Google cloud -Public GKE cluster’s egress traffic via Cloud NAT for ip whitelisting

Rajathithan Rajasekar
3 min readDec 18, 2020

In my previous post on GKE outbound traffic , i had discussed on how to reroute the egress traffic from public GKE cluster via compute NAT instances for ip-whitelisting by third party systems. The solution is discussed in detail in the below link.

In this post we are going to see how we can reroute the GKE egress traffic via cloud NAT.

Masquerading in GKE

We will use a daemon set in GKE , that will rewrite the ip-table rules in the GKE Nodes to masquerade the outbound traffic.

Basically it will prevent SNAT of the pod’s outbound traffic via Node’s external ip address and retain its internal ip address , so the connection will egress out of the cloud NAT gateway’s external ip address.

Step 1:

Create a cloud NAT gateway , select the VPC in which you have deployed your public GKE cluster and apply the mapping to all the primary and secondary subnets. Create a new cloud router. For the NAT gateway’s ip address, create it manually so you can reserve it . This will be the ip-address that you will give to your third party vendor for whitelisting your incoming connection.

Step 2:

Create the config map and the daemon-set.

config

kubectl create configmap ip-masq-agent --from-file config --namespace kube-system

--

--

Rajathithan Rajasekar

I like to write code in Python . Interested in cloud , dataAnalysis, computerVision, ML and deepLearning. https://rajathithanrajasekar.medium.com/membership