0 votes

I have followed the guide here to create a shared VPC and a couple of clusters in it. The guide explains the use of internal load balancers for communication between services in different clusters; however, according to the docs:

Internal load balancing creates a private (RFC 1918) LoadBalancer Ingress IP address in the cluster for receiving traffic on the network within the same compute region from an IP range in the user’s subnet.

How can I facilitate receiving traffic from my VPC but from a different compute region? For context, I am setting up a federated Prometheus so I can have a single pane of glass to see all metrics. As Prometheus does not provide any authentication mechanism, I want to only permit traffic from within the VPC and not have it publicly accessible.

2
The document doesn't say your cluster's services will be 'publicly' accessible. It explains that internal load balancing makes your cluster's services accessible to applications running on the same network but outside of the cluster. If you run a cluster alongside some GCE VM instances in the same network, you can configure your cluster's Service resources to add an internal load balancer in order to let your cluster-internal services be available to the cluster-external instances. – mehdi sharifi
For more assistance, please explain more about your use case. – mehdi sharifi

2 Answers

0 votes

To implement an internal cross-region load balancer providing access to GKE resources:

Your service will be assigned an External IP, but firewalls will block traffic except from internal sources.

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  type: LoadBalancer
  # Only sources in this CIDR are allowed through the load balancer's firewall rule
  loadBalancerSourceRanges:
  - 10.0.0.0/8
  # selector and ports are assumed here so the manifest applies; the original answer omitted them
  selector:
    app: my-app
  ports:
  - port: 80

EDIT: The above solution doesn't quite work; the loadBalancerSourceRanges are actually applied to the external IPs of the source pod, rather than the internal IPs. That means you would need to use Cloud NAT to get a stable IP and use that in the YAML in addition to 10.0.0.0/8.
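As an added example (not part of the answer above, and not code from any GKE project), here is a small Python audit that encodes the two properties the question asks for: the Service must be given a private address rather than a public one, and that address must be reachable from other regions of the VPC. The annotation names `networking.gke.io/load-balancer-type: "Internal"` and `networking.gke.io/internal-load-balancer-allow-global-access: "true"` are taken from GKE's documentation as I know it, not from this thread. The manifests are constructed inline as Python dicts (what `yaml.safe_load` would produce); the first is the manifest from the answer above plus an assumed selector and port, the second is a hardened version.

```python
"""Audit a Kubernetes Service manifest for GKE load-balancer exposure.

Added example, not from the answer above. Annotation names are from GKE
documentation as I know it (assumption, not something this thread states).
Manifests are constructed here as plain dicts, as yaml.safe_load would give.
"""
import ipaddress

# Current annotation plus the legacy one; both take the value "Internal".
INTERNAL_LB_ANNOTATIONS = (
    "networking.gke.io/load-balancer-type",
    "cloud.google.com/load-balancer-type",
)
GLOBAL_ACCESS_ANNOTATION = "networking.gke.io/internal-load-balancer-allow-global-access"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _annotations(svc: dict) -> dict:
    return svc.get("metadata", {}).get("annotations") or {}


def is_internal_lb(svc: dict) -> bool:
    """True if the Service asks GKE for an internal (private-IP) load balancer."""
    ann = _annotations(svc)
    return any(str(ann.get(k, "")).lower() == "internal" for k in INTERNAL_LB_ANNOTATIONS)


def audit_lb_service(svc: dict) -> list:
    """Return findings; an empty list means: private IP, cross-region, private sources only."""
    findings = []
    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        return ["not a LoadBalancer Service; nothing to audit"]
    ann = _annotations(svc)
    ranges = spec.get("loadBalancerSourceRanges") or []

    if not is_internal_lb(svc):
        # Without the Internal annotation GKE allocates a public IP. As the answer's edit
        # notes, loadBalancerSourceRanges are then matched against the address a remote
        # pod shows up with at that public IP (its NAT/egress address), not its private one.
        findings.append("public IP: missing the Internal load-balancer annotation")
    elif str(ann.get(GLOBAL_ACCESS_ANNOTATION, "")).lower() != "true":
        # An internal LB is region-local unless global access is enabled.
        findings.append("internal LB is region-local: set the global-access annotation to true")

    if not ranges:
        findings.append("no loadBalancerSourceRanges: defaults to allowing all sources (0.0.0.0/0)")
    for r in ranges:
        try:
            net = ipaddress.ip_network(r, strict=False)
        except ValueError:
            findings.append(f"unparseable source range {r!r}")
            continue
        if not any(net.version == p.version and net.subnet_of(p) for p in RFC1918):
            findings.append(f"source range {r} is not private (RFC 1918)")
    return findings


# Constructed manifests for the demo (not captured from a real cluster).
_PROM_SPEC = {"selector": {"app": "prometheus"}, "ports": [{"port": 9090, "targetPort": 9090}]}

ANSWER_MANIFEST = {  # the answer's approach: external LB restricted by source ranges
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "my-service"},
    "spec": {"type": "LoadBalancer", "loadBalancerSourceRanges": ["10.0.0.0/8"], **_PROM_SPEC},
}

HARDENED_MANIFEST = {  # private IP, reachable VPC-wide, RFC 1918 sources only
    "apiVersion": "v1", "kind": "Service",
    "metadata": {
        "name": "prometheus-federate",
        "annotations": {
            "networking.gke.io/load-balancer-type": "Internal",
            "networking.gke.io/internal-load-balancer-allow-global-access": "true",
        },
    },
    "spec": {"type": "LoadBalancer", "loadBalancerSourceRanges": ["10.0.0.0/8"], **_PROM_SPEC},
}

if __name__ == "__main__":
    for name, manifest in (("answer", ANSWER_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(name, audit_lb_service(manifest) or ["ok"])
```

Running it flags the answer's manifest for a public IP and passes the hardened one. The check only covers a passthrough LoadBalancer Service on GKE; Ingress resources use different annotations and are out of scope here.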

-1 votes

If it is for Prometheus federation, just use an Ingress with basic auth for polling /federate from your main Prometheus.
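The Ingress-with-basic-auth approach, modelled as an added Python example rather than the answer's own configuration: a tiny HTTP gate that serves /federate only to requests carrying valid Basic credentials, the way an Ingress controller with basic-auth annotations would in front of Prometheus. The user name, password, loopback port and the metrics body are constructed for the demo and are not from this page.

```python
"""Basic-auth gate in front of Prometheus' /federate endpoint.

Added example, not from the answer above. It stands in for an Ingress with
basic auth: a small HTTP handler that answers /federate only when the request
carries valid Basic credentials. The upstream Prometheus is replaced by a
constructed in-memory metrics sample; user name, password and port are
assumptions for the demo.
"""
import base64
import hmac
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample of a /federate response (not captured from a real server).
SAMPLE_FEDERATE_BODY = (
    "# TYPE up untyped\n"
    'up{instance="node-1:9100",job="node"} 1\n'
    'up{instance="node-2:9100",job="node"} 0\n'
)

EXPECTED_USER = "federation"         # assumption for the demo
EXPECTED_PASSWORD = "correct-horse"  # assumption; load from a Secret in practice


def basic_header(user: str, password: str) -> str:
    """Build an Authorization header value for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header, user=EXPECTED_USER, password=EXPECTED_PASSWORD) -> bool:
    """Validate an Authorization header value; False on missing or malformed input.

    Both fields are compared in constant time and both comparisons always run,
    so a wrong user and a wrong password are not distinguishable by timing.
    """
    if not header:
        return False
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    got_user, sep, got_password = decoded.partition(":")
    if not sep:
        return False
    ok_user = hmac.compare_digest(got_user.encode(), user.encode())
    ok_pass = hmac.compare_digest(got_password.encode(), password.encode())
    return ok_user and ok_pass


class FederateGate(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path.split("?", 1)[0] != "/federate":
            self.send_error(404)
            return
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="prometheus-federate"')
            self.end_headers()
            return
        body = SAMPLE_FEDERATE_BODY.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; version=0.0.4")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(url: str, auth=None) -> int:
    """GET url and return the HTTP status; auth is (user, password) or None."""
    req = Request(url)
    if auth:
        req.add_header("Authorization", basic_header(*auth))
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as e:
        return e.code


def run_demo() -> tuple:
    """Start the gate on an ephemeral loopback port, probe it three ways, return the status codes."""
    server = HTTPServer(("127.0.0.1", 0), FederateGate)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_address[1]}/federate?match%5B%5D=up"
        return (
            fetch(url),                                   # no credentials  -> 401
            fetch(url, (EXPECTED_USER, "wrong")),         # bad password    -> 401
            fetch(url, (EXPECTED_USER, EXPECTED_PASSWORD)),  # valid        -> 200
        )
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())  # (401, 401, 200)
```

Basic credentials are only base64-encoded, not encrypted, so in practice terminate TLS on the Ingress and keep the password in a Secret. Note also that an Ingress is typically exposed on a public address unless configured as internal, so with this approach the credential check becomes the only boundary between the /federate endpoint and the internet.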