Requirement: With private GKE (version 1.21.11-gke.1100), each pod is required to have a dedicated public IP as its source IP when reaching the internet. It is not required for ingress, only for egress.
Solution tried: Cloud NAT. Works partially. Meaning, suppose we have 10 pods and each of them is made to run on a distinct node. Cloud NAT does not assign a unique IP to each pod even when the Minimum ports per VM instance is set to the maximum possible value of 57344.
Experiment done: 10 NAT gateway IPs are assigned to the NAT Gateway. 8 pods are created, each running on a dedicated node. Cloud NAT assigned only 3 Cloud NAT IPs instead of 8 even though there are 10 IPs available.
Cloud NAT is configured as below:

| Configuration | Setting |
|---|---|
| Manual NAT IP address assignment | true |
| Dynamic port allocation | disabled |
| Minimum ports per VM instance | 57344 (this decides how many VMs can be assigned to the same Cloud NAT IP) |
| Endpoint-Independent Mapping | disabled |
Instead of converting to a Public GKE cluster, is there an easier way of achieving this goal?
Has anyone ever done such a setup that is proven to work?
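For reference, the Cloud NAT configuration described in the question's table, expressed as Terraform with the `google` provider (an added example, not code from the question or from the repositories linked in the answer). Router, address and NAT names, the region and the network name are placeholders; `source_subnetwork_ip_ranges_to_nat` is set to cover secondary ranges because GKE pod IPs live in the subnet's secondary range and are only translated if that range is included. Port allocation in Cloud NAT is per VM, which is why the question runs one pod per node.

```hcl
# Added example: the Cloud NAT settings from the question as Terraform.
# Names, region and the VPC name "my-vpc" are placeholders, not values from the question.

resource "google_compute_router" "nat_router" {
  name    = "gke-nat-router"   # placeholder
  region  = "us-central1"      # placeholder
  network = "my-vpc"           # placeholder: the VPC of the private GKE cluster
}

# Ten reserved external addresses for "Manual NAT IP address assignment = true",
# matching the experiment's 10 NAT gateway IPs.
resource "google_compute_address" "nat" {
  count  = 10
  name   = "gke-nat-ip-${count.index}"
  region = google_compute_router.nat_router.region
}

resource "google_compute_router_nat" "gke_nat" {
  name   = "gke-nat"   # placeholder
  router = google_compute_router.nat_router.name
  region = google_compute_router.nat_router.region

  # Manual NAT IP address assignment = true
  nat_ip_allocate_option = "MANUAL_ONLY"
  nat_ips                = google_compute_address.nat[*].self_link

  # Primary AND secondary ranges: the pod range is a secondary range, so a
  # "primary ranges only" setting would leave pod traffic untranslated.
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"

  # Minimum ports per VM instance = 57344 (static allocation)
  min_ports_per_vm = 57344
  # Dynamic port allocation = disabled
  enable_dynamic_port_allocation = false
  # Endpoint-Independent Mapping = disabled
  enable_endpoint_independent_mapping = false

  # Error logging surfaces port exhaustion and dropped translations in Cloud Logging.
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}
```

After `terraform apply`, `gcloud compute routers get-nat-mapping-info gke-nat-router --region us-central1` lists, per VM, which NAT IP(s) and port ranges were allocated to it. That is the authoritative way to check how many distinct NAT IPs the nodes actually received, rather than inferring it from source addresses observed on the far end.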
You can create the NAT gateway instance and forward the traffic from there.
Here is a Terraform script to create it: https://github.com/GoogleCloudPlatform/terraform-google-nat-gateway/tree/master/examples
https://medium.com/google-cloud/using-cloud-nat-with-gke-cluster-c82364546d9e
If you are looking to use Cloud NAT with a route, you can check out this: https://github.com/GoogleCloudPlatform/gke-private-cluster-demo/blob/master/README.md#private-clusters
TF code for NAT: https://github.com/GoogleCloudPlatform/gke-private-cluster-demo/blob/master/terraform/network.tf#L84
Demo architecture: https://github.com/GoogleCloudPlatform/gke-private-cluster-demo/blob/master/README.md#demo-architecture