user419017

Kubernetes (on GKE) external connection through NAT for specific kube services?

I currently have two clusters on GKE - one in eu-west1-b and another in us-east1-b. The pods deployed to the nodes in these clusters need to make location-based requests (for latency testing purposes).

I also need to connect to my postgres instance on RDS, which uses IP-based whitelisting for external connections. The nodes in my clusters have ephemeral IPs so I can't use them.

I have done a lot of research and gone through lots of SO answers and docs and tutorials and come to the solution that routing traffic through a NAT is pretty much the best/only way to do this right now on GKE.

https://serverfault.com/questions/835425/kubernetes-external-connection-through-single-ip

Similar to that question above, I don't want to route all of my traffic through the NAT. My reason is because I need my requests to come from the internet gateway associated with the current node so it is coming from a particular region.

The above question has some answers that almost get me there, but doesn't include any kube-specific configuration. This is a great tutorial:

https://docs.tenable.com/pvs/deployment/Content/GoogleCloudInstructionsNatGateway.htm

But again, is not based on kube.

My thinking is that I need to define a service for postgres in my kube cluster, and then tell that to route to the external service through the NAT. Not entirely sure where to start and would appreciate help.

Upvotes: 1

Views: 885

Answers (1)

Janos Lenart

Reputation: 27070

A solution:

  1. Tag your instances in different zones/regions with different tags

  2. Create static IP addresses for each zone/region

  3. Create NAT exit nodes (GCE instances or instance groups) using the external address from above

  4. Create a route through each of the NAT exit nodes. Restrict each route with destination IP range for your RDS ingress IP/32 and network tags from Step 1 (so the instances use the correct gateway)

Upvotes: 1
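
Steps 2 to 4 of the answer above, written out as the `gcloud` commands for one region (an added example, not part of the original answer). The function only prints the commands for review; the resource names, node tags, region names and the RDS address `203.0.113.10` are constructed placeholders, and step 1 is assumed to be done already (the GKE nodes carry the node tag).

```shell
#!/bin/sh
# Added example: prints the gcloud commands for steps 2-4 for one region.
# Every name, tag and address here is a constructed placeholder.
# Usage: nat_plan REGION ZONE NODE_TAG RDS_IP [NETWORK]
# The body runs in a subshell, so its variables stay local and `exit`
# only leaves the function.
nat_plan() (
  region=$1 zone=$2 node_tag=$3 rds_ip=$4 network=${5:-default}
  addr="nat-ip-${region}"
  gw="nat-gw-${region}"

  # Shape check: accept only a single dotted-quad host address. A CIDR such
  # as 0.0.0.0/0 is refused, so the route can never widen and pull the
  # region-specific test traffic through the NAT as well.
  case $rds_ip in
    ''|*[!0-9.]*|*..*|.*|*.|*.*.*.*.*) echo "not a host IP: $rds_ip" >&2; exit 1 ;;
    *.*.*.*) ;;
    *) echo "not a host IP: $rds_ip" >&2; exit 1 ;;
  esac

  # Step 2: one static external address per region (this is the address
  # that goes on the RDS whitelist).
  echo "gcloud compute addresses create ${addr} --region=${region}"

  # Step 3: NAT exit node using that address. It gets its own tag, not the
  # node tag, so the route below does not apply to the gateway itself.
  # The guest OS still needs IP forwarding and masquerading enabled, as in
  # the NAT gateway tutorial linked in the question.
  echo "gcloud compute instances create ${gw} --zone=${zone} --network=${network} --address=${addr} --can-ip-forward --tags=nat-gateway"

  # Step 4: route only the RDS /32, and only for instances with the node tag.
  # All other destinations keep using the default internet gateway.
  echo "gcloud compute routes create rds-via-${gw} --network=${network} --destination-range=${rds_ip}/32 --next-hop-instance=${gw} --next-hop-instance-zone=${zone} --tags=${node_tag}"
)

# Plan for the two clusters in the question (placeholder tags and address).
nat_plan europe-west1 europe-west1-b gke-eu 203.0.113.10
nat_plan us-east1 us-east1-b gke-us 203.0.113.10
```

Because the route's destination is a single /32, it is more specific than the default route, so only connections to the database leave through the static address.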
