
Create firewall rule for backend port if distinct from HC port #175

Open
petomalina opened this issue Jun 29, 2021 · 3 comments
Labels
enhancement New feature or request P3 medium priority issues triaged Scoped and ready for work

Comments

@petomalina

I am using this module with Istio where ingress has a health endpoint on :15021/healthz/ready while listening on :8080 for traffic.

Since the health check is targeting the first endpoint, it does not create a firewall rule for the traffic endpoint.

This is the rule I am creating manually at the moment:

data "google_compute_lb_ip_ranges" "ip_ranges" {}

resource "google_compute_firewall" "lb-http-ingress" {
  name = "global-ingress-0"

  project = var.xpn_project_id
  network = var.xpn_network_id

  source_ranges = concat(
    data.google_compute_lb_ip_ranges.ip_ranges.network,
    data.google_compute_lb_ip_ranges.ip_ranges.http_ssl_tcp_internal,
  )

  target_tags = [
    "lb-target"
  ]

  allow {
    protocol = "tcp"
    ports    = ["8080"]
  }
}

It would make sense for this module to support such a scenario natively.

@morgante
Contributor

morgante commented Jul 7, 2021

Can you provide an example of the module configuration you're using?

@morgante morgante added enhancement New feature or request P3 medium priority issues triaged Scoped and ready for work labels Jul 7, 2021
@petomalina
Author

@morgante I am sharing my config. I redacted some values that I found unnecessary for this case. Let me know if there's something specific you are missing.

module "lb-http" {
  source  = "GoogleCloudPlatform/lb-http/google"
  version = "5.1.1"

  project           = var.project_id
  name              = var.lb_name
  create_address    = false
  address           = data.google_compute_global_address.global-public-ip.address
  target_tags = [
    "lb-target"
  ]

  # custom url map
  url_map = google_compute_url_map.sandcastle-global-urlmap.self_link
  create_url_map = false

  backends = {
    default = merge(var.default_backend_params, {
      description = "istio global public LB"
      protocol    = "HTTP"
      port_name   = "http"
      port        = 8080 // <- this is ingress port
      timeout_sec = 30

      health_check = {
        request_path        = "/healthz/ready"
        host                = null
        port                = 15021 // <- this is the ingress health port
        healthy_threshold   = 1
        unhealthy_threshold = 3
        check_interval_sec  = 7
        timeout_sec         = 5
        logging             = true
      }

      groups = [
        merge(var.default_group_params, {
          group       = "https://www.googleapis.com/compute/v1/projects/${var.project_id}/zones/${var.gke_zones[0]}/networkEndpointGroups/istio-ingress-neg"
          description = "NEG zonal backend"
        })
      ]
    })
  }
}

@morgante
Contributor

morgante commented Jul 16, 2021

Thank you, this makes sense to support. We should add an additional firewall rule like the existing one which adds rules for any backends which have a different health check port.

I will include this in our backlog, but we would also be happy to review a pull request if you're able to get to it sooner.
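One way the module-side rule described above could look, as an added example that is not code from the terraform-google-lb-http module or from either commenter. It assumes the module's `backends` variable has the shape of the config in this issue (a `port` and a `health_check.port` per backend), reuses the `google_compute_lb_ip_ranges` data source from the manual rule, and assumes `var.network` exists alongside the `name`, `project` and `target_tags` variables already used in the posted config.

```hcl
# Added example: one firewall rule covering every backend port that differs
# from that backend's health check port, which the existing HC rule misses.
locals {
  # assumption: var.backends matches the shape of the config posted above
  distinct_backend_ports = distinct([
    for name, backend in var.backends : tostring(backend.port)
    if backend.port != backend.health_check.port
  ])
}

data "google_compute_lb_ip_ranges" "ip_ranges" {}

resource "google_compute_firewall" "lb_backend_ports" {
  # only create the rule when at least one backend actually needs it
  count   = length(local.distinct_backend_ports) > 0 ? 1 : 0
  name    = "${var.name}-backend-ports" # var.name: the module's LB name
  project = var.project                 # in a Shared VPC this is the host project
  network = var.network                 # assumption: the network the NEGs live in

  # Restrict sources to Google's load balancer and health checker ranges
  # rather than 0.0.0.0/0: traffic reaches the backends only via the LB,
  # so nothing else needs this port opened.
  source_ranges = concat(
    data.google_compute_lb_ip_ranges.ip_ranges.network,
    data.google_compute_lb_ip_ranges.ip_ranges.http_ssl_tcp_internal,
  )

  # assumption: the same tags the module already applies to its HC rule
  target_tags = var.target_tags

  allow {
    protocol = "tcp"
    ports    = local.distinct_backend_ports # ["8080"] for the config above
  }
}
```

For the posted config this yields a single rule allowing tcp/8080 from the LB ranges to instances tagged `lb-target`, and no rule at all when every backend port equals its health check port.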
