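The internal HTTP(S) load balancer in Shared VPC service projects was recently released, and I tried the following tutorial.

But I got an error at the step that creates the forwarding rule (for HTTP).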

$ make VERBOSITY=debug create_forwarding_rule
gcloud beta compute forwarding-rules create l7-ilb-forwarding-rule \
                --load-balancing-scheme=INTERNAL_MANAGED \
                --network=projects/gx-cloud-master/global/networks/gx-cloud \
                --subnet=projects/gx-cloud-master/regions/asia-northeast1/subnetworks/gx-sandbox-dev1-subnet2 \
                --address=10.22.16.99 \
                --ports=80 \
                --region=asia-northeast1 \
                --target-http-proxy=l7-ilb-proxy \
                --target-http-proxy-region=asia-northeast1 \
                --project gx-sandbox-dev1 \
                --verbosity=debug
DEBUG: Running [gcloud.beta.compute.forwarding-rules.create] with arguments: [--address: "10.22.16.99", --load-balancing-scheme: "INTERNAL_MANAGED", --network: "projects/gx-cloud-master/global/networks/gx-cloud", --ports: "<googlecloudsdk.command_lib.compute.forwarding_rules.flags.PortRangesWithAll object at 0x111cd0990>", --project: "gx-sandbox-dev1", --region: "asia-northeast1", --subnet: "projects/gx-cloud-master/regions/asia-northeast1/subnetworks/gx-sandbox-dev1-subnet2", --target-http-proxy: "l7-ilb-proxy", --target-http-proxy-region: "asia-northeast1", --verbosity: "debug", NAME: "l7-ilb-forwarding-rule"]
DEBUG: (gcloud.beta.compute.forwarding-rules.create) Could not fetch resource:
 - Invalid value for field 'resource.target': 'https://compute.googleapis.com/compute/beta/projects/gx-sandbox-dev1/regions/asia-northeast1/targetHttpProxies/l7-ilb-proxy'. A reserved and active subnetwork is required in the same region and VPC as the forwarding rule.
Traceback (most recent call last):
  File "/Users/junya/google-cloud-sdk/lib/googlecloudsdk/calliope/cli.py", line 983, in Execute
    resources = calliope_command.Run(cli=self, args=args)
  File "/Users/junya/google-cloud-sdk/lib/googlecloudsdk/calliope/backend.py", line 807, in Run
    resources = command_instance.Run(args)
  File "/Users/junya/google-cloud-sdk/lib/surface/compute/forwarding_rules/create.py", line 362, in Run
    self._support_psc_google_apis).Run(args)
  File "/Users/junya/google-cloud-sdk/lib/surface/compute/forwarding_rules/create.py", line 123, in Run
    return client.MakeRequests(requests)
  File "/Users/junya/google-cloud-sdk/lib/googlecloudsdk/api_lib/compute/client_adapter.py", line 105, in MakeRequests
    errors, error_message='Could not fetch resource:')
  File "/Users/junya/google-cloud-sdk/lib/googlecloudsdk/api_lib/compute/utils.py", line 124, in RaiseToolException
    RaiseException(problems, calliope_exceptions.ToolException, error_message)
  File "/Users/junya/google-cloud-sdk/lib/googlecloudsdk/api_lib/compute/utils.py", line 136, in RaiseException
    errors))
googlecloudsdk.calliope.exceptions.ToolException: Could not fetch resource:
 - Invalid value for field 'resource.target': 'https://compute.googleapis.com/compute/beta/projects/gx-sandbox-dev1/regions/asia-northeast1/targetHttpProxies/l7-ilb-proxy'. A reserved and active subnetwork is required in the same region and VPC as the forwarding rule.

ERROR: (gcloud.beta.compute.forwarding-rules.create) Could not fetch resource:
 - Invalid value for field 'resource.target': 'https://compute.googleapis.com/compute/beta/projects/gx-sandbox-dev1/regions/asia-northeast1/targetHttpProxies/l7-ilb-proxy'. A reserved and active subnetwork is required in the same region and VPC as the forwarding rule.

make: *** [create_forwarding_rule] Error 1

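Also, I cannot create an internal HTTP(S) load balancer in the GCP Console. There is no option to select the Shared VPC network.

I would like to know how I can get this to work.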

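What I prepared

  • Enabled shared-vpc on the host project
  • Attached the service project to the shared-vpc
  • Created the proxy-only-subnet and service-subnet in the asia-northeast1 region
  • Granted the service project's service accounts access to the subnets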

What I ran from the tutorial

I ran these commands through a Makefile.

NETWORK_NAME:=
HOST_PROJECT_NAME:=
PROJECT_NAME:=
PROJECT_SUBNET_NAME:=

PROXY_ONLY_SUBNET_RANGE:=10.0.2.0/23
REGION:=asia-northeast1
ZONE:=asia-northeast1-b
VERBOSITY:=debug

configure-shared-vpc:
    gcloud compute shared-vpc enable $(HOST_PROJECT_NAME)
    gcloud compute shared-vpc associated-projects add $(PROJECT_NAME) --host-project $(HOST_PROJECT_NAME)
    gcloud compute networks create $(NETWORK_NAME) --subnet-mode custom --project $(HOST_PROJECT_NAME)

    # proxy-only subnet
    gcloud compute networks subnets create proxy-only-subnet \
        --project $(HOST_PROJECT_NAME) \
        --purpose INTERNAL_HTTPS_LOAD_BALANCER \
        --role ACTIVE \
        --region $(REGION) \
        --network $(NETWORK_NAME) \
        --range $(PROXY_ONLY_SUBNET_RANGE)

    # service project's subnet
    gcloud compute networks subnets create $(PROJECT_SUBNET_NAME) \
        --project $(HOST_PROJECT_NAME) \
        --network $(NETWORK_NAME) \
        --range 10.22.16.0/24 \
        --region $(REGION)

    # add roles/compute.networkUser to service project's service account
    #  * {project_id}@cloudservices.gserviceaccount.com
    #  * service-{project_id}@container-engine-robot.iam.gserviceaccount.com
    gcloud compute networks subnets set-iam-policy proxy-only-subnet \
        proxy-only-subnet-policy.yaml \
        --project $(HOST_PROJECT_NAME) \
        --region $(REGION)
    gcloud compute networks subnets set-iam-policy $(PROJECT_SUBNET_NAME) \
        service-project-subnet-policy.yaml \
        --project $(HOST_PROJECT_NAME) \
        --region $(REGION)

create_firewall_rule:
    gcloud compute firewall-rules create fw-allow-ssh \
        --project=$(HOST_PROJECT_NAME) \
        --network=$(NETWORK_NAME) \
        --action=allow \
        --direction=ingress \
        --target-tags=allow-ssh \
        --rules=tcp:22

    gcloud compute firewall-rules create fw-allow-health-check \
        --project=$(HOST_PROJECT_NAME) \
        --network=$(NETWORK_NAME) \
        --action=allow \
        --direction=ingress \
        --source-ranges=130.211.0.0/22,35.191.0.0/16 \
        --target-tags=load-balanced-backend \
        --rules=tcp

    gcloud compute firewall-rules create fw-allow-proxies \
        --project=$(HOST_PROJECT_NAME) \
        --network=$(NETWORK_NAME) \
        --action=allow \
        --direction=ingress \
        --source-ranges=$(PROXY_ONLY_SUBNET_RANGE) \
        --target-tags=load-balanced-backend \
        --rules=tcp:80,tcp:443,tcp:8000

create_instance_template:
    gcloud compute instance-templates create l7-ilb-backend-template \
        --project $(PROJECT_NAME) \
        --region=$(REGION) \
        --network=projects/$(HOST_PROJECT_NAME)/global/networks/$(NETWORK_NAME) \
        --subnet=projects/$(HOST_PROJECT_NAME)/regions/$(REGION)/subnetworks/$(PROJECT_SUBNET_NAME) \
        --tags=allow-ssh,load-balanced-backend \
        --image-family=debian-9 \
        --image-project=debian-cloud \
        --metadata-from-file=startup-script=startup-script.sh

create_instance_group:
    gcloud compute instance-groups managed create l7-ilb-backend-example \
        --zone=$(ZONE) \
        --size=2 \
        --template=l7-ilb-backend-template \
        --project $(PROJECT_NAME)

create_health_check:
    gcloud beta compute health-checks create http l7-ilb-basic-check \
         --region=$(REGION) \
         --use-serving-port \
         --project $(PROJECT_NAME)

create_backend_services:
    gcloud beta compute backend-services create l7-ilb-backend-service \
        --load-balancing-scheme=INTERNAL_MANAGED \
        --protocol=HTTP \
        --health-checks=l7-ilb-basic-check \
        --health-checks-region=$(REGION) \
        --region=$(REGION) \
        --project $(PROJECT_NAME)

    gcloud beta compute backend-services add-backend l7-ilb-backend-service \
        --balancing-mode=UTILIZATION \
        --instance-group=l7-ilb-backend-example \
        --instance-group-zone=$(ZONE) \
        --region=$(REGION) \
        --project $(PROJECT_NAME)

configure_load_balancer:
    gcloud beta compute url-maps create l7-ilb-map \
        --default-service=l7-ilb-backend-service \
        --region=$(REGION) \
        --project $(PROJECT_NAME)

    gcloud beta compute target-http-proxies create l7-ilb-proxy \
        --url-map=l7-ilb-map \
        --url-map-region=$(REGION) \
        --region=$(REGION) \
        --project $(PROJECT_NAME)

create_forwarding_rule:
    gcloud beta compute forwarding-rules create l7-ilb-forwarding-rule \
        --load-balancing-scheme=INTERNAL_MANAGED \
        --network=projects/$(HOST_PROJECT_NAME)/global/networks/$(NETWORK_NAME) \
        --subnet=projects/$(HOST_PROJECT_NAME)/regions/$(REGION)/subnetworks/$(PROJECT_SUBNET_NAME) \
        --address=10.22.16.99 \
        --ports=80 \
        --region=$(REGION) \
        --target-http-proxy=l7-ilb-proxy \
        --target-http-proxy-region=$(REGION) \
        --project $(PROJECT_NAME) \
        --verbosity=$(VERBOSITY)

Update (2020-07-07)

This feature is available in Alpha, not Beta. The announcement was wrong, but it has now been fixed.

Update (2020-08-19)

This feature is now GA.
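
An added example, not part of the original post: a pre-flight check for the precondition named in the error message (a proxy-only subnet with role ACTIVE in the forwarding rule's VPC and region), plus a check that the fw-allow-proxies source ranges cover that subnet. The subnet list is constructed in the shape of gcloud's JSON output using names from the post, and the function names are hypothetical; passing the check does not rule out other causes of the error.

```python
import ipaddress

# Constructed sample in the shape of
#   gcloud compute networks subnets list --project gx-cloud-master --format=json
# reduced to the fields used here; the us-central1 entry is invented for contrast.
BASE = "https://www.googleapis.com/compute/v1/projects/gx-cloud-master"
SUBNETS = [
    {"name": "gx-sandbox-dev1-subnet2", "purpose": "PRIVATE",
     "ipCidrRange": "10.22.16.0/24",
     "network": BASE + "/global/networks/gx-cloud",
     "region": BASE + "/regions/asia-northeast1"},
    {"name": "proxy-only-subnet", "purpose": "INTERNAL_HTTPS_LOAD_BALANCER",
     "role": "ACTIVE", "ipCidrRange": "10.0.2.0/23",
     "network": BASE + "/global/networks/gx-cloud",
     "region": BASE + "/regions/asia-northeast1"},
    {"name": "proxy-only-other-region", "purpose": "INTERNAL_HTTPS_LOAD_BALANCER",
     "role": "ACTIVE", "ipCidrRange": "10.0.4.0/23",
     "network": BASE + "/global/networks/gx-cloud",
     "region": BASE + "/regions/us-central1"},
]


def active_proxy_subnets(subnets, host_project, network, region):
    """Subnets meeting the precondition named in the error: reserved for the
    load balancer's proxies, ACTIVE, and in the rule's VPC and region."""
    net_suffix = f"/projects/{host_project}/global/networks/{network}"
    region_suffix = f"/projects/{host_project}/regions/{region}"
    return [s for s in subnets
            if s.get("purpose") == "INTERNAL_HTTPS_LOAD_BALANCER"
            and s.get("role") == "ACTIVE"
            and s.get("network", "").endswith(net_suffix)
            and s.get("region", "").endswith(region_suffix)]


def firewall_gaps(proxy_subnets, source_ranges):
    """Proxy-only ranges that no fw-allow-proxies source range covers."""
    allowed = [ipaddress.ip_network(r) for r in source_ranges]
    return [s["ipCidrRange"] for s in proxy_subnets
            if not any(ipaddress.ip_network(s["ipCidrRange"]).subnet_of(a)
                       for a in allowed)]


def preflight(subnets, host_project, network, region, source_ranges):
    """Summarise both checks for one forwarding rule's VPC and region."""
    found = active_proxy_subnets(subnets, host_project, network, region)
    return {"proxy_subnets": [s["name"] for s in found],
            "uncovered_ranges": firewall_gaps(found, source_ranges)}
```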
