I have a GKE service with a load balancer, but I want to use it internally from my other services, i.e. I want no public IP to be assigned to it.
Is it possible without a private VPN and juggling over firewall settings?
All other load-balancing features (like kube-dns) work great, and services within my Container Engine cluster do not need a public IP.
All nodes live in the same region and zone, so I do not need and do not care about multi-regional features.
GKE supports Internal Load Balancing now:
apiVersion: v1
kind: Service
metadata:
  name: [SERVICE-NAME]
  annotations:
    # Tells GKE to allocate a private, VPC-routable IP instead of a public one
    cloud.google.com/load-balancer-type: "Internal"
  labels:
    app: echo
spec:
  type: LoadBalancer
  loadBalancerIP: [IP-ADDRESS]   # optional: pin a specific internal IP
  ports:
  - port: 9000
    protocol: TCP
  selector:
    [KEY]: [VALUE]
Notice the annotation cloud.google.com/load-balancer-type: "Internal". This will create a LoadBalancer Service with a private IP address routable from within your VPC.
Bitnami also has a great blog post on this: creating-private-kubernetes-clusters-on-gke.
It isn't clear in the context of your question whether "internally by my other services" means "Kubernetes Services running in the same cluster" or "other applications running in GCE but outside the Kubernetes cluster".
Kubernetes "Service" resources do load balancing even when they aren't set to LoadBalancer. So if you only need to expose this Service to other applications running in Kubernetes, you can set the spec.type of the Service to ClusterIP. From the docs:
ClusterIP: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster.
If you need to expose this Service to applications outside of Kubernetes, you will need to set spec.type to LoadBalancer, which will assign it a public IP. Firewall configuration is made relatively easy for simple firewall rules using spec.loadBalancerSourceRanges. You can read more about that here: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
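The two answers above describe three distinct exposure levels (ClusterIP for same-cluster callers, an Internal LoadBalancer for callers elsewhere in the VPC, and a plain LoadBalancer that gets a public IP) plus loadBalancerSourceRanges as the firewall knob. The practical risk is a manifest that silently lands in the wrong tier. The following is an added example, not code from either answer or from GKE itself: a small pre-deploy lint over the JSON that `kubectl get svc -A -o json` emits, which classifies each Service and flags the ones that would get a public IP or an unrestricted source range. It assumes that both `cloud.google.com/load-balancer-type` (the form used in the first answer) and the newer `networking.gke.io/load-balancer-type` spelling mean the same thing; the sample Service list embedded at the bottom is constructed for the demo.

```python
"""Lint Kubernetes Service objects for unintended public exposure on GKE.

Added example, not from the original answers. Assumption: the two annotation
keys below are treated as equivalent ways of requesting an internal LB.
"""
import ipaddress
import json

# Annotation keys whose value "Internal" makes GKE allocate a private LB IP.
# First is the form used in the answer above, second the newer GKE spelling
# (treating them as equivalent is this example's assumption).
INTERNAL_LB_ANNOTATIONS = (
    "cloud.google.com/load-balancer-type",
    "networking.gke.io/load-balancer-type",
)


def is_internal_lb(svc):
    """True if the Service carries an Internal load-balancer annotation."""
    annotations = svc.get("metadata", {}).get("annotations") or {}
    return any(
        str(annotations.get(key, "")).strip().lower() == "internal"
        for key in INTERNAL_LB_ANNOTATIONS
    )


def exposure(svc):
    """Classify reach as 'cluster', 'nodes', 'vpc', 'public' or 'other'."""
    svc_type = svc.get("spec", {}).get("type", "ClusterIP")  # API default
    if svc_type == "ClusterIP":
        return "cluster"            # only Pods in the cluster can reach it
    if svc_type == "NodePort":
        return "nodes"              # every node IP; VPC firewall decides
    if svc_type == "LoadBalancer":
        return "vpc" if is_internal_lb(svc) else "public"
    return "other"                  # e.g. ExternalName, no IP of its own


def lint_service(svc):
    """Return human-readable findings for one Service object."""
    meta = svc.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    spec = svc.get("spec", {})
    reach = exposure(svc)
    findings = []
    if reach == "public":
        findings.append(f"{name}: LoadBalancer without an Internal annotation; "
                        "a public IP will be allocated")
    if reach in ("vpc", "public"):
        ranges = spec.get("loadBalancerSourceRanges") or []
        if not ranges:
            findings.append(f"{name}: no loadBalancerSourceRanges; anything that "
                            "can route to the LB IP may connect")
        for cidr in ranges:
            # strict=False tolerates host bits set, as the API server does
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"{name}: loadBalancerSourceRanges contains {cidr}, "
                                "which allows every source")
    return findings


def lint_service_list(json_text):
    """Lint `kubectl get svc -A -o json` output (a v1 List) or one Service."""
    doc = json.loads(json_text)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = []
    for svc in items:
        if svc.get("kind") == "Service":
            findings.extend(lint_service(svc))
    return findings


# Constructed sample: one Service per exposure tier discussed in the answers.
SAMPLE_SERVICE_LIST = json.dumps({
    "kind": "List", "apiVersion": "v1",
    "items": [
        {   # same-cluster callers only (second answer's ClusterIP option)
            "kind": "Service", "apiVersion": "v1",
            "metadata": {"name": "echo-cluster", "namespace": "apps"},
            "spec": {"type": "ClusterIP", "selector": {"app": "echo"},
                     "ports": [{"port": 9000, "protocol": "TCP"}]},
        },
        {   # internal LB (first answer), limited to one VPC subnet
            "kind": "Service", "apiVersion": "v1",
            "metadata": {"name": "echo-vpc", "namespace": "apps",
                         "annotations": {"cloud.google.com/load-balancer-type": "Internal"}},
            "spec": {"type": "LoadBalancer", "selector": {"app": "echo"},
                     "loadBalancerSourceRanges": ["10.128.0.0/20"],
                     "ports": [{"port": 9000, "protocol": "TCP"}]},
        },
        {   # the outcome the question wants to avoid: public IP, open to all
            "kind": "Service", "apiVersion": "v1",
            "metadata": {"name": "echo-public", "namespace": "apps"},
            "spec": {"type": "LoadBalancer", "selector": {"app": "echo"},
                     "loadBalancerSourceRanges": ["0.0.0.0/0"],
                     "ports": [{"port": 9000, "protocol": "TCP"}]},
        },
    ],
})

if __name__ == "__main__":
    for finding in lint_service_list(SAMPLE_SERVICE_LIST):
        print(finding)
```

Run against a live cluster with `kubectl get svc -A -o json | python3 lint_svc.py` after swapping the sample for `sys.stdin.read()`; the two findings it prints for the sample all concern echo-public, while the ClusterIP and Internal-annotated Services pass. Note that a missing spec.type is treated as ClusterIP, matching the API default, so an omitted field never counts as public.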