cockroachdb / cockroach

CockroachDB — the cloud native, distributed SQL database designed for high availability, effortless scale, and control over data placement.
https://www.cockroachlabs.com

docs: multi-region GCP ILB other-region client-access now supported #114960

Open hermanbanken opened 11 months ago

hermanbanken commented 11 months ago

The docs of Multi-Region mention that there is a GCP limitation requiring public access to DNS. The reasons given no longer hold.

See https://github.com/cockroachdb/cockroach/tree/master/cloud/kubernetes/multiregion#exposing-dns-servers-to-the-internet.

As currently configured, the way that the DNS servers from each Kubernetes cluster are hooked together is by exposing them via a load balanced IP address that's visible to the public Internet. This is because Google Cloud Platform's Internal Load Balancers do not currently support clients in one region using a load balancer in another region.

None of the services in your Kubernetes cluster will be made accessible, but their names could leak out to a motivated attacker. If this is unacceptable, please let us know and we can demonstrate other options. Your voice could also help convince Google to allow clients from one region to use an Internal Load Balancer in another, eliminating the problem.

The problem is eliminated.

Issue tracker last post:

Marked as fixed, reassigned to ge...@google.com. Thank you all for the valuable comments in this bug!

As suggested by the previous poster, GCP now allows you to configure an internal TCP/UDP load balancer such that it's available to clients in any region.

For more about this feature, please read: https://cloud.google.com/load-balancing/docs/internal/#client_access

If you're new to internal TCP/UDP load balancing in GCP, I encourage you to read the whole overview: https://cloud.google.com/load-balancing/docs/internal/

GKE 1.16 is required if you want to use this feature with Kubernetes Engine: https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access_beta

Please note the following:

  • Internal TCP/UDP load balancers are still regional (even when they are globally accessible). This means that all backend VMs (or node VMs) must be in one region. The load balancer's backend service and forwarding rule are still regional.

  • For details about how global access interacts with networks connected to the load balancer's VPC network, please read: https://cloud.google.com/load-balancing/docs/internal/internal-lb-and-other-networks

I'll mark this issue resolved. Thanks for using GCP!

Jira issue: CRDB-33808
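Added illustration of the GKE setting the post refers to: a Service that exposes a cluster's DNS server through an internal TCP/UDP load balancer reachable from other regions, so the DNS endpoint no longer needs a public IP. This is not a manifest from the cockroach repository or the issue; the namespace, selector, port and source range are assumptions.

```yaml
# Added example (not from the issue or the cockroach repo). Exposes cluster DNS
# over a GCP internal load balancer with global access, replacing the public
# exposure the multi-region docs describe as a GCP limitation.
# Assumptions: DNS pods run in kube-system with label k8s-app=kube-dns and serve
# UDP/53; 10.0.0.0/8 stands in for the peer clusters' node/pod ranges.
apiVersion: v1
kind: Service
metadata:
  name: kube-dns-lb
  namespace: kube-system
  annotations:
    # Internal load balancer: the forwarding rule gets a VPC-private address,
    # nothing is visible from the public Internet.
    networking.gke.io/load-balancer-type: "Internal"
    # Global access: clients in any region of the VPC may use this regional
    # load balancer (the GCP change referenced above; needs GKE 1.16+).
    # Backends stay regional, so each regional cluster needs its own Service.
    networking.gke.io/internal-load-balancer-allow-global-access: "true"
spec:
  type: LoadBalancer
  selector:
    k8s-app: kube-dns
  # Limit which sources the load balancer's firewall rule admits; without this
  # any workload that can route to the VPC can query the DNS server.
  loadBalancerSourceRanges:
    - 10.0.0.0/8
  ports:
    - name: dns-udp
      port: 53
      protocol: UDP
      targetPort: 53
```

The internal address the cloud controller assigns (visible under `status.loadBalancer.ingress` on the Service) is what the other clusters' DNS stub-domain configuration would then point at.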

blathers-crl[bot] commented 11 months ago

Hello, I am Blathers. I am here to help you get the issue triaged.

It looks like you have not filled out the issue in the format of any of our templates. To best assist you, we advise you to use one of these templates.

I was unable to automatically find someone to ping.

If we have not gotten back to your issue within a few business days, you can try the following:

:owl: Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.