
Routing traffic from GKE via Classic VPN

Hi there!

I have a GKE service that needs to send egress traffic to a third-party service running in Azure. These are the requirements:

  1. Traffic needs to originate from a static source-IP
  2. Only outbound traffic to a certain IP (let's call it ext-IP) needs to be routed via the classic VPN tunnel (classic basically means no BGP)
  3. All traffic to this external service goes via an obscure port, let's call it ext-Port

I have so far:

  1. GKE service deployed
  2. Route to ext-IP is set up with all GKE nodes included, and the VPN tunnel as the next hop (this route has the highest priority of all my IP routes)
  3. Firewall rule to allow any egress traffic to ext-IP:ext-Port
  4. Classic VPN tunnel is established
  5. To apply SNAT to the traffic, I have a GKE daemonset in the `kube-system` namespace that applies iptables rules to all my GKE nodes. These rules SNAT all traffic destined for ext-IP.

I just can't see where the traffic is going, but the VPN "flow logs" seem empty. However, the external party confirms that they can see a SYN coming from me, to which they respond, but after that there's no traffic whatsoever.

Any ideas on how to start troubleshooting this issue?

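The question above asks where to start troubleshooting. As an added example (not from the original post, the replies, or Google Cloud's own tooling), the script below gathers the node-side evidence for exactly the symptom described: the remote side sees the SYN and answers, but nothing follows. It assumes placeholder values for ext-IP (203.0.113.10), ext-Port (8443) and the static SNAT source address (198.51.100.7); the conntrack listing embedded in it is constructed, not captured from a real node.

```shell
#!/bin/sh
# Added troubleshooting helper for the GKE -> Classic VPN -> Azure setup above.
# Not from the original post. EXT_IP, EXT_PORT and the SNAT address 198.51.100.7
# are placeholders; SAMPLE_CONNTRACK is a constructed `conntrack -L` listing.

EXT_IP="${EXT_IP:-203.0.113.10}"
EXT_PORT="${EXT_PORT:-8443}"

# Commands to run on a GKE node (SSH, or a privileged hostNetwork pod entered
# into the host's network namespace) to follow one connection through the node.
print_node_checks() {
  ip="$1"; port="$2"
  cat <<EOF
# 1. Which route and source address does the node pick for ext-IP?
ip route get $ip
# 2. Is the SNAT rule present, and does it sit before other POSTROUTING rules?
iptables -t nat -S POSTROUTING | grep -n "$ip"
# 3. Does the node ever see the SYN-ACK come back?
tcpdump -ni any "tcp and host $ip and port $port"
# 4. Are flows stuck half-open in conntrack?
conntrack -L -p tcp --dst $ip --dport $port
EOF
}

# Count conntrack entries for ext-IP:ext-Port by state (reads `conntrack -L`
# output on stdin). SYN_SENT entries tagged [UNREPLIED] are SYNs the node sent
# without ever seeing a SYN-ACK for them.
classify_conntrack() {
  awk -v ip="$1" -v port="$2" '
    $1 == "tcp" && $6 == ("dst=" ip) && $8 == ("dport=" port) {
      if ($4 == "SYN_SENT") stuck++
      else if ($4 == "ESTABLISHED") ok++
    }
    END { printf "stuck=%d ok=%d\n", stuck + 0, ok + 0 }'
}

# For the stuck entries, print the address the node expects the SYN-ACK at:
# the dst= of the reply tuple, i.e. the SNAT source address the rule applied.
# Both the tunnel's selectors and the VPC must deliver that address to this node.
stuck_reply_dst() {
  awk -v ip="$1" -v port="$2" '
    $1 == "tcp" && $4 == "SYN_SENT" && $6 == ("dst=" ip) && $8 == ("dport=" port) {
      n = 0
      for (i = 5; i <= NF; i++)
        if ($i ~ /^dst=/ && ++n == 2) { sub(/^dst=/, "", $i); print $i }
    }' | sort -u
}

# Constructed sample: two flows to ext-IP stuck half-open, one unrelated
# in-VPC flow, and one older flow to ext-IP that did complete.
SAMPLE_CONNTRACK='tcp      6 117 SYN_SENT src=10.4.0.12 dst=203.0.113.10 sport=41022 dport=8443 [UNREPLIED] src=203.0.113.10 dst=198.51.100.7 sport=8443 dport=41022 mark=0 use=1
tcp      6 110 SYN_SENT src=10.4.1.9 dst=203.0.113.10 sport=53310 dport=8443 [UNREPLIED] src=203.0.113.10 dst=198.51.100.7 sport=8443 dport=53310 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.4.0.12 dst=10.8.0.5 sport=38000 dport=443 src=10.8.0.5 dst=10.4.0.12 sport=443 dport=38000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.4.2.3 dst=203.0.113.10 sport=39870 dport=8443 src=203.0.113.10 dst=198.51.100.7 sport=8443 dport=39870 [ASSURED] mark=0 use=1'

print_node_checks "$EXT_IP" "$EXT_PORT"
printf '%s\n' "$SAMPLE_CONNTRACK" | classify_conntrack "$EXT_IP" "$EXT_PORT"
printf '%s\n' "$SAMPLE_CONNTRACK" | stuck_reply_dst "$EXT_IP" "$EXT_PORT"
```

Run the printed commands as root in the host network namespace of a node that hosts the workload's pods. If conntrack accumulates SYN_SENT/[UNREPLIED] entries while tcpdump on that same node never shows the SYN-ACK, the reply is being lost between the tunnel and the node rather than on the way out. The address printed by stuck_reply_dst is where the peer sends its SYN-ACK, so the tunnel's traffic selectors have to cover it, and the VPC has to deliver it to the node that created the conntrack entry (as that node's interface or alias IP, or through a route whose next hop is that node). When every node SNATs to the same static address, only a node the VPC delivers that address to can ever see the reply; every other node shows exactly the SYN-only pattern the remote party reports. Two smaller things worth confirming while there: that the daemonset inserts its rule ahead of GKE's own POSTROUTING masquerade rules, and that VPC Flow Logs are enabled on the nodes' subnet, since they are a per-subnet setting and an empty log may just mean they were never switched on there.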

Hi ernst,


It seems like this kind of setup needs further assistance. For more detailed guidance, please feel free to reach out to the Google support team.

I am unable to sign up for support - "You are not eligible to select this option."