
create a new nodepool with a dedicated cloud nat

Is it possible to create a dedicated nodepool added on to a cluster, such that traffic egressing from those nodes will be routed via Cloud NAT?


Just to clarify, you plan to have multiple nodepools but you only want to allow one to egress via CloudNAT? Or you want to use a specific CloudNAT instance for a specific nodepool?

Hi @mks89,

Yes, this is possible because of the ability to route egress traffic from a dedicated node pool in GKE through Cloud NAT.

In addition, GKE clusters are built on top of GCP's VPC networking. VPCs provide a way to logically isolate and segment your resources in the cloud. As for node pools, GKE allows you to create multiple node pools within a single cluster. Each node pool can have its own configuration, such as machine type, disk size, and labels.

Network tags allow you to tag instances (in this case, GKE nodes). And lastly, Cloud NAT allows your VM instances (including GKE nodes) without external IP addresses to access the internet while preserving their private IP addresses. It works by translating the private IPs to a public IP.

Given these capabilities, the steps outlined above will utilize these features:

a. By creating a dedicated node pool, you can isolate certain workloads or applications to specific groups of nodes.

b. By associating a network tag with the dedicated node pool, you can use this tag in firewall rules to control the egress traffic for these nodes.

c. Cloud NAT is then configured to route the egress traffic from instances with the specified network tag. This ensures that traffic leaving the nodes in the dedicated pool goes through Cloud NAT, allowing for translation of private IP addresses to public IPs for outbound internet access.

Let me know if this answers or addresses your question.
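The following Terraform is an added example of the set-up described in the reply above; it is not code from the thread or from Google. Names, project, CIDRs and the `nat-egress` tag are placeholders. One practical point to keep in mind: Cloud NAT selects the traffic it translates by subnet and IP range (`source_subnetwork_ip_ranges_to_nat` / `subnetwork` block), not by network tag, and every node pool in a cluster shares the cluster's subnet. So the NAT is attached to the subnet that carries the dedicated pool, and the per-pool restriction is enforced with the tag-scoped egress firewall rules, which is exactly where the reply says the tag comes in.

```terraform
# Added example, not from the original thread. All names and ranges are placeholders.
variable "project_id" { default = "my-project-id" }   # placeholder project
variable "region"     { default = "us-central1" }     # placeholder region

resource "google_compute_network" "vpc" {
  name                    = "egress-demo-vpc"
  auto_create_subnetworks = false
}

# Subnet shared by all node pools of the cluster; Cloud NAT is attached here.
resource "google_compute_subnetwork" "nodes" {
  name                     = "gke-nodes"
  region                   = var.region
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.0.0/20"
  private_ip_google_access = true   # lets nodes reach Google APIs (image pulls) without NAT
  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.20.0.0/16"
  }
  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.30.0.0/20"
  }
}

resource "google_container_cluster" "primary" {
  name       = "egress-demo"
  location   = var.region
  network    = google_compute_network.vpc.id
  subnetwork = google_compute_subnetwork.nodes.id
  # Node pools are managed as separate resources; drop the default pool.
  remove_default_node_pool = true
  initial_node_count       = 1
  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }
  private_cluster_config {
    enable_private_nodes    = true   # nodes get no external IP, so internet egress must go via NAT
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }
}

# The dedicated node pool; the network tag is what the firewall rules key on.
resource "google_container_node_pool" "egress" {
  name       = "egress-pool"
  cluster    = google_container_cluster.primary.id
  node_count = 1
  node_config {
    machine_type = "e2-standard-2"
    tags         = ["nat-egress"]
  }
}

resource "google_compute_router" "nat_router" {
  name    = "egress-router"
  region  = var.region
  network = google_compute_network.vpc.id
}

# Cloud NAT scoped to the node subnet (all of its ranges), with logging on.
resource "google_compute_router_nat" "nat" {
  name                               = "egress-nat"
  router                             = google_compute_router.nat_router.name
  region                             = var.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
  subnetwork {
    name                    = google_compute_subnetwork.nodes.id
    source_ip_ranges_to_nat = ["ALL_IP_RANGES"]
  }
  log_config {
    enable = true
    filter = "ERRORS_ONLY"   # use "ALL" to record every translation for auditing
  }
}

# Keep internal traffic (VPC ranges and the private control-plane range) open for every node.
resource "google_compute_firewall" "allow_internal_egress" {
  name               = "allow-internal-egress"
  network            = google_compute_network.vpc.name
  direction          = "EGRESS"
  priority           = 900
  destination_ranges = ["10.0.0.0/8", "172.16.0.0/12"]
  allow { protocol = "all" }
}

# Only the tagged (dedicated) pool may send traffic to the internet through the NAT.
resource "google_compute_firewall" "allow_tagged_egress" {
  name               = "allow-nat-egress"
  network            = google_compute_network.vpc.name
  direction          = "EGRESS"
  priority           = 1000
  target_tags        = ["nat-egress"]
  destination_ranges = ["0.0.0.0/0"]
  allow { protocol = "all" }
}

# Everything else on the VPC is denied internet egress (lowest priority, evaluated last).
resource "google_compute_firewall" "deny_other_egress" {
  name               = "deny-internet-egress"
  network            = google_compute_network.vpc.name
  direction          = "EGRESS"
  priority           = 2000
  destination_ranges = ["0.0.0.0/0"]
  deny { protocol = "all" }
}
```

Before applying the deny rule in a cluster that already has other node pools, check what those pools need to reach: the catch-all deny also blocks public Google API endpoints, so untagged nodes will rely on Private Google Access for image pulls and logging, and any private.googleapis.com / restricted.googleapis.com ranges you use must be added to the internal allow rule. With NAT logging enabled, the translation log entries give you a per-source-IP record of which node actually egressed, which is the evidence you want when verifying that only the dedicated pool reaches the internet.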
