mirror of
https://github.com/puppetmaster/typhoon.git
synced 2025-01-07 19:39:32 +01:00
a12833531e
* Describe kube-apiserver load balancing on each platform * Describe HTTP/S Ingress load balancing on each platform * Describe TCP/UDP load balancing apps on each platform (some clouds don't support UDP) * Describe firewall customization (e.g. for TCP/UDP apps) * Update IPv6 status for each platform
95 lines
3.2 KiB
Markdown
95 lines
3.2 KiB
Markdown
# Google Cloud
|
|
|
|
## Load Balancing
|
|
|
|
![Load Balancing](/img/typhoon-gcp-load-balancing.png)
|
|
|
|
### kube-apiserver
|
|
|
|
A global forwarding rule (IPv4 anycast) and TCP Proxy distribute IPv4 TCP/443 traffic across a backend service with zonal instance groups of controller(s) with a healthy `kube-apiserver` (TCP/6443). Clusters with multiple controllers span zones in a region to tolerate zone outages.
|
|
|
|
Notes:
|
|
|
|
* GCP TCP Proxy limits external port options (e.g. must use 443, not 6443)
|
|
* A regional NLB cannot be used for multi-controller (see [#190](https://github.com/poseidon/typhoon/pull/190))
|
|
|
|
### HTTP/HTTP Ingress
|
|
|
|
Global forwarding rules and a TCP Proxy distribute IPv4/IPv6 TCP/80 and TCP/443 traffic across a managed instance group of workers with a healthy Ingress Controller. Workers span zones in a region to tolerate zone outages.
|
|
|
|
The IPv4 and IPv6 anycast addresses are output as `ingress_static_ipv4` and `ingress_static_ipv6` for use in DNS A and AAAA records. See [Ingress on Google Cloud](/addons/ingress/#google-cloud).
|
|
|
|
### TCP/UDP Services
|
|
|
|
Load balance TCP/UDP applications by adding a forwarding rule to the worker target pool (output).
|
|
|
|
```tf
|
|
# Static IPv4 address for some-app Load Balancing
|
|
resource "google_compute_address" "some-app-ipv4" {
|
|
name = "some-app-ipv4"
|
|
}
|
|
|
|
# Forward IPv4 TCP traffic to the target pool
|
|
resource "google_compute_forwarding_rule" "some-app-tcp" {
|
|
name = "some-app-tcp"
|
|
ip_address = google_compute_address.some-app-ipv4.address
|
|
ip_protocol = "TCP"
|
|
port_range = "3333"
|
|
target = module.yavin.worker_target_pool
|
|
}
|
|
|
|
|
|
# Forward IPv4 UDP traffic to the target pool
|
|
resource "google_compute_forwarding_rule" "some-app-udp" {
|
|
name = "some-app-udp"
|
|
ip_address = google_compute_address.some-app-ipv4.address
|
|
ip_protocol = "UDP"
|
|
port_range = "3333"
|
|
target = module.yavin.worker_target_pool
|
|
}
|
|
```
|
|
|
|
Notes:
|
|
|
|
* GCP Global Load Balancers aren't appropriate for custom TCP/UDP.
|
|
* Backend Services require a named port corresponding to an instance group (output by Typhoon) port. Typhoon shouldn't accept a list of every TCP/UDP service that may later be hosted on the cluster.
|
|
* Backend Services don't support UDP (i.e. rules out global load balancers)
|
|
* IPv4 Only: Regional Load Balancers use a regional IPv4 address (e.g. `google_compute_address`), no IPv6.
|
|
* Forward rules don't support differing external and internal ports. Some Ingress controllers (e.g. nginx) can proxy TCP/UDP traffic to achieve this.
|
|
* Worker target pool health checks workers `HTTP:10254/healthz` (i.e. `nginx-ingress`)
|
|
|
|
## Firewalls
|
|
|
|
Add firewall rules to the cluster's network.
|
|
|
|
```tf
|
|
resource "google_compute_firewall" "some-app" {
|
|
name = "some-app"
|
|
network = module.yavin.network_self_link
|
|
|
|
allow {
|
|
protocol = "tcp"
|
|
ports = [3333]
|
|
}
|
|
|
|
allow {
|
|
protocol = "udp"
|
|
ports = [3333]
|
|
}
|
|
|
|
source_ranges = ["0.0.0.0/0"]
|
|
target_tags = ["yavin-worker"]
|
|
}
|
|
```
|
|
|
|
## IPv6
|
|
|
|
Applications exposed via HTTP/HTTPS Ingress can be served over IPv6.
|
|
|
|
| IPv6 Feature | Supported |
|
|
|-------------------------|-----------|
|
|
| Node IPv6 address | No |
|
|
| Node Outbound IPv6 | No |
|
|
| Kubernetes Ingress IPv6 | Yes |
|
|
|