Backend health checks
Automatically monitor the status of backends by configuring health checks.
Health checks periodically and automatically assess the readiness of the Backend to receive requests. You can configure several settings, such as health thresholds and check intervals, that Gloo Gateway uses to determine whether a service is marked as healthy or unhealthy. For more information, see the Envoy health checking documentation.
The steps in this section use the Envoy-based kgateway data plane. The steps do not work with the agentgateway data plane.
Before you begin
Follow the Get started guide to install Gloo Gateway.
Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.
Get the external address of the gateway and save it in an environment variable.
Configure a health check for a Backend
In the healthCheck section of a BackendConfigPolicy resource, specify settings for how you want the health check to perform for a Backend or Kubernetes service. The following example configures a simple set of HTTP health check settings for a service to get you started.
apiVersion: gateway.kgateway.dev/v1alpha1
kind: BackendConfigPolicy
metadata:
name: healthcheck-policy
namespace: gloo-system
spec:
targetRefs:
- name: my-backend
group: ""
kind: Service
healthCheck:
healthyThreshold: 1
http:
path: /status/200
interval: 30s
timeout: 10s
unhealthyThreshold: 1
| Setting | Description |
|---|---|
healthyThreshold | The number of successful health checks required before a Backend is marked as healthy. Note that during startup, only a single successful health check is required to mark a Backend healthy. |
http | Configuration for an HTTP health check. |
http.host | The host header in the HTTP health check request. If unset, defaults to the name of the Backend that this health check is associated with. |
http.path | The path on your app that you want Gloo Gateway to send the health check request to. |
http.method | The HTTP method for the health check to use. If unset, defaults to GET. |
interval | The amount of time between sending health checks to the Backend. You can increase this value to ensure that you don’t overload your Backend service. |
timeout | The time to wait for a health check response. If the timeout is reached, the health check is considered unsuccessful. |
unhealthyThreshold | The number of unsuccessful health checks required before a Backend is marked unhealthy. Note that for HTTP health checking, if a Backend responds with 503 Service Unavailable, this threshold is ignored and the Backend is immediately considered unhealthy. |
grpc | Optional configuration for a gRPC health check. The example omits this field because the Backend is not a gRPC service. |
grpc.authority | The authority header in the gRPC health check request. If unset, defaults to the name of the Backend that this health check is associated with. |
grpc.serviceName | Optional: Name of the gRPC service to check. The example omits this field because the Backend is not a gRPC service. |
Verify the health check configuration
To try out an active health check policy, you can follow these steps to create a BackendConfigPolicy for the httpbin sample app and check the endpoint status in the Envoy service directory.
Create a BackendConfigPolicy resource that configures a health check on the httpbin path
/status/503. This path always returns a503 Service UnavailableHTTP response code, which Gloo Gateway interprets as a failing request.kubectl apply -f- <<EOF apiVersion: gateway.kgateway.dev/v1alpha1 kind: BackendConfigPolicy metadata: name: httpbin-healthcheck namespace: httpbin spec: targetRefs: - name: httpbin group: "" kind: Service healthCheck: healthyThreshold: 1 http: path: /status/503 interval: 2s timeout: 1s unhealthyThreshold: 1 EOFCheck the endpoint in the Envoy service directory.
- Port-forward the
httpgateway deployment on port 19000.kubectl port-forward deploy/http -n gloo-system 19000 & - Send an
HTTP GETrequest to the/clustersendpoint.curl -X GET 127.0.0.1:19000/clusters - In the output, search for
/failed_active_hc, which indicates that the Backend failed its active health check. For example, you might see a line such as the following.httpbin_httpbin::10.XX.X.XX:8080::health_flags::/failed_active_hc - Stop port-forwarding the
httpdeployment.lsof -ti:19000 | xargs kill -9
- Port-forward the
Cleanup
You can remove the resources that you created in this guide.
kubectl delete BackendConfigPolicy httpbin-healthcheck -n httpbin