Internal load balancer for multi region shared vpc gke service

9/12/2018

I have followed the guide here to create a shared VPC and create a couple of clusters in this VPC. The guide explains the use of internal load balancers for communication between services in different clusters; however, according to the docs:

Internal load balancing creates a private (RFC 1918) LoadBalancer Ingress IP address in the cluster for receiving traffic on the network within the same compute region from an IP range in the user’s subnet.

How can I facilitate receiving traffic from my VPC but from a different compute region? For context, I am setting up a federated Prometheus so I can have a single pane of glass to see all metrics. As Prometheus does not provide any authentication mechanisms, I want to only permit traffic from within the VPC and not have it publicly accessible.

-- Tim Blackwell
google-compute-engine
google-kubernetes-engine

2 Answers

6/5/2019

To implement an internal cross-region load balancer providing access to GKE resources:

Your service will be assigned an External IP, but firewalls will block traffic except from internal sources.

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  type: LoadBalancer
  # selector and ports are required for a working Service; the values here are illustrative
  selector:
    app: my-app
  ports:
  - port: 80
    targetPort: 8080
  loadBalancerSourceRanges:
  - 10.0.0.0/8

EDIT: The above solution doesn't quite work; the loadBalancerSourceRanges are actually applied to the external IPs of the source pod, rather than the internal IPs. That means you would need to use Cloud NAT to get a stable IP and use that in the YAML in addition to 10.0.0.0/8.

-- Rob
Source: StackOverflow
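The following is an added example, not code from the answer above or from GKE. It models how the firewall created from loadBalancerSourceRanges matches on the source address the load balancer actually observes, which is the point of the answer's EDIT: a Service of this shape gets an external forwarding rule, so a pod in another region reaches it through the VPC's egress (Cloud NAT) and the match is made against the NAT's public address rather than the pod's RFC 1918 address. The Service dict is the answer's YAML in dict form with an assumed selector and port; the pod IP and the Cloud NAT IP (taken from the 203.0.113.0/24 documentation range) are constructed sample values.

```python
import copy
import ipaddress
from typing import Dict, List

# RFC 1918 ranges a VPC-internal client might come from.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed dict form of the Service in the answer; selector and ports are
# assumed values, not from the page.
SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "my-service"},
    "spec": {
        "type": "LoadBalancer",
        "selector": {"app": "prometheus"},
        "ports": [{"port": 9090, "targetPort": 9090}],
        "loadBalancerSourceRanges": ["10.0.0.0/8"],
    },
}


def source_ranges(service: dict) -> List[ipaddress.IPv4Network]:
    """Parse spec.loadBalancerSourceRanges; an absent or empty field means allow-all."""
    raw = service.get("spec", {}).get("loadBalancerSourceRanges") or ["0.0.0.0/0"]
    return [ipaddress.ip_network(r, strict=False) for r in raw]


def admits(ranges, src_ip: str) -> bool:
    """True if the firewall would accept a packet whose source is src_ip."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in n for n in ranges)


def observed_source_ip(pod_ip: str, cloud_nat_ip: str, lb_is_internal: bool) -> str:
    """Address the load balancer's firewall matches on.

    An internal LB sees the client's RFC 1918 address directly. An external LB,
    which is what the Service above creates, sees the VPC's egress address
    (the Cloud NAT IP) for a client in another region.
    """
    return pod_ip if lb_is_internal else cloud_nat_ip


def with_nat_range(service: dict, cloud_nat_ip: str) -> dict:
    """Return a copy of the Service with the Cloud NAT address appended as a /32,
    which is the amendment the answer's EDIT describes."""
    amended = copy.deepcopy(service)
    amended["spec"].setdefault("loadBalancerSourceRanges", []).append(f"{cloud_nat_ip}/32")
    return amended


def audit(service: dict, pod_ip: str, cloud_nat_ip: str) -> Dict[str, bool]:
    """Compare what the YAML author intended with what the firewall actually matches."""
    ranges = source_ranges(service)
    private_only = all(
        any(n.version == p.version and n.subnet_of(p) for p in RFC1918) for n in ranges
    )
    return {
        "private_only": private_only,
        "allows_everything": any(n.prefixlen == 0 for n in ranges),
        "admits_pod_ip": admits(ranges, pod_ip),  # intent: pod's internal address
        "admits_nat_ip": admits(ranges, observed_source_ip(pod_ip, cloud_nat_ip, False)),
    }


if __name__ == "__main__":
    POD_IP, NAT_IP = "10.20.1.7", "203.0.113.10"  # constructed sample values
    print("as posted:", audit(SERVICE, POD_IP, NAT_IP))
    print("with NAT /32:", audit(with_nat_range(SERVICE, NAT_IP), POD_IP, NAT_IP))
```

Running it shows the gap: the posted manifest admits the pod's 10.x address but not the NAT address the external load balancer sees, so the cross-region scrape is blocked; appending the NAT /32 makes it admitted, at the cost of the range list no longer being purely RFC 1918 (anything else egressing through that NAT is admitted too). A missing loadBalancerSourceRanges field is reported as allows_everything, which for a Prometheus endpoint without authentication is the case to catch in review.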

11/30/2018

If it is for a Prometheus federation, just use an Ingress with basic auth for polling /federate from your main Prometheus.

-- cyrilbkr
Source: StackOverflow