GCLB Traffic Management: envoy inside

sakajunquality
September 19, 2019

GCP internal traffic management with HTTP Load Balancer.

Transcript

  1. GCLB Traffic Management: envoy inside. @sakajunquality, Google Developers Expert, Cloud. 19 April 2019 #gcpug

  2. Traffic Management between Services

    - Canary Release
    - Disaster Recovery
    - Service Migration
    - etc...
  3. Istio?

  4. Istio(in functionality) https://istio.io/

  5. In “some” cases Istio is too much

  6. In “some” cases Istio is too much (For the record, I am an Istio user in production)

  7. In “some” cases Istio is too much (For the record, I am an Istio user in production) (And I like Istio)

  8. Istio: Deployment Model https://istio.io/docs/concepts/deployment-models/

  9. Istio: Control Plane? or https://istio.io/docs/concepts/deployment-models/

  10. And many things to be taken care of…

  11. Traffic Director?

  12. Traffic Director

    - Yes! Control Plane is managed by Google and outside the cluster
    - should be reliable enough
    - Still need to deploy envoy for the data plane
    - And still too much? Maybe
    - Anyways another time!
  13. https://twitter.com/kelseyhightower/status/1150158904900431873

  14. https://twitter.com/kelseyhightower/status/1150175947665993728

  15. None
  16. https://twitter.com/mattklein123/status/1156413081116798976

  17. +

  18. Envoy L7 ILB

    - Announced in Cloud Next ’19 SF Sessions
    - L7 Internal Load Balancer
    - Powered by fully-managed envoy
    - => Traffic Management Capability

    https://cloud.google.com/load-balancing/docs/l7-internal/traffic-management
  19. How it works https://cloud.google.com/load-balancing/docs/l7-internal/traffic-management

  20. URL Map? Target Proxy …? - Remember the GCE Ingress!

    ```yaml
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: my-ingress
    spec:
      rules:
      - http:
          paths:
          - path: /*
            backend:
              serviceName: hello
              servicePort: 8080
          - path: /hi
            backend:
              serviceName: hey
              servicePort: 8080
    ```
  21. How it works https://cloud.google.com/load-balancing/docs/l7-internal/traffic-management https://cloud.google.com/load-balancing/docs/url-map-concepts#url-map-components

  22. How it works https://cloud.google.com/load-balancing/docs/l7-internal/traffic-management Those components are extended w/

  23. How it works https://cloud.google.com/load-balancing/docs/l7-internal/traffic-management https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/route/route.proto Those components are extended w/

  24. How it works https://cloud.google.com/load-balancing/docs/l7-internal/traffic-management This is actually the same technology as Traffic Director’s route rules and traffic policies https://cloud.google.com/traffic-director/docs/traffic-control

  25. Let’s try!

  26. Demo

  27. Demo

    - Frontend and Backend Services
    - Frontend is somewhere within VPC
    - Backend is spread into two GKE Clusters across zones
    - Control Backend traffic w/ internal L7 LB

    [Diagram labels: Frontend Services; Backend ILB (Cloud Load Balancing); Primary Cluster (Kubernetes Engine); Secondary Cluster (Kubernetes Engine); “Control Traffic Here!”]
  28. Detailed Architecture: Backend

    [Diagram labels: zone-a, zone-b; Primary Cluster (Kubernetes Engine): Service, Pods, NEG, Backend Service; Secondary Cluster (Kubernetes Engine): Service, Pods, NEG, Backend Service; URL Map; Target HTTP Proxy; Forwarding Rule]
  29. Setup Check out the Gist https://gist.github.com/sakajunquality/1f258cbe20e0a509324cb5b2f45bb901

  30. Demo: Primary 100%

    At first, the backend service uses only the workload running on the primary cluster.

    [Diagram labels: Frontend Services; Backend ILB (Cloud Load Balancing); Primary Cluster (Kubernetes Engine) 100%]
  31. Demo: Primary 100%

    ```
    # Test Traffic
    $ ./test.sh
    ***
    *** Results of load balancing to 10.100.1.199:
    ***
    1000 This is Primary
    ```
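  32. Demo: Test Script

    ```bash
    #!/bin/bash
    # test.sh: send 1000 requests to the load balancer and count responses per backend
    for LB_IP in 10.100.1.199; do
        RESULTS=
        # Collect every response body, separated by ':'
        for i in {1..1000}; do RESULTS="$RESULTS:`curl ${LB_IP}`"; done >/dev/null 2>&1
        IFS=':'
        echo "***"
        echo "*** Results of load balancing to $LB_IP: "
        echo "***"
        # Split on ':' and count how often each distinct response was seen
        for line in $RESULTS; do echo $line; done | grep -Ev "^$" | sort | uniq -c
        echo
    done
    ```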
  33. Demo: Primary 100%

    ```sh
    # export the current config
    gcloud beta compute url-maps export sakajun-map --region=us-west1 --destination=config.yaml
    ```

    ```yaml
    defaultService: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/backendServices/sakajun-primary-service
    kind: compute#urlMap
    name: sakajun-map
    region: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1
    selfLink: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/urlMaps/sakajun-map
    ```
  34. Demo: Primary 90% / Secondary 10%

    Prepared the secondary cluster and started sending traffic to it little by little: e.g. approx. 10%

    [Diagram labels: Frontend Services; Backend ILB (Cloud Load Balancing); Primary Cluster (Kubernetes Engine) 90%; Secondary Cluster (Kubernetes Engine) 10%]
  35. Demo: Primary 90% / Secondary 10%

    ```yaml
    defaultService: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/backendServices/sakajun-primary-service
    hostRules:
    - description: ''
      hosts:
      - '*'
      pathMatcher: matcher1
    kind: compute#urlMap
    name: sakajun-map
    pathMatchers:
    - defaultService: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/backendServices/sakajun-primary-service
      name: matcher1
      routeRules:
      - matchRules:
        - prefixMatch: /
        routeAction:
          weightedBackendServices:
          - backendService: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/backendServices/sakajun-primary-service
            weight: 90
          - backendService: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/backendServices/sakajun-secondary-service
            weight: 10
    region: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1
    selfLink: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/urlMaps/sakajun-map
    ```
  36. Demo: Primary 90% / Secondary 10%

    ```yaml
    defaultService: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/backendServices/sakajun-primary-service
    hostRules:
    - description: ''
      hosts:
      - '*'
      pathMatcher: matcher1
    kind: compute#urlMap
    name: sakajun-map
    pathMatchers:
    - defaultService: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/backendServices/sakajun-primary-service
      name: matcher1
      routeRules:
      - matchRules:
        - prefixMatch: /
        routeAction:
          weightedBackendServices:
          - backendService: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/backendServices/sakajun-primary-service
            weight: 90
          - backendService: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/backendServices/sakajun-secondary-service
            weight: 10
    region: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1
    selfLink: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/urlMaps/sakajun-map
    ```

    - For any URL that starts with “/”
    - Send 90% of the traffic to the primary backend
    - Send the rest of the traffic to the secondary backend
  37. Demo: Primary 90% / Secondary 10%

    ```sh
    # Update the current config
    gcloud beta compute url-maps import sakajun-map --region=us-west1 --source=config.yaml
    ```

    ```
    # Check the traffic
    $ ./test.sh
    ***
    *** Results of load balancing to 10.100.1.199:
    ***
    910 This is Primary
    90 This is Secondary
    ```
  38. Demo: Primary 50% / Secondary 50%

    Looks good! Now it’s time to increase traffic to the secondary cluster!

    [Diagram labels: Frontend Services; Backend ILB (Cloud Load Balancing); Primary Cluster (Kubernetes Engine) 50%; Secondary Cluster (Kubernetes Engine) 50%]
  39. Demo: Primary 50% / Secondary 50%

    ```yaml
    defaultService: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/backendServices/sakajun-primary-service
    hostRules:
    - description: ''
      hosts:
      - '*'
      pathMatcher: matcher1
    kind: compute#urlMap
    name: sakajun-map
    pathMatchers:
    - defaultService: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/backendServices/sakajun-primary-service
      name: matcher1
      routeRules:
      - matchRules:
        - prefixMatch: /
        routeAction:
          weightedBackendServices:
          - backendService: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/backendServices/sakajun-primary-service
            weight: 50
          - backendService: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/backendServices/sakajun-secondary-service
            weight: 50
    region: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1
    selfLink: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/urlMaps/sakajun-map
    ```

    Just changing the weight!
  40. Demo: Primary 50% / Secondary 50%

    ```sh
    # Update the current config
    gcloud beta compute url-maps import sakajun-map --region=us-west1 --source=config.yaml
    ```

    ```
    # Check the traffic
    $ ./test.sh
    ***
    *** Results of load balancing to 10.100.1.199:
    ***
    480 This is Primary
    520 This is Secondary
    ```
  41. Demo: Destroy a Cluster by mistake

    Oops! I just destroyed one of the clusters…. Let’s fix it.

    [Diagram labels: Frontend Services; Backend ILB (Cloud Load Balancing); Primary Cluster (Kubernetes Engine) 50%; Secondary Cluster (Kubernetes Engine) 50%]
  42. Demo: Destroy a Cluster by mistake

    ```yaml
    defaultService: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/backendServices/sakajun-primary-service
    hostRules:
    - description: ''
      hosts:
      - '*'
      pathMatcher: matcher1
    kind: compute#urlMap
    name: sakajun-map
    pathMatchers:
    - defaultService: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/backendServices/sakajun-primary-service
      name: matcher1
      routeRules:
      - matchRules:
        - prefixMatch: /
        routeAction:
          weightedBackendServices:
          - backendService: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/backendServices/sakajun-primary-service
            weight: 0
          - backendService: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/backendServices/sakajun-secondary-service
            weight: 100
    region: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1
    selfLink: https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916/regions/us-west1/urlMaps/sakajun-map
    ```

    Stop sending to the primary
  43. Demo: Destroy a Cluster by mistake

    ```sh
    # Update the current config
    gcloud beta compute url-maps import sakajun-map --region=us-west1 --source=config.yaml
    ```

    ```
    # Check the traffic
    $ ./test.sh
    ***
    *** Results of load balancing to 10.100.1.199:
    ***
    1000 This is Secondary
    ```
  44. Demo: Destroy a Cluster by mistake

    Now we have plenty of time to recover the deleted cluster! And next time, we can stop traffic before destroying clusters. Demo Ends.
  45. Limitations

    - Internal LB Limitations
      - e.g. Shared VPC, IAP...
      - https://cloud.google.com/load-balancing/docs/l7-internal/#limitations
    - URL Map Limitations
      - Some resources do not work as intended
      - https://cloud.google.com/load-balancing/docs/l7-internal/traffic-management#limitations
  46. Takeaways

  47. Takeaways

    With Internal HTTP Load Balancer (and thanks to envoy proxy), you can control traffic

    - of service with several versions
    - running in different workloads: VMs or containers

    without a rich control plane!
  48. Thanks

  49. Resources

    - Internal HTTP(S) Load Balancing concepts - https://cloud.google.com/load-balancing/docs/l7-internal/
    - Setting Up Internal HTTP(S) Load Balancing for GKE pods - https://cloud.google.com/load-balancing/docs/l7-internal/set-up-gke-pods
    - Traffic management with route rules and traffic policies - https://cloud.google.com/load-balancing/docs/l7-internal/traffic-management
    - Network endpoint groups in load balancing concepts - https://cloud.google.com/load-balancing/docs/negs/
    - Proxy-only subnets for internal HTTP(S) load balancers - https://cloud.google.com/load-balancing/docs/l7-internal/proxy-only-subnets
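
An added example (not from the slides or the linked Gist): a guardrail for the weight edits shown in the demo, run before `url-maps import`, plus a check that `test.sh`-style counts fit the configured weights. It assumes the exported config has been parsed into a dict, that the allowed scope is the project and region seen in the slides, and that responses are tallied per backend service name; all function names are hypothetical.

```python
import math

# Allow-list scope, taken from the backend service URLs in the slides' URL map.
BASE = ("https://www.googleapis.com/compute/beta/projects/sakajunlabs-0916"
        "/regions/us-west1/backendServices/")

def make_url_map(primary_weight, secondary_weight):
    """Constructed sample: the slides' URL map as a parsed dict (trimmed)."""
    primary = BASE + "sakajun-primary-service"
    secondary = BASE + "sakajun-secondary-service"
    route_action = {"weightedBackendServices": [
        {"backendService": primary, "weight": primary_weight},
        {"backendService": secondary, "weight": secondary_weight}]}
    rule = {"matchRules": [{"prefixMatch": "/"}], "routeAction": route_action}
    matcher = {"name": "matcher1", "defaultService": primary, "routeRules": [rule]}
    return {"name": "sakajun-map", "defaultService": primary, "pathMatchers": [matcher]}

def weighted_backends(url_map):
    """(backend URL, weight) pairs; assumes a single route rule, as in the slides."""
    return [(w["backendService"], w["weight"])
            for matcher in url_map.get("pathMatchers", [])
            for rule in matcher.get("routeRules", [])
            for w in rule.get("routeAction", {}).get("weightedBackendServices", [])]

def check_url_map(url_map, allowed_prefix=BASE):
    """Findings that should block the import; an empty list means OK."""
    pairs = weighted_backends(url_map)
    refs = {url_map.get("defaultService")}
    refs |= {m.get("defaultService") for m in url_map.get("pathMatchers", [])}
    refs |= {backend for backend, _ in pairs}
    findings = [f"backend outside allowed scope: {ref}"
                for ref in sorted(filter(None, refs))
                if not ref.startswith(allowed_prefix)]
    if pairs and sum(weight for _, weight in pairs) <= 0:
        findings.append("all weights are zero: no backend would receive traffic")
    return findings

def split_matches(url_map, observed, z=3.0):
    """True if observed per-backend request counts fit the configured weights."""
    weights = {b.rsplit("/", 1)[-1]: w for b, w in weighted_backends(url_map)}
    total, n = sum(weights.values()), sum(observed.values())
    if total <= 0 or n == 0 or set(observed) - set(weights):
        return False  # nothing to compare, or traffic hit an unlisted backend
    for name, weight in weights.items():
        p = weight / total
        # Binomial standard deviation; at p == 0 any request at all is a miss.
        if abs(observed.get(name, 0) - n * p) > z * math.sqrt(n * p * (1 - p)):
            return False
    return True
```

With the demo's numbers, 910/90 fits a 90/10 split and 480/520 fits 50/50, while any request still reaching a backend set to weight 0 fails the check.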