
Access GKE private endpoint via private service connect published service

Hi All

I want to roll out many GKE clusters in separate projects that use a shared VPC. These clusters must be private and have no allowed CIDR ranges configured. To facilitate connecting to the various private GKE control plane endpoints from a central control plane running a Terraform workflow, I need some routable endpoint to any given GKE private endpoint.

I tried using a hybrid connectivity NEG configured with the private IP address of the GKE private endpoint and using Private Service Connect to publish a service via a load balancer. My initial thinking was that this would work, but unfortunately not.

An alternative I know of is using tinyproxy (GKE deployment & service) with a Private Service Connect published service to facilitate the connection to the GKE cluster master nodes, but I am not 100% sure if this violates my and Google's shared responsibility agreement.

For further context: 

I am not interested in peering or Cloud VPN 
I am not interested in using authorized IPs on the public and private endpoints. 

Accepted solution:

The solution to this is to connect over the DNS endpoint, though I am not 100% sure how it works. But from my testing it's more secure than connecting over the public host IP.

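What "connecting over the DNS endpoint" looks like in the asker's Terraform workflow, as an added example that is not from this thread: a private cluster whose IP-based endpoints keep no authorized CIDRs, with the DNS-based control plane endpoint enabled so that access is authorized by IAM rather than by source IP. The project, network and cluster names are placeholders, and the `control_plane_endpoints_config` block and its exported `endpoint` attribute are assumed from the google provider 6.x.

```terraform
# Added example, not code from the thread. Placeholder names throughout.
resource "google_container_cluster" "private" {
  name     = "example-private-cluster"
  location = "europe-west1"
  project  = "example-service-project"

  # Shared VPC owned by the host project (placeholder paths).
  network    = "projects/example-host-project/global/networks/shared-vpc"
  subnetwork = "projects/example-host-project/regions/europe-west1/subnetworks/gke"

  remove_default_node_pool = true
  initial_node_count       = 1
  deletion_protection      = false

  ip_allocation_policy {}   # VPC-native, required for private nodes

  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = true   # no public IP endpoint on the control plane
  }

  # Deliberately empty: no CIDR ranges are authorized on the IP endpoints,
  # matching the requirement stated in the question.
  master_authorized_networks_config {}

  control_plane_endpoints_config {
    dns_endpoint_config {
      # Enables the gke-<id>.<location>.gke.goog hostname. Callers are then
      # checked by IAM (container.clusters.connect on the cluster) instead of
      # by source IP. false keeps the hostname reachable only from inside
      # Google Cloud networks, which covers Atlantis running in the shared VPC.
      allow_external_traffic = false
    }
  }
}

output "control_plane_dns_endpoint" {
  # Hostname the central Terraform/Atlantis runner should use as the
  # Kubernetes API server address (attribute name assumed from the provider).
  value = google_container_cluster.private.control_plane_endpoints_config[0].dns_endpoint_config[0].endpoint
}
```

On the runner, `gcloud container clusters get-credentials example-private-cluster --location europe-west1 --dns-endpoint` then writes a kubeconfig that targets this hostname, and the IP-based endpoints stay unreachable to it.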


Hi @Wittes,

Welcome to Google Cloud Community!

Regarding the alternative setup of the GKE cluster, you might consider using a bastion host instead of tinyproxy. A bastion host is suited for secure administrative access to internal resources and nodes in your GKE cluster.

This approach aligns with Google's shared responsibility model. By adhering to best practices for managing your bastion host, Private Service Connect, and network configuration, you can ensure full compliance with Google's security guidelines.

Here is documentation related to Private Service Connect and bastion hosts in Google Cloud that can help you:

I hope the above information is helpful.

Your first point of using a bastion host with tinyproxy I explicitly said is not an option. But see the solution.

Where is the "central control plane" running?

Sorry for the late reply, that's Terraform running with Atlantis on another subnet in the shared VPC setup.

