Edgar Peixoto

Reputation: 559

Is it possible to use Cloud NAT with public GKE Cluster?

I have one public GKE cluster with 2 nodes and with that, 2 public external IPs. I want only one egress IP.

I want to use Cloud NAT for that. It seems it is possible.

An alias IP range assigned to the VM's network interface: Even if the network interface has an external IP address assigned to it, you can configure a Cloud NAT gateway to provide NAT for packets whose sources come from an alias IP range of the interface. An external IP address on an interface never performs one-to-one NAT for alias IP addresses.

I created a Cloud NAT but it is not working. I use the following commands to get the IP and it always returns one of the IPs of the nodes.

kubectl run -i --tty get-ip-address --image=dwdraju/alpine-curl-jq --restart=Never

and

curl checkip.amazonaws.com

My cluster has VPC native enabled.

Upvotes: 2

Views: 1667

Answers (3)

Alan Wu

Reputation: 1

You will still be able to use Cloud NAT even with a public GKE cluster by deploying IP-MASQ agents on each node, which overwrites the node's NAT iptables and bypasses masquerade for internal traffic:

https://rajathithanrajasekar.medium.com/google-cloud-public-gke-cluster-egress-traffic-via-static-ip-addresses-for-ip-whitelisting-1cb024228e7e

Upvotes: 0
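
A sketch of the ip-masq-agent configuration the answer above refers to, added here as an example; it is not taken from the answer or from the linked article. It assumes the ip-masq-agent DaemonSet is running on the nodes and that the Cloud NAT gateway is configured to cover the subnet's pod (alias) secondary range; the CIDR and interval values are illustrative.

```yaml
# Added example; the values are assumptions, not the answer's own config.
# On GKE the agent reads a ConfigMap named "ip-masq-agent" in kube-system,
# from the key "config".
apiVersion: v1
kind: ConfigMap
metadata:
  name: ip-masq-agent
  namespace: kube-system
data:
  config: |
    # Destinations listed here are NOT masqueraded: packets leave the node
    # with the pod's own alias-range source address instead of being
    # SNATed to the node's primary IP.
    # 0.0.0.0/0 means "never masquerade", so internet-bound pod traffic
    # keeps an alias-range source, which is the case the Cloud NAT
    # documentation quoted in the question says the gateway can NAT.
    nonMasqueradeCIDRs:
      - 0.0.0.0/0
    # Agent default: link-local destinations (169.254.0.0/16) are not masqueraded.
    masqLinkLocal: false
    # How often the agent re-reads this config and rewrites its iptables rules.
    resyncInterval: 60s
```

Traffic that originates from the node itself or from hostNetwork pods still carries the node's primary address and leaves through the node's external IP, so an allowlist built on the NAT address covers pod traffic only. Re-running the `curl checkip.amazonaws.com` check from the question inside a regular pod shows which address the remote side actually sees.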

Mohamad Bazzi

Reputation: 136

Please use the Private Kubernetes Cluster option. The nodes will only have internal IP addresses.

If you follow this guide, you will be able to achieve your desired configuration using Private clusters.

Upvotes: 0

Patrick W

Reputation: 4899

Cloud NAT does not work with public clusters. However, this just means that your nodes will not have public IPs. Private clusters can still use public endpoints by using service type LoadBalancer or using ingress resources.

For your REST API endpoint, use either an ingress or a load balancer with a static IP to make sure the endpoint is reachable from outside the cluster and the endpoint (IP or URL) is stable.

Upvotes: 0
