Community

Blog Events Webinars Tutorials Forum
  1. Blog
  2. Events
  3. Webinars
  4. Tutorials
  5. Forum
Create Account
×
Community Blog Building a Multi-Cloud Environment Using Google Cloud Kubernetes (GKE) and Alibaba Cloud Kubernetes on Alibaba Cloud ACK One

Building a Multi-Cloud Environment Using Google Cloud Kubernetes (GKE) and Alibaba Cloud Kubernetes on Alibaba Cloud ACK One

This article builds a multi-cloud environment using Google Cloud Kubernetes (GKE) and Alibaba Cloud Kubernetes on Alibaba Cloud ACK One.

Introduction

Alibaba Cloud ACK One is a product service provided by Alibaba Cloud that enables hybrid and multi-cloud environments based on Kubernetes. ACK One manages Kubernetes clusters from AWS, Azure, Google Cloud, on-premises, and others as a unified managed Kubernetes service in Alibaba Cloud ACK clusters, allowing for flexible multi-cluster configurations across different environments. With ACK One, as long as there is Kubernetes on the other cloud or on-premises environments, you can register the Kubernetes cluster with ACK One and operate it based on Alibaba Cloud's fully managed Kubernetes service, Alibaba Cloud Container Service for Kubernetes (ACK), even on other cloud or on-premises environments.

In a previous article, we explained how to build a multi-cluster service between ASK clusters on Alibaba Cloud using ACK One. With ACK One, clusters deployed in data centers and third-party cloud clusters can be registered, making it possible to build multi-cluster services involving GKE clusters.

This article explains how to build network connections between Alibaba Cloud and Google Cloud (via VPN Gateway) and how to use this as a base to build multi-cluster services with ACK One.

Explanation

1. Configuration Diagram

The overall configuration diagram is below:

1

2. Create VPC and vSwitch on Alibaba Cloud

In order to build a network connection with VPN Gateway, create VPC and vSwitch on Alibaba Cloud:

2
3

3. Create a VPN Gateway on Alibaba Cloud

In order to generate an external IP address, create a VPN Gateway on Alibaba Cloud:

4
5
6

  1. Click Create VPN Gateway on the VPN Gateway console
  2. Enter the required information on the creation form and ensure that the specific VPC and vSwitch created in the steps above are selected.
  3. Click Buy Now to proceed to the order confirmation page
  4. Confirm the terms of service
  5. Click Activate Now to execute the creation operation

Check the created resources and wait for the IP address to be generated. At this time, the VPN Gateway instance will be in the Active state, so make a note of the IP address displayed at that time. This IP address will be used in the future.

7
8

4. Create a VPC Network with a Subnet on Google Cloud

Go to the VPC Network console on the Google Cloud platform and create a new VPC with a subnet:

9
10

  1. Click the Create VPC Network to proceed
  2. Enter the required information for the basic settings and select custom for the subnet creation mode
  3. Enter the required information for the subnet settings, pick the target region, and verify that the IP address range is different from Alibaba Cloud's VPC
  4. Select the recommended firewall rules
  5. Click Create to execute the operation

Once complete, the target VPC network will be displayed on the Google Cloud console:

11

5. Create a VPN Gateway on Google Cloud

Navigate to the VPN console on Google Cloud and create a VPN connection for further use:

12
13
14
15

1.  Click Create VPN connection on the VPN console

2.  Select the classic VPN mode and click Continue to proceed to the next step

3.  Enter the basic information of the VPN Gateway (network, region, etc.)

4.  Reserve a new static IP address to bind with the target VPN Gateway. This can also be created separately on the IP addresses page of the VPC Network console. Remember this IP address for future use.

5.  Configure the VPN tunnel settings

  • Set the remote peer IP address to the generated external IP address of the Alibaba Cloud VPN Gateway
  • Select IKEv2 as the IKE version
  • Specify the IKE pre-shared key and remember it for future use
  • Select Policy-based for the routing option
  • Specify the Remote network IP ranges as the CIDR of the Alibaba Cloud VPC or vSwitch
  • Configure the Local subnetworks and Local IP ranges based on the VPC network created in the previous steps

6.  Click Create and execute the operation.

Check the created resources (such as the VPN Gateway and tunnel)

16
17

6. Create a Customer Gateway on Alibaba Cloud

Create a customer gateway on Alibaba Cloud:

18

  1. Click the Create Customer Gateway on the Alibaba console
  2. Enter the required information in the popup window and set the IP address as an instance of the static IP address generated in the steps above.
  3. Click OK to perform the operation

Verify the created instance as the following image:

19

7. Create an IPsec Connection on Alibaba Cloud

Next, we will build an IPsec connection on Alibaba Cloud. This will be done from the VPC console on Alibaba Cloud.

20
21

1.  Click Create IPsec Connection

2.  Enter the required information for basic settings

  • Set the Associate Resource to VPN Gateway and select the corresponding VPN Gateway and Customer Gateway from the dropdown list
  • Select the protected data flow as the routing mode
  • Set the IP range of the target VPC or vSwitch on Alibaba Cloud for the local network
  • Set the remote network with the IP range of the target VPC on Google Cloud
  • Set Effective Immediately to Yes as recommended, as the customer route policy of the VPN Gateway needs to be published manually
  • Set the same pre-shared key as set in Google Cloud settings

3.  Enter the required information for detailed settings

  • Pick IKEv2, which is the same as what is set in the Google Cloud settings, in the IKE settings field. Set the encryption algorithm to aes256 and the authentication algorithm to sha256.
  • Set the encryption algorithm to aes256 and the authentication algorithm to sha256 in the IPsec condition field, the same as above.

4.  Leave the BGP settings disabled by default

5.  Click OK to perform the operation

The IPsec connection that was created shows an error in the connection status. However, since all necessary resources have been prepared, the connection status will quickly change to successful. Please confirm that the final connection status is Phase 2 of IKE Tunnel Negotiation Succeeded. If the connection status is not as described, there may have been some error in the configuration steps above.

22

23

8. Confirm Network Connection Settings

We recommend checking several items in addition to the IPsec connection status to confirm that the configuration has been completed successfully. First, check the status of the VPN tunnel in Google Cloud. Once the IPsec connection has been successfully configured in Alibaba Cloud, the VPN tunnel in Google Cloud also needs to be updated to Established simultaneously.

24

Next, return to the VPN console in Alibaba Cloud and check the Policy-based Routing under the target VPN Gateway. There should be published route entries. If the route entry is in an Unpublished state, please manually publish it.

25

Display the route table for the selected VPC and check the custom routes in the route entry list. There should be one item corresponding to the published route entry under the VPN Gateway.

26

9. Confirm the Network Connection

Create two virtual machines on both Alibaba Cloud and Google Cloud and confirm network connectivity using the ping command. If there is no problem with the connection configuration, the response will be something like this:

27
28

29

10. Building a Multi-Cluster Service Using ASK Cluster and GKE Cluster

Use ACK One to build a multi-cluster service. Deploy an Alibaba Cloud ASK cluster as a service provider and a GKE cluster on Google Cloud as a provider for demo consumers to check service responses.

Prerequisites:

  • Preparation of a common network connection (via VPN Gateway) using the steps above
  • Enable multi-cluster management in ACK One and create a master instance in the target region
  • Prepare one ASK cluster in the target region of Alibaba Cloud
  • Confirm the existence of one GKE standard cluster in the target region of Google Cloud
  • Create a registered cluster on Alibaba Cloud and successfully connect it to the GKE cluster
  • Associate the prepared clusters with ACK One
  • Prepare the YAML file for configuring the multi-cluster service

You can also read this article as a reference.

30
31
32
33

Reuse the YAML file for configuring the multi-cluster service in this article (in Japanese) to deploy the application, create a service exporter on the ASK cluster on Alibaba Cloud, and create a service importer on the GKE cluster on Google Cloud. Here is an example of the relevant YAML file configuration: ack-vpc-app-meta.yaml, which includes deployments and services for a distributed application.

apiVersion: v1       # The Service provider.
kind: Service
metadata:
  name: service1
  namespace: provider-ns
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: web-demo
    department: demo
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: web-demo
    department: demo
  name: web-demo
  namespace: provider-ns
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web-demo
      department: demo
  template:
    metadata:
      labels:
        app: web-demo
        department: demo
    spec:
      containers:
      - image: bwbw723/ack_one_demo_provider:1.0
        name: web-demo
        env:
        - name: ENV_NAME
          value: cluster1-jp-for-gke
---
apiVersion: core.oam.dev/v1beta1
kind: Application
metadata:
  name: web-demo       # Defining resources and propagation policies for the application
  namespace: provider-ns
  annotations:
    app.oam.dev/publishVersion: version1
spec:
  components:
    - name: web-demo
      type: ref-objects
      properties:
        objects:
          - resource: deployment
            name: web-demo
          - resource: service
            name: service1
  policies:
    - type: topology
      name: cluster2
      properties:
        clusters: ["ID of the ASK cluster"]     # This is the destination cluster for resource distribution. Replace it with the target cluster ID.

A YAML file for configuring the service importer and exporter (ack-vpc-mcs-service-policy.yaml) will be provided separately.

apiVersion: multicluster.x-k8s.io/v1alpha1
kind: ServiceExport
metadata:
  name: service1           # The value need to be the same as the name of the Kubernetes Service being exported
  namespace: provider-ns   # The value need to be the same as the namespace of the Kubernetes Service being exported
---
apiVersion: multicluster.x-k8s.io/v1alpha1
kind: ServiceImport
metadata:
  name: service1           # The value need to be the same as the name of the Kubernetes Service being exported
  namespace: provider-ns   # The value need to be the same as the namespace of the Kubernetes Service being exported
spec:
  ports:                   # the value of this field need to be the same as the port used by the Kubernetes Service being exported
  - port: 80
    protocol: TCP
  type: ClusterSetIP
---
apiVersion: core.oam.dev/v1beta1
kind: Application
metadata:
  name: amcs-export-service1
  namespace: provider-ns
  labels:
    amcs: export
    amcs-service: service1
    app: web-demo
    department: demo
  annotations:
    app.oam.dev/publishVersion: version1
spec:
  components:
    - name: export-service
      type: ref-objects
      properties:
        objects:
          - resource: serviceexport  # Refer to ServiceExport
            name: service1
  policies:
    - type: topology
      name: export-clusters
      properties:
        clusters: ["ID of the ASK cluster"]  # Distribute ServiceExport to ACK Cluster 2
---
apiVersion: core.oam.dev/v1beta1
kind: Application
metadata:
  name: amcs-import-service1
  namespace: provider-ns
  labels:
    amcs: import
    amcs-service: service1
    app: web-demo
    department: demo
  annotations:
    app.oam.dev/publishVersion: version1
spec:
  components:
    - name: import-service
      type: ref-objects
      properties:
        objects:
          - resource: serviceimport  # Refer to ServiceImport
            name: service1
  policies:
    - type: topology
      name: import-clusters
      properties:
        clusters: ["ID of the register cluster for GKE cluster"]  # Distribute ServiceImport to ACK Cluster 1

Update the cluster ID in the YAML configuration file before using it. The following is gke-consumer.yaml in the verification process of the multi-cluster service.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-consumer
  namespace: provider-ns
  labels:
    app: web-demo
    department: demo
spec:
  selector:
    matchLabels:
      app: web-demo
      department: demo
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: web-demo
        department: demo
    spec:
      containers:
      - image: bwbw723/ack_one_demo_consumer:1.0
        name: demo-consumer
        ports:
        - containerPort: 8080
          name: demo-consumer

If necessary, you can upload it to an OSS bucket, download it to the Alibaba Cloud shell environment, and use it further. Alternatively, you can use it directly in your local working environment with the following steps.

11. Update the VPN Connection on the Cluster

Once the multi-cluster service is completed through the VPN connection, you need to access the service from Pods on the GKE cluster. Therefore, you need to make the IP range of Pods on the GKE cluster visible through the VPN connection.

In other words, in addition to the IP range of the subnet network in the steps above, you need to set a new route entry for the IP range of Pods.

Confirm the IP range of Pods and services configured in the GKE cluster:

34

Recreate the VPN tunnel to include both the IP ranges of Pods and services:

35

Update the Alibaba Cloud IPsec connection to add two IP ranges as remote network options: 

36

Check the public route entry on both the VPN Gateway and vSwitch:

37
38

Network connections can be matched to clusters.

12. Build Multi-Cluster Services from Cloud Shell

You can connect to the ACK One master instance from your working environment using Alibaba Cloud shell, just like with ASK/ACK clusters. Open the Master Instance Basic Information page on the ACK One console and click Manage Master Instance in Cloud Shell to enable Cloud Shell.

39

You need to install the AMC component to use the kubectl amc command.

wget http://ack-one.oss-cn-hangzhou.aliyuncs.com/kubectl-amc-linux && chmod +x kubectl-amc-linux && mv kubectl-amc-linux  /usr/local/bin/kubectl-amc

40

Check the clusters managed by the command. If you have successfully associated a cluster in ACK One, it should be displayed here:

kubectl amc get managedclusters

41

Create a new namespace called provider-ns and then create deployments and services as the following steps:

kubectl create ns provider-ns

42
43

Create a distributed application that includes deployment and service using the prepared configuration YAML file. If using the image bwbw723/ack_one_demo_provider:1.0, the created service will respond with generated order information.

kubectl apply -f ack-vpc-app-meta.yaml
kubectl get app web-demo -n provider-ns
kubectl amc get deployment,service -n provider-ns -m <cluster ID>

44
45

You can also check resources directly from the console. Since the application is distributed to an ASK cluster on Alibaba Cloud, the details page of the target cluster should display the relevant deployment, pods, and services.

46
47
48

Create service importers and exporters using the kubectl command and build a multi-cluster service between the ASK and GKE clusters. You can also process it with a wizard from the console. Make sure the multi-cluster service only supports services in ClusterIP mode.

kubectl apply -f ack-vpc-mcs-service-policy.yaml
kubectl amc get serviceexport,serviceimport -n provider-ns -m all

49

The created multi-cluster service could be confirmed from the console. The figure on the page is an example of where Demo Cluster 2 needs to access Service 1 of Demo Cluster 1.

Please check Access Method for Multi-cluster Services on the page:

50

Also, a service will be created on the GKE cluster with the name acms-<name of the service in the ASK cluster>. In this case, the name of the service is acms-service1.

Since the actual response is provided by the service deployed in the ASK cluster, the target service should have a ServingPod of 0/0.

51

Deploy demo-consumer on the GKE cluster to access the multi-cluster service:

kubectl apply -f gke-consumer.yaml

52

Check the Pod generated using the kubectl command:

kubectl get pod -n provider-ns

53

Enter the Pod and check the multi-cluster service. You can confirm the access method of the multi-cluster service found in the steps above or check the local web application on port 8080 provided by the demo-consumer image:

kubectl exec -n provider-ns -ti demo-consumer-6bf66448f7-z54nz -- sh
curl amcs-service1.provider-ns.svc.cluster.local
curl 127.0.0.1:8080

54

Check the security group settings and apply inbound traffic on ports 80/8080 if a connection error occurs there.

13. Conclusion

This article introduced how to connect Google Cloud Kubernetes (GKE) and Alibaba Cloud Kubernetes using ACK One to build a multi-cloud and manage Kubernetes in a unified way. Currently, various hybrid cloud and multi-cloud solutions (such as Google Cloud Anthos and Redhat Openshift) are available. However, with ACK One's simple and easy-to-manage interface, services can be managed flexibly and easily, even on a large scale. I hope this can be a reference for creating a hybrid cloud and multi-cloud using Kubernetes.

References

Manage Serverless Kubernetes Clusters in Alibaba Cloud ACK One:
https://www.alibabacloud.com/blog/manage-serverless-kubernetes-clusters-in-alibaba-cloud-ack-one_599848

Start Hybrid Cloud and Multi-Cloud with Alibaba Cloud ACK One [Part One]:
https://www.alibabacloud.com/blog/start-hybrid-cloud-and-multi-cloud-with-alibaba-cloud-ack-one-part-one_599689

Start Hybrid Cloud and Multi-Cloud with Alibaba Cloud ACK One [Part Two]:
https://www.alibabacloud.com/blog/start-hybrid-cloud-and-multi-cloud-with-alibaba-cloud-ack-one-part-two_599690

Cloud Computing Multi-Cloud Kubernetes Tutorials cloud native ACK K8s ACK One GKE
0 3 1
Share on

Read previous post:

Manage Serverless Kubernetes Clusters in Alibaba Cloud ACK One

Read next post:

A Beginner's Guide to Building RESTful APIs in Python or Node.js Using Tablestore

Hironobu Ohara

9 posts | 0 followers

You may also like

Comments

Hironobu Ohara

9 posts | 0 followers

Related Products

More Posts by Hironobu Ohara

See All