Reputation: 11
@guillaume-blaquiere and @john-hanley,
Thanks for your feedback. I edited my initial post after your remarks to give you as much information as possible about the context.
In a project A, a network called 'vpc-1' was created with a subnet whose IP range is 172.200.10.0/24. In this project we need a Cloud Build that will eventually be executed by Talend. To make Cloud Build communicate with the VPC network, it is necessary to create an internal IP address range allocated for the private service connection (10.120.0.0/16).
A private connection was made to peer the VPC network.
One of the commands executed in the worker pool of the Cloud Build is to connect to the SQL server to retrieve data.
For this, a VPN is needed to create a secure tunnel between my GCP project and my local infrastructure.
A standard rule-based tunnel was set up and works well.
I set up a VM in vpc-1, IP 172.200.10.10/24; I can ping and connect to the SQL server on my local infrastructure.
From the SQL server on my local network, I can ping this VM too.
According to the Google doc https://cloud.google.com/vpc/docs/configure-private-services-access?hl=fr#gcloud_9 it is necessary to export the custom routes at the VPC network peering level.
In the exported routes we find:
- the local subnet route 172.200.10.0/24 and the static route to the SQL server IP on my local network, 192.168.200.20
I then created a worker pool in Cloud Build, specifying the project, the machine type, etc.
For a test, I created a .yml file to execute commands with this worker pool.
In the test YAML file I run simple ping commands:
steps:
  - name: ubuntu
    script: |
      apt update
      apt install telnet iputils-ping traceroute net-tools -y
      # VM in vpc-1: reachable from the worker
      ping -c 4 172.200.10.10   # 100% success
      # on-prem SQL server behind the VPN: not reachable from the worker
      ping -c 4 192.168.200.20  # 100% lost
options:
  pool:
    name: "projects/project-id/locations/europe-north1/workerPools/workpool-test"
I wonder whether communication is simply possible or not between the worker pool and my on-premise network.
Upvotes: 1
Views: 418
Reputation: 361
It is possible to communicate between your worker pool and your on-prem network. We successfully POC'd this recently. The caveat is that you have to create a private network service between your private pool subnet and Google services. Then whitelist the communication based on the IP range reserved for Google services, not the subnet's one. Apparently the private pool workers are created within the reserved IP range for Google services.
Upvotes: 0
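The answer's point is the source address the on-prem side sees: a private-pool worker does not live in the 172.200.10.0/24 subnet, it gets an address out of the range allocated for private services access (10.120.0.0/16 in the question), so a VPN traffic selector or on-prem firewall rule keyed on the subnet admits the test VM but silently drops the worker's packets. The following is an added example, not code from the thread or from Google; it takes the subnet, reserved range and SQL server address from the question, while the on-prem LAN (192.168.200.0/24) and the worker address 10.120.5.7 are assumptions/constructed values. It reproduces the two ping results from the question against a subnet-only allowlist and shows the allowlist that covers both VMs and workers, plus an overlap check, since a reserved range that collides with on-prem space would route the return traffic locally instead of back into the tunnel.

```python
"""Which source ranges the on-prem allowlist must admit for Cloud Build
private-pool workers to reach an on-prem SQL server over the VPN.

Added example, not from the thread. VPC_SUBNET, RESERVED_RANGE and ONPREM_SQL
come from the question; ONPREM_RANGE and SAMPLE_WORKER_IP are assumed values.
"""
from ipaddress import IPv4Address, ip_address, ip_network

VPC_SUBNET = ip_network("172.200.10.0/24")     # vpc-1 subnet (the test VM lives here)
RESERVED_RANGE = ip_network("10.120.0.0/16")   # allocated for private services access
ONPREM_SQL = ip_address("192.168.200.20")      # on-prem SQL server from the question
ONPREM_RANGE = ip_network("192.168.200.0/24")  # assumed on-prem LAN containing it
TEST_VM_IP = ip_address("172.200.10.10")       # the VM from the question
SAMPLE_WORKER_IP = ip_address("10.120.5.7")    # constructed private-pool worker address


def classify_source(src: IPv4Address) -> str:
    """Which side of the peering a source address belongs to."""
    if src in VPC_SUBNET:
        return "vpc-subnet"
    if src in RESERVED_RANGE:
        return "private-pool-worker"
    return "unknown"


def allowed_by(rule_sources, src: IPv4Address, dst: IPv4Address = ONPREM_SQL) -> bool:
    """True if an on-prem allowlist (list of source networks) admits src -> dst.
    This models a VPN traffic selector or firewall rule keyed on source range."""
    return dst in ONPREM_RANGE and any(src in net for net in rule_sources)


def diagnose(rule_sources, src: IPv4Address) -> str:
    """Explain the outcome of a ping from src the way the two tests in the thread behave."""
    kind = classify_source(src)
    if allowed_by(rule_sources, src):
        return f"{src} ({kind}) reaches {ONPREM_SQL}"
    if kind == "private-pool-worker":
        return (f"{src} is a private-pool worker in {RESERVED_RANGE}; "
                f"the allowlist only covers {[str(n) for n in rule_sources]}")
    return f"{src} ({kind}) is not admitted by the on-prem allowlist"


def required_allowlist():
    """Source ranges the on-prem side must admit: the subnet (for VMs) and the
    reserved range (for private-pool workers)."""
    return [VPC_SUBNET, RESERVED_RANGE]


def overlap_problems():
    """Ranges that collide with on-prem space; any hit means return traffic to
    the workers would be delivered locally instead of into the tunnel."""
    return [str(n) for n in required_allowlist() if n.overlaps(ONPREM_RANGE)]


if __name__ == "__main__":
    subnet_only = [VPC_SUBNET]
    print(diagnose(subnet_only, TEST_VM_IP))                 # VM: reaches the SQL server
    print(diagnose(subnet_only, SAMPLE_WORKER_IP))           # worker: blocked, as in the question
    print(diagnose(required_allowlist(), SAMPLE_WORKER_IP))  # worker: reaches once the range is admitted
    print("overlaps:", overlap_problems())
```

The same range has to be present on the GCP side of the tunnel as well: with a rule-based (policy-based) Cloud VPN the local traffic selector must include the allocated range, and with a Cloud Router the peering-learned range has to be advertised as a custom route, otherwise the on-prem side never learns a path back to 10.120.0.0/16 even after it allowlists it.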