How to point a Service of type ExternalName to an App that is only reachable through Tailscale


Background: I am trying to protect an app by making it not possible to reach from the public internet. Users should only be able to reach it through Pomerium. Pomerium itself will be deployed in GKE, but the app is installed on an on-premise server. To connect to the app from GCP, I am planning to use Netbird for the VPN. The image below is what I have in mind right now.

[Image: Visualization]

I've followed the quickstart guide for installing Pomerium in K8S and everything is running well (I can reach a simple service deployed in a pod).

My next step was setting up another Service with type ExternalName. I tested this step by pointing the service to HttpBin. There was no problem with this step.

So the last step is to try to reach the external app through the VPN. I am not sure how to achieve this. My first idea is to set up a VM where I can install the Netbird client and a proxy application and then direct all egress traffic from the cluster to this VM. But all the guides I found talk about how to set a proxy for Pods, whereas in my case there is no pod at all.

Am I missing something or is there a better way to achieve my plan?
