Ian Connor

Reputation: 31

Setting Static External IP Range for GCP Cloud Build Private Pool

I am working on a solution where we are using a GCP Cloud Build trigger to access an external 3rd party service in order to download files before uploading them to the cloud. However, the service provider is requesting a limited CIDR range to allow through their firewall for security purposes.

In the documentation for Cloud Build, it specifically states that you can set a static IP range for a private pool that you configure.

https://cloud.google.com/build/docs/private-pools/use-in-private-network#defining_a_static_ip_range

However, the documentation that it links to never actually makes mention of defining a static IP range for external use.

I have the trigger set up to use the Private Pool that I created in the VPC in my project, but while I can limit it to one of the 60 or so IP ranges that Google Cloud uses, this is still too many to really give to the provider.

I attempted to set up a Cloud NAT, but it doesn't appear to work with Cloud Build (which admittedly matches what the documentation says).

Is there a good way to set up a static external IP address or range of IP addresses to use with the Cloud Build Private Pool?

Upvotes: 3

Views: 2455

Answers (2)

Mauricio

Reputation: 3079

In my case I needed the IP range to be allowed into my own VPC firewall rule because we need to specify the exact IP ranges allowed due to compliance requirements.

So to achieve this, I went to the VPC Network > PRIVATE SERVICES ACCESS tab. Then I used the IP range allocated by the Google Cloud Platform Service producer configured for the private pool.

Upvotes: 0

Puteri

Reputation: 3789

This is not possible.

The problem with the documentation is that it mentions it is possible to set a static IP range (notice it says range), but it is about private IPs, not public ones.

The purpose of private pools for Cloud Build is that your build can access private resources in your VPC, and it is sometimes mistakenly thought that the workers are part of the project.

If we look at the network diagram for private pools, you will notice that the workers are actually in the Service Producer Project and connect to our project through VPC peering.

(Image: Private Pools Net Arch)

This means that to set a static IP, you would need access to the Service Producer Project and configure the NAT there, which obviously is not possible.

Likewise, setting up the NAT in your project won't work, since again you would need to do other network configuration in that Service Project, which is not feasible.

There is already a Feature Request for this, so you may want to follow any progress there.

Upvotes: 2
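An added example (not from either answer or from Google) that puts the two practical options side by side. Narrowing the published Google Cloud ranges to one region is the best the asker can hand an external provider; the private services access allocation that the second answer uses only works for ingress rules in your own VPC, because it is a private range that no external firewall will ever see. The `cloud.json` sample below has the shape of Google's published file (https://www.gstatic.com/ipranges/cloud.json) but its prefixes and scopes are constructed for illustration; `10.124.0.0/20` is a made-up private services access allocation, and the firewall rule name and network are placeholders.

```python
import ipaddress
import json

# Constructed sample in the shape of Google's published cloud.json.
# Prefixes and scopes here are illustrative, not a copy of the live file.
SAMPLE_CLOUD_JSON = json.dumps({
    "syncToken": "0",
    "creationTime": "constructed-sample",
    "prefixes": [
        {"ipv4Prefix": "35.192.0.0/13", "service": "Google Cloud", "scope": "us-central1"},
        {"ipv4Prefix": "35.200.0.0/13", "service": "Google Cloud", "scope": "us-central1"},
        {"ipv4Prefix": "35.208.0.0/12", "service": "Google Cloud", "scope": "us-east1"},
        {"ipv4Prefix": "34.64.0.0/11", "service": "Google Cloud", "scope": "asia-northeast3"},
        {"ipv6Prefix": "2600:1900::/28", "service": "Google Cloud", "scope": "global"},
    ],
})

# Constructed value standing in for the range shown under
# VPC Network > Private services access for the private pool.
EXAMPLE_PRIVATE_POOL_ALLOCATION = "10.124.0.0/20"


def egress_ranges_for_region(cloud_json_text, region):
    """Return the published prefixes whose scope is `region`, merged where
    adjacent blocks form one aligned CIDR. This is the smallest allow-list
    you can give an external provider for a private pool in that region."""
    data = json.loads(cloud_json_text)
    v4, v6 = [], []
    for entry in data["prefixes"]:
        if entry.get("scope") != region:
            continue
        if "ipv4Prefix" in entry:
            v4.append(ipaddress.ip_network(entry["ipv4Prefix"]))
        elif "ipv6Prefix" in entry:
            v6.append(ipaddress.ip_network(entry["ipv6Prefix"]))
    # collapse_addresses only merges networks of one IP version at a time.
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def usable_in_external_allowlist(cidr):
    """True only for globally routable ranges. The private services access
    allocation is RFC 1918 space, so it can never appear as a source
    address at a third party's firewall."""
    return ipaddress.ip_network(cidr, strict=False).is_global


def ingress_rule_command(rule_name, network, allocated_range, ports=("tcp:443",)):
    """Build the gcloud command for the second answer's use case: allow the
    private pool's allocated range into your own VPC. Refuses public ranges,
    which would indicate the wrong value was copied."""
    net = ipaddress.ip_network(allocated_range, strict=False)
    if not net.is_private:
        raise ValueError(f"{net} is not a private services access allocation")
    return [
        "gcloud", "compute", "firewall-rules", "create", rule_name,
        f"--network={network}",
        "--direction=INGRESS",
        "--action=ALLOW",
        "--rules=" + ",".join(ports),
        f"--source-ranges={net}",
    ]


def region_of_source_ip(ip, cloud_json_text):
    """For the provider side: map a source address seen in firewall logs to
    the published scope it belongs to, or None if it is not a Google Cloud
    address at all."""
    addr = ipaddress.ip_address(ip)
    for entry in json.loads(cloud_json_text)["prefixes"]:
        prefix = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if addr in ipaddress.ip_network(prefix):
            return entry.get("scope")
    return None


if __name__ == "__main__":
    for net in egress_ranges_for_region(SAMPLE_CLOUD_JSON, "us-central1"):
        print("external allow-list candidate:", net)
    print("allocation usable externally?",
          usable_in_external_allowlist(EXAMPLE_PRIVATE_POOL_ALLOCATION))
    print(" ".join(ingress_rule_command("allow-private-pool", "my-vpc",
                                        EXAMPLE_PRIVATE_POOL_ALLOCATION)))
```

Run against the real `cloud.json`, `egress_ranges_for_region` gives the regional subset the asker describes; it is still several blocks, which is exactly why the accepted answer says a single static external address is not possible without NAT in the service producer project.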
