GCP internal load balancer Global access (Beta) annotation does not work?

1/10/2020

I tried creating an internal load balancer with the following annotation as mentioned in this documentation:

networking.gke.io/internal-load-balancer-allow-global-access: "true"

Here is the full manifest:

apiVersion: v1
kind: Service
metadata:
  name: ilb-global
  annotations:
    cloud.google.com/load-balancer-type: "Internal"
    networking.gke.io/internal-load-balancer-allow-global-access: "true"
  labels:
    app: hello
spec:
  type: LoadBalancer
  selector:
    app: hello
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP

I tried accessing the load balancer from a VM in a different region but the VM is not able to reach the endpoint.

However according to this documentation I ran the following command on the created forwarding-rule (GCP creates a forwarding-rule with a random name for all the load balancers which can be retrieved using gcloud compute forwarding-rules list command) to update the Global access:

gcloud beta compute forwarding-rules update abcrandomnamehehe --region [REGION-NAME] --allow-global-access

After running the above command and updating the load balancer manually, the endpoint is accessible from all the regions. Is this manual step of running gcloud command necessary?

If yes,what is the use of the annotation then? I the annotation with the latest available GKE version (1.15.4-gke.22) as well but doesn't work without being updated using the gcloud command. Is there something I am missing or it is a bug in GCP?

EDIT: I had also opened this issue with GCP which was addressed pretty quickly and they have updated the public documentations (Jan 15, 2020) to specifically mention the requirement of GKE 1.16 for the Global Access feature to work.

-- Amit Yadav
google-cloud-internal-load-balancer
google-cloud-platform
google-kubernetes-engine
kubernetes
load-balancing

1 Answer

1/10/2020

This is expected but the reason for this behavior is not explained at all in the public documentation. In fact, the 'Global Access' feature works with GKE 1.16 clusters.

So far, I can share with you the following bullet points:

  • There are 2 different features regarding Global Access: 1 for ILB and 1 specifically for GKE.
  • Global Access Feature for GKE was launched on December 23rd.
  • Global Access Feature for GKE works from GKE 1.16 but it appears to not be mentioned in the documentation.
  • Our tests have been done with a GKE 1.13.11-gke.14 cluster.
  • Need to create a GKE 1.16 cluster and test it again.

That being said, I'd like to notify you that this mismatch in the public information has been addressed properly with the correct team and is being handled in order to update the public documentation available here to prevent future confusion. You can keep track of this process by following updates here

How can you verify the information provided above? Here you have a brief process that you can follow:

TEST 1:

  • Create GKE 1.16 cluster in europe-west4 (this region/zone is not mandatory).
  • Create Deployment.
  • Create an internal TCP load balancer with annotation “networking.gke.io/internal-load-balancer-allow-global-access: "true" by writing the Service configuration file.
  • Go within Network Services > Load Balancing > Advanced menu (at the bottom) > : Global access should be Enabled.
  • SSH VM in europe-west1.
  • Run command $curl -v : You should receive a HTTP/1.1 200 OK.

TEST 2:

  • Delete annotation “networking.gke.io/internal-load-balancer-allow-global-access: "true" in Service Configuration File.
  • Update my Service by running command $kubectl apply -f
  • Go within Network Services > Load Balancing > Advanced menu (at the bottom) > : Global access should be disabled.
  • SSH VM in europe-west1.
  • Run command $curl -v : You should receive a Timeout error message.
-- Raynel A.S
Source: StackOverflow