Stable public IP or IP range for outbound connections in GKE

I use Google Kubernetes Engine to run on-demand pods. Each pod is publicly exposed to the internet using a NodePort service.

I am looking for a way in GKE to get a single IP or an IP range for outbound connections, to give to third-party APIs so they can whitelist them.

The GKE node IPs are not manageable when nodes autoscale or when I upgrade them. I need a way to maintain a consistent outbound IP.

I have tried using a simple NAT gateway for the Kubernetes nodes (using the example from here), and while this routes the outbound connections through the NAT gateway, it breaks inbound traffic to the pods (NodePort service), since it gets dropped at the NAT gateway.

  • Is there a default IP range for a Google Cloud region which I can provide to the third party to whitelist (or)
  • Does GKE provide a way to select node external IPs from a pre-reserved list of static IPs (or)
  • Is there any other way to accomplish having a single static IP or an IP range that represents the outbound traffic from the pods

I have found similar questions like this, but they don't address my problem as the pods should be externally connectable, which breaks when using a NAT.


Google Cloud now provides a managed NAT Gateway service - Cloud NAT.

This gateway can be used with a GKE cluster, which provides a stable public egress IP to all the pods inside it, which enables them to be whitelisted by third-party service providers.

The example implementation for using Cloud NAT with GKE is provided here - https://cloud.google.com/nat/docs/gke-example
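As an added example (not code from the original answer or from the Google documentation it links), the script below reserves static regional addresses, creates a Cloud Router and a Cloud NAT that sources egress only from those addresses (manual allocation, so the pool handed to a third party never changes under autoscaling), and then checks from inside the cluster that a pod's egress address really is one of them. All project, region, network and resource names are placeholders. It assumes the nodes have no external IP addresses (a private cluster, as in the linked example), because Cloud NAT only translates traffic from interfaces without an external IP; a node that keeps its own external IP egresses directly from it, which is exactly what the verification step is meant to catch. The IP-echo URL is also an assumption.

```shell
#!/usr/bin/env bash
# Added example: stable egress for GKE via Cloud NAT with reserved addresses.
# PROJECT, REGION, NETWORK, ROUTER, NAT and ADDR_NAMES are placeholders, not
# values from the original question or answer.
set -eu

PROJECT="${PROJECT:-my-project}"            # placeholder project id
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-default}"               # VPC the GKE nodes live in
ROUTER="${ROUTER:-gke-egress-router}"
NAT="${NAT:-gke-egress-nat}"
ADDR_NAMES="${ADDR_NAMES:-gke-egress-ip-1 gke-egress-ip-2}"

# Reserve one regional static external IP per name; safe to re-run.
reserve_addresses() {
  for name in $ADDR_NAMES; do
    gcloud compute addresses describe "$name" \
      --project="$PROJECT" --region="$REGION" >/dev/null 2>&1 \
    || gcloud compute addresses create "$name" \
      --project="$PROJECT" --region="$REGION"
  done
}

# Print the reserved addresses as a comma-separated list (the NAT pool).
# This list is what you hand to the third party to whitelist.
reserved_pool() {
  pool=""
  for name in $ADDR_NAMES; do
    ip=$(gcloud compute addresses describe "$name" \
      --project="$PROJECT" --region="$REGION" --format='value(address)')
    pool="${pool:+$pool,}$ip"
  done
  printf '%s\n' "$pool"
}

# Cloud Router + Cloud NAT. Manual IP allocation means egress can only ever be
# sourced from the reserved pool; ERRORS_ONLY logging records connections that
# Cloud NAT had to drop (e.g. port exhaustion), which is worth alerting on.
create_nat() {
  gcloud compute routers create "$ROUTER" \
    --project="$PROJECT" --network="$NETWORK" --region="$REGION"
  gcloud compute routers nats create "$NAT" \
    --project="$PROJECT" --router="$ROUTER" --router-region="$REGION" \
    --nat-external-ip-pool="$(reserved_pool)" --nat-all-subnet-ip-ranges \
    --enable-logging --log-filter=ERRORS_ONLY
}

# Pure-shell membership check, usable offline: is the observed source address
# one of the addresses in the comma-separated pool? Exact match only, so
# "3.0.113.10" does not match a pool containing "203.0.113.10".
ip_in_pool() {
  observed="$1"
  pool="$2"
  case ",$pool," in
    *",$observed,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Verify from inside the cluster: run a throwaway pod that asks an external
# echo service for its source address and compare with the reserved pool.
# IP_ECHO_URL is an assumption; any service that echoes the caller's IP works.
verify_egress() {
  observed=$(kubectl run egress-check --rm -i --restart=Never \
    --image=curlimages/curl -- curl -s "${IP_ECHO_URL:-https://api.ipify.org}")
  if ip_in_pool "$observed" "$(reserved_pool)"; then
    echo "egress OK: $observed is in the reserved pool"
  else
    echo "egress MISMATCH: $observed is not reserved (node external IP in use?)" >&2
    return 1
  fi
}

# Nothing touches GCP unless APPLY=1 is set explicitly.
if [ "${APPLY:-0}" = "1" ]; then
  reserve_addresses
  create_nat
  verify_egress
fi
```

Run it as `APPLY=1 PROJECT=... REGION=... NETWORK=... ./egress-nat.sh`; without `APPLY=1` it only defines the functions. If `verify_egress` reports a mismatch, the pod's traffic is leaving through a node's own external address rather than through Cloud NAT, and the whitelist given to the third party will silently stop matching as nodes are replaced.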


You can try this solution:

https://cloud.google.com/solutions/using-a-nat-gateway-with-kubernetes-engine

Under normal circumstances, Google Kubernetes Engine nodes route all egress traffic through the internet gateway associated with their node cluster. The internet gateway connection, in turn, is defined by the Compute Engine network associated with the node cluster. Each node in the cluster has an ephemeral external IP address. When nodes are created and destroyed during autoscaling, new node IP addresses are allocated automatically.

The default gateway behavior works well under normal circumstances. However, you might want to modify how ephemeral external IP addresses are allocated in order to:

  • Provide a third-party service with a consistent external IP address.
  • Monitor and filter egress traffic out of the Google Kubernetes Engine cluster.