ASM with the following command, which also enables required Google APIs and configures IAM permissions:
./asmcli install \
--project_id PROJECT_ID \ ## GKE Project ID
--cluster_name CLUSTER_NAME \
--cluster_location CLUSTER_LOCATION \
--fleet_id FLEET_PROJECT_ID \ ## GKE Project ID
--output_dir OUTPUT_DIR \
--enable_all \
--ca mesh_ca \
--enable_gcp_components \
--option legacy-default-ingressgatewayCreating an L7 Load Balancer for Istio Ingress Gateway
After installing ASM, the asmcli tool will deploy a istio ingress gateway with an L4 Load Balancer. To upgrade to an L7 Load Balancer, follow these steps:
1. Patch the Istio Ingress Gateway Service to create a Network Endpoint Group (NEG)
SSH to the bastion VM and connect to the GKE and run the following commands:
kubectl get svc -n istio-systemWe will use a Network Endpoint Group (NEG) as the backend for Istio. To create a NEG, we need to add an annotation to the Istio service file. Run the following command to add the NEG annotation.
kubectl patch svc <ISTIO_SERVICE_NAME> -n istio-system -p '{"spec": {"type": "NodePort"}, "metadata": {"annotations": {"cloud.google.com/neg": "{\"exposed_ports\":{\"80\":{\"name\": \"<CLOUD_NEGG_NAME>\"}}}"}}}'Example:
kubectl patch svc istio-ingressgateway -n istio-system -p \
'{"spec": {"type": "NodePort"}, "metadata": {"annotations": {"cloud.google.com/neg": "{\"exposed_ports\":{\"80\":{\"name\": \"istio-http\"}}}"}}}'After running the above command you will get the below output
To view the NEG Backend follow the below steps
- In the Google Cloud Console Search Network endpoint groups
We can see in the above image,the istio-http NEG has been successfully created.
2. Creating the L7 Load Balancer
In this step we will be creating the GCP Application Load Balancer, For which we will be using NEG as a backend
Navigate to the Load Balancer page in the Google Cloud Console and follow these steps:
- Click on “Create Load Balancer.”
2. Select “Application Load Balancer” and proceed with the setup.
3. Configure the frontend as required.
4. For the backend, create a new backend service using the istio-http NEG.
Once all the required details has been configured click on CREATE button.
Once your service mesh is configured and applications are deployed, you can use Google Cloud Console to view the service mesh topology and gain insights into the interactions and health of your services.
Conclusion
By following these steps, you can successfully expose your applications within Anthos Service Mesh to external clients using Cloud Load Balancing. This integration not only ensures secure and efficient traffic management but also enhances observability and control over your service communications. Now, you can deploy applications using Istio YAML files, which simplifies the process of defining and managing service configurations within the mesh. For advanced practitioners managing ASM, these tools provide a robust framework to maintain high standards of service reliability and performance.
