I have a GCP shared VPC in project **central** which has two private endpoint subnets. These subnets are used in the respective service projects, **Project-A** and **Project-B**, as the cluster private endpoint subnets:
- Management cluster private endpoint CIDR (10.10.0.0/29), which resides in Project-A
- Dev cluster private endpoint CIDR (10.10.0.8/29), which resides in Project-B
Now the management cluster needs connectivity to the cluster endpoint of the dev cluster. To clarify the context a bit more: I want the management cluster to be able to access the dev cluster endpoint, as Argo CD needs access to the dev cluster.
But even though both subnets are in the same shared VPC, the network is not reachable on port 443 for some reason. I have no idea why. Can someone shed some light on this?
The network connectivity also does not seem to succeed even though the subnets are in the same shared VPC and the firewall rule in the host VPC is unrestricted.
When I try to run the command
```
argocd cluster add $DEV_CONTEXT --name dev --label environment=dev --label cluster=dev --upsert --grpc-web
```
on the management cluster, it gives the following error, as the subnets are not able to connect to the dev cluster endpoint:
```
WARNING: This will create a service account `argocd-manager` on the cluster referenced by context `gke_dev_australia-southeast1_dev` with full cluster level privileges. Do you want to continue [y/N]? y
{"level":"fatal","msg":"Failed to create service account \"argocd-manager\" in namespace \"kube-system\": Post \"https://10.10.0.11/api/v1/namespaces/kube-system/serviceaccounts\": EOF","time":"2025-05-30T17:04:25+05:30"}
```
Hi defyjoy,
Welcome to Google Cloud Community!
Have you tried validating your firewall rule? Ensure that firewall rules in the host project allow TCP:443 traffic from the Management cluster’s subnet (10.10.0.0/29) to the Dev cluster’s subnet (10.10.0.8/29). If you haven’t configured it, here’s a sample configuration for ingress and egress firewall rules:
```bash
# Ingress rule: allow TCP 443 arriving at the dev subnet from the management subnet
gcloud compute firewall-rules create allow-management-to-dev-ingress \
  --project=central \
  --direction=INGRESS \
  --action=ALLOW \
  --rules=tcp:443 \
  --source-ranges=10.10.0.0/29 \
  --destination-ranges=10.10.0.8/29 \
  --network=shared-vpc-network \
  --priority=1000

# Egress rule Option 1: scoped to the management nodes only.
# VPC egress rules select their source by target, not by --source-ranges,
# so MANAGEMENT_NODE_TAG is a placeholder for the network tag on the management nodes.
gcloud compute firewall-rules create allow-management-to-dev-egress \
  --project=central \
  --direction=EGRESS \
  --action=ALLOW \
  --rules=tcp:443 \
  --target-tags=MANAGEMENT_NODE_TAG \
  --destination-ranges=10.10.0.8/29 \
  --network=shared-vpc-network \
  --priority=1000

# Egress rule Option 2: target all instances in the network
gcloud compute firewall-rules create allow-management-to-dev-egress \
  --project=central \
  --direction=EGRESS \
  --action=ALLOW \
  --rules=tcp:443 \
  --destination-ranges=10.10.0.8/29 \
  --network=shared-vpc-network \
  --priority=1000
```
If the issue still persists and needs further assistance, feel free to reach out to our Google Cloud Support.
Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
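To check whether a rule set like the one above actually permits the management-to-dev flow before touching the console, here is an added example (not from this thread) that evaluates VPC firewall semantics, lowest priority number wins and the implied allow-egress/deny-ingress rules at 65535, over rules in the JSON shape that `gcloud compute firewall-rules list --format=json` returns; the rule list is constructed sample data, not a real project's rules.

```python
import ipaddress

# Constructed sample: the ingress rule from the answer plus a higher-priority
# deny rule so the priority ordering is exercised.
SAMPLE_RULES = [
    {"name": "allow-management-to-dev-ingress", "direction": "INGRESS", "priority": 1000,
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
     "sourceRanges": ["10.10.0.0/29"], "destinationRanges": ["10.10.0.8/29"]},
    {"name": "deny-dev-ssh", "direction": "INGRESS", "priority": 900,
     "denied": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "sourceRanges": ["0.0.0.0/0"], "destinationRanges": ["10.10.0.8/29"]},
]

def _in_ranges(ip, ranges):
    # A missing sourceRanges/destinationRanges list means "any address" on that side.
    if not ranges:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)

def _port_match(entries, proto, port):
    # entries is the rule's "allowed" or "denied" list; no "ports" means all ports.
    for e in entries:
        if e["IPProtocol"] not in (proto, "all"):
            continue
        if not e.get("ports"):
            return True
        for p in e["ports"]:
            lo, _, hi = p.partition("-")          # "443" or "1-65535"
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def flow_allowed(rules, src, dst, port, proto="tcp"):
    """Return (egress_ok, ingress_ok) for src -> dst:port; both must be True."""
    verdict = {"EGRESS": True, "INGRESS": False}  # implied rules at priority 65535
    decided = set()
    for r in sorted(rules, key=lambda r: r["priority"]):  # first match wins
        d = r["direction"]
        if d in decided or r.get("disabled"):
            continue
        if not (_in_ranges(src, r.get("sourceRanges"))
                and _in_ranges(dst, r.get("destinationRanges"))):
            continue
        if _port_match(r.get("allowed", []), proto, port):
            verdict[d], decided = True, decided | {d}
        elif _port_match(r.get("denied", []), proto, port):
            verdict[d], decided = False, decided | {d}
    return verdict["EGRESS"], verdict["INGRESS"]
```

Equal-priority ties (where GCP prefers deny) are not resolved here; feed it `gcloud compute firewall-rules list --project=central --format=json` output and the endpoint address from the error, 10.10.0.11, to see which side of the flow is blocked.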