Closed dkassab closed 3 years ago
Hi @dkassab. There is a firewall rule in the foundation to allow traffic from the load balancers. It requires turning on the flag `optional_fw_rules_enabled` in step 3-networks and adding the tag `allow-lb` to the GCE instances:
```hcl
resource "google_compute_firewall" "allow_lb" {
  count   = var.optional_fw_rules_enabled ? 1 : 0
  name    = "fw-${var.environment_code}-shared-restricted-1000-i-a-all-allow-lb-tcp-80-8080-443"
  network = module.main.network_name
  project = var.project_id

  dynamic "log_config" {
    for_each = var.firewall_enable_logging == true ? [{
      metadata = "INCLUDE_ALL_METADATA"
    }] : []
    content {
      metadata = log_config.value.metadata
    }
  }

  source_ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4)

  // Allow common app ports by default.
  allow {
    protocol = "tcp"
    ports    = ["80", "8080", "443"]
  }

  target_tags = ["allow-lb"]
}
```
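As an added example (not code from the issue or from the foundation repository), the two `google_netblock_ip_ranges` data sources that the rule above concatenates, plus the node pool definition that actually carries the `allow-lb` tag; the node pool name, cluster and location variables are assumed.

```hcl
# Added example, not from the issue. Resolves the Google health-checker
# ranges the firewall rule concatenates; range_type values are the
# provider's documented ones, everything else below is assumed.
data "google_netblock_ip_ranges" "health_checkers" {
  range_type = "health-checkers"          # 35.191.0.0/16, 130.211.0.0/22
}

data "google_netblock_ip_ranges" "legacy_health_checkers" {
  range_type = "legacy-health-checkers"   # ranges used by older LB types
}

# The tag must be on the GKE nodes (node_config.tags), not on the cluster
# object or the control plane, for target_tags = ["allow-lb"] to match.
# Only tagged nodes receive ingress from the health-check ranges; nodes
# without the tag stay closed on 80/8080/443 from those sources.
resource "google_container_node_pool" "mci" {
  name     = "mci-pool"                   # assumed
  project  = var.project_id
  location = var.region                   # assumed
  cluster  = var.cluster_name             # assumed

  node_config {
    tags = ["allow-lb"]
  }
}

# Sanity output: the exact CIDRs the rule will open. Review this in
# `terraform plan` to confirm no broader source range crept in.
output "lb_health_check_sources" {
  value = concat(
    data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4,
    data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4,
  )
}
```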
Hi @dkassab and @daniel-cit. Does only the mci cluster need the tag, or do all clusters need them? The tag "allow-lb" can be added here for all clusters, and here for the bastion host.
We just need it on the GKE clusters.
We need a firewall rule to allow health checks to pass from the Cloud Load Balancing to container workloads:
https://cloud.google.com/kubernetes-engine/docs/how-to/multi-cluster-ingress-setup#shared_vpc_deployment