Pivotal Container Service v1.0

Configuring a GCP Load Balancer for the PKS API

Page last updated:

This topic describes how to create a load balancer for the PKS API using Google Cloud Platform (GCP).

Before you install PKS, you must configure an external TCP load balancer to access the PKS API from outside the network. You can use any external TCP load balancer of your choice.

Refer to the procedures in this topic to create a load balancer using GCP. If you choose to use a different load balancer, use the configuration in this topic as a guide.

Note: This procedure uses example commands which you should modify to represent the details of your PKS installation.

Step 1: Create a Load Balancer

To create a load balancer using GCP, perform the following steps:

  1. In a browser, navigate to the GCP console.

  2. Navigate to Network Services > Load balancing and click CREATE LOAD BALANCER.

  3. Under TCP Load Balancing, click Start configuration.

  4. Select whether you want to load balance traffic from the Internet to your VMs or only between your VMs.

  5. Select whether you want to place the backends for your load balancer in a single region or across multiple regions.

  6. Give your load balancer a name. Pivotal recommends naming your load balancer pks-api.

  7. Select Backend configuration.

    • Under Region, select the region where you deployed Ops Manager.
    • Under Backends, leave Select existing instance groups selected. You point the PKS API instance to the backend later in this procedure.
    • (Optional) Select a backup pool.
    • (Optional) Select whether you want to create a health check or go without one.
    • Select a session affinity configuration.
    • (Optional) Select Advanced configurations to configure the Connection draining timeout.
  8. Select Frontend configuration.

    • (Optional) Give your frontend a name.
    • (Optional) Give your frontend a description.
    • Select Create IP address to reserve an IP address for the PKS API endpoint.
      1. Enter a name for your reserved IP address. For example, pks-api-ip. GCP assigns a static IP address that appears next to the name.
      2. (Optional) Enter a description.
      3. Click Reserve.
    • Under Ports, enter 8443 and 9021. Your external load balancer forwards traffic to the PKS control plane VM using the UAA endpoint on port 8443 and the PKS API endpoint on port 9021.
    • Click Done.
  9. Click Review and finalize to review your load balancer configuration.

  10. Click Create.

Step 2: Create a Firewall Rule

To create a firewall rule that allows traffic between the load balancer and the PKS API VM, do the following:

  1. From the GCP console, navigate to VPC Network > Firewall rules and click CREATE FIREWALL RULE.

  2. Configure the following:

    • Give your firewall rule a name.
    • (Optional) Give your firewall rule a description.
    • Under Network, select the VPC network you created in Step 3: Create a GCP Network with Subnets of Preparing to Deploy PKS on GCP.
    • Under Priority, enter a priority number between 0 and 65535.
    • Under Direction of traffic, select Ingress.
    • Under Action on match, select Allow.
    • Under Targets, select Specified target tags.
    • Under Target tags, enter pks-api.
    • Under Source filter, select IP ranges.
    • Under Source IP ranges, enter
    • Under Protocols and ports, select Specified protocols and ports and enter tcp:8443,9021.
  3. Click Create.

Step 3: Install PKS

Follow the instructions in Installing and Configuring PKS to deploy PKS. After you finish installing PKS, continue to the following sections to complete the PKS API load balancer configuration.

Step 4: Create a Network Tag for the Firewall Rule

To apply the firewall rule to the VM that hosts the PKS API, the VM must have the pks-api tag in GCP. Do the following:

  1. From the GCP console, navigate to Compute Engine > VM instances.
  2. Locate the your PKS control plane VM.
  3. Click the name of the VM to open the VM instance details menu.
  4. Click Edit.
  5. Verify that the Network tags field contains the pks-api tag. If the tag does not appear in the field, enter it now.
  6. Scroll to the bottom of the screen and click Save.

Step 5: Create a Wildcard DNS Entry

To create a wildcard DNS entry in GCP for your PKS API domain, do the following:

  1. From the GCP console, navigate to Network Services > Cloud DNS.

  2. If you do not already have a DNS zone, click Create zone.

    • Give a Zone name and a DNS name.
    • Specify whether the DNSSEC state of the zone is Off, On, or Transfer.
    • (Optional) Enter a Description.
    • Click Create.
  3. Click Add record set.

  4. Under DNS Name, enter a subdomain for the load balancer. For example, to use as your PKS API hostname, enter pks-api in this field.

  5. Under Resource Record Type, select A to create a DNS address record.

  6. Enter a value for TTL and select a TTL Unit.

  7. Enter the static IP address that GCP assigned when you created the load balancer in Step 1: Create a Load Balancer.

  8. Click Create.

Next Steps

Follow the procedures in Configure PKS API Access.

Configure authentication for PKS using User Account and Authentication (UAA). To create and manage users using UAA, see Manage Users in UAA.

Please send any feedback you have to

Create a pull request or raise an issue on the source for this page in GitHub