Configure networking for a basic production cluster

Autopilot Standard

This tutorial is intended for cloud architects and operations administratorsinterested in deploying a web application to a Google Kubernetes Engine (GKE)cluster and exposing it with an HTTPS load balancer.

Objectives

In this tutorial, you will learn how to:

  • Create a GKE cluster.
  • Create a global IP address and Cloud DNS zone with Terraform.
  • Configure HTTPS load balancing.
  • Deploy a sample web application.

Costs

In this document, you use the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use thepricing calculator.

New Google Cloud users might be eligible for afree trial.

When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, seeClean up.

Before you begin

Set up your project

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, clickCreate project to begin creating a new Google Cloud project.

    Roles required to create a project

    To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.create permission.Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Google Kubernetes Engine, Cloud DNS APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enable permission.Learn how to grant roles.

    Enable the APIs

  5. In the Google Cloud console, on the project selector page, clickCreate project to begin creating a new Google Cloud project.

    Roles required to create a project

    To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.create permission.Learn how to grant roles.

    Go to project selector

  6. Verify that billing is enabled for your Google Cloud project.

  7. Enable the Google Kubernetes Engine, Cloud DNS APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enable permission.Learn how to grant roles.

    Enable the APIs

  • You must own a domain name. The domain name must be no longer than 63 characters. You can useGoogle Domains or another registrar.

Set up your environment

In this tutorial, you useCloud Shell to manage resources hosted onGoogle Cloud. Cloud Shell is preinstalled with the software you need forthis tutorial, includingTerraform,kubectl and thegcloud CLI.

  1. Set environment variables:

    PROJECT_ID=$(gcloudconfigget-valueproject)gcloudconfigsetproject$PROJECT_IDgcloudconfigsetcompute/regionus-central1

  2. Clone the code repository:

    gitclonehttps://github.com/GoogleCloudPlatform/kubernetes-engine-samples.git

  3. Change to the working directory:

    cdkubernetes-engine-samples/autopilot/networking-tutorial

Create a GKE cluster

The following Terraform file creates a GKE cluster:

terraform{required_version="~> 1.3"}provider"google"{}variable"region"{type=stringdescription="Region where the cluster will be created."default="us-central1"}variable"cluster_name"{type=stringdescription="Name of the cluster"default="networking-cluster"}resource"google_container_cluster""default"{name=var.cluster_namedescription="Cluster for sample web application"location=var.regionenable_autopilot=trueip_allocation_policy{}}output"region"{value=var.regiondescription="Compute region"}output"cluster_name"{value=google_container_cluster.default.namedescription="Cluster name"}

The following Terraform file creates a global IP address and Cloud DNSzone:

terraform{required_version="~> 1.3"}variable"base_domain"{type=stringdescription="Your base domain"}variable"name"{type=stringdescription="Name of resources"default="networking-tutorial"}data"google_client_config""current"{}resource"google_compute_global_address""default"{name=var.name}resource"google_dns_managed_zone""default"{name=var.namedns_name="${var.name}.${var.base_domain}."description="DNS Zone for web application"}resource"google_dns_record_set""a"{name=google_dns_managed_zone.default.dns_nametype="A"ttl=300managed_zone=google_dns_managed_zone.default.namerrdatas=[google_compute_global_address.default.address]}resource"google_dns_record_set""cname"{name=join(".", compact(["www",google_dns_record_set.a.name]))type="CNAME"ttl=300managed_zone=google_dns_managed_zone.default.namerrdatas=[google_dns_record_set.a.name]}output"dns_zone_name_servers"{value=google_dns_managed_zone.default.name_serversdescription="Write these virtual name servers in your base domain."}output"domain"{value=trim(google_dns_record_set.a.name,".")}

  1. Initialize Terraform:

    terraforminit

  2. View the infrastructure changes:

    terraformplan

    When prompted, enter your domain, such asmy-domain.net.

  3. Apply the Terraform configuration:

    terraformapply--auto-approve

    When prompted, enter your domain, such asmy-domain.net.

    The output is similar to the following:

    Apply complete! Resources: 1 added, 0 changed, 0 destroyed.Outputs:cluster_name = "networking-cluster"region = "us-central1"

Create an external Application Load Balancer

  1. The following manifest describes a ManagedCertificate, FrontendConfig,Deployment, Service, and Ingress:

    ---apiVersion:networking.gke.io/v1kind:ManagedCertificatemetadata:name:networking-managed-certspec:domains:-DOMAIN_NAME-www.DOMAIN_NAME---apiVersion:networking.gke.io/v1beta1kind:FrontendConfigmetadata:name:networking-fcspec:redirectToHttps:enabled:trueresponseCodeName:MOVED_PERMANENTLY_DEFAULT---apiVersion:apps/v1kind:Deploymentmetadata:name:frontendspec:selector:matchLabels:app:frontendreplicas:2template:metadata:labels:app:frontendspec:containers:-name:echo-amd64image:us-docker.pkg.dev/google-samples/containers/gke/hello-app-cdn:1.0---apiVersion:v1kind:Servicemetadata:name:frontendspec:type:LoadBalancerselector:app:frontendports:-name:httpport:80targetPort:8080---apiVersion:networking.k8s.io/v1kind:Ingressmetadata:name:frontendannotations:networking.gke.io/managed-certificates:networking-managed-certnetworking.gke.io/v1beta1.FrontendConfig:networking-fckubernetes.io/ingress.global-static-ip-name:networking-tutorialkubernetes.io/ingress.class:gcelabels:app:frontendspec:defaultBackend:service:name:frontendport:number:80

    ReplaceDOMAIN_NAME with your domain name, suchasmy-domain.net.

    This manifest has the following properties:

    • networking.gke.io/managed-certificates: the name of theManagedCertificate.
    • networking.gke.io/v1beta1.FrontendConfig: the name of the FrontendConfigresource.
    • kubernetes.io/ingress.global-static-ip-name: the name of the IP address.
    • kubernetes.io/ingress.class: instructs the GKE Ingresscontroller to create an external Application Load Balancer.

  2. Apply the manifest to your cluster:

    kubectlapply-fkubernetes-manifests.yaml

  3. Verify the Ingress was created:

    kubectldescribeingressfrontend

    The output is similar to the following:

    ...  Events:    Type    Reason  Age   From                     Message    ----    ------  ----  ----                     -------    Normal  ADD     2m    loadbalancer-controller  default/frontend    Normal  CREATE  1m    loadbalancer-controller  ip: 203.0.113.2...

    It might take several minutes for the Ingress to provision.

Test application

  1. Check the status of the SSL certificate:

    kubectlgetmanagedcertificates.networking.gke.ionetworking-managed-cert

    The SSL certificate might take up to 30 minutes to provision. The followingoutput indicates the SSL certificate is ready:

    NAME                      AGE   STATUSnetworking-managed-cert   28m   Active

  2. Run acurl command:

    curl-Lvhttps://DOMAIN_NAME

    The output is similar to the following:

    *   Trying 34.160.115.33:443...* Connected toDOMAIN_NAME (34.160.115.33) port 443 (#0)...* TLSv1.3 (IN), TLS handshake, Certificate (11):...* Server certificate:*  subject: CN=DOMAIN_NAME...> Host:DOMAIN_NAME

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

Delete the project

    Caution: Deleting a project has the following effects:
    • Everything in the project is deleted. If you used an existing project for the tasks in this document, when you delete it, you also delete any other work you've done in the project.
    • Custom project IDs are lost. When you created this project, you might have created a custom project ID that you want to use in the future. To preserve the URLs that use the project ID, such as anappspot.com URL, delete selected resources inside the project instead of deleting the whole project.

    If you plan to explore multiple architectures, tutorials, or quickstarts, reusing projects can help you avoid exceeding project quota limits.

  1. In the Google Cloud console, go to theManage resources page.

    Go to Manage resources

  2. In the project list, select the project that you want to delete, and then clickDelete.
  3. In the dialog, type the project ID, and then clickShut down to delete the project.

Delete individual resources

  1. Delete the kubernetes resources:

    kubectldelete-fkubernetes-manifests.yaml

  2. Delete the Terraform resources:

    terraformdestroy--auto-approve

    When prompted, enter your domain, such asmy-domain.net.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-11-25 UTC.