I'm trying to access an Elasticsearch cluster on GKE from my project in GAE flexible. Since I don't want an external load balancer, I'm following this guide: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing Both GKE and GAE are deployed in the same region, but the calls to the Elasticsearch cluster time out every time. If anyone has done this and can share some tips, it would be much appreciated!
My service.yaml file looks like this:
apiVersion: v1
kind: Service
metadata:
  name: internalloadbalancerservice
  annotations:
    cloud.google.com/load-balancer-type: "Internal"
  labels:
    app.kubernetes.io/component: elasticsearch-server
    app.kubernetes.io/name: elasticsearch # label selector service
spec:
  type: LoadBalancer
  loadBalancerSourceRanges: # restrict access
  - xxxxxxxx
  ports:
  - name: myport
    port: 9000
    protocol: TCP # default; can also specify UDP
  selector:
    app.kubernetes.io/name: elasticsearch # label selector for Pods
    app.kubernetes.io/component: elasticsearch-server
Assuming that the GAE app and the GKE cluster are in the same region and in the same VPC network, I would suggest making sure you have created ingress allow firewall rules that apply to the GKE nodes as targets, with the GAE app VMs as sources.
Remember that ingress to VMs is denied by the implied deny ingress rule. So unless you create ingress allow firewall rules, you will not be able to send packets to any VMs. And to use Internal Load Balancing (ILB), both the client and the backend VMs must be in the same:
- Region
- VPC network
- Project
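The answer above points at firewall rules as the usual cause of a silent timeout. The Service in the question also carries its own client restriction, spec.loadBalancerSourceRanges, and a GAE flexible instance whose address falls outside every listed range is dropped the same way. The following check is an added example, not code from the question or the answers: it takes the Service as a Python dict (the real range in the question is redacted as xxxxxxxx, so a constructed range 10.132.0.0/20 stands in for it) and a client IP, and reports the misconfigurations that would make the ILB unreachable or, at the other extreme, open to every VPC client. It assumes that GKE enforces loadBalancerSourceRanges on the internal load balancer it creates for the annotated Service.

```python
"""Sanity-check a GKE internal LoadBalancer Service against a client address.

Added example (not from the original question or answers). Assumption: GKE
admits only clients whose source IP is inside spec.loadBalancerSourceRanges,
so a GAE flexible instance outside every range sees a timeout, not an error.
"""
import ipaddress

# Constructed sample: the Service from the question with a concrete range in
# place of the redacted xxxxxxxx value.
SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "internalloadbalancerservice",
        "annotations": {"cloud.google.com/load-balancer-type": "Internal"},
    },
    "spec": {
        "type": "LoadBalancer",
        "loadBalancerSourceRanges": ["10.132.0.0/20"],
        "ports": [{"name": "myport", "port": 9000, "protocol": "TCP"}],
    },
}


def check_ilb_service(service, client_ip):
    """Return a list of problems; an empty list means the client should get through."""
    problems = []
    spec = service.get("spec", {})
    annotations = service.get("metadata", {}).get("annotations", {})

    # Without the annotation GKE provisions an external load balancer instead.
    if annotations.get("cloud.google.com/load-balancer-type") != "Internal":
        problems.append("missing cloud.google.com/load-balancer-type: Internal annotation")
    if spec.get("type") != "LoadBalancer":
        problems.append("spec.type must be LoadBalancer for the ILB annotation to apply")

    ranges = spec.get("loadBalancerSourceRanges", [])
    if not ranges:
        problems.append("no loadBalancerSourceRanges: every client in the VPC is admitted")

    nets = []
    for cidr in ranges:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"invalid CIDR in loadBalancerSourceRanges: {cidr!r}")
            continue
        if net.prefixlen == 0:
            problems.append(f"{cidr} admits every address; restrict it to the client subnet")
        nets.append(net)

    client = ipaddress.ip_address(client_ip)
    if nets and not any(client in net for net in nets):
        problems.append(
            f"client {client_ip} is outside every source range: packets are dropped "
            "and the caller sees a timeout"
        )
    return problems


if __name__ == "__main__":
    for ip in ("10.132.0.7", "10.164.0.7"):
        print(ip, check_ilb_service(SERVICE, ip) or "ok")
```

Run it with the subnet range of the GAE flexible instances and the address of one instance; an empty result means the remaining suspects are the VPC firewall rules and the region, which the answers below cover.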
GCP now has a beta Global Access feature with Internal Load balancers which will allow the internal load balancers to be accessible from any region within the same network.
I have posted this answer, which will be useful in your case too; please have a look. I will give a summary of it here as well.
You can now make your internalloadbalancerservice service accessible from any region following the below steps:
Just get the "EXTERNAL-IP" of the service using the below command:
kubectl get services/internalloadbalancerservice
Get your forwarding rule with the following command:
gcloud compute forwarding-rules list
Update the forwarding rule to --allow-global-access (remember to add beta, as it is still a beta feature) using the below command:
  gcloud beta compute forwarding-rules update FORWARDING-RULE-NAME \
    --region REGION-NAME --allow-global-access
And it's done. Now you can access the internal IP of the load balancer from any instance in any region (but the same VPC network).
The manual step of running the gcloud command in order to allow global access will not be required from GKE 1.16. You can test by deploying GKE 1.16 using the "Rapid" release channel (the rapid release channel is not recommended for production).
To save anyone else from a similar situation, I will share my findings on why I couldn't connect to my GKE app from GAE. The GAE app was in region europe-west, while GKE was in region europe-west-4a. I thought that would be the same region, but changing the GKE region to europe-west-1b worked. Not very obvious, but when reading the documentation, GAE region europe-west and GKE region europe-west-1b are both in Belgium.
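The region mismatch in the last answer is easy to miss because App Engine and GKE name their locations differently. The check below is an added example, not code from any of the posts. It assumes two things documented by Google Cloud: a GKE location ending in "-<letter>" (for example europe-west1-b) is a zone whose region is everything before the last dash, and App Engine uses the two legacy region IDs "europe-west" and "us-central" for the Compute Engine regions europe-west1 and us-central1. Given a GAE region ID and a GKE location it says whether an internal load balancer in the cluster's region is reachable from the app without Global Access (same VPC network and project are assumed, as the first answer requires).

```python
"""Decide whether an App Engine region and a GKE location are the same GCE region.

Added example, not from the original posts. Assumptions (from the Google Cloud
docs): a GKE zone is "<region>-<letter>", and App Engine's legacy region IDs
"europe-west" and "us-central" denote europe-west1 and us-central1.
"""
import re

# App Engine legacy region IDs whose name differs from the Compute Engine region.
GAE_LEGACY_REGIONS = {
    "europe-west": "europe-west1",
    "us-central": "us-central1",
}

# A zone is a region followed by a single-letter suffix, e.g. europe-west1-b.
_ZONE_RE = re.compile(r"^([a-z]+-[a-z]+\d+)-[a-z]$")
# A region is <continent>-<direction><digit(s)>, e.g. europe-west1.
_REGION_RE = re.compile(r"^[a-z]+-[a-z]+\d+$")


def gce_region_of_gae(region_id):
    """Map an App Engine region ID to its Compute Engine region name."""
    return GAE_LEGACY_REGIONS.get(region_id, region_id)


def gce_region_of_gke(location):
    """Return the region of a zonal or regional GKE location, or None if malformed.

    'europe-west-4a' from the last answer is not a valid zone name (the real one
    is europe-west4-a), so it deliberately comes back as None.
    """
    zone = _ZONE_RE.match(location)
    if zone:
        return zone.group(1)
    if _REGION_RE.match(location):
        return location
    return None


def ilb_reachable(gae_region, gke_location):
    """True when the app and the cluster share a region, so an internal LB in the
    cluster's region is reachable without Global Access."""
    gke_region = gce_region_of_gke(gke_location)
    return gke_region is not None and gce_region_of_gae(gae_region) == gke_region


if __name__ == "__main__":
    for app, cluster in (("europe-west", "europe-west1-b"), ("europe-west", "europe-west4-a")):
        print(app, cluster, "reachable" if ilb_reachable(app, cluster) else "different region")
```

If the check says "different region", either move the cluster (what the last answer did) or enable Global Access on the forwarding rule as described in the previous answer.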