
Multi Cluster setup with private/internal routing + public whitelisting, is it possible?

I have a GKE Autopilot multi cluster setup with apps segregated into different GKE clusters; for simplicity's sake let's call the clusters public, service and tooling. These clusters communicate with each other via LB so there is cross cluster communication as shown in the image below. I want the public cluster to be public facing, which is pretty easy to set up with GKE Native Ingress; however the remaining 2 clusters need to be INTERNAL only + allow whitelisting for direct access (for maintenance and troubleshooting purposes). How can I achieve this cross cluster communication? What is the LB type etc. that needs to be used here?

Public cluster (public facing) ---> Service (private/INTERNAL only + IP whitelisting) --> Tooling (private/INTERNAL only + IP whitelisting)

1 ACCEPTED SOLUTION

Hi @dheerajpanyam,

Welcome to Google Cloud Community!

To achieve that kind of cross-cluster setup, here's a summary of the solution:

  • For public cluster
    • I agree with you; you will be setting up GKE Ingress to expose services publicly on this cluster. This will allow traffic from the internet to access your public-facing apps.
    • Load balancer type: GKE Native Ingress HTTPS External Load Balancer

  • For Service and Tooling Cluster (Private Cluster)
    • Load balancer type: Internal load balancer
      • It’s recommended to use an internal load balancer since the traffic will just route within the VPC and the services are only accessible within the VPC network.
      • Allow whitelisting for direct access:
        • Use firewall rules: implement firewall rules that block all inbound traffic, only permitting access from allowed IP addresses.
        • Enable authorized networks: you configure the IP addresses for which you want to allow access to the GKE cluster control plane endpoint as a CIDR block list.

For further insights on deploying Ingress in Google Kubernetes Engine and to enhance your understanding of load balancers, refer to the documentation below:

I hope the above information is helpful.

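As an added illustration of the layout the accepted answer describes (these manifests are not from the original post or from Google's documentation; the service names, ports, TLS secret and CIDR ranges are placeholders), the public cluster exposes its frontend through an external GKE Ingress, while the service cluster exposes its API through an internal passthrough load balancer whose `loadBalancerSourceRanges` GKE turns into the restrictive VPC firewall rule the answer recommends:

```yaml
# --- Public cluster: GKE Native Ingress -> external HTTP(S) load balancer ---
apiVersion: v1
kind: Service
metadata:
  name: frontend                                   # placeholder name
  annotations:
    cloud.google.com/neg: '{"ingress": true}'      # container-native load balancing (default on Autopilot)
spec:
  type: ClusterIP
  selector:
    app: frontend
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: frontend-ingress
  annotations:
    kubernetes.io/ingress.class: "gce"             # external, internet-facing GKE Ingress
spec:
  tls:
    - secretName: frontend-tls                     # placeholder TLS secret
  defaultBackend:
    service:
      name: frontend
      port:
        number: 80
---
# --- Service cluster: internal passthrough LB, reachable only from inside the VPC ---
apiVersion: v1
kind: Service
metadata:
  name: orders-api                                 # placeholder name
  annotations:
    networking.gke.io/load-balancer-type: "Internal"   # internal LB: no public IP is allocated
spec:
  type: LoadBalancer
  selector:
    app: orders-api
  ports:
    - port: 443
      targetPort: 8443
  # GKE materialises this list as a VPC firewall rule that admits only these sources.
  # The caller cluster's pod range must be listed alongside the maintenance range,
  # otherwise the public cluster's pods are blocked too.
  loadBalancerSourceRanges:
    - 10.20.0.0/16        # placeholder: public cluster pod CIDR
    - 203.0.113.0/24      # placeholder: whitelisted admin range
```

The tooling cluster gets the same internal `LoadBalancer` Service, with the service cluster's pod range in place of the public cluster's. Note the two allow lists are independent: `loadBalancerSourceRanges` restricts who can reach the workloads through the internal LB, whereas the control-plane authorized networks the answer mentions restrict who can reach the kube-apiserver, and are set on the cluster itself, for example with `gcloud container clusters update CLUSTER_NAME --enable-master-authorized-networks --master-authorized-networks=203.0.113.0/24` (placeholder name and range).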

2 REPLIES


Nice. Thank you so much @francislouie 
