How to keep service to service traffic internal to cluster and avoid Cloud Armor

I have a GKE cluster that hosts some services.
These services are exposed externally through a Load Balancer.
The services are protected using Cloud Armor.

My issue is that I do not want Cloud Armor policies to apply for service to service calls within the cluster. 

I'm getting traffic that is denied by Cloud Armor for cross-service calls.
The cluster has VPC-native traffic routing enabled.

I've tried changing the Internal Traffic policy from Cluster to Local.

Does Cloud Armor only filter external traffic? If so, that would mean that my service-to-service calls (which are made using the external-facing URLs) are leaving the cluster.

How can I have the traffic stay inside the cluster so as not to be denied by Cloud Armor?


Hi @gillesleblanc,

In which way are you exposing your services? If the communication is intra-cluster, you can simply expose your services with the ClusterIP type, and then kubeDNS will resolve the hostnames.

If you want to better manage the communication from outside the cluster, you can implement an Ingress Controller (like the NGINX one) and then use Ingress rules to forward the traffic towards your microservices. (https://kubernetes.io/docs/concepts/services-networking/ingress/) (https://docs.nginx.com/nginx-ingress-controller/)
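As an added example (not from the original question or reply), here is the ClusterIP pattern the reply describes: a callee Service with no external IP, and a caller Deployment that addresses it by its in-cluster DNS name instead of the public URL. The names `orders`, `billing`, the namespace `shop` and the image are assumptions; the point is that a call to `orders.shop.svc.cluster.local` never leaves the cluster, so the external Load Balancer and its Cloud Armor policy stay in the path only for traffic that genuinely originates outside.

```yaml
# Callee: reachable only inside the cluster (assumed names).
apiVersion: v1
kind: Service
metadata:
  name: orders
  namespace: shop
spec:
  type: ClusterIP        # not LoadBalancer: no external IP, Cloud Armor is not in the path
  selector:
    app: orders
  ports:
    - name: http
      port: 80
      targetPort: 8080
---
# Caller: configured with the in-cluster DNS name, not the external-facing URL.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: billing
  namespace: shop
spec:
  replicas: 1
  selector:
    matchLabels:
      app: billing
  template:
    metadata:
      labels:
        app: billing
    spec:
      containers:
        - name: billing
          image: example.com/billing:1.0   # placeholder image
          env:
            # kube-dns resolves this to the Service's ClusterIP; traffic stays on the
            # VPC-native pod/service network and never reaches the external Load Balancer.
            - name: ORDERS_URL
              value: "http://orders.shop.svc.cluster.local"
```

The external-facing Service or Ingress for `orders` can stay as it is for real external clients; only the in-cluster callers need to switch to the internal name.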
