Reputation: 395
We need to add only the external IP of the bastion host to "authorized networks" to access the control plane of the GKE private cluster. It does not work if we add the internal IP of the VM in the same VPC which serves as the bastion. Is there any specific reason for this?
We add IP ranges to this field
Upvotes: 0
Views: 1199
Reputation: 291
The connection works when you add the external IP of the VM to the master authorized networks, but not when you use the internal IP, indicating that the GKE cluster and the bastion VM are in different networks which are not connected to one another. I need to know the private, internal network path between the bastion VM and the GKE cluster (if there is one) in order to investigate further the connectivity and help you fix this issue.
The general guidance is that you should have an architecture like the one below:
GKE control plane VPC --VPC Peering--> GKE cluster VPC --Cloud Interconnect / VPN--> Network where the bastion VM is
To the best of my understanding, there should be no limitation regarding adding external or internal ranges to a cluster's authorized networks, as long as there is a way to connect to these addresses (connectivity with VPN/Interconnect for internal ranges and Cloud NAT for external ranges).
Upvotes: 1
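Before opening a support case, it is worth confirming that the source address the bastion actually presents to the control plane is covered by one of the CIDR ranges configured as master authorized networks (an internal IP that is not inside any listed range is rejected exactly like an unreachable one). The following POSIX shell helper is an added example, not code from the question or the answer above; the IP addresses and ranges in it are constructed sample values, and the `gcloud` invocation at the end uses a placeholder cluster name:

```shell
#!/bin/sh
# Added example: check whether a bastion's source IP lies inside one of the
# CIDR ranges intended for GKE "master authorized networks".
# All addresses below are constructed sample values.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_contains CIDR IP  -> exit 0 when IP is inside CIDR, 1 otherwise.
cidr_contains() {
  cidr=$1; ip=$2
  net=${cidr%/*}; bits=${cidr#*/}
  # Build the netmask; 4294967295 is 0xFFFFFFFF written in decimal for portability.
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  fi
  [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$ip") & mask )) ]
}

# covering_range IP CIDR...  -> prints the first CIDR that covers IP, or "none".
covering_range() {
  ip=$1; shift
  for r in "$@"; do
    if cidr_contains "$r" "$ip"; then
      echo "$r"; return 0
    fi
  done
  echo none; return 1
}

# Constructed sample: bastion internal IP 10.0.1.5, two candidate ranges.
BASTION_INTERNAL_IP=10.0.1.5
RANGES="192.0.2.0/24 10.0.0.0/16"

# shellcheck disable=SC2086  # word-splitting of RANGES is intended here
hit=$(covering_range "$BASTION_INTERNAL_IP" $RANGES)
echo "$BASTION_INTERNAL_IP is covered by: $hit"

# If the range is correct, apply it with gcloud (placeholder cluster name).
# gcloud container clusters update CLUSTER_NAME_PLACEHOLDER \
#   --enable-master-authorized-networks \
#   --master-authorized-networks "$hit"
```

If the helper prints `none` for the bastion's internal IP, the authorized-networks entry is the problem, independent of routing. If it prints a range and the connection still fails only over the internal path, the cause is the network path the answer describes: traffic from the bastion must reach the control plane's peered range, which for a VM in a different VPC means Interconnect or VPN rather than a direct route.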