Creating a GCP Load Balancer for the TKGI API
Page last updated:
This topic describes how to create a load balancer for the TKGI API using Google Cloud Platform (GCP).
Overview
Before you install VMware Tanzu Kubernetes Grid Integrated Edition, you must configure an external TCP load balancer to access the TKGI API from outside the network. You can use any external TCP load balancer of your choice.
Refer to the procedures in this topic to create a load balancer using GCP. If you choose to use a different load balancer, use the configuration in this topic as a guide.
Note: This procedure uses example commands which you should modify to represent the details of your Tanzu Kubernetes Grid Integrated Edition installation.
To create a GCP load balancer for the TKGI API, do the following:
- Create a Load Balancer
- Create a Firewall Rule
- Create a DNS Entry
- Install Tanzu Kubernetes Grid Integrated Edition
- Create a Network Tag for the Firewall Rule
Create a Load Balancer
To create a load balancer using GCP, perform the following steps:
In a browser, navigate to the GCP console.
Navigate to Network Services > Load balancing and click CREATE LOAD BALANCER.
Under TCP Load Balancing, click Start configuration.
Under Internet facing or internal only, select From Internet to my VMs.
Under Multiple regions or single region, select Single region only.
Click Continue.
Name your load balancer. VMware recommends naming your load balancer
tkgi-api
.Select Backend configuration.
- Under Region, select the region where you deployed Ops Manager.
- Under Backends, select Select existing instances. This will be automatically configured when updating the Resource Config section of the Tanzu Kubernetes Grid Integrated Edition tile.
- (Optional) Under Backup pool, select a backup pool. If you select a backup pool, set a Failover ratio.
- (Optional) Under Health check, select whether or not you want to create a health check.
- Under Session affinity, select a session affinity configuration.
- (Optional) Select Advanced configurations to configure the Connection draining timeout.
Select Frontend configuration.
- (Optional) Name your frontend.
- (Optional) Click Add a description and provide a description.
- Select Create IP address to reserve an IP address for the TKGI API endpoint.
- Enter a name for your reserved IP address. For example,
tkgi-api-ip
. GCP assigns a static IP address that appears next to the name. - (Optional) Enter a description.
- Click Reserve.
- Enter a name for your reserved IP address. For example,
- Under Port, enter
9021
. Your external load balancer forwards traffic to the TKGI API VM using the UAA endpoint on port 8443 and the TKGI API endpoint on port 9021. - Click Done.
- Click New Frontend IP and Port.
- Enter a name for the frontend IP-port mapping, such as
tkgi-api-uaa
. - (Optional) Add a description.
- Under IP select the same static IP address that GCP assigned in the previous step.
- Under Port, enter
8443
. - Click Done.
- Enter a name for the frontend IP-port mapping, such as
Click Review and finalize to review your load balancer configuration.
Click Create.
Create a Firewall Rule
To create a firewall rule that allows traffic between the load balancer and the TKGI API VM, do the following:
From the GCP console, navigate to VPC Network > Firewall rules and click CREATE FIREWALL RULE.
Configure the following:
- Name your firewall rule.
- (Optional) Provide a description for your firewall rule.
- Under Network, select the VPC network you created in the Create a GCP Network with Subnets step of Preparing to Deploy Ops Manager on GCP Manually.
- Under Priority, enter a priority number between
0
and65535
. - Under Direction of traffic, select Ingress.
- Under Action on match, select Allow.
- Under Targets, select Specified target tags.
- Under Target tags, enter
tkgi-api
. - Under Source filter, select IP ranges.
- Under Source IP ranges, enter
0.0.0.0/0
. - Under Protocols and ports, select Specified protocols and ports and enter
tcp:8443,9021
.
Click Create.
Create a DNS Entry
To create a DNS entry in GCP for your TKGI API domain, do the following:
From the GCP console, navigate to Network Services > Cloud DNS.
If you do not already have a DNS zone, click Create zone.
- Provide a Zone name and a DNS name.
- Specify whether the DNSSEC state of the zone is Off, On, or Transfer.
- (Optional) Enter a Description.
- Click Create.
Click Add record set.
Under DNS Name, enter a subdomain for the load balancer. For example, if your domain is
example.com
, enterapi.tkgi
in this field to useapi.tkgi.example.com
as your TKGI API load balancer hostname.Under Resource Record Type, select A to create a DNS address record.
Enter a value for TTL and select a TTL Unit.
Enter the static IP address that GCP assigned when you created the load balancer in Create a Load Balancer.
Click Create.
Install Tanzu Kubernetes Grid Integrated Edition
Follow the instructions in Installing Tanzu Kubernetes Grid Integrated Edition on GCP to deploy Tanzu Kubernetes Grid Integrated Edition. After you finish installing Tanzu Kubernetes Grid Integrated Edition, continue to the Create a Network Tag for the Firewall Rule section below to complete the TKGI API load balancer configuration.
Create a Network Tag for the Firewall Rule
To apply the firewall rule to the VM or VMs hosting the TKGI API, the VM must have the tkgi-api
tag in GCP. Do the following:
- From the GCP console, navigate to Compute Engine > VM instances.
- Locate your TKGI API VM, or VMs.
To locate this VM, you can search for the
pivotal-container-service
job label on the VM instances page. - Click the name of the VM to open the VM instance details menu.
- Click Edit.
- Verify that the Network tags field contains the
tkgi-api
tag. Add the tag if it does not appear in the field. - Repeat the preceding steps for your other VMs with the
pivotal-container-service
job label and apply thetkgi-api
tag to each. - Scroll to the bottom of the screen and click Save.
Please send any feedback you have to pks-feedback@pivotal.io.