Creating a GCP Load Balancer for the TKGI API


This topic describes how to create a load balancer for the TKGI API using Google Cloud Platform (GCP).

Overview

Before you install VMware Tanzu Kubernetes Grid Integrated Edition, you must configure an external TCP load balancer to access the TKGI API from outside the network. You can use any external TCP load balancer of your choice.

Refer to the procedures in this topic to create a load balancer using GCP. If you choose to use a different load balancer, use the configuration in this topic as a guide.

Note: This procedure uses example commands which you should modify to represent the details of your Tanzu Kubernetes Grid Integrated Edition installation.

To create a GCP load balancer for the TKGI API, do the following:

  1. Create a Load Balancer
  2. Create a Firewall Rule
  3. Create a DNS Entry
  4. Install Tanzu Kubernetes Grid Integrated Edition
  5. Create a Network Tag for the Firewall Rule

Create a Load Balancer

To create a load balancer using GCP, perform the following steps:

  1. In a browser, navigate to the GCP console.

  2. Navigate to Network Services > Load balancing and click CREATE LOAD BALANCER.

  3. Under TCP Load Balancing, click Start configuration.

  4. Under Internet facing or internal only, select From Internet to my VMs.

  5. Under Multiple regions or single region, select Single region only.

  6. Click Continue.

  7. Name your load balancer. VMware recommends naming your load balancer tkgi-api.

  8. Select Backend configuration.

    • Under Region, select the region where you deployed Ops Manager.
    • Under Backends, select Select existing instances. The backends are configured automatically when you update the Resource Config section of the Tanzu Kubernetes Grid Integrated Edition tile.
    • (Optional) Under Backup pool, select a backup pool. If you select a backup pool, set a Failover ratio.
    • (Optional) Under Health check, select whether or not you want to create a health check.
    • Under Session affinity, select a session affinity configuration.
    • (Optional) Select Advanced configurations to configure the Connection draining timeout.
  9. Select Frontend configuration.

    • (Optional) Name your frontend.
    • (Optional) Click Add a description and provide a description.
    • Select Create IP address to reserve an IP address for the TKGI API endpoint.
      1. Enter a name for your reserved IP address. For example, tkgi-api-ip. GCP assigns a static IP address that appears next to the name.
      2. (Optional) Enter a description.
      3. Click Reserve.
    • Under Port, enter 9021. Your external load balancer forwards traffic to the TKGI API VM using the UAA endpoint on port 8443 and the TKGI API endpoint on port 9021.
    • Click Done.
    • Click New Frontend IP and Port.
      1. Enter a name for the frontend IP-port mapping, such as tkgi-api-uaa.
      2. (Optional) Add a description.
      3. Under IP, select the same static IP address that GCP assigned in the previous step.
      4. Under Port, enter 8443.
      5. Click Done.
  10. Click Review and finalize to review your load balancer configuration.

  11. Click Create.

Create a Firewall Rule

To create a firewall rule that allows traffic between the load balancer and the TKGI API VM, do the following:

  1. From the GCP console, navigate to VPC Network > Firewall rules and click CREATE FIREWALL RULE.

  2. Configure the following:

    • Name your firewall rule.
    • (Optional) Provide a description for your firewall rule.
    • Under Network, select the VPC network you created in the Create a GCP Network with Subnets step of Preparing to Deploy Ops Manager on GCP Manually.
    • Under Priority, enter a priority number between 0 and 65535.
    • Under Direction of traffic, select Ingress.
    • Under Action on match, select Allow.
    • Under Targets, select Specified target tags.
    • Under Target tags, enter tkgi-api.
    • Under Source filter, select IP ranges.
    • Under Source IP ranges, enter 0.0.0.0/0.
    • Under Protocols and ports, select Specified protocols and ports and enter tcp:8443,9021.
  3. Click Create.
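
Because the rule above admits traffic from 0.0.0.0/0, the target tag and the port list are the only things limiting what it exposes. The following check is an added example, not part of the VMware documentation: it compares exported firewall rules with the settings in this procedure. The rule names and sample JSON are constructed; the field names follow the output of `gcloud compute firewall-rules list --format=json`.

```python
import json

EXPECTED_TAG = "tkgi-api"      # target tag from this page
EXPECTED_PORTS = {8443, 9021}  # UAA and TKGI API ports from this page

def open_tcp_ports(rule):
    """Expand the rule's allowed tcp port specs ("9021", "8000-8100") to a set."""
    ports = set()
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") != "tcp":
            continue
        # An allowed entry with no "ports" key permits every port.
        for spec in entry.get("ports", ["0-65535"]):
            lo, _, hi = spec.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit_rule(rule):
    """Return findings where the rule differs from the configuration above."""
    findings = []
    if rule.get("disabled"):
        findings.append("rule is disabled")
    if rule.get("direction") != "INGRESS":
        findings.append("direction is not INGRESS")
    if rule.get("targetTags", []) != [EXPECTED_TAG]:
        # Without target tags a rule applies to every VM in the network.
        findings.append("targets are not limited to the tkgi-api tag")
    protocols = {e.get("IPProtocol") for e in rule.get("allowed", [])}
    if protocols - {"tcp"}:
        findings.append("allows protocols other than tcp")
    ports = open_tcp_ports(rule)
    if EXPECTED_PORTS - ports:
        findings.append("missing ports: %s" % sorted(EXPECTED_PORTS - ports))
    extra = ports - EXPECTED_PORTS
    if extra:
        findings.append("%d tcp ports open beyond 8443 and 9021" % len(extra))
    return findings

# Constructed sample: one rule as configured above, one that has drifted.
SAMPLE = json.loads("""[
 {"name": "tkgi-api-lb", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "targetTags": ["tkgi-api"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["8443", "9021"]}]},
 {"name": "tkgi-api-drifted", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["8000-9021"]}]}]""")

for rule in SAMPLE:
    print(rule["name"], audit_rule(rule) or "matches the page")
```

To run it against a real project, replace SAMPLE with the parsed JSON export and pass only the rule you created for the TKGI API to audit_rule.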

Create a DNS Entry

To create a DNS entry in GCP for your TKGI API domain, do the following:

  1. From the GCP console, navigate to Network Services > Cloud DNS.

  2. If you do not already have a DNS zone, click Create zone.

    • Provide a Zone name and a DNS name.
    • Specify whether the DNSSEC state of the zone is Off, On, or Transfer.
    • (Optional) Enter a Description.
    • Click Create.
  3. Click Add record set.

  4. Under DNS Name, enter a subdomain for the load balancer. For example, if your domain is example.com, enter api.tkgi in this field to use api.tkgi.example.com as your TKGI API load balancer hostname.

  5. Under Resource Record Type, select A to create a DNS address record.

  6. Enter a value for TTL and select a TTL Unit.

  7. Enter the static IP address that GCP assigned when you created the load balancer in Create a Load Balancer.

  8. Click Create.

Install Tanzu Kubernetes Grid Integrated Edition

Follow the instructions in Installing Tanzu Kubernetes Grid Integrated Edition on GCP to deploy Tanzu Kubernetes Grid Integrated Edition. After you finish installing Tanzu Kubernetes Grid Integrated Edition, continue to the Create a Network Tag for the Firewall Rule section below to complete the TKGI API load balancer configuration.

Create a Network Tag for the Firewall Rule

To apply the firewall rule to the VM or VMs hosting the TKGI API, the VM must have the tkgi-api tag in GCP. Do the following:

  1. From the GCP console, navigate to Compute Engine > VM instances.
  2. Locate your TKGI API VM or VMs. To locate these VMs, you can search for the pivotal-container-service job label on the VM instances page.
  3. Click the name of the VM to open the VM instance details menu.
  4. Click Edit.
  5. Verify that the Network tags field contains the tkgi-api tag. Add the tag if it does not appear in the field.
  6. Repeat the preceding steps for your other VMs with the pivotal-container-service job label and apply the tkgi-api tag to each.
  7. Scroll to the bottom of the screen and click Save.
