
GKE gateway firewall rules are not auto created in shared VPC

Hi all,

I'm encountering a problem with GKE Gateway where the NEG is warning about an unhealthy backend (on port 8080). I think it's probably due to the firewall rules.

Per https://cloud.google.com/kubernetes-engine/docs/concepts/firewall-rules#gateway-fws, GKE gateway should auto create two firewall rules `gkegw1-l7-[network]-[region/global]` and `gkemcg1-l7-[network]-[region/global]` but it didn't.

I have granted the Compute Security Admin role to the GKE service account in the host project per https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#shared_vpc.

Could you help me figure out what I should do in this case? Thanks!

Best,

1 ACCEPTED SOLUTION

When using Shared VPC, Gateway API controller doesn't create firewall rules for you.

It's documented here: https://cloud.google.com/kubernetes-engine/docs/concepts/firewall-rules#shared_vpc

Note: In case of GKE Gateway, currently the firewall rules are not automatically deployed. You need to manually create the firewall rules in order for health checks to succeed.

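As an added example (not from the original thread or from Google's documentation), the script below composes the host-project firewall rules the accepted answer says you must create yourself in a Shared VPC, scoped to Google's health-check prober ranges and to the node network tag rather than to the whole internet. The host project, network name, node tag and location are placeholders.

```shell
#!/bin/sh
# Added example: emit the gcloud commands that create the GKE Gateway health-check
# firewall rules in the Shared VPC host project. The Gateway controller does not
# create these for you, so the NEG backend stays unhealthy until they exist.
# Placeholders (assumptions, not values from the thread):
HOST_PROJECT="${HOST_PROJECT:-my-host-project}"   # Shared VPC host project
NETWORK="${NETWORK:-shared-vpc}"                  # host-project VPC network name
LOCATION="${LOCATION:-global}"                    # "global" or a region, as in the rule names
NODE_TAG="${NODE_TAG:-gke-my-cluster-node}"       # network tag carried by the GKE nodes
BACKEND_PORT="${BACKEND_PORT:-8080}"              # container port the NEG health check probes

# Google Cloud health-check prober source ranges. Limiting --source-ranges to these
# is what keeps the rule from exposing the backend port to 0.0.0.0/0.
HC_RANGES="130.211.0.0/22,35.191.0.0/16"

# Build one "firewall-rules create" command. Printed, not executed, so it can be
# reviewed before it changes the host project.
fw_rule_cmd() {
  # $1 = rule name, $2 = TCP port to allow
  printf 'gcloud compute firewall-rules create %s --project=%s --network=%s --direction=INGRESS --allow=tcp:%s --source-ranges=%s --target-tags=%s\n' \
    "$1" "$HOST_PROJECT" "$NETWORK" "$2" "$HC_RANGES" "$NODE_TAG"
}

# Both rules named after the pattern the question quotes from the docs:
# gkegw1-l7-[network]-[region/global] and gkemcg1-l7-[network]-[region/global].
gateway_fw_cmds() {
  fw_rule_cmd "gkegw1-l7-${NETWORK}-${LOCATION}" "$BACKEND_PORT"
  fw_rule_cmd "gkemcg1-l7-${NETWORK}-${LOCATION}" "$BACKEND_PORT"
}

# Check afterwards that the rules exist on the host network (the health check still
# fails if they were created in the service project by mistake).
verify_cmd() {
  printf 'gcloud compute firewall-rules list --project=%s --filter="network:%s AND name~^gke(gw|mcg)1-l7-" --format="table(name,sourceRanges.list(),allowed[].map().firewall_rule().list(),targetTags.list())"\n' \
    "$HOST_PROJECT" "$NETWORK"
}

gateway_fw_cmds
verify_cmd
```

Review the printed commands, then pipe the script's output to `sh` to apply them with an identity that holds firewall permissions in the host project.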

2 REPLIES

Hi @yanqiang ,

You can check if the GKE service account has the needed permission. Considering that you mentioned granting the Compute Security Admin role, which is correct, you also have to check if it is assigned at the correct level (project or organization level) and to the correct service account.

You might also want to check if there were custom firewall rules that are affecting the auto-generated rules. Sometimes, custom firewall rules might prevent the auto-creation of GKE Gateway firewall rules. There must be no deny rules that block the creation.

Let me add to it the GKE version. Make sure it supports auto-creation of gateway firewall rules. 

Lastly, you can try manually creating the required firewall rules. You can refer to the commands below:

gcloud compute firewall-rules create gkegw1-l7-[network]-[region/global] --allow tcp:8080 --source-ranges [CIDR_BLOCK]
gcloud compute firewall-rules create gkemcg1-l7-[network]-[region/global] --allow tcp:8080 --source-ranges [CIDR_BLOCK]

Let me know if this helps.

