Load Balancer Setup

Peter Goldthorp, Dito. April 2022

By default, BMS servers and any VMs configured on them have no access to the Internet. Applications such as web servers that need to expose endpoints externally can be reached through a global external HTTP(S) load balancer that uses hybrid connectivity to the BMS environment. This document shows an example of how to do this using the BMS Test Application.

The logic for this is also available as a Terraform module in the BMS inaBOX resource kit.

Firewall Rules

Create a firewall rule that allows the load balancer's health-check probes to reach the backends.

gcloud compute firewall-rules create fw-allow-health-checks \
    --network=gcp-shared-vpc-vpc \
    --action=ALLOW \
    --direction=INGRESS \
    --source-ranges=35.191.0.0/16,130.211.0.0/22 \
    --target-tags=allow-health-checks \
    --rules=tcp

Cloud Routers

Update the Cloud Routers to advertise the health-check source ranges to BMS, so that the BMS side has a return route for the probe traffic.

gcloud compute routers update gcp-shared-vpc-central1-router \
   --project=gcp-shared-vpc \
   --advertisement-mode custom \
   --set-advertisement-groups=all_subnets \
   --set-advertisement-ranges=35.191.0.0/16,130.211.0.0/22

gcloud compute routers update gcp-shared-vpc-west2-router \
   --project=gcp-shared-vpc \
   --advertisement-mode custom \
   --set-advertisement-groups=all_subnets \
   --set-advertisement-ranges=35.191.0.0/16,130.211.0.0/22

Infrastructure test environment

Set up NEGs

  1. Set up a hybrid NEG for the api-west VM

     gcloud compute network-endpoint-groups create bms-west-test-neg \
         --network-endpoint-type=NON_GCP_PRIVATE_IP_PORT \
         --zone=us-west2-c \
         --network=gcp-shared-vpc-vpc
    
     gcloud compute network-endpoint-groups update bms-west-test-neg \
         --zone=us-west2-c \
         --add-endpoint="ip=10.216.218.186,port=3000"
    
  2. Set up a hybrid NEG for the api-central VM

     gcloud compute network-endpoint-groups create bms-central-test-neg \
         --network-endpoint-type=NON_GCP_PRIVATE_IP_PORT \
         --zone=us-central1-c \
         --network=gcp-shared-vpc-vpc
    
     gcloud compute network-endpoint-groups update bms-central-test-neg \
         --zone=us-central1-c \
         --add-endpoint="ip=10.216.218.226,port=3000"
    

Configure Load Balancer

  1. Reserve an external IP address

     gcloud compute addresses create bms-test-ip \
         --global
    
  2. Create API West backend service

     gcloud beta compute health-checks create http bms-test-west-http-health \
         --use-serving-port
    
     gcloud beta compute backend-services create bms-test-west-backend \
         --health-checks=bms-test-west-http-health \
         --global
    
     gcloud beta compute backend-services add-backend bms-test-west-backend \
         --global \
         --balancing-mode=RATE \
         --max-rate-per-endpoint=100 \
         --network-endpoint-group=bms-west-test-neg \
         --network-endpoint-group-zone=us-west2-c
    
  3. Create API Central backend service

     gcloud beta compute health-checks create http bms-test-central-http-health \
         --use-serving-port
    
     gcloud beta compute backend-services create bms-test-central-backend \
         --health-checks=bms-test-central-http-health \
         --global
    
     gcloud beta compute backend-services add-backend bms-test-central-backend \
         --global \
         --balancing-mode=RATE \
         --max-rate-per-endpoint=100 \
         --network-endpoint-group=bms-central-test-neg \
         --network-endpoint-group-zone=us-central1-c
    
  4. Create URL map and forwarding rules

     gcloud beta compute url-maps create bms-test-lb-url-map \
         --default-service bms-test-west-backend
    
     gcloud beta compute target-http-proxies create bms-test-proxy \
         --url-map=bms-test-lb-url-map
    
     gcloud beta compute forwarding-rules create bms-test-forwarding-rule \
         --address=bms-test-ip \
         --target-http-proxy=bms-test-proxy \
         --global \
         --ports=80
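The NEG and backend steps above are the same five commands repeated once per region with only the label, zone and endpoint changed, which is where copy-and-paste mistakes (a NEG name left over from the other region, for example) creep in. The following POSIX shell script is an added example and is not code from this page or from the BMS inaBOX resource kit: it derives the NEG, health-check and backend-service names from a single region label using the naming scheme on this page, runs the steps in order, and stops at the first failure so a half-built backend is never attached. It assumes the project and network names used on this page; setting GCLOUD=echo prints the exact commands instead of executing them, which is a cheap way to review the resource names before anything is created.

```shell
#!/bin/sh
# Added example, not part of the original page or the BMS inaBOX resource kit.
# Builds one hybrid backend (NEG + endpoint + health check + backend service)
# per BMS region from a single label, so the resource names are always derived
# consistently instead of being copied by hand. Every gcloud call goes through
# $GCLOUD; set GCLOUD=echo to print the commands instead of running them.
# The defaults below are assumptions taken from the names used on the page.

GCLOUD="${GCLOUD:-gcloud}"
PROJECT="${PROJECT:-gcp-shared-vpc}"
NETWORK="${NETWORK:-gcp-shared-vpc-vpc}"

# Naming scheme from the page: bms-<label>-test-neg,
# bms-test-<label>-http-health and bms-test-<label>-backend.
neg_name()     { printf 'bms-%s-test-neg\n' "$1"; }
hc_name()      { printf 'bms-test-%s-http-health\n' "$1"; }
backend_name() { printf 'bms-test-%s-backend\n' "$1"; }

# create_hybrid_backend <label> <zone> <bms-endpoint-ip> <port>
# Returns non-zero as soon as one step fails so later steps never run
# against a half-built backend.
create_hybrid_backend() {
  label=$1 zone=$2 ip=$3 port=$4
  neg=$(neg_name "$label"); hc=$(hc_name "$label"); be=$(backend_name "$label")

  # Hybrid (NON_GCP_PRIVATE_IP_PORT) NEG in the zone closest to the BMS region
  $GCLOUD compute network-endpoint-groups create "$neg" \
      --project="$PROJECT" --zone="$zone" --network="$NETWORK" \
      --network-endpoint-type=NON_GCP_PRIVATE_IP_PORT || return 1
  # Register the BMS VM's private IP and serving port as the endpoint
  $GCLOUD compute network-endpoint-groups update "$neg" \
      --project="$PROJECT" --zone="$zone" \
      --add-endpoint="ip=$ip,port=$port" || return 1
  # Health check on the serving port; probes arrive from the ranges allowed by
  # the firewall rule and advertised by the Cloud Routers earlier on the page
  $GCLOUD compute health-checks create http "$hc" \
      --project="$PROJECT" --use-serving-port || return 1
  $GCLOUD compute backend-services create "$be" \
      --project="$PROJECT" --global --health-checks="$hc" || return 1
  $GCLOUD compute backend-services add-backend "$be" \
      --project="$PROJECT" --global \
      --balancing-mode=RATE --max-rate-per-endpoint=100 \
      --network-endpoint-group="$neg" --network-endpoint-group-zone="$zone"
}

# Build the two backends from the page only when invoked with "apply", e.g.
#   GCLOUD=echo sh lb-backends.sh apply    (prints the commands, creates nothing)
#   sh lb-backends.sh apply                (creates the resources)
if [ "${1:-}" = "apply" ]; then
  create_hybrid_backend west    us-west2-c    10.216.218.186 3000 &&
  create_hybrid_backend central us-central1-c 10.216.218.226 3000
fi
```

Because every step is expressed in terms of the label, adding a third BMS region is a single extra call rather than another block of hand-edited commands, and the dry run makes the resulting names reviewable before any quota or billing is touched.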
    

Configure URL map

  1. Export the existing URL map

     gcloud beta compute url-maps export bms-test-lb-url-map \
         --destination=bms-test-lb-map-west-config.yaml \
         --global
    
  2. Edit the bms-test-lb-map-west-config.yaml file so that it contains the following (the exported file already has the defaultService and name; add the hostRules and pathMatchers sections)

     defaultService: global/backendServices/bms-test-west-backend
     hostRules:
     - hosts:
       - '*'
       pathMatcher: matcher1
     name: bms-test-lb-url-map
     pathMatchers:
     - defaultService: global/backendServices/bms-test-west-backend
       name: matcher1
       routeRules:
       - matchRules:
         - prefixMatch: /
         priority: 2
         routeAction:
           weightedBackendServices:
           - backendService: global/backendServices/bms-test-west-backend
             weight: 100
           - backendService: global/backendServices/bms-test-central-backend
             weight: 0
    
  3. Update the URL map

     gcloud beta compute url-maps import bms-test-lb-url-map \
         --global \
         --source=bms-test-lb-map-west-config.yaml
    
  4. Test the load balancer and verify that pages are being served from the API West backend.

  5. Create a second config file that routes requests to API Central

     cp bms-test-lb-map-west-config.yaml bms-test-lb-map-central-config.yaml

     vi bms-test-lb-map-central-config.yaml

     Edit the copy so that it contains the following:

     defaultService: global/backendServices/bms-test-central-backend
     hostRules:
     - hosts:
       - '*'
       pathMatcher: matcher1
     name: bms-test-lb-url-map
     pathMatchers:
     - defaultService: global/backendServices/bms-test-central-backend
       name: matcher1
       routeRules:
       - matchRules:
         - prefixMatch: /
         priority: 2
         routeAction:
           weightedBackendServices:
           - backendService: global/backendServices/bms-test-west-backend
             weight: 0
           - backendService: global/backendServices/bms-test-central-backend
             weight: 100
    
  6. Import the config file and re-verify. Requests should now be served from API Central.
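The two URL map files above differ only in the defaultService and the two weights, and the weightedBackendServices block is what makes a gradual shift (90/10, 50/50, and so on) possible rather than an all-or-nothing cut-over. The following POSIX shell script is an added example, not code from this page or from the BMS inaBOX resource kit: it renders the same URL map for any west/central split, rejects weights that are not integers summing to 100, and picks defaultService to match the backend carrying more traffic, as the two hand-written files do. The backend and URL map names are the ones used on this page; the output is meant to be fed to the gcloud compute url-maps import command from step 3.

```shell
#!/bin/sh
# Added example, not part of the original page. Renders the URL map YAML used
# on the page with an arbitrary west/central weight split, so a gradual traffic
# shift does not require hand-editing another copy of the file and risking an
# indentation or name mismatch between the copies.
# Backend and URL-map names are the ones used on the page.

WEST_BACKEND="global/backendServices/bms-test-west-backend"
CENTRAL_BACKEND="global/backendServices/bms-test-central-backend"
URL_MAP_NAME="bms-test-lb-url-map"

# is_weight <value>: true only for an integer in the range 0..100
is_weight() {
  case "$1" in ''|*[!0-9]*) return 1;; esac
  [ "$1" -le 100 ]
}

# render_url_map <west-weight> <central-weight>
# Prints the URL map to stdout; returns 1 if the weights are not integers
# summing to 100. defaultService follows the backend with the larger weight
# (west on a tie), matching the two hand-written files on the page.
render_url_map() {
  west=$1 central=$2
  is_weight "$west" && is_weight "$central" || return 1
  [ $((west + central)) -eq 100 ] || return 1
  if [ "$central" -gt "$west" ]; then
    default=$CENTRAL_BACKEND
  else
    default=$WEST_BACKEND
  fi
  cat <<EOF
defaultService: $default
hostRules:
- hosts:
  - '*'
  pathMatcher: matcher1
name: $URL_MAP_NAME
pathMatchers:
- defaultService: $default
  name: matcher1
  routeRules:
  - matchRules:
    - prefixMatch: /
    priority: 2
    routeAction:
      weightedBackendServices:
      - backendService: $WEST_BACKEND
        weight: $west
      - backendService: $CENTRAL_BACKEND
        weight: $central
EOF
}

# Usage: sh render-url-map.sh 90 10 > bms-test-lb-map-90-10.yaml
# then:  gcloud beta compute url-maps import bms-test-lb-url-map --global \
#            --source=bms-test-lb-map-90-10.yaml
if [ $# -eq 2 ]; then
  render_url_map "$1" "$2" || {
    echo "weights must be integers 0-100 that sum to 100" >&2
    exit 1
  }
fi
```

Validating the weights before printing anything matters because the import replaces the whole URL map: a file with weights that do not sum to 100 or with a mistyped backend name is rejected by the API, but a well-formed file with the wrong split is applied immediately to all traffic.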

Copyright © Dito LLC, 2023