
Set static IP address to egress traffic

Hello,

I would like to set a static IP address for some egress traffic coming out of GKE Autopilot to a third-party managed service, e.g. MongoDB Atlas.

There is an option to set that in Cloud Run, but I could not find documentation explaining this for GKE:

https://cloud.google.com/run/docs/configuring/static-outbound-ip


The short answer is this is possible using Cloud NAT with a fixed IP. See public documentation:

https://cloud.google.com/nat/docs/public-nat
https://cloud.google.com/nat/docs/nat-rules-overview
https://cloud.google.com/nat/docs/gke-example

At least this would be the recommended / easiest solution using a managed GCP offering.
Note that GKE doesn't support this on the node VMs: a node VM can't have a fixed (public or private) IP.

Hi @hadi-getox,

In addition to @Arekkusu 's answer, one way to achieve this is by utilizing Cloud NAT and the IP Masquerade Agent. Google Cloud NAT enables control over egress traffic from your VPC, using static IP addresses. Additionally, the IP Masquerade Agent, deployed as a DaemonSet on GKE nodes, allows you to customize outbound traffic's source IP address for specific pods or namespaces. This combination provides a way to manage static IPs for egress traffic in GKE Autopilot.

@Marvin_Lucero

After reading the IP Masquerading Agent docs, my understanding is that the source IP of the packets leaving the cluster can be set to either the pod IP or the node IP.

Is it possible to set a reserved private IP as the source IP via IP-Masq-agent?

Cheers,

/M

Were you able to find a solution for this? I tried to set up a Cloud NAT for my GKE Autopilot cluster, but it seems that GKE Autopilot does not allow setting up a custom Cloud NAT; at least for me it didn't work.

Team, I was following the below documentation with no success:

https://cloud.google.com/kubernetes-engine/docs/how-to/egress-nat-policy-ip-masq-autopilot

Did it work for you?

I finally got this to work. I have a GKE Autopilot cluster running. You need to disable the external IPs on your nodes, otherwise they will not route via the Cloud NAT. Private Nodes -> Enabled

Now any new nodes that join the cluster for your workloads will only have a local internal IP and will be using your newly created Cloud NAT. GEEEEEEZE, that took too long to figure out. Hope this saves someone the time that I don't have right now 😛
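For anyone landing here later, here is the whole setup from the two working answers above (Cloud NAT pinned to a reserved static address, and an Autopilot cluster with private nodes so node traffic actually goes through that NAT) as one Terraform config. This is an added example written for this page, not code from the thread or from Google's documentation; the project variable, region, VPC/subnet names and CIDRs are placeholders you should replace.

```hcl
# Added example for this thread (not from the original post or Google docs).
# Assumptions: a project_id variable, region europe-west1, a dedicated VPC and
# subnet with "pods"/"services" secondary ranges. All names and CIDRs are placeholders.

variable "project_id" {
  type = string
}

variable "region" {
  type    = string
  default = "europe-west1"
}

provider "google" {
  project = var.project_id
  region  = var.region
}

resource "google_compute_network" "vpc" {
  name                    = "gke-egress-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "gke" {
  name                     = "gke-egress-subnet"
  region                   = var.region
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.0.0/20"
  private_ip_google_access = true # private nodes still reach Google APIs / Artifact Registry

  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.20.0.0/16"
  }
  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.30.0.0/20"
  }
}

# The one address you allow-list in MongoDB Atlas (or any other third-party service).
resource "google_compute_address" "egress" {
  name         = "gke-egress-static-ip"
  region       = var.region
  address_type = "EXTERNAL"
}

resource "google_compute_router" "nat" {
  name    = "gke-egress-router"
  region  = var.region
  network = google_compute_network.vpc.id
}

resource "google_compute_router_nat" "gke" {
  name   = "gke-egress-nat"
  router = google_compute_router.nat.name
  region = var.region

  # MANUAL_ONLY + nat_ips pins egress to the reserved address; with AUTO_ONLY the
  # address can change and silently break the Atlas allow-list.
  nat_ip_allocate_option = "MANUAL_ONLY"
  nat_ips                = [google_compute_address.egress.self_link]

  # NAT only the cluster subnet, and include its secondary ranges so pod IPs
  # (not just node IPs) are translated when traffic leaves un-masqueraded.
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
  subnetwork {
    name                    = google_compute_subnetwork.gke.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }

  log_config {
    enable = true
    filter = "ERRORS_ONLY" # port exhaustion and dropped connections show up here
  }
}

# Private nodes are the step that gets missed: a node that still has its own
# external IP bypasses Cloud NAT and egresses from that ephemeral address.
resource "google_container_cluster" "autopilot" {
  name             = "autopilot-static-egress"
  location         = var.region
  enable_autopilot = true
  network          = google_compute_network.vpc.id
  subnetwork       = google_compute_subnetwork.gke.id

  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false # keep the public control-plane endpoint for kubectl
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }
}

output "egress_ip" {
  value = google_compute_address.egress.address
}
```

After `terraform apply`, verify from inside the cluster before touching the Atlas IP access list: run a throwaway pod with curl against any "what is my IP" endpoint and check that the reported address equals `terraform output egress_ip`; if it reports something else, the node still has an external IP or the subnet is not covered by the NAT rule. Two caveats worth knowing: every workload in the cluster now shares that single address, so the allow-list entry grants the whole cluster access to Atlas, and private nodes only remove the nodes' external IPs, so external Ingress and LoadBalancer Services keep working because the Google load balancer reaches nodes and pods over internal addresses.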

Hi, do all the existing ingresses to the pods etc. still work when you have enabled private nodes?
