Configuring GKE Egress NAT with Google Cloud

How do I configure GKE Egress NAT with Google Cloud?

In this guide, we configure Google Kubernetes Engine (GKE) with an egress NAT so that outbound traffic from GKE workloads to external services leaves the VPC through a single Cloud NAT gateway rather than from per-node public addresses. Cloud NAT only translates traffic from nodes that have no external IP address, so the cluster's nodes must be private for the NAT to apply. We will create a GKE cluster, a Cloud NAT, and the necessary networking components.

Here’s how you can achieve this using Pulumi in TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Create a VPC network
const network = new gcp.compute.Network("network", {
    autoCreateSubnetworks: false,
});

// Create a subnet
const subnet = new gcp.compute.Subnetwork("subnet", {
    network: network.id,
    ipCidrRange: "10.0.0.0/24",
    region: "us-central1",
});

// Create a GKE cluster. Cloud NAT only handles traffic from nodes without an
// external IP, so the nodes are made private; private clusters must also be
// VPC-native, which ipAllocationPolicy enables.
const cluster = new gcp.container.Cluster("gke-cluster", {
    location: "us-central1-a", // a zone in the subnet's region
    initialNodeCount: 1,
    minMasterVersion: "1.20.8-gke.900",
    network: network.id,
    subnetwork: subnet.id,
    ipAllocationPolicy: {},
    privateClusterConfig: {
        enablePrivateNodes: true,
        enablePrivateEndpoint: false,
        masterIpv4CidrBlock: "172.16.0.0/28",
    },
    nodeConfig: {
        machineType: "n1-standard-1",
        oauthScopes: [
            "https://www.googleapis.com/auth/cloud-platform",
        ],
    },
});

// Create a Cloud Router
const router = new gcp.compute.Router("router", {
    network: network.id,
    region: "us-central1",
});

// Create a Cloud NAT
const nat = new gcp.compute.RouterNat("nat", {
    router: router.name,
    region: "us-central1",
    natIpAllocateOption: "AUTO_ONLY",
    sourceSubnetworkIpRangesToNat: "ALL_SUBNETWORKS_ALL_IP_RANGES",
});

// Export the cluster name and endpoint
export const clusterName = cluster.name;
export const clusterEndpoint = cluster.endpoint;

Key Points:

  • VPC Network: We created a custom VPC network to host our resources.
  • Subnet: A subnet within the VPC network was created to allocate IP ranges for our GKE cluster.
  • GKE Cluster: A GKE cluster was created within the VPC network and subnet, with a specified node configuration.
  • Cloud Router: A Cloud Router was set up to manage the network routes.
  • Cloud NAT: A Cloud NAT was configured to handle egress traffic from the GKE cluster, ensuring controlled access to external services.
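Once the NAT is in place, the check a practitioner wants is whether egress actually behaves as intended: that nothing is silently dropped for lack of NAT ports, and that workloads only reach the external services they are supposed to. The following is an added example, not part of the original program; it triages entries from the Cloud NAT flow log (the nat_flows log, which assumes logging was turned on for the NAT via the RouterNat logConfig argument, not set above), and the sample entries and allowlist range are constructed.

```typescript
// Added example (not from the original page): triage Cloud NAT flow-log entries for a
// gateway like the one above. Only the nat_flows fields used here are modelled.
interface NatLogEntry {
  jsonPayload: {
    connection: { src_ip: string; nat_ip: string; dest_ip: string; dest_port: number; protocol: number };
    allocation_status: "OK" | "DROPPED"; // DROPPED: no free NAT IP:port for this VM
    endpoint: { vm_name: string; zone: string };
  };
}
interface Finding { kind: "port_exhaustion" | "unexpected_destination"; vm: string; dest: string }
// Minimal IPv4 CIDR matching for the destination allowlist.
function ipToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}
function inCidr(ip: string, cidr: string): boolean {
  const [base, bits] = cidr.split("/");
  const mask = Number(bits) === 0 ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}
// Flags egress that silently failed (NAT port exhaustion) and egress to destinations
// outside the allowlist of external services the workloads are expected to reach.
function triageNatLogs(lines: string[], allowedCidrs: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const { connection, allocation_status, endpoint } = (JSON.parse(line) as NatLogEntry).jsonPayload;
    const dest = `${connection.dest_ip}:${connection.dest_port}`;
    if (allocation_status === "DROPPED") {
      // The connection never left the VPC. With AUTO_ONLY allocation this usually means
      // too few NAT IPs or ports for the number of nodes; the workload saw a timeout.
      findings.push({ kind: "port_exhaustion", vm: endpoint.vm_name, dest });
    } else if (!allowedCidrs.some((c) => inCidr(connection.dest_ip, c))) {
      findings.push({ kind: "unexpected_destination", vm: endpoint.vm_name, dest });
    }
  }
  return findings;
}
// Constructed sample entries (RFC 5737 documentation addresses) in the nat_flows shape.
function natEntry(vm: string, destIp: string, destPort: number, status: "OK" | "DROPPED"): string {
  return JSON.stringify({ jsonPayload: {
    connection: { src_ip: "10.0.0.5", nat_ip: "203.0.113.7", dest_ip: destIp, dest_port: destPort, protocol: 6 },
    allocation_status: status, endpoint: { vm_name: vm, zone: "us-central1-a" } } });
}
const ALLOWED_EGRESS = ["198.51.100.0/24"]; // assumed range of the expected external service
const SAMPLE_LOG_LINES = [
  natEntry("gke-node-1", "198.51.100.20", 443, "OK"),      // expected egress
  natEntry("gke-node-1", "192.0.2.99", 4444, "OK"),        // not on the allowlist
  natEntry("gke-node-2", "198.51.100.20", 443, "DROPPED"), // NAT port exhaustion
];
console.log(triageNatLogs(SAMPLE_LOG_LINES, ALLOWED_EGRESS));
```

In practice the lines would come from a Cloud Logging export of the nat_flows log; a DROPPED finding is the signal to raise the port allocation or add NAT IPs, and an unexpected_destination finding is worth correlating with the pod that owned the source address.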

Summary

In this guide, we set up a GKE cluster with a Cloud NAT for controlled egress to external services. We created a VPC network, a subnet, a GKE cluster with private nodes, and a Cloud Router, and configured a Cloud NAT, all using Pulumi in TypeScript. This setup ensures that all outbound traffic from the GKE cluster is routed through the NAT gateway, providing secure, controlled access to external services.
