Ralph

Reputation: 458

GCP - Use Restricted Maps API Key via Private Google Access

I have a private GKE cluster running a service that is attempting to use the Google Places API. I have created an API key and configured my cluster's NAT IPs (which are static) as permitted IPs that can use the key.

However, when I try to call the API from the private VM, I get the following error:

{
   "error_message" : "This IP, site or mobile application is not authorized to use this API key. Request received from IP address fda3:e722:ac3:10:4:9db9:a8e:xxx, with empty referer",
   "predictions" : [],
   "status" : "REQUEST_DENIED"
}

My expectation is that the connection from a pod in GKE should use the NAT gateway's allocated static IPs, which we use for all other external integrations; however, it seems to be failing when trying to access Google's APIs.

It seems Google is doing some internal IPv4 to IPv6 NAT conversion when the traffic is expected to stay within their network, but external connections use IPv4 as intended.

I have searched for solutions to this problem and found the following which are more or less the same problem I have, but none of them have a working solution:

My question is, how do I force GKE to use IPv4 for PGA connections, or identify a list of IPv6 IP addresses used by Google so I can whitelist them in the API key's configuration?

Upvotes: 0

Views: 210

Answers (1)

x-zone-cat

Reputation: 552

  • How do I force GKE to use IPv4 for PGA connections? (Assuming NAT Gateway)

Cloud NAT doesn't change how PGA-enabled subnets should work; it doesn't perform public NAT to send traffic from instances (GKE nodes) to Google APIs.

PGA uses GCP networking that is designed for instances/VMs with no public IP to reach Google APIs.

  • Identify a list of IPv6 IP addresses used by Google

This is not possible to list since it is a backend architecture of the platform.

Upvotes: 0
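
An added example, not code from the question or the answer: a small Python check that reads a `REQUEST_DENIED` response in the format quoted in the question and compares the source address the API reports with the IP restrictions set on the key. The names `diagnose`, `NAT_IPS` and `SAMPLE_RESPONSE`, and all addresses in it, are constructed for illustration.

```python
import ipaddress
import json
import re

# Source address as reported in the REQUEST_DENIED message quoted in the question.
SRC_RE = re.compile(r"Request received from IP address ([0-9A-Fa-f:.]+)")
ULA = ipaddress.ip_network("fc00::/7")  # IPv6 unique local addresses

# Constructed sample data (not from the page): documentation-range NAT IPs
# and a response in the same shape as the error in the question.
NAT_IPS = ["203.0.113.10", "203.0.113.11"]
SAMPLE_RESPONSE = json.dumps({
    "error_message": "This IP, site or mobile application is not authorized "
                     "to use this API key. Request received from IP address "
                     "fd00:1234:5678:10:4:9db9:a8e:1, with empty referer",
    "predictions": [],
    "status": "REQUEST_DENIED",
})


def diagnose(response_body, allowed):
    """Compare the source IP the API reports with the key's IP restrictions."""
    body = json.loads(response_body)
    if body.get("status") != "REQUEST_DENIED":
        return {"denied": False}
    match = SRC_RE.search(body.get("error_message", ""))
    try:
        src = ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:  # e.g. an address redacted with "xxx"
        src = None
    if src is None:
        return {"denied": True, "source": None}
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    return {
        "denied": True,
        "source": str(src),
        "version": src.version,
        # A unique local address can never be one of the public NAT IPs.
        "unique_local": src.version == 6 and src in ULA,
        "matches_restriction": any(
            n.version == src.version and src in n for n in nets),
        "restriction_versions": sorted({n.version for n in nets}),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_RESPONSE, NAT_IPS))
```

A result with `unique_local` true and `restriction_versions` equal to `[4]` shows that the request did not leave through Cloud NAT, so an allowlist of NAT IPs cannot match it.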
