This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Routing traffic from GKE via Classic VPN

Posted on 01-01-2025 11:55 PM
ernst
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi there!

I have a GKE service that needs to send egress traffic to a 3rd-party service running in Azure. These are requirements:

  1. Traffic needs to originate from a static source-IP
  2. Only outbound traffic to a certain IP (let's call it ext-IP) needs to be routed via the classic VPN tunnel (classic basically means no BGP)
  3. All traffic to this external service goes via an obscure port, let's call it ext-Port

I have so far:

  1. GKE service deployed
  2. Route to ext-IP is set up with all GKE nodes included, and the VPN tunnel as the next hop (this route has the highest priority of all my IP routes)
  3. Firewall rule to allow any egress traffic to ext-IP:ext-Port
  4. Classic VPN tunnel is established
  5. To apply SNAT to the traffic, I have a GKE daemonset in `kube-system`-namespace that applies iptables rules to all my GKE nodes. These rules SNAT all traffic destined for ext-IP.

I just can't see where the traffic is going, but the VPN "flow logs" seem empty. However the external party confirms that they can see a 'syn' message coming from me, to which they respond, but after that there's no traffic whatsoever.

Any ideas on how to start trouble-shooting this issue?

0 2 386
Topic Labels
0 Likes
2 REPLIES 2
Top Labels in this Space