This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

External load balancer NEG healtcheck failing to GKE pods

Posted on 11-14-2022 05:46 PM
MH1169
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hi,

I have configured an ingress resource in GKE which creates an external LB to the istio pods in the GKE cluster.

NEG endpoints are correctly added. But healtcheck to the pods itself are failing.

MH1169_0-1668476531054.png

The ingress FW rule to allow 130.211.0.0/22 and 35.191.0.0/16 to port 8443 has been added. Am I missing any configuration?

 

Thanks.

Solved Solved
0 3 4,908
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
glen_yu
Google Developer Expert
Google Developer Expert
Reply posted on --/--/---- --:-- AM

The (I'm assuming) HTTP load balancer will only health check against HTTP port 80 (plus a handful of other default settings) unless you tell it otherwise.  So while you did put in the correct FW rules for the health check, your health check was never going to port 8443 anyway.  

What you need is a BackendConfig that defines a custom health check port/path/protocol, etc.

Here's an example of a BackendConfig with a custom health check defined.

You'll also need to point your Ingress at it in the annotations.  Example here.

 

 

View solution in original post

Jump to Solution
0 Likes
3 REPLIES 3

Posted on --/--/---- --:-- AM
glen_yu
Google Developer Expert
Google Developer Expert
Reply posted on --/--/---- --:-- AM

The (I'm assuming) HTTP load balancer will only health check against HTTP port 80 (plus a handful of other default settings) unless you tell it otherwise.  So while you did put in the correct FW rules for the health check, your health check was never going to port 8443 anyway.  

What you need is a BackendConfig that defines a custom health check port/path/protocol, etc.

Here's an example of a BackendConfig with a custom health check defined.

You'll also need to point your Ingress at it in the annotations.  Example here.

 

 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
MH1169
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hi Glen,

Thanks for the pointers. Have added the configuration and customized backend health check.

Found out that the pod readiness probe (istio service) is failing that caused the NEG readiness probe to fail.

Will check further why istio internal readiness is failing.

 

 

Thanks.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
rjtg1992
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I have the same problem in two scenarios, the first one when I scale the deployment in the istio-system namespace istio-ingress-gateway the issue is basically the load balancer create a new exponents making some request fails, do you have a idea about a good solution ?

Jump to Solution
Top Labels in this Space
Top Solution Authors
View all