Overview

Welcome to Anthos!

Kubernetes is the de-facto standard for container orchestration, and Google Kubernetes Engine (GKE) is a leader in the field of managed Kubernetes offerings. In 2018, Google brought Kubernetes to data centers with a new offering called Anthos, a certified and managed extension of the cloud-based GKE platform.

Responding to significant early successes and listening to customer needs, Google has expanded its efforts to enable your modernization effort.

Anthos is a modern application management platform announced by Google at Next '19. Anthos provides the tools and technology you need for modern, hybrid, and multi-cloud solutions, all built on the foundations of GKE. Anthos enables several features, including:

• Infrastructure provisioning in both cloud and on-premises
• Infrastructure management tooling, security, policies and compliance solutions
• Streamlined application development, service discovery and telemetry, service management, and workload migration from on-premises to cloud

In this lab, you will deploy Anthos clusters on AWS. Note that Anthos has a number of other deployment options, such as Anthos clusters on bare metal, Anthos clusters on VMware, and Anthos clusters on Azure. In addition, you use Attached clusters, which are third-party Kubernetes clusters registered to your fleet.

Objectives

In this lab, you learn how to perform the following tasks:

• Create and register an Anthos GKE cluster on Google Cloud.
• Create and register an Anthos cluster on AWS.
• Access the Anthos cluster on AWS via Connect Gateway.
• Review cluster configurations for AWS and Google Cloud with the GKE interface on the Google Cloud Console.
• Deploy workloads and services to Anthos clusters on Google Cloud and AWS.
• Get information about your multi-cloud deployment using the Anthos dashboard on the Google Cloud Console.

Lab architecture

Setup and requirements

In this task, you use Qwiklabs and perform initialization steps for your lab.

For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.

1. Sign in to Qwiklabs using an incognito window.

2. Note the lab's access time (for example, 1:15:00), and make sure you can finish within that time.
   There is no pause feature. You can restart if needed, but you have to start at the beginning.

3. When ready, click Start lab.

4. Note your lab credentials (Username and Password). You will use them to sign in to the Google Cloud Console.

5. Click Open Google Console.

6. Click Use another account and copy/paste credentials for this lab into the prompts.
   If you use other credentials, you'll receive errors or incur charges.

7. Accept the terms and skip the recovery resource page.

After you complete the initial sign-in steps, the project dashboard appears.

8. Click Select a project, highlight your Google Cloud Project ID, and click Open to select your project.

Activate Google Cloud Shell

Google Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud.

Google Cloud Shell provides command-line access to your Google Cloud resources.

1. In Cloud console, on the top right toolbar, click the Open Cloud Shell button.

   

2. Click Continue.

It takes a few moments to provision and connect to the environment. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. For example:

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

• You can list the active account name with this command:

gcloud auth list

Output:

Credentialed accounts: - @.com (active)

Example output:

Credentialed accounts: - google1623327_student@qwiklabs.net

• You can list the project ID with this command:

gcloud config list project

Output:

[core] project =

Example output:

[core] project = qwiklabs-gcp-44776a13dea667a6 Note: Full documentation of gcloud is available in the gcloud CLI overview guide .

Task 1. Set up your project

To access some of the resource types within Google Cloud, you first need to enable a few APIs. These are enabled automatically when you first access a service through the UI or command line. To simplify the process and reduce user prompts, you explicitly enable the APIs needed.

1. In the Cloud Shell, set up the following environment variables, which will be used in scripts throughout the lab:

   export PROJECT_ID=$(gcloud config get-value project) export GCP_CLUSTER_NAME=gcp-cluster export GCP_CLUSTER_ZONE={{{project_0.default_zone|GCP Zone}}}

2. In the Cloud Shell, enable APIs required for the tasks in the lab:

   gcloud services enable \ gkemulticloud.googleapis.com \ connectgateway.googleapis.com \ cloudresourcemanager.googleapis.com \ container.googleapis.com \ gkeconnect.googleapis.com \ gkehub.googleapis.com \ serviceusage.googleapis.com \ anthos.googleapis.com \ logging.googleapis.com \ monitoring.googleapis.com \ stackdriver.googleapis.com \ storage-api.googleapis.com \ storage-component.googleapis.com \ securetoken.googleapis.com \ sts.googleapis.com

3. To confirm that specific APIs are enabled, in the Google Cloud Console, on the Navigation menu (), click APIs & Services.

Task 2. Start the setup of your GKE (on Google Cloud) cluster

• To create your cluster, in Cloud Shell, run the following command:

  gcloud container clusters create $GCP_CLUSTER_NAME \ --zone $GCP_CLUSTER_ZONE \ --machine-type "n1-standard-2" \ --enable-ip-alias \ --num-nodes=2 \ --workload-pool=$PROJECT_ID.svc.id.goog \ --release-channel=regular \ --project=$PROJECT_ID

  This should begin the installation of your GKE cluster. Cluster creation will take about five minutes, so continue to the next task while installation continues in the background.

Task 3. Review the provisioned AWS resources and prepare the environment

This lab has provisioned the following AWS Virtual Private Cloud (VPC) architecture for you to be able to run Anthos clusters on AWS. Refer to the Create an AWS VPC documentation to reproduce the setup steps.

The AWS VPC has been deployed in us-east-1 and uses the IP CIDR range 10.0.0.0/16. It contains the following resources:

• Three private subnets in three different availability zones: us-east-1a, us-east-1b, us-east-1c
  • Later, you deploy the control plane nodes, load balancer endpoints, and the worker nodes of your cluster in these subnets.
• Three public subnets in the same availability zones as the private subnets
  • A NAT Gateway in each public subnet to provide outbound internet access for the private subnets and public load balancer endpoints
  • An Internet Gateway to allow a route from the public subnets to allow internet connectivity

All subnets are tagged for subnet auto-discovery so that when you create a Kubernetes Service, an AWS Load Balancer can be provisioned in those networks. Internal load balancers will be provisioned in the private subnets, and internet-facing load balancers will be provisioned in the public subnets. The tag used dictates the type of load balancer.

Review the bootstrapped resources in the AWS Console

1. Right-click on the AWS Console URL button on the Qwiklabs instructions page, and select Open Link in Incognito Window (or whatever the equivalent is in your browser).

2. Log in using the AWS Username and AWS Password provided by Qwiklabs.

3. In the search bar of the console window, enter vpc and press ENTER.

   A dashboard displays all the AWS networking resources that have been deployed.

   

4. (Optional) Investigate the resources created and verify that they match the lab architecture diagram in the Objectives section of this lab guide. There might be some additional resources that AWS creates in every new account, but you can ignore them.

Note:

• What IP CIDR ranges are associated with the private subnets?
• What tags are associated with the subnets?
• What Elastic IP addresses are associated with the NAT Gateways?

Configure the AWS CLI

1. In the Google Cloud Console, open a new Cloud Shell tab.

2. In the new tab, set the project ID as an environment variable:

   export PROJECT_ID=$(gcloud config get-value project) gcloud config set project $PROJECT_ID

3. Download and install the AWS CLI:

   curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" unzip awscliv2.zip sudo ./aws/install

4. Configure the AWS CLI:

   aws configure

5. At the prompt, enter the following:

   Property	Value
   AWS Access Key ID
   AWS Secret Access Key
   Default region name	us-east-1
   Default output format	json

    

Obtain the AWS IDs

1. Initialize the environment variables with the references to AWS resources:

   AWS_CLUSTER=aws-cluster AWS_REGION=us-east-1 VPC=${AWS_CLUSTER}-anthos-vpc PRIVATE_SUBNET_1=${VPC}-private-cp-us-east-1a PRIVATE_SUBNET_2=${VPC}-private-cp-us-east-1b PRIVATE_SUBNET_3=${VPC}-private-cp-us-east-1c CONTROL_PLANE_PROFILE=${AWS_CLUSTER}-anthos-cp-instance-profile NODE_POOL_IAM_INSTANCE_PROFILE=aws-cluster-anthos-np-instance-profile

2. Get the AWS VPC and the subnets, and store their IDs:

   VPC_ID=`aws ec2 describe-vpcs \ --filters Name=tag:Name,Values=$VPC \ --query Vpcs[].VpcId --output text` PRIVATE_SUBNET_ID_1=`aws ec2 describe-subnets \ --filters Name=tag:Name,Values=$PRIVATE_SUBNET_1 \ --query "Subnets[].SubnetId" --output text` PRIVATE_SUBNET_ID_2=`aws ec2 describe-subnets \ --filters Name=tag:Name,Values=$PRIVATE_SUBNET_2 \ --query "Subnets[].SubnetId" --output text` PRIVATE_SUBNET_ID_3=`aws ec2 describe-subnets \ --filters Name=tag:Name,Values=$PRIVATE_SUBNET_3 \ --query "Subnets[].SubnetId" --output text`

3. Get the AWS API Roles that will be used by the Anthos Multi-Cloud API to create and manage your clusters and node pools:

   API_ROLE_ARN=$(aws iam list-roles \ --query 'Roles[?RoleName==`aws-cluster-anthos-api-role`].Arn' \ --output text)

   This role has a policy associated with permissions to manage AWS Key Management Service (KMS), Elastic Compute Cloud (EC2), Autoscaling, Elastic Load Balancer (ELB), and Identity and Access Management (IAM).

4. Get the AWS Key Management Service (KMS) keys:

   ENCRYPTION_KEY=$(aws kms describe-key \ --key-id alias/aws-cluster-database-encryption-key \ --query 'KeyMetadata.Arn' --output text)

   Anthos clusters on AWS require two AWS KMS keys. In this lab, you use the same key for both use cases. The KMS keys encrypt:

   • Data during the installation process with envelope encryption.
   • Application-layer secrets in your user clusters.

Task 4. Create the Anthos cluster on AWS

1. Create the Anthos cluster on AWS:

   gcloud container aws clusters create $AWS_CLUSTER \ --cluster-version 1.30.3-gke.100 \ --aws-region us-east-1 \ --location={{{project_0.default_region|GCP Region}}} \ --fleet-project $PROJECT_ID \ --vpc-id $VPC_ID \ --subnet-ids $PRIVATE_SUBNET_ID_1,$PRIVATE_SUBNET_ID_2,$PRIVATE_SUBNET_ID_3 \ --pod-address-cidr-blocks 10.2.0.0/16 \ --service-address-cidr-blocks 10.1.0.0/16 \ --role-arn $API_ROLE_ARN \ --iam-instance-profile $CONTROL_PLANE_PROFILE \ --database-encryption-kms-key-arn $ENCRYPTION_KEY \ --config-encryption-kms-key-arn $ENCRYPTION_KEY \ --tags google:gkemulticloud:cluster=$AWS_CLUSTER

   Notice that the 10.1.0.0/16 IP CIDR range is used for Kubernetes ClusterIP Services and the 10.2.0.0/16 IP CIDR is used for Kubernetes Pods. Those CIDR ranges are part of the AWS VPC that you created but are not part of the subnets. The subnets host the cluster nodes.

Congratulations! You have started the Anthos cluster on AWS creation process. This process will take approximately 5 minutes to complete.

2. While you are waiting for the cluster to be provisioned, switch to the AWS console tab in your browser and note the newly created VMs.

Note:

• How many VMs are created for the control plane of your user cluster (you may need to wait for a minute and refresh before you see the VMs)?
• What zones are your control plane nodes located in?

3. On the left side of the AWS console, scroll down to Load Balancing and select Load Balancers.

Note:

• How many load balancers have been created?
• What is each one used for?

4. Switch back to the browser tab with Cloud Shell open, and when the command returns, generate an asymmetric private key and import its public key into AWS:

   ssh-keygen -t rsa -m PEM -b 4096 -C "$USER" \ -f SSH_PRIVATE_KEY -N "" 1>/dev/null aws ec2 import-key-pair --key-name SSH_KEY_PAIR_NAME \ --public-key-material fileb://SSH_PRIVATE_KEY.pub

   In the next step, you associate them with the EC2 node pool instances to be able to SSH into them later.

5. Add a node pool to your cluster:

   gcloud container aws node-pools create pool-0 \ --cluster $AWS_CLUSTER \ --location={{{project_0.default_region|GCP Region}}} \ --node-version 1.30.3-gke.100 \ --min-nodes 1 \ --max-nodes 5 \ --max-pods-per-node 110 \ --root-volume-size 50 \ --subnet-id $PRIVATE_SUBNET_ID_1 \ --iam-instance-profile $NODE_POOL_IAM_INSTANCE_PROFILE \ --config-encryption-kms-key-arn $ENCRYPTION_KEY \ --ssh-ec2-key-pair SSH_KEY_PAIR_NAME \ --tags google:gkemulticloud:cluster=$AWS_CLUSTER

6. Obtain the credentials to your cluster:

   gcloud container aws clusters get-credentials $AWS_CLUSTER --location={{{project_0.default_region|GCP Region}}} kubectx aws=.

7. Check the cluster information:

   kubectl cluster-info

   Output:

   Kubernetes control plane is running at https://connectgateway.googleapis.com... CoreDNS is running at https://connectgateway.googleapis.com... Metrics-server is running at https://connectgateway.googleapis.com...

   Notice that you are not connecting directly to your Anthos cluster on AWS. Instead, you are connecting through the Anthos Connect Gateway, which then securely forwards the requests via the connect agent to the Kubernetes API server.

8. Verify that you can see your worker nodes:

   kubectl get nodes

9. To authorize the Kubernetes workload identity gke-system/gke-telemetry-agent to write logs to Cloud Logging and write metrics to Cloud Monitoring, run this command:

   gcloud projects add-iam-policy-binding ${PROJECT_ID} \ --member="serviceAccount:${PROJECT_ID}.svc.id.goog[gke-system/gke-telemetry-agent]" \ --role=roles/gkemulticloud.telemetryWriter

   Anthos clusters on AWS can create and upload system logs and metrics to Google Cloud's operations suite only if authorized.

Task 5. Connect the Anthos cluster on AWS with the Google Cloud Console

1. In your browser, switch to the tab with Google Cloud Console.

2. On the Navigation menu, click Kubernetes Engine > Clusters.

3. In the row for aws-cluster in the cluster list, click the 3-dots menu.

4. Select Log in, select Use your Google Identity to log-in, and then click Login.

5. Click on the aws-cluster entry to display information about your Anthos cluster on AWS.

6. On the Navigation menu, click Anthos > Overview. One cluster is displayed.

7. Click View all clusters.

8. Click on the aws-cluster entry.

   A Details pane displays information about your AWS Anthos Cluster.

Task 6. Register the GKE cluster on the Anthos Hub

1. Return to the first Cloud Shell tab.

2. Verify that your cluster has been created. The output from the initial cluster creation command should look like this:

   NAME LOCATION MASTER_VERSION... gcp-cluster {{{project_0.default_zone|GCP Zone}}} 1.24.8-gke.2000 ...

   You may need to wait for a minute or two for the cluster to be created.

3. To configure kubectx with a short name for the kubectl context that is used to manage the Google Cloud cluster, run the following command:

   gcloud container clusters get-credentials gcp-cluster \ --zone {{{project_0.default_zone|GCP Zone}}} \ --project $PROJECT_ID kubectx gcp=.

   While registering the cluster, you can configure the Connect Agent to use either Workload Identity or a Google Cloud Service Account. In this lab, you use Workload Identity.

4. Register the GKE cluster on the Anthos Hub:

   gcloud beta container fleet memberships register $GCP_CLUSTER_NAME \ --gke-cluster=$GCP_CLUSTER_ZONE/$GCP_CLUSTER_NAME \ --enable-workload-identity Note: If an error says PERMISSION_DENIED: fleet default service account does not have access, wait for one minute and try re-running the command. If it fails a second time, repeat the wait/retry cycle 1-2 more times.
   There is a known issue with registering GKE clusters using Workload Identity where the first effort fails, but then it will work 1-3 minutes later.

5. In the Cloud Console, on the Navigation menu, click Anthos > Overview. Cluster Status should now list two available clusters.

6. Click View all clusters. A list displays your GKE on Google Cloud cluster.

7. Click on the gcp-cluster entry to see cluster details.

Note: What does the Manage features button in the Detail pane do?

Task 7. Deploy applications to your clusters

Doing a simple deployment to your Anthos on Google Cloud cluster

1. In your browser, return to the Cloud Shell tab. Switch to the first Cloud Shell terminal tab, where you originally created the cluster on Google Cloud.

2. Ensure that kubectl is configured in this terminal window to point to your Google Cloud cluster:

   kubectx gcp

3. Create a manifest for a Kubernetes Deployment of a simple application:

cat <<EOF > deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: my-deployment-50001 spec: selector: matchLabels: app: products department: sales replicas: 3 template: metadata: labels: app: products department: sales spec: containers: - name: hello image: "gcr.io/google-samples/hello-app:2.0" env: - name: "PORT" value: "50001" EOF

4. Create the deployment on your Google Cloud cluster:

   kubectl apply -f deployment.yaml

5. In the Cloud Console, go to Kubernetes Engine > Workloads, and verify that the Deployment has been created and the pods are running.

   You can also check the pods from the command line:

   kubectl get pods --selector=app=products

6. Return to the Cloud Shell tab. Create a Kubernetes service manifest for your application:

   cat <<EOF > service.yaml apiVersion: v1 kind: Service metadata: name: my-lb-service spec: type: LoadBalancer selector: app: products department: sales ports: - protocol: TCP port: 80 targetPort: 50001 EOF

7. Create the service:

   kubectl apply -f service.yaml

8. In the Cloud Console, go to Kubernetes Engine > Services & Ingress, and verify that the Service has been created and the external IP address has been assigned. It make take a minute or two until the service is ready.

   You can also check the pods from the command-line:

   kubectl get service my-lb-service

9. When the service is ready, get the External IP address of the load balancer and load that address in a new browser tab. You should see output like this:

Hello, world! Version: 2.0.0 Hostname: my-deployment-50001-58f9d56c76-c7j55

Doing a simple deployment to your Anthos on AWS cluster

Now, you will do the same deployment to your AWS cluster.

1. Switch to the browser tab with Cloud Shell.

2. Switch to the second Cloud Shell tab where you created the AWS cluster.

3. Ensure that kubectl is configured to manage your AWS cluster:

   kubectx aws

4. Apply the deployment and service manifest to your AWS cluster:

   kubectl apply -f ~/deployment.yaml kubectl apply -f ~/service.yaml

5. Confirm that the deployment was successfully created:

   kubectl get pods

6. Confirm that the service was successfully created:

   kubectl get services

You can also check both via GKE management UI in the console.

7. Switch to the browser tab with the Google Cloud Console.

8. On the Navigation menu, click Kubernetes Engine > Workloads.

   A second my-deployment-50001 entry is displayed, this time for aws-cluster.

9. In the menu pane, click Services & Ingress.

   Two my-lb-service entries, one for each cluster, are displayed.

10. Click the link in the Endpoints column for the aws-cluster my-lb-service.

The same hello world message you saw with the gcp-cluster deployment should be displayed. If you see an error, wait a minute or two until the load balancer in AWS has finished setting up, and then try again.

Task 8. Clean up the environment

1. Delete the Kubernetes resources on the Anthos cluster on AWS:

kubectx aws kubectl delete -f ~/deployment.yaml kubectl delete -f ~/service.yaml

2. Delete the node pool from the Anthos cluster on AWS:

gcloud container aws node-pools delete pool-0 --cluster aws-cluster --location={{{project_0.default_region|GCP Region}}}

3. Enter Y and press enter to confirm.

4. Delete your cluster Anthos cluster on AWS:

gcloud container aws clusters delete aws-cluster --location={{{project_0.default_region|GCP Region}}}

5. Enter Y and press enter to confirm.

6. Delete your GKE cluster:

gcloud container clusters delete gcp-cluster --zone {{{project_0.default_zone|GCP Zone}}}

7. Enter Y and press enter to confirm.

Congratulations!

In this lab, you created and registered Anthos GKE clusters on Google Cloud and AWS. You managed clusters using both the CLI and the Google Cloud Console. You deployed workloads using standard kubectl commands on both clusters.

End your lab

When you have completed your lab, click End Lab. Google Cloud Skills Boost removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

• 1 star = Very dissatisfied
• 2 stars = Dissatisfied
• 3 stars = Neutral
• 4 stars = Satisfied
• 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.