This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Can't access to master node from a instance in different VPC

Posted on 08-19-2024 06:35 PM
sbcho
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I hope this finds you well,

I am trying to set up a private gke cluster and want to access it from a different VPC.
For example I want to set up a private gke cluster in VPC B and access this from VPC A.
I have configured the  VPC Peering between VPC A and B. 
The Control plane global access is enabled and the CIDR of the instance in Subnet located in  VPC A to Control plane authorized networks. I also made a new ingress firewall rules letting the each internal IP range to access the each VPC.
The GKE version is 1.29.7-gke.1008000 and the gcloud cli i used to create the gke cluster is as follows.
```

gcloud container clusters create-auto devops-infra-cluster \
--region asia-northeast3 \
--enable-master-authorized-networks \
--network devops-infra-cluster-vpc \
--subnetwork devops-infra-cluster-subnet \
--cluster-secondary-range-name gke-devops-infra-cluster-pods \
--services-secondary-range-name gke-devops-infra-cluster-services \
--master-ipv4-cidr 172.16.0.16/28 \
--enable-private-endpoint \
--enable-master-global-access \
--scopes=cloud-platform \
--master-authorized-networks 10.4.0.0/20 \
--service-account=devops-infra-service-account@devops-infra-431208.iam.gserviceaccount.com \
--enable-private-nodes

```
Even tough I configured the things i think is needed i still cannot access the control plane from VPC A.
Is there anything that I am missing?

Thanks in advance

Solved Solved
0 2 574
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
garisingh
Staff
Reply posted on --/--/---- --:-- AM

Unfortunately, this setup will not / cannot work because VPC Network Peering does not provide transitive routing. For example, if VPC networks net-a and net-b are connected using VPC Network Peering, and VPC networks net-a and net-c are also connected using VPC Network Peering, VPC Network Peering does not provide connectivity between net-b and net-c.  (The GKE control plane is "peered" with the VPC used by your cluster).

In the short term, you'll need to setup some type of forward proxy (example) to make this work.  We do have a new feature coming out in 4Q which will make this much easier.

View solution in original post

Jump to Solution
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
garisingh
Staff
Reply posted on --/--/---- --:-- AM

Unfortunately, this setup will not / cannot work because VPC Network Peering does not provide transitive routing. For example, if VPC networks net-a and net-b are connected using VPC Network Peering, and VPC networks net-a and net-c are also connected using VPC Network Peering, VPC Network Peering does not provide connectivity between net-b and net-c.  (The GKE control plane is "peered" with the VPC used by your cluster).

In the short term, you'll need to setup some type of forward proxy (example) to make this work.  We do have a new feature coming out in 4Q which will make this much easier.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
sbcho
Bronze 1
Bronze 1
In response to garisingh
Reply posted on --/--/---- --:-- AM

Thanks, I will try to have a go with the forward proxy as you guided

Jump to Solution
0 Likes
Top Labels in this Space
Top Solution Authors
View all