I have GKE clusters in 2 regions on a shared VPC network, both are running istio and I need to globally load balance between them. Having set up each cluster with an istio-ilbgateway with port 80 exposed, a GCP internal regional load balancer is created and assigned an external IP on the region’s subnet. I can see corresponding backend services for both ilb-gateways. However, when setting up a Global HTTP Load Balancer with the new backend services and pinging the global load balancer’s IP, requests are directed by it to the IP address of one of the cluster’s nodes NOT to the ip address of an internal load balancer as I expected.
Is what I am trying to achieve here possible? If so, is there a step missing above?
You can set up a Global Loadbalancer on top of Istio. However, you can't reach the TCP load balancer automatically set up by Istio Ingress Gateway.
This Ingress Gateway, is a K8S service which expose NodePorts. You can get them with this commands:
# For HTTP
kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}'
# For HTTPS
kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}'
Now you can set up your Global Load balancer backend with the Instance Group created by your cluster and the NodePort. By This way, your traffic will be route to Istio without using the Ingress gateway (-> the TCP Loadbalancer).
About the 2 regions, you should have 2 instances groups, 1 in each region, and 2 TCP Load Balancer, 1 in each region. By the way, you can define 2 different backends on your Global Load Balancer, but your can't loadbalance the same traffic between the 2 regions. You will have 2 different path-rules, thus 2 different URL entries
UPDATE
After reflection, if you want to route the same traffic in the 2 regions, you have to rely on Dynamic DNS service which perform this kind of loadbalancing. Most of time, this kind of DNS service include an Health Check to verify if your region is responding or not. Today Google Global Load Balancing don't allow this. I know that Cloudflare do this.
GCP has a separate tool for you to use to set up a global ingress called KubeMCI it requires a bit of manual intervention, for example, the service your routing to in this case your Istio gateway needs to be running as node port instead of load balancer and the node port needs to be exactly the same on every cluster where you want it to respond to.
The how-to makes no reference to Istio just Kubernetes services and I don't think TCP is available yet just HTTP(s). Bare in mind it specifically says that kubemci is a temporary tool until they build the functionality into Kubectl.
But providing you configure the node ports the same it should work well.
Here is the official documentation: https://cloud.google.com/kubernetes-engine/docs/how-to/multi-cluster-ingress
What you are trying to achieve is not possible. For 2 reasons.