Configure external IP addresses for Google Distributed Cloud (software only) for VMware with F5 BIG-IP load balancers

Note: This guide only supports Cloud Service Mesh with Istio APIs and doesnot support Google Cloud APIs. For more information see,Cloud Service Mesh overview.Note: This feature is not supported on managed Cloud Service Mesh

The default Cloud Service Mesh installation on Google Distributed Cloud (software only) for VMware assumes thatexternal IP addresses are automatically allocated forLoadBalancer services.This is not true for Google Distributed Cloud (software only) for VMware with F5 BIG-IP load balancers.Because of this, you need to allocate one or more external IP addresses,depending on your service mesh configuration:

  • One external IP address for the Cloud Service Mesh ingress Gateway resource, forexample the gateway that your customers use to access your workloads fromacross the internet.
  • Another external IP address for your clusters to communicate with each otherif they exist on different networks within your service mesh. This is referredto as the east-west gateway.

Configuring the ingress gateway IP address

To configure an external IP address for the ingress gateway, follow theinstructions in one of these sections, depending on yourGoogle Distributed Cloud (software only) for VMware load balancing mode:

    Integrated mode

  1. Patch theistio-ingressgateway Service's configuration with the external IP address for the ingress gateway:
    kubectl patch svc istio-ingressgateway -n istio-system --type='json' -p '[{"op": "add", "path": "/spec/loadBalancerIP", "value": "INGRESS_GATEWAY_IP"}]'

    2. Manual mode

  2. View theistio-ingressgateway service's configuration in your shell:
    kubectl get svc -n istio-system istio-ingressgateway -o yaml
    Each of the ports for Cloud Service Mesh's gateways are displayed. The command output is like the following:
      ...  ports:  - name: status-port    nodePort: 30391    port: 15020    protocol: TCP    targetPort: 15020  - name: http2    nodePort: 31380    port: 80    protocol: TCP    targetPort: 80  - name: https    nodePort: 31390    port: 443    protocol: TCP    targetPort: 443  - name: tcp    nodePort: 31400    port: 31400    protocol: TCP    targetPort: 31400  - name: https-kiali    nodePort: 31073    port: 15029    protocol: TCP    targetPort: 15029  - name: https-prometheus    nodePort: 30253    port: 15030    protocol: TCP    targetPort: 15030  - name: https-grafana    nodePort: 30050    port: 15031    protocol: TCP    targetPort: 15031  - name: https-tracing    nodePort: 31204    port: 15032    protocol: TCP    targetPort: 15032  - name: tls    nodePort: 30158    port: 15443    protocol: TCP    targetPort: 15443  ...
  3. Expose these ports through your load balancer.

    For example, the service port namedhttp2 hasport 80 andnodePort 31380. Suppose the node addresses for your user cluster are192.168.0.10,192.168.0.11, and192.168.0.12, and your load balancer's VIP is203.0.113.1.

    Configure your load balancer so that traffic sent to203.0.113.1:80 is forwarded to192.168.0.10:31380,192.168.0.11:31380, or192.168.0.12:31380. You can select the service ports that you want to expose on this given VIP.

Confirm that the ingress gateway was assigned an external IP address. Theremight be a slight delay that requires you to repeat this command until yousee the expected result:

kubectl --context="${CTX_CLUSTER1}" get svc istio-ingressgateway -n istio-system

The expected output is:

NAME                    TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)   AGEistio-ingressgateway   LoadBalancer   10.80.6.124   34.75.71.237   ...       51s

Configuring the east-west gateway IP address

To configure an external IP address for the east-west gateway, follow theinstructions in one of these sections, depending on yourGoogle Distributed Cloud (software only) for VMware load balancing mode:

    Integrated mode

  1. Patch theistio-eastwestgateway Service's configuration with the external IP address for the east-west gateway:
    kubectl patch svc istio-eastwestgateway -n istio-system --type='json' -p '[{"op": "add", "path": "/spec/loadBalancerIP", "value": "EAST_WEST_GATEWAY_IP"}]'

    2. Manual mode

  2. View theistio-eastwestgateway service's configuration in your shell:
    kubectl get svc -n istio-system istio-eastwestgateway -o yaml
    Each of the ports for Cloud Service Mesh's gateways are displayed. The command output is like the following:
      ports:  - name: status-port    nodePort: 31781    port: 15021    protocol: TCP    targetPort: 15021  - name: tls    nodePort: 30498    port: 15443    protocol: TCP    targetPort: 15443  - name: tls-istiod    nodePort: 30879    port: 15012    protocol: TCP    targetPort: 15012  - name: tls-webhook    nodePort: 30336    port: 15017    protocol: TCP    targetPort: 15017  ...
  3. Expose these ports through your load balancer.

    For example, the service port namedhttp2 hasport 80 andnodePort 31380. Suppose the node addresses for your user cluster are192.168.0.10,192.168.0.11, and192.168.0.12, and your load balancer's VIP is203.0.113.1.

    Configure your load balancer so that traffic sent to203.0.113.1:80 is forwarded to192.168.0.10:31380,192.168.0.11:31380, or192.168.0.12:31380. You can select the service ports that you want to expose on this given VIP.

Confirm that the east-west gateway was assigned an external IP address. Theremight be a slight delay that requires you to run repeat this command until yousee the expected result:

kubectl --context="${CTX_CLUSTER1}" get svc istio-eastwestgateway -n istio-system

The expected output is:

NAME                    TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)   AGEistio-eastwestgateway   LoadBalancer   10.80.6.124   34.75.71.237   ...       51s

What's next?

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.