
I have created a Google Cloud load balancer: configuration.

The backend is an unmanaged instance group. For example, it consists of one VM. The gRPC service is deployed on the VM (port 443). gRPC health checks are successful. But the gRPC client cannot connect to the service. I can't find a solution to this problem.

The last thing I found in the documentation:

> If you use HTTP/2, you must use TLS. HTTP/2 without encryption is not supported.

Could this be a solution and I just need to secure the gRPC connection with SSL/TLS?

  • Did you enable HTTP/2 as the protocol from the load balancer to the backends? According to the [documentation](https://cloud.google.com/load-balancing/docs/https#using_grpc_with_your_applications) this is a requirement. – Gabriel Robledo Ahumada Jul 28 '22 at 15:05

1 Answer

You need to enable TLS on the Load Balancer and also between the Load Balancer and your backend VM.

boredabdel
  • Thanks for the answer. I use a Google-managed SSL certificate on the frontend (Load Balancer). This part looks correct. I will make the gRPC service also secure and check if it works. – Denis Yarullin Jul 26 '22 at 16:54
  • I have set up a gRPC secure connection, but [gRPC health checks don't support TLS](https://cloud.google.com/load-balancing/docs/health-check-concepts?hl=en_US#criteria-protocol-grpc). – Denis Yarullin Jul 27 '22 at 15:02
  • Correct, our gRPC health-check doesn't support TLS. You have two solutions. Either you make your app expose a health-check port and path with HTTP, or you can use a custom proxy for that. This is an example (https://github.com/GoogleCloudPlatform/gke-networking-recipes/tree/main/ingress/single-cluster/ingress-custom-grpc-health-check) which shows how to set this up on GKE, but you can use the same proxy on a VM. – boredabdel Jul 28 '22 at 07:55
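
The first option from the last comment (a plain-HTTP health-check port next to the TLS gRPC listener), as an added example that is not part of the original thread and is not the linked Google proxy. The health port `8080`, the path `/healthz` and the function names are assumptions; the backend port 443 is the one from the question. The endpoint reports healthy only when the local gRPC listener completes a TLS handshake and selects HTTP/2 through ALPN.

```python
import socket
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

GRPC_BACKEND = ("127.0.0.1", 443)  # TLS gRPC listener on the VM (port from the question)
HEALTH_PORT = 8080                 # assumed plain-HTTP port for the LB HTTP health check


def probe_backend(host, port, timeout=2.0):
    """Return True if the listener completes a TLS handshake and selects h2 via ALPN."""
    # Loopback liveness probe: it checks that TLS + HTTP/2 is being served,
    # not the peer's identity, so certificate verification is off on purpose.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(["h2"])
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.selected_alpn_protocol() == "h2"
    except OSError:  # refused, timed out, or not speaking TLS (ssl.SSLError is an OSError)
        return False


class HealthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/healthz":
            self.send_error(404)
            return
        ok = probe_backend(*self.server.backend)
        body = b"ok\n" if ok else b"backend TLS/h2 handshake failed\n"
        self.send_response(200 if ok else 503)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep periodic probe requests out of stderr


def make_server(listen_port=HEALTH_PORT, backend=GRPC_BACKEND):
    # Serves only a status code; firewall this port to the LB health-check source ranges.
    srv = HTTPServer(("0.0.0.0", listen_port), HealthHandler)
    srv.backend = backend
    return srv


if __name__ == "__main__":
    make_server().serve_forever()
```

The load balancer's health check would then be an HTTP check against port 8080 and path `/healthz`, while the backend service protocol stays HTTP/2 on port 443.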